Combined - Out Icai MCQ


Module: 1, Primer on Information Technology – Facilitated e-Learning

1.3 IT ASSURANCE SERVICES AND ROLE OF CA IN BPO-KPO

1 Why do Chartered Accountants need to embrace IT?
A. IT is a trendy thing
B. IT is a buzzword
C. IT is a key enabler in Enterprises
D. IT is interesting

2 Which of the following is an advantage of Outsourced services?
A. Privacy and confidentiality
B. Attrition of staff
C. Cost cutting
D. Legal compliances

3 While auditing an Outsourced agreement, an IS auditor would be most concerned with
A. The commercial terms of outsourcing arrangement
B. The continuity of operations in case of failure of service provider
C. The location from which services are provided
D. The loss of in-house IT competencies

4 Embracing IT will enable Auditors to provide Consulting and Assurance services to an enterprise in the areas of
A. IT Risk Management
B. IT Strategic Planning
C. IT Security Management
D. All of the above.

5 An IS Auditor auditing the on-line transaction processing system of an organization outsourced to a third party will be most concerned that
A. Transactions are authorized by the outsourced agency.
B. Transaction log is not printed on daily basis.
C. Organization does not have adequate trained IT personnel.
D. The third party is providing outsourced services to other clients also.
ANSWERS
1 C
2 C
3 B
4 D
5 A

1.4 Business Intelligence


1 A goal of data mining includes which of the following?
A. To create a new data warehouse
B. To create data marts
C. To eliminate need to understand business
D. To discover useful patterns in large volume of diverse data

2 A Data Warehouse is which of the following?
A. A system that is used to run the business in real time and is based on historical data
B. A system that is used to run the business in real time and is based on current data
C. A system that is used to support decision making and is based on historical data
D. A system that is used to support decision making and is based on current data

3 Which of the following is a tool that helps in predicting future trends and behaviours, allowing business managers to make proactive, knowledge-driven decisions?
A. Data warehouse
B. Data mining
C. Data marts
D. Data Dictionary

4 Which of the following is false?
A. Data mart contains more detailed data than DW.
B. Data Marts are used only by large Companies.
C. Data mart requires less powerful Hardware than DW.
D. Data for a single aspect of business is stored in Data mart.

5 Which of the following is a challenge in ERP?
A. Improved Data Access
B. Improvement in work processes.
C. Standardized Business processes.
D. Selection and configuration of ERP package

6 E-commerce is:
A. Any electronic communication between a Company and its shareholders
B. Organization using electronic media to link to its employees
C. Conduct of business activities over computer networks electronically.
D. The use of electronic communications for all business processes.
ANSWERS
1 D
2 C
3 B
4 B
5 D
6 C

1.5 Cloud Computing

1 Which of the following is not a service model for cloud?
A. IaaS (Infrastructure as a Service)
B. PaaS (Platform as a Service)
C. SaaS (Software as a Service)
D. DaaS (Display as a Service)

2 Which of the following would not be a reason to move to cloud computing?
A. Agility
B. Scalability
C. Security
D. Resource Pooling

3 Which is not a benefit of cloud computing?
A. Vendor lock-in
B. Ability to access the application and data from anywhere
C. Reduce Hardware Costs
D. Reduce need for physical space

4 Which is not an advantage of Mobile Computing?
A. Saves Time
B. Entertainment
C. Health Hazard
D. Location flexibility
ANSWERS
1 D
2 C
3 A
4 C

1.6 Emerging Technologies

1 Which of the following is not a concern of BYOD?
A. Reluctance of Employees
B. Compatibility issues
C. Reduced IT support requirement
D. Security Administration issues

2 Which of the following facilitates data exchange and the defining of tags?
A. HTML
B. Social Media
C. BYOD
D. XML

3 In which of the following is content managed and supplied by the user?
A. XBRL
B. XML
C. BYOD
D. Social Media

4 Social Media benefits both users and marketers because:
A. It leads to an increase in Internet traffic.
B. Through use of social media marketers will have a more robust online presence.
C. Marketers will have monopoly over users.
D. Users will have less influence over the marketplace.

5 Which is not an advantage of XBRL?
A. Accuracy
B. Speed
C. Reusability
D. Taxonomies are always accurate
ANSWERS
1 C
2 D
3 D
4 B
5 D

1.7 Business Information Systems

1 This System can process semi-structured problems:
A. Expert systems
B. DSS
C. Artificial Intelligence
D. Transaction processing Systems

2 Which of the following refers to a normal operational activity for conduct of business?
A. DSS
B. Expert Systems
C. Artificial Intelligence
D. Transaction Processing Systems

3 A technology that manages huge amounts of data from diverse sources:
A. Big Data
B. DSS
C. Expert Systems
D. Transaction Processing Systems

4 A computer program that embodies specialized knowledge in a specific domain is called?
A. Automatic Processor
B. Intelligent planner
C. Expert System
D. Transaction processing systems

5 Which of the following systems is used to present high-level overview of information as well as the ability to drill down to details for senior managers?
A. Decision support system
B. Executive support system
C. Expert support system
D. Transaction-processing system
ANSWERS
1 B
2 D
3 A
4 C
5 B
1.8 Emerging Technologies Risk, Control & Audit

1 Which of the following is not a Green IT Practice?
A. Decommissioning Unused Systems
B. Consolidation of unused systems
C. Virtualization
D. Printing rather than Electronic records

2 Which of the following is not a reason to adopt Green IT?
A. Short term profits
B. Economic
C. Social and Environmental
D. Regulatory

3 Which of the following is a characteristic of Web 2.0 applications?
A. Multiple users schedule their time to use it one by one
B. Focused on the ability for people to collaborate and share information online
C. They provide users with content rather than facilitating users to create it
D. Web 2.0 applications use only static pages

4 Which of the following is not a use of Web 2.0 applications?
A. Blogs
B. Wikis
C. Personal Read only websites
D. Social Networks

5 Which of the following is not a Security Concern of Web 2.0 applications?
A. Collaboration and Third Party content
B. Clickjacking
C. Community based
D. Extended validation Tools
ANSWERS
1 D
2 A
3 B
4 C
5 D
Chapter 1: Business Process and Business Applications

Questions
1. The initial adoption of a Business Model by an organisation is dependent upon:

A. Business Applications
B. Business Objective
C. Controls in business applications
D. Business Laws

2. In an audit of application software, which of the following is to be reviewed first by an IS Auditor in order to understand the:

A. Business Application
B. Business Controls
C. Business Model
D. Business Laws

3. Arrange the following in chronological order
A. Establishing the expected degree of reliance to be placed on internal control
B. Determining and programming the nature, timing, and extent of the audit procedures to be performed
C. Coordinating the work to be performed
D. Acquiring knowledge of the client’s accounting system, policies and internal control procedures
The correct serial order:
A. A, B, C, D
B. D, A, B, C
C. D, C, B, A
D. B, C, D, A

4. ISACA ITAF 1202 states that an IS auditor needs to consider the following for an enterprise:
A. Inherent Risk and Audit Risk.
B. Detection Risk and Control Risk.
C. Subject matter risk and Audit risk.
D. None of above

5. The best definition which fits ‘COBIT 5’ is that it is a:
A. Business framework for the governance and management of enterprise IT.
B. System Audit Tool
C. Management tool for corporate governance
D. IT management tool

Answers and Explanations

1. B. Business Objectives are the prime reason for adoption of business models. The other answers
may be valid reasons but are never the first reason for adoption of a specific business model.
“A business model describes the rationale of how an organization creates, delivers, and captures
value (economic, social, cultural, or other forms of value). The process of business model construction
is part of business strategy.”

2. C. The Business Model needs to be assessed first by the IS Auditor. Options B and D are assessments to be
made later on. As an IS Auditor it becomes important to understand the business model adopted by
an organisation for a better understanding of the risk associated with the business model adopted by the
organisation.

3. B. As per SA 200 on “Overall Objectives of the Independent Auditor and the Conduct of an Audit in
Accordance with Standards on Auditing”, the steps to audit are as mentioned at option B.

4. B. ISACA ITAF 1202 states that an IS auditor needs to consider subject matter risk and audit risk. Subject
matter risk relates to business risk, country risk and contract risks. Audit risk is defined as the auditor reaching an
incorrect conclusion after an audit. The components of audit risk are control risk, inherent risk and
detection risk.
5. A. COBIT 5 can be best described as a “Business framework for the governance and management
of enterprise IT”, as in option A. The other answers are parts of the COBIT framework but not the full framework.
Chapter 2, Part 3: Cases of Application Controls

Questions
1. Application controls shall include all except
A. Application controls are a subset of internal controls.
B. The purpose is to collect timely, accurate and reliable information.
C. It is part of the IS Auditor’s responsibility to implement the same.
D. It is part of business application software.

2. As per the Income Tax Act, 1961 and banking norms, all fixed deposit holders of a bank need to submit
their PAN or form 60/61 (a form as per the Income Tax Act/Rules). The bank, in its account opening form, has
not included the requirement for form 60/61 where a PAN is not available. This defines which control lapse as per
COBIT?
A. Source Data Preparation and Authorisation
B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity

3. In a public sector bank, while updating master data for advances given, the bank employee does
not update “INSURANCE DATA”. This includes details of the Insurance Policy, Amount Insured, Expiry
Date of Insurance and other related information. This defines which control lapse as per COBIT?
A. Source Data Preparation and Authorisation
B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity

4. An emailed purchase order for 500 units was received as 5000 units. This defines which control lapse as per COBIT?
A. Source Data Collection and Entry
B. Accuracy, Completeness and Authenticity Checks
C. Output Review, Reconciliation and Error Handling
D. Transaction Authentication and Integrity

5. An IS Auditor processes a dummy transaction to check whether the system allows cash
payments in excess of Rs.20,000/-. This check by the auditor represents which of the following evidence
collection techniques?
A. Inquiry and confirmation
B. Re-calculation
C. Inspection
D. Re-performance

6. While auditing e-commerce transactions, auditor’s key concern includes all except:

A. Authorisation
B. Authentication
C. Author
D. Confirmation

7. RBI instructed banks to stop cash retraction in all ATMs across India from April 1, 013. This was the
result of a few ATM frauds detected. This action by RBI can be best classified as:

A. Creation
B. Rectification
C. Repair
D. None of above

8. Non-repudiation relates to all terms except one:
A. Right to deny withdrawn.
B. Digital Signatures.
C. E-commerce
D. None of above

9. A Company’s billing system does not allow billing to those dealers who have not paid the advance amount
against the proforma invoice. This check is best described as a:

A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check

10. While posting a message on FACEBOOK, if the user posts the same message again, FACEBOOK
gives a warning. The warning indicates which control?

A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check
Answers and Explanations

1. C. Option C represents what the auditor verifies, not what he/she implements. The rest is part of the
definition and purpose of application controls.

2. A. A is the correct answer, as the source data capture is not proper. Ensure that source documents
are prepared by authorised and qualified personnel following established procedures, taking into
account adequate segregation of duties regarding the origination and approval of these documents.
Errors and omissions can be minimised through good input form design.

3. C. This ensures that transactions are accurate, complete and valid. Validate data that were input,
and edit or send back for correction as close to the point of origination as possible.

4. D. D is the correct answer. As per COBIT, where transactions are exchanged electronically,
establish an agreed-upon standard of communication and mechanisms necessary for mutual
authentication, including how transactions will be represented, the responsibilities of both parties
and how exception conditions will be handled.

5. D. The IS Auditor may process test data on application controls to see how they respond.

6. C. C is correct. The others are key concerns of an IS auditor while auditing e-commerce transactions.

7. B. B is the right answer. A is not an answer as the action by RBI is based on fraud detection. Repair is
done to rectify an error which has occurred in a working system.

8. D. D is the correct answer. The other options are related to non-repudiation. A is the definition of the term.
B, digital signatures, create non-repudiation. E-commerce transactions need it (non-repudiation) for
execution of contracts.

9. B. Dependency check is one where value of one field is related to that of another.

10. D. D is the answer as this is a duplicate check.

Chapter 3, Part 7: System Audit Report format as per best practices

Questions
1. The best way to define the purpose for an IS Audit in one word:

A. Assurance
B. Activity
C. Review
D. Performance
2. What is the primary basis of audit strategy? It should be based on:

A. knowledge.
B. life-cycle.
C. user-request
D. risk assessment.
3. Which of the following audit tools is MOST useful to an IS auditor when an audit trail is required?
A. Integrated test facility (ITF)
B. Continuous and intermittent simulation (CIS)
C. Audit hooks
D. Snapshots
4. Which of the following is the first step in compliance testing? To review:
A. access security controls
B. input controls
C. processing controls
D. output controls.
5. The cashier of a company has rights to create bank master in TALLY. This error is a reflection of
poor definition for which type of control:

A. User Controls
B. Application Control
C. Input Control
D. Output Control
6. An employee has left the company. The first thing to do is to:
A. Hire a replacement employee.
B. Disable his/her access rights.
C. Ask the employee to clear all dues/advances.
D. Escort the employee out of company premises.

8. The common feature in ISACA ITAF 401, SA 700 and NFRA (National Financial Reporting Authority) is:

A. Reporting
B. Auditing
C. Accounting
D. Standard

Answers and Explanations

1. A. The IS audit focuses on determining the risks that are relevant to information assets, and in
assessing controls in order to reduce or mitigate these risks. Management gets an assurance about
the functioning of controls.

2. D. Audit Strategy is based on risk assessment done by the auditor. Other answers do not represent
basis for deciding audit strategy.

3. D. Snapshots is the right answer, as in this technique the IS auditor can create evidence through image
capturing. A snapshot tool is most useful when an audit trail is required. ITF can be used to
incorporate test transactions into a normal production run of a system. CIS is useful when transactions
meeting certain criteria need to be examined. Audit hooks are useful when only select transactions or
processes need to be examined.

4. A. A is the first step towards a compliance test. The other steps are more part of an application system
transaction audit.

5. A. User controls are not properly defined. User controls need to be defined on a NEED TO KNOW
and NEED TO DO basis. The above is a reflection of a greater problem of improper assessment of user
profiles created in the system.

6. B. The first thing to do as soon as an employee leaves the company is to disable his/her access
rights in the system. This needs to be done to prevent frauds being committed. Other answers may be
valid but are not the first thing to do.
C is the correct answer; the other options are components of SQL.

7. D. ISACA ITAF is a reporting standard by ISACA. SA 700 is a reporting standard by ICAI. NFRA is
an authority created in the new Companies Act to prescribe standards for accounting and auditing.
Chapter 1 Concepts of Governance and Management of Information Systems

Questions
1. Who is responsible for establishing right structure of decision-making accountabilities?
A. Senior management
B. Operational management
C. Chief information officer
D. IT steering committee

2. The MOST important benefit of implementing Governance of Enterprise IT is:
A. Monitor and measure enterprise performance
B. Provide guidance to IT to achieve business objectives
C. Run the companies to meet shareholders’ interest
D. Ensure strategic alignment of IT with business

3. The primary objective of Corporate Governance is:
A. Reduce IT cost in line with enterprise objectives and performance.
B. Optimise implementation of IT Controls in line with business needs
C. Implement security policies and procedures using best practices.
D. Increase shareholder value by enhancing economic performance.

4. The ultimate objective of Governance of Enterprise IT is to ensure that IT activities in an
enterprise are directed and controlled to achieve business objectives for meeting the needs of:
A. Shareholders
B. Stakeholders
C. Investors
D. Regulators

5. Which of the following is a key component of Corporate Governance?
A. Employee rights
B. Security policy
C. Transparency
D. Risk assessment

6. Enterprise governance and Governance of Enterprise IT require a balance between:
A. compliance and return on investment expected by shareholders
B. profit maximization and wealth maximization as decided by board
C. IT risks and cost of implementing IT controls as set by IT
D. conformance and performance goals as directed by the board.

7. Business Governance helps the Board by enabling them to understand:
A. enterprise functions
B. risk assessment
C. key performance drivers
D. Key controls

8. The effectiveness of the IT governance structure and processes is directly dependent
upon the level of involvement of
A. Heads of Business units
B. Internal auditor department
C. Technology management
D. Board/senior management

9. Which of the following is one of the key benefits of GEIT?
A. Identification of relevant laws, regulations and policies requiring compliance.
B. Improved transparency and understanding of IT’s contribution to business
C. Better utilization of human resources by using automation
D. Increased revenues and higher Return on investments.

10. Which of the following is the primary objective for implementing ERM?
A. Implement right level of controls.
B. Better availability of information.
C. Tighter security at lower cost.
D. Implement IT best practices.
Answers and Explanations

1. A. The senior management is responsible for ensuring right structure of decision-making
accountabilities. The operational management is responsible for ensuring that operations of the
enterprise are run as per enterprise policy. The chief information officer is responsible for ensuring IT
enabled investments provide business value and the IT steering committee is responsible for steering
IT enabled projects toward successful completion of objectives.
2. D. The MOST important benefit of implementing Governance of Enterprise IT is that it helps in
ensuring strategic alignment of IT with business. Alignment of IT strategy in tune with enterprise
strategy ensures value delivery from IT enabled investments. The monitoring and measuring of
enterprise performance is one of the key processes of GEIT. GEIT does not provide guidance to IT
to achieve business objectives but provides the overall framework and setting for IT to achieve business
objectives. Although GEIT is often implemented from a regulatory perspective and enables
enterprises to meet corporate governance requirements, it does not directly focus on running the
enterprises based on shareholders’ interest. Shareholders are one of the key stakeholders whose
objectives are considered while formulating enterprise goals.
3. B. The primary objective of Corporate Governance is to implement security policies and procedures
using best practices. Corporate governance requirements are best met by using best practices which
are globally accepted. The focus of implementing corporate governance is on ensuring regulatory
compliance and this does not look at cost aspects. Hence, reducing IT cost in line with enterprise
objectives and performance is not an objective. Further, optimising implementation of IT Controls in line
with business needs has to be considered as part of GEIT and is not directly an objective of corporate
governance. There are multiple stakeholders whose interests are sought to be protected by
regulations of corporate governance. One of the stakeholders is shareholders. However, the
regulations do not consider how to increase shareholder value by enhancing economic performance
but how to protect their interests.
4. B. The ultimate objective of Governance of Enterprise IT (GEIT) is to ensure that IT activities in an
enterprise are directed and controlled to achieve business objectives for meeting the needs of the
stakeholders. There are multiple stakeholders and GEIT requires balancing the needs of these
stakeholders. Shareholders, Investors and Regulators are some of the stakeholders.
5. C. One of the key components of Corporate Governance is ensuring transparency. This promotes
effective governance through establishing, communication and monitoring of performance. Employee
rights are not the focus of corporate governance. Security policy as prepared by the IT as applicable
for the enterprise is approved by the board. Corporate governance requirements do not provide any
specific details of risk assessment but only outline need for implementing risk management as
appropriate for the enterprise.
6. C. Enterprise governance and Governance of Enterprise IT require a balance
between IT risks and the cost of implementing IT controls as set by IT. Risk appetite and Risk tolerance
are set by the Board and this is based on the risks which are acceptable and the limit to which these are
acceptable. The compliance and return on investment expected by shareholders is not relevant as
shareholders do not have a stake in deciding this. The last two options, profit maximization and
wealth maximization as decided by the board and conformance and performance goals directed by the
board, are translated through the overall enterprise strategy which is then translated into business and
IT strategy.
7. C. The primary objective of Business Governance is to ensure performance and hence the focus
of the Board is to understand and implement key performance drivers. The other options are related to
operational areas which are dealt with by management at their level as required.
8. D. The Board/senior management play the most critical role in ensuring the effectiveness of the
IT governance structure and processes. Hence, the effectiveness of Governance is directly
dependent upon their level of involvement. The heads of business units work on implementing the
directions of the board and are focussed on management. The internal audit department plays an
important role in evaluating how well IT governance is implemented, but its role is providing
guidance. Technology management is responsible for aligning IT strategy in line with the
enterprise strategy and implementing IT solutions which help meet enterprise objectives.
9. C. Implementing GEIT requires active collaboration between the board/senior management in
directing IT towards enterprise objectives and putting a governance framework in place. Hence, the
key benefit of GEIT is the improved transparency and understanding of IT’s contribution to business
which is reflected in the performance management system. Although identification of relevant laws,
regulations and policies requiring compliance is important in implementing GEIT, this is not the
primary benefit. Directly, the focus of GEIT is neither on better utilization of human resources by using
automation nor on increased revenues and higher return on investments, although they are considered
as required.
10. A. The primary objective for implementing ERM is that it helps in deciding and implementing the right
level of controls. The other three options are indirect benefits of implementing ERM.
Chapter 2: GRC Frameworks and Risk Management Practices

Questions
1. The most important requirement for IT governance function to be effective is:
A. Monitoring
B. Evaluation
C. Directing
D. Managing

2. The primary objective of implementing principles, policies and framework within an organization is to:
A. communicate stakeholder’s intent.
B. benchmark performance against competitors.
C. conform with regulatory compliance.
D. implement corporate governance.

3. The MOST important benefit of implementing IT risk management process is that it helps in:
A. optimizing internal control framework.
B. ensuring residual risk is at acceptable level.
C. prioritizing business functions for audit planning.
D. complying with regulatory requirements.

4. Which of the following is a major risk factor?
A. Existence of inflationary trends.
B. Vendor launches new software.
C. Board of directors elects new chairman.
D. Change in government post elections.
5. The level to which an enterprise can accept financial loss from a new initiative is:
A. Risk tolerance
B. Risk management
C. Risk appetite
D. Risk acceptance

6. Designing and implementing a control to reduce the likelihood and/or impact of risk
materializing is a:
A. Risk acceptance
B. Risk transfer
C. Risk treatment
D. Risk transfer
7. Which of the following is a valid risk statement?
A. Network service provider is unable to meet bandwidth.
B. Hacker attempts to launch attack on web site.
C. Application server crash due to power failure.
D. Delay in servicing customers due to network congestion.

8. Which of the following is the primary reason for periodic review of risk? The changes in:
A. risk factors
B. risk appetite
C. budget
D. risk strategy

9. Which of the following is a strategic IT risk?
A. IS audit may not identify critical non-compliance.
B. Non-availability of networks impacting services to customers.
C. New application may not achieve expected benefits.
D. Defer replacement of obsolete hardware.

10. Which of the following is the most essential action after evaluation of inherent risks?
A. Evaluate implemented controls.
B. Update risk register.
C. Prepare heat map.
D. Prioritize evaluated risk.

Answers and Explanations

1. C. Directing is the most critical of the Governance functions which can be performed by the
Board. Although governance has three critical functions, Evaluate, Direct and Monitor, evaluation
and monitoring can only be performed against directions.
2. A. Principles, policies and framework have to be implemented within organizations primarily to
communicate the intent of management (Stakeholders) so that management can implement or
translate this into specific action.
3. B. The primary function of IT risk management process is to support value creation by reducing
the risk to an acceptable level. The other options are secondary benefits of IT risk management.
4. D. Risk factors are conditions that affect the risk profile of the organization. Change in government
is one of the major risk factors as compared with the other options.
5. C. Risk appetite denotes the level of risk acceptable by management. Risk tolerance is the time
up to which an organization can afford to accept the risk. Risk management is a process of risk
mitigation and risk acceptance is decision of the management and is considered as risk response.
6. C. Implementing control is a risk treatment.
7. D. Options A, B and C are threats and not risks.
8. A. Changes in risk factors are the primary reason for reviewing changes in risk levels for an
organization. The other options are secondary reasons.
9. D. Deferring replacement of obsolete hardware is a strategic decision and hence it is a strategic
IT risk. The others are operational IT risks.
10. A. Once risks are evaluated it is necessary to find out the current state of risk mitigation (gaps
in controls) by evaluating the existing controls. This helps in identifying gaps and implementing
controls so as to reduce the total exposure to within acceptable limits. The other activities are required
but not as essential as identifying gaps in controls.
Chapter 3: GEIT and GRC

Questions
1. Which of the following scenarios has the highest impact?
A. Absence of business continuity plan.
B. Absence of Security operations center.
C. Absence of monitoring of SLA.
D. Absence of risk management process.

2. Which of the following is the best strategy to address the risk of non-compliance?
A. Maintain an inventory of compliance requirements.
B. Embedding risk of non-compliance in operations.
C. Appointing chief compliance officer.
D. Implement IT governance framework.

3. Implementing IT risk management process is essential for implementing IT governance because IT risk management primarily helps the enterprise in:
A. Protecting and securing IT resources.
B. Arriving at likelihood and impact of risk.
C. Optimizing cost of control based on risk.
D. Monitoring performance of resources.

4. Which of the following is the most important requirement of compliance with governance?
A. Monitoring performance
B. Whistle blower policy
C. Independent directors
D. Assurance on controls.

5. Which of the following is the main benefit of implementing a GRC framework within an organization?
A. Reduction in compliance expenditure
B. Assurance on compliance and controls
C. Reduction in internal audit cycles over year
D. Availability of compliance status dashboard

6. Which type of non-compliance is the situation of an organization using an evaluation version of
software provided by a vendor beyond the specified number of days without paying for it?
A. Regulatory
B. Legal
C. Contractual
D. Internal

7. Overall reduction in regulatory non-compliances within the organization over a period of time indicates that:
A. Governance practices implemented are effective
B. The risk response policy adopted is to avoid risk
C. Legal framework provides for heavy penalties
D. Increase in number of internal audits performed

8. Which of the following is the first step in implementing a GRC framework within an organization?
A. Perform IT risk assessment
B. Identify internal policy requirements
C. Determining critical success factors
D. Perform control gap analysis

9. Primary objective of implementing legal and regulatory requirement framework like SOX or
clause 49 is to:
A. Make management accountable
B. Protect stakeholder’s interest
C. Get assurance on internal controls
D. Facilitate trading on stock exchanges

10. GRC compliances were made mandatory because of:
A. Management override of controls
B. Frauds committed by staff members
C. Reduction in market value of shares
D. Adoption of open economic policy
Chapter 3: GEIT and GRC

Answers and Explanations
1. A. Of the options, absence of a BCP has the highest impact when an incident results in a disaster.
2. B. Embedding compliance requirements in operational controls is the best strategy to mitigate the risks
related to non-compliance.
3. C. Risk management helps in selecting cost-beneficial controls based on exposure. This in turn
helps in value creation for the organization.
4. D. The most important requirement of governance compliance is assurance on the internal controls
implemented within the organization. Other requirements are important but secondary.
5. B. The main benefit of implementing a GRC framework is to provide assurance to stakeholders on
compliance and internal controls. Others are secondary and subjective.
6. C. It is a breach of contract between the vendor and the organization. Depending on the provisions it can be
a regulatory and internal non-compliance also. It will be a legal non-compliance if the software is used
without paying and without informing the vendor.
7. A. A reduction in non-compliances indicates that the governance framework is effective. The others may
or may not be concluded.
8. D. The first step in implementing a GRC framework is to perform a control gap analysis in order to
achieve the desired state. Identifying policy requirements is performed based on the gap analysis.
Performing risk assessment also uses the input from control gaps. Deciding critical success factors
is done after the plan is defined.
9. B. Protecting stakeholders' interest has been the primary objective of compliance requirements.
10. A. Management of some organizations committed financial frauds, jeopardizing the existence of those
organizations and hence stakeholders' investment.
Chapter 4: Key Enablers of GEIT

Questions
1. Which of the following is most important resource of the organization?
A. Policies and procedures
B. IT infrastructure and applications
C. Information and data
D. Culture, ethics and behaviour

2. Which of the following is most important characteristic of policies?
A. Must be limited in number.
B. Requires framework to implement.
C. Reviewed periodically.
D. Non-intrusive and logical.

3. Primary function of a process is to:
A. Act on input and generate output.
B. Define activities to be performed.
C. Focus on achieving business goals.
D. Comply with adopted standards.

4. Effective organization structure focuses on:
A. Defining designations.
B. Delegating responsibility.
C. Defining escalation path.
D. Deciding span of control.

5. Implementing GEIT is a primary responsibility of which of the following?
A. IT steering committee
B. IT strategy committee
C. IT risk committee
D. IT portfolio management

6. Prioritization of IT initiatives within organization is primarily based on:
A. Results of risk assessments
B. Expected benefit realization
C. Recommendations of CIO
D. Rate of obsolescence of IT

7. Primary objective of IT steering committee is to:
A. Align IT initiatives with business
B. Approve and manage IT projects
C. Supervise IT and business operations
D. Decide IT strategy for organization

8. A data administrator is primarily a:
A. Data base administrator
B. Data owner
C. Data custodian
D. Data integrator

9. Which of the following is a function of information security manager?
A. Implement firewalls in organization
B. Perform IT risk assessment
C. Approve information security policy
D. Define rules for implementing ID

10. Which of the following is best control for building requisite skills and competencies within
organization?
A. Hiring only highly qualified people
B. Outsourcing the critical operations
C. Conducting skill enhancement training
D. Defining skill requirements in job description
Chapter 4: Key Enablers of GEIT

Answers and Explanations
1. C. The entire GEIT implementation focuses on information and data. Policies are defined based on the
nature of information and data, culture and behaviour. IT infrastructure and applications store,
process and communicate information.
2. D. Policies are the vehicle to communicate the intent of management and hence must be clear and easy
to implement, which makes them effective. B and D are requirements to maintain policies and A is a
characteristic of principles.
3. A. The primary function of a process is to process received inputs and generate output to achieve process
goals. A process is a set of activities, but it is not its primary function to define activities. Although
processes are defined to achieve business goals, these are broken down to arrive at process goals.
Compliance with standards may need certain processes, but the primary function is to process input.
4. B. The effectiveness of an organization structure depends on the right level of delegation of responsibilities.
Defining a designation is only the naming of a specific role, which is not directly relevant. The other options
depend upon the level of delegation.
5. B. The IT strategy committee is appointed at board level and is responsible for implementing
GEIT. Other committees are more tactical and operational in nature.
6. B. Although the IT steering committee considers all inputs, the primary consideration is the expected
benefits to the organization.
7. A. The primary objective of appointing an IT steering committee is to ensure that IT initiatives are in
line with business objectives. D is the objective of the IT strategy committee. B and C are secondary
objectives derived from A.
8. C. A data administrator is primarily a data custodian.
9. D. The information security manager does not perform A, B or C. A is performed by the network manager;
B is performed by department heads, with the security manager as facilitator; the information security policy is
defined by the security manager and approved by management.
10. C. The best control for building requisite skills and competencies within an organization is to ensure
that skill enhancement training is provided.
Chapter 5: Performance Management Systems

Questions
1. Which of the following is best approach for monitoring the performance of IT resources?
A. Compare lag indicators against expected thresholds
B. Monitor lead indicators with industry best practices
C. Define thresholds for lag indicators based on long term plan
D. Lead indicators have corresponding lag indicator.

2. Performance monitoring using the balanced scorecard is most useful since it primarily focuses
on:
A. Management perspective
B. Product and services
C. Customer perspectives
D. Service delivery processes

3. Which of the following is considered as an example of a lead indicator?
A. Number of gaps with respect to industry standard.
B. Comparative market position of organization.
C. Percentage of growth achieved over three years.
D. Improvement in customer satisfaction survey.

4. The PRIMARY objective of base lining IT resource performance with business process
owners is to:
A. define and implement lead and lag indicators.
B. ensure resource planning is aligned with industry.
C. assess cost effectiveness of outsourcing contracts.
D. benchmark expected performance measurement.

5. Which of the following is BEST measure to optimize performance of skilled IT human
resources?
A. Include personal development plan in job description.
B. Document personal expectations during exit interviews.
C. Implement ‘Bring Your Own Device (BYOD)’ policy.
D. Monitor performance measure against baseline.

6. IT resource optimization plan should primarily focus on:
A. Reducing cost of resources
B. Ensuring availability
C. Conducting training programs
D. Information security issues

7. The PRIMARY objective of implementing performance measurement metrics for information
assets is to:
A. decide appropriate controls to be implemented to protect IT assets.
B. compare performance of IT assets with industry best practices.
C. determine contribution of assets to achievement of process goals.
D. determine span of control during life cycle of IT assets.

8. Which of the following is the PRIMARY purpose of optimizing the use of IT resources within
an enterprise?
A. To increase likelihood of benefit realization.
B. To ensure readiness for future change.
C. To reduce cost of IT investments.
D. To address dependency on IT capabilities.

9. While monitoring the performance of IT resources the PRIMARY focus of senior
management is to ensure that:
A. IT sourcing strategies focus on using third party services.
B. IT resource replacements are approved as per IT strategic plan.
C. key goals and metrics for all IT resources are identified.
D. resources are allocated in accordance with expected performance.

10. An organization is considering deploying an application using cloud computing services provided by a
third party service provider. The MAIN advantage of this arrangement is that it will:
A. minimize risks associated with IT
B. help in optimizing resource utilization.
C. ensure availability of skilled resources.
D. reduce investment in IT infrastructure.
Chapter 5: Performance Management Systems

Answers and Explanations
1. B. Lead indicators are a proactive approach for ensuring performance shall be as expected
and hence are defined using industry best practices. Lag indicators are useful after the fact
(A). Thresholds based on a long term plan may not provide input on performance during
execution (C). All lead indicators may not have a lag indicator.
2. C. The Balanced scorecard (BSC) focuses on the Financial, Customer, Internal and Learning
perspectives.
3. A. Lead indicators are proactive in nature and help management in planning. Identification
of gaps with respect to an industry standard is the beginning of the process of implementing best
practices. The other indicators are results of past performance.
4. D. In order to plan resources, the performance of resources must be determined and compared
with business expectations from IT. This will help management in implementing performance
measures against expected performance. The other options use baselines.
5. A. Motivation helps human resources in performing better. Career progression planning
included in the job description along with performance norms shall help in motivating human
resources.
6. B. A resource optimization plan primarily focuses on availability of the right resources at the right time.
Other requirements are secondary.
7. C. Resource performance is essential to measure the performance of business and IT
processes so as to monitor the level of contribution in achieving process goals and hence
business objectives. Performance measurement is performed to measure this contribution.
8. A. IT resource optimization within an enterprise must primarily focus on increasing benefit
realization from IT so as to deliver value to business. B. Ensuring readiness for future
change is essential to meet the growing IT service delivery and is part of resource
optimization requirements, but not the primary purpose. C. Resource optimization may or
may not reduce IT costs; however it will help in increasing return on IT investment. D.
Business dependency on IT depends on the capabilities of IT to deliver services to business.
Resource optimization is one of the processes to address this dependency, not the objective.
9. D. Management must monitor the performance of IT resources to ensure that the expected
benefits from IT are being realized as per planned performance. This is done by allocating
IT resources in accordance with the planned performance of business processes, cascaded down
to the IT resources supporting business processes.
10. B. Outsourcing shall help the organization in optimizing use of existing IT resources, which in turn
shall help in focusing on more critical business requirements and hence improve benefit
realization. However, outsourcing may or may not minimize risks associated with IT, i.e. it may
minimize risks associated with own investment but may introduce risks associated with
outsourcing. Although outsourcing helps in ensuring availability of skilled resources, it is not
the main advantage. Outsourcing may or may not reduce investment in IT, i.e. it may reduce the
need for acquisition of IT infrastructure, but there is cost associated with outsourcing and there
is additional cost for SLA monitoring.
Chapter 6: Implementing Governance and Management Practices

Questions
1. Which of the following is MOST critical for implementing GEIT?
A. Obtaining financial budget for IT
B. Building business case for implementation.
C. Creating the right environment.
D. Documenting the enterprise architecture

2. Which of the following principles are MOST relevant for Governance domain?
A. Plan, Do, Check and Act
B. Evaluate, Direct and Monitor
C. Plan, Build, Run and Monitor
D. Four dimensions of Balanced Scorecard

3. The primary objective of implementing the Resource optimisation process is to ensure:
A. resource needs of the enterprise are minimised.
B. return on IT investments is ensured
C. increased monitoring of benefit realization
D. making enterprise IT infrastructure resilient.

4. Which of the following is MOST critical for ensuring sustained alignment of IT strategic
plans? The IT strategic plans provide:
A. direction to IT department on deployment of information systems
B. key functionaries are involved in development and implementation.
C. IT long and short-range plans are communicated to stakeholders.
D. feedback is captured, reported and evaluated for inclusion in future IT planning.

5. The primary objective of value optimisation process is to ensure:
A. IT-enabled investments are made at the lowest cost.
B. appropriate IT-enabled initiatives are selected.
C. cost-efficient delivery of solutions and services
D. Quantification of IT costs and likely benefits

6. Which of the following is the key benefit of capacity management?
A. Meet long-term business goals in a cost effective and timely manner
B. Meets current and future business requirements in a cost-effective manner
C. Define and maintain relationships between key resources and capabilities
D. Assess the impact of changes and deal with service incidents.

7. In order to ensure that the IT strategic plan is successful, the organization must first ensure that the
plan:
A. focuses on optimization of cost.
B. is aligned with business strategy
C. provides direction for IT deployment
D. consists of long and short term goals

8. Which of the following indicates that the IT strategy is focused on benefit
realization?
A. Low percentage of IT enabled investments where claimed benefits met or exceeded;
B. High percentage of IT services approved based on reduction in operational costs
C. High percentage of business cases approved based on costs and benefits
D. Satisfaction survey of key stakeholders is neutral on IT service delivery.

9. Which of the following is most important to be included in SLA, while considering the
outsourcing of IT operation to cloud service provider?
A. Ownership of information
B. Periodic audit reports
C. Logical access controls
D. Reduction in operational costs

10. Which of the following is primary input for IT resource capacity management planning?
A. Annual financial budget for IT
B. IT resource acquisition plan
C. Number of databases in use
D. Expected growth of business
Chapter 6: Implementing Governance and Management Practices

Answers and Explanations
1. C. Creating the right environment is the most critical for implementing GEIT. Obtaining financial
budget for IT is an operational activity. Building a business case for implementation is done for all
projects and not just for GEIT. Documenting the enterprise architecture may help to some extent in
implementing GEIT but is not a critical factor.

2. B. The Governance domain is built on the three principles of Evaluate, Direct and Monitor. PDCA
pertains to continuous improvement initiatives. PBRM pertains to the management domain. The
four dimensions of the Balanced Scorecard are useful in translating strategy into action. They are a useful
aid in implementing Governance as a measure of performance management but they are not principles
of Governance.

3. C. The primary objective of implementing the Resource optimisation process is to ensure increased
monitoring of benefit realization. The resource needs of the enterprise are to be optimised and not
minimised. Implementing the resource optimisation process does not ensure return on IT investments. In
implementing resource optimisation the focus is on utilisation considering the investments and
benefits. Resilience of IT infrastructure is considered in the process of maintaining business
continuity.

4. D. Capturing, reporting and evaluating feedback for inclusion in future IT planning is MOST critical
for ensuring sustained alignment of IT strategic plans as this provides metrics for monitoring and also
ensures that the performance is maintained not only for the current but also for the future. Top
management shares the enterprise strategy based on which the IT strategy is prepared by the IT
department. There is no direction to the IT department on deployment of information systems provided
as part of IT strategic planning. The involvement of key functionaries in development and
implementation is critical to ensure success but it is required in the initial stages. However, this does
not guarantee the sustainability of the initiative. The communication of IT long and short-range plans
is important to get buy-in and to keep all stakeholders informed but this is only a reporting process.

5. B. The primary objective of the value optimisation process is to ensure cost-efficient delivery of
solutions and services. The focus of the value optimisation process is not on ensuring the lowest cost but
the optimal cost of all IT-enabled investments. Selection of appropriate IT-enabled initiatives is one of the
operational activities of value optimisation. Although it is critical, it is not the primary objective. Not all
IT investment benefits can be quantified. Hence, the option of quantification of IT costs and likely
benefits is not correct. Further, this is not the objective but a mechanism of performance monitoring.

6. B. The key benefit of capacity management is to ensure that not just the current but the future
business requirements are met in a cost-effective manner. Capacity management looks at both long-
term as well as short-term business goals in a cost effective and timely manner. Defining, describing
and maintaining relationships between key resources and capabilities is a primary requirement of
capacity management and not a benefit. Assessing the impact of changes and dealing with service
incidents is one of the benefits of capacity management but compared to option A, this is not a key
benefit.

7. B. The IT strategic plan must be aligned with the business strategic plan in order to maximize benefit
realization, optimize cost, provide direction to management and consist of long term and short term
goals.

8. C. Approval of most IT initiatives based on costs and benefits indicates that the IT strategy is
focused on benefit realization. B indicates the focus is on cost reduction. A indicates that IT initiatives
do not achieve expected benefits and D indicates that IT services are just enough.

9. A. Establishing ownership of assets deployed on infrastructure owned by a third party is most
essential. Other aspects are required and must be addressed in the SLA.

10. D. Expected growth of business is the primary input for capacity planning of IT resources. IT resources
must fulfil the business requirements. The other options depend on expected business growth.
Module 2

Questions
1. Who among the following is responsible for establishing IS Audit function in the organisation?
A. Audit Charter
B. Audit Governance
C. Audit Objectives
D. Audit Project Plan
2. Which of the following control classifications identify the cause of a problem and minimize the impact of
threat?
A. Administrative Controls
B. Detective Controls
C. Preventive Controls
D. Corrective Controls

3. Which of the following is NOT generally considered a category of Audit Risk?
A. Detection Risk
B. Scoping Risk
C. Inherent Risk
D. Control Risk

4. Which of the following are most commonly used to mitigate risks discovered by organizations?
A. Controls
B. Personnel
C. Resources
D. Threats

5. Which of the following is not a type of internal controls?
A. Detective
B. Corrective
C. Preventive
D. Administrative

6. Which of the following means the rate at which the opinion of the IS Auditor would change if he selects a larger sample size?
A. Audit Risk
B. Materiality
C. Risk Based Audit
D. Controls

7. Which of the following cannot be classified as Audit Risk?
A. Inherent Risk
B. Detection Risk
C. Controllable Risk
D. Administrative Risk

Chapter 1: Concepts of IS Audit

8. After you enter a purchase order in an on-line system, you get the message, “The request could not be
processed due to lack of funds in your budget”. This is an example of which type of error control?
A. Detection
B. Correction
C. Prevention
D. Recovery

9. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure
that:
A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate
10. Reviewing management's long-term strategic plans helps the IS auditor:
A. Gain an understanding of an organization's goals and objectives.
B. Test the enterprise's internal controls.
C. Assess the organization's reliance on information systems.
D. Determine the number of audit resources needed.

Answers and Explanations
1. An audit charter establishes the role of the internal audit function. It is established by senior
management.

2. Corrective controls identify the cause of a problem and minimize the impact of a threat. The
goal of these controls is to identify the root cause of an issue whenever possible and eliminate the
potential for it occurring again. The other controls are useful but perform other functions instead.

3. Scoping risk is not generally considered a category of audit risk. The other risk categories are also
possible types of risk; however, they are not the one that the question demands.

4. Controls are most commonly used to mitigate risks discovered by organizations. This is what
organizations implement as a result of the risks an organization discovers. Resources and personnel are
often expended to implement controls.

5. Administrative is not a type of internal control. Detective controls are designed to detect errors or
irregularities that may have occurred. Corrective controls are designed to correct errors or irregularities
that have been detected. Preventive controls are designed to keep errors or irregularities from occurring.

6. Audit risk means the rate at which the opinion of the IS Auditor would change if he selects a larger sample
size. Audit risk can be high, moderate or low depending on the sample size selected by the IS Auditor. A
risk-based audit approach is usually adopted to develop and improve the continuous audit process.
Materiality means the importance of information to the users. It is entirely a matter of the professional
judgment of the IS Auditor to decide whether the information is material or immaterial.

7. Inherent risk means the overall risk of management which is on account of the entity’s business operations
as a whole. Controllable risk is the risk present in the internal control system; the enterprise can control
this risk completely and eliminate it from the system. Detection risk is the risk of the IS Auditor when he
is not able to detect the inherent risk or the controllable risk.

8. To stop or prevent a wrong entry is a function of error prevention. All other options work after an error.
Prevention works before an error occurs.

9. In developing a risk-based audit strategy, it is critical that the risks and vulnerabilities are understood.
This will determine the areas to be audited and the extent of coverage. Understanding whether
appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are
inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk
analysis of the environment to be audited. Gap analysis would normally be done to compare the actual
state to an expected or desirable state.

10. Strategic planning sets corporate or departmental objectives into motion. Strategic planning is time- and
project-oriented, but must also address and help determine priorities to meet business needs. Reviewing
long-term strategic plans would not achieve the objectives expressed by the other choices.

Module 2

Questions
1. The IS Auditor should use which of the following when developing the overall IS Audit Plan and
determining priorities for the effective allocation of IS Audit Resources?
A. Audit Materiality
B. The work of outside experts
C. Risk Assessment
D. IT Governance

2. Which of the following sampling types is used to estimate the rate of occurrence of a specific quality in
population?
A. Discovery Sampling
B. Statistical Sampling
C. Attribute Sampling
D. Stop-or-go Sampling

3. Which of the following criteria for selecting the applications to be audited is LEAST likely to be used?
A. Materiality of audit risk
B. Sensitivity of transactions
C. Technological complexity
D. Regulatory agency involvement

4. The first step the IS Audit Manager should take when preparing the annual IS audit plan is to:
A. Meet with the audit committee members to discuss the IS audit plan for the upcoming
year.
B. Ensure that the IS audit staff is competent in areas that are likely to appear on the plan
and provide training as necessary.
C. Perform a risk ranking of the current and proposed application systems to prioritize the IS
audits to be conducted.
D. Begin with the prior year's IS audit plan and carry over any IS audits that had not been
accomplished.

5. The purpose of compliance tests is to provide reasonable assurance that:
A. Controls are working as prescribed.
B. Documentation is accurate and current.
C. The duties of users and data processing personnel are segregated.
D. Exposures are defined and quantified.

6. While reviewing internal controls in a microcomputer environment, an IS auditor recommends that duties
should be regularly rotated. The effect of implementing this recommendation would ensure which of the
following controls?
A. Detective
B. Compensating
C. Corrective
D. Preventive

Chapter 2: IS Audit in phases

7. Which of the following is the least important factor in determining the need for an IS Auditor to be involved
in a new system development project?
A. The cost of the system
B. The value of the system to the organization.
C. The potential benefits of the system.
D. The number of lines of code to be written.

8. Each of the following is a general control concern EXCEPT:
A. Organization of the IS Department.
B. Documentation procedures within the IS Department.
C. Balancing of daily control totals.
D. Physical access controls and security measures.

9. Which of the following types of audits requires the highest degree of data processing expertise?
A. Systems software audits
B. General controls reviews
C. Microcomputer application audits
D. Mainframe application audits

Answers and Explanations

1. C. The IS Auditor should use Risk Assessment while developing an overall IS Audit Plan. The other
examples are examples of audit standards.

2. C. Attribute sampling is used to estimate the rate of occurrence of a specific quality in population.
The other sampling methods described are legitimate sampling methods often employed by auditors
during audit.

3. C. Because technical complexity of an application is not as important as the materiality of the audit
risk associated with an application or sensitivity of the transactions. Regulatory agency requirements
also play an important role in determining what to audit. Answer "b" is NOT the best choice because
sensitivity of transactions would be an exposure to a company and should be considered in
determining which applications should be audited. Answer "a" is NOT the best choice because the
measurement of audit risk is an important component when determining the scope of an audit
plan. The materiality of the audit risk associated with specific application would have an impact on
whether the application is included in the audit scope. Answer "d" is NOT the best choice because
applications may relate to operational areas of the Company where regulatory agencies have
required audits.

4. C. Because IS audit services should be expended only if the risk warrants it. Answers a, b, and d
occur after c has been completed. Answer "b" is NOT correct because the IS Audit Manager does
not know what areas are to appear on the IS audit plan until a risk analysis is completed and
discussions are held with the audit committee members. Answer "a" is NOT correct because the IS
Audit Manager would not meet with the audit committee until a risk analysis of areas of exposure has
been completed. Answer "d" is NOT correct because a risk analysis would be the first step before
any IS audit services are expended.


5. A. The compliance tests determine whether prescribed controls are working. Answer "b" is NOT the
best choice. Current and accurate documentation may be a good procedure but it is only one type
of control procedure, therefore, answer 'A' is a better choice as more control procedures are
evaluated. Answer "c" is NOT the best choice because segregation of duties is only one type of
control procedure; therefore, answer 'A' is a better choice as more control procedures are
evaluated. Answer "d" is NOT the correct choice. Exposures are defined and quantified to determine
audit scope. Compliance tests provide reasonable assurance that controls are working as
prescribed.

6. B. A small institution may find that separation of duties (which is a preventative control) may not be
practical since there are too few employees. In such a circumstance, it may be possible to establish
an acceptable control environment by instituting compensating measures such as rotation of job
duties.

7. D. The size of the system is the least important of the factors listed. All other factors have specific
financial implications and an IS Auditor can be used to help mitigate the risk to the corporation with
the development of a new system.

8. C. Balancing of daily control totals relates to specific applications and is not considered an
overall general control concern. Answer "b" is NOT the best answer since documentation
procedures within the IS Department is an important general control concern. Answer "a" is NOT
the best answer since organization of the IS Department is an important general control concern.
Answer "d" is NOT the best answer since physical access controls and security measures are
important general control concerns.

9. A. The IS Auditor needs specialized education in hardware and operating systems
software. Answers b, c, and d can be performed when an IS Auditor has a basic level of data
processing technical knowledge and usually requires no special training. Answer "b" is NOT correct
because general controls reviews typically do not require as technical a level of knowledge as an
audit of systems software. Answer "c" is NOT correct because microcomputer application reviews
generally do not require as technical a background as an audit of systems software. Answer "d" is
NOT correct because mainframe application audits typically do not require special training or as
technical level of knowledge as system software reviews.

Module 2, Chapter 3: IT enabled services

Questions
1. Which of the following factors should not be considered in establishing the priority of audits included in
an annual audit plan?
A. Prior audit findings
B. The time period since the last audit
C. Auditee procedural changes
D. Use of audit software

2. Which of the following is LEAST likely to be included in a review to assess the risk of fraud in application
systems?
A. Volume of transactions
B. Likelihood of error
C. Value of transactions
D. Extent of existing controls

3. An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written
the password inside his/her desk drawer. The IS auditor should conclude that the:
A. Manager’s assistant perpetrated the fraud.
B. Perpetrator cannot be established beyond doubt.
C. Fraud must have been perpetrated by the manager.
D. System administrator perpetrated the fraud.

4. Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.
C. Operations support staff are implementing changes to batch schedules.
D. Database administrators are implementing changes to data structures.

5. Neural networks are effective in detecting fraud, because they can:
A. Discover new trends since they are inherently linear.
B. Solve problems where large and general sets of training data are not obtainable.
C. Attack problems that require consideration of a large number of input variables.
D. Make assumptions about the shape of any curve relating variables to the output.

6. The FIRST step in managing the risk of a cyber-attack is to:
A. Assess the vulnerability impact.
B. Evaluate the likelihood of threats.
C. Identify critical information assets.
D. Estimate potential damage.

7. What generally includes the imaging of original media in presence of an independent third party?
A. Identify
B. Preserve
C. Analyze
D. Present

8. What involves extracting, processing and interpreting the evidence?
A. Identify
B. Preserve
C. Analyze
D. Present

9. What is also performed to assess the overall objectives within an organization, related to financial
information and assets’ safeguarding, efficiency and compliance?
A. Operational Audit
B. Financial Audit
C. Integrated Audit
D. IS Audits

10. What is designed to evaluate the internal control structure in a given process or area?
A. Operational Audit
B. Financial Audit
C. Integrated Audit
D. IS Audits

11. After initial investigation, an IS auditor has reason to believe that there is a possibility of fraud. The IS
auditor has to:
A. Expand activities to determine whether an investigation is warranted.
B. Report the matter to the audit committee.
C. Report the possibility of fraud to top management and ask how they would like to proceed.
D. Consult with external legal counsel to determine the course of action to be taken.

Answers and Explanations

1. D. Use of audit software merely refers to a technique that can be used in performing an audit. It has
no relevance to the development of the annual audit plan.

2. B. An error is the least likely element to contribute to the potential for fraud. Answers A and C are
incorrect since volume times value of transactions gives an indication of the maximum potential loss
through fraud. Answer D is incorrect since gross risk less existing control gives net risk.

3. B. The password control weakness means that any of the other three options could be true. Password
security would normally identify the perpetrator. In this case, it does not establish guilt beyond doubt.

4. A. Production programs are used for processing an enterprise's data. It is imperative that controls on
changes to production programs are stringent. Lack of control in this area could result in application
programs being modified to manipulate the data. Application programmers are required to implement
changes to test programs. These are used only in development and do not directly impact the live
processing of data. The implementation of changes to batch schedules by operations support staff will
affect the scheduling of the batches only; it does not impact the live data. Database administrators are
required to implement changes to data structures. This is required for reorganization of the database to
allow for additions, modifications or deletions of fields or tables in the database.

5. C. Neural networks can be used to attack problems that require consideration of numerous input
variables. They are capable of capturing relationships and patterns often missed by other statistical
methods, and they will not discover new trends. Neural networks are inherently nonlinear and make no
assumption about the shape of any curve relating variables to the output. Neural networks will not work
well at solving problems for which sufficiently large and general sets of training data are not obtainable.

6. C. The first step in managing risk is the identification and classification of critical information resources
(assets). Once the assets have been identified, the process moves onto the identification of threats,
vulnerabilities and calculation of potential damages.

7. B. Preserve refers to the practice of retrieving identified information and preserving it as evidence. The
practice generally includes the imaging of original media in the presence of an independent third party.

8. C. Analyze involves extracting, processing and interpreting the evidence. Extracted data may be
unintelligible binary data until it has been processed and converted into a human-readable format. The
analysis should be performed using an image of the media and not the original.

9. C. An integrated audit combines financial and operational audit steps. An integrated audit is also
performed to assess the overall objectives within an organization, related to financial information and
assets’ safeguarding, efficiency and compliance.

10. A. An operational audit is designed to evaluate the internal control structure in a given process or area.
Audits of application controls or logical security systems are some examples of operational audits.

11. A. An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding
whether any additional action is necessary or whether an investigation should be recommended. The IS
auditor should notify the appropriate authorities within the organization only if it has determined that the
indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have
authority to consult with external legal counsel.

Module 4, Chapter 1: Information Risk Management and Controls

Questions
1: Which of the following shall BEST help in deciding upon the protection level for information asset?
A. Location of asset.
B. Impact of risk.
C. Vulnerabilities in asset.
D. Inventory of threats

2: Which of the following is a risk response option?
A. Determine likelihood of threat
B. Determine probability of risk
C. Deciding amount of insurance cover
D. Prepare risk profile report

3: After a Tsunami, a business decides to shift the location of its data centre from a coastal area to inland. Which
type of risk response option has it exercised?
A. Accept
B. Avoid
C. Mitigate
D. Transfer

4: An organization's capacity to sustain loss due to uncertainty, expressed in monetary terms, is best known as:
A. Risk appetite
B. Risk tolerance
C. Risk acceptance
D. Risk mitigation

5: The main use of maintaining and updating a risk register is to:
A. Define controls
B. Identify risk owner
C. Build risk profile
D. Maintain evidence

6: Of the following who is accountable for deciding and implementing controls based on risk mitigation plan?
A. Chief risk officer
B. Risk owner
C. IT operations manager
D. Board of directors

7: Which of the following is a risk factor that may have impact on organization?
A. Management decides to acquire new application software.
B. A new application required by organization is released.
C. Vendor decides to stop supporting existing application.
D. Organization retires old application that is not in use.

8: While auditing the risk monitoring process, which of the following should the IS auditor review FIRST?
A. Risk assessment process
B. Risk management framework
C. Alignment with business risks
D. Annual review of risk register

9: The quantum of risk after an organization has implemented controls based on the risk mitigation plan is:
A. Accepted risk
B. Residual risk
C. Inherent risk
D. Current risk

10: Which of the following shall best help in aligning IT risk with enterprise risk?
A. Presenting IT risk results in business terms.
B. Conducting business impact analysis.
C. Making Chief risk officer accountable.
D. Align IT strategy with business strategy.

Answers and Explanations

1. B: The other options, i.e. location of the asset and existing vulnerabilities in the asset, shall be covered during risk
assessment. An inventory of threats alone will not help; the impact due to each threat must be assessed.

2. C: Of the four main risk response options (accept, avoid, mitigate and transfer), insurance cover is a risk
response option of risk transfer.

3. B. By shifting location the business has avoided the risk associated with a Tsunami.

4. A. It is the definition of risk appetite. Risk tolerance is capacity to tolerate down time due to risk
materialization. Risk acceptance and risk mitigation are risk response decision based on risk appetite.

5. C. Main use of risk register is to develop risk profile of the organization for management’s review and
enable risk informed decisions.

6. B: The risk owner is primarily accountable for deciding on the nature of controls and implementing them. Generally
the risk owner is the process owner. The chief risk officer guides the risk owner; the IT head is responsible for responding to
risk owned by the IT head. Although the board of directors is ultimately accountable, for a specific risk the risk
owner is responsible.

7. C. A vendor's decision to stop supporting existing software changes the market situation in a way that will affect the
organization, since it has to take a decision on replacing the application. Release of a new application, though it
changes the market, may not affect the organization immediately as the organization may not need to
take action. A and D are internal decisions that will be taken after risk assessment and hence are not risk
factors.

8. D. Risk monitoring refers to the review of identified and assessed risks based on changes, incidents, and
periodically. The other options are part of the risk management framework.


9. B. Accepted risk, where controls are not implemented, is part of residual risk. Inherent risk is the total risk
before implementing controls. Current risk is the residual risk at a point in time during control
implementation.

10. A. Expressing IT risk in business terms, i.e. as impact on business, will help business in understanding the
relevance of IT risks. Business impact analysis may be useful; however, it may or may not help
depending upon the scope of the project. Making the chief risk officer accountable may help, but the best option is A. Aligning
IT strategy with business strategy shall help in defining a better IT plan, but it is at a higher level.

Module 4, Chapter 2: Information Security Management

Questions
1: The Primary objective of implementing Information security management is to:
A. Ensure reasonable security practices.
B. Comply with internal audit requirements.
C. Adopt globally recognized standards.
D. Protect information assets.

2: Which of the following is the primary function of information security policies?
A. Align information security practices with strategy.
B. Communicate intent of management to stakeholders.
C. Perform risk assessment of IT operations and assets.
D. Ensure compliance with requirements of standards.

3: IT security policies are a set of various policies addressing different IT areas based on the IT infrastructure of the
organization. Which of the following policies is most common in all organizations?
A. Acceptable use policy
B. BYOD policy
C. Data encryption policy
D. Biometric security policy

4: Data-Diddling refers to:
A. Data manipulation.
B. Data entry.
C. Data processing.
D. Data backup

5: Protecting integrity of data primarily focuses on:
A. Intentional leakage of data.
B. Accidental loss of data.
C. Accuracy and completeness.
D. Data backup procedures.

6. Primary function of information security steering committee is to:
A. Manage information security
B. Select security projects
C. Define security policies
D. Direct IT security strategy

7. Which of the following is primary reason for periodic review of security policy?
A. Compliance requirements.
B. Changes on board of directors
C. Changes in environment
D. Joining of new employees.


8. Main benefit of Control self-assessment is:
A. Replacement of internal audits
B. Implement strong controls
C. Removal of redundant controls
D. User awareness of controls

9. Which of the following is the best evidence indicating support and commitment of senior management for information
security initiatives?
A. Directive for adopting global security standard.
B. Higher percentage of budget for security projects.
C. Assigning responsibilities for security to IT head.
D. Information security is on monthly meeting agenda.

10. Which of the following is a concern for compliance with information security policy?
A. Decrease in low risk findings in audit report
B. High number of approved and open policy exceptions
C. Security policy is reviewed once in two years
D. Security policy is signed by chief information officer

Answers and Explanations

1. A. The primary objective of information security management is to provide adequate level of protection to
information security assets.

2. B. Policies are the vehicle to communicate management’s intent to all stakeholders. Information security
practices are aligned with business objectives and not the strategy. Security policies are defined as an outcome
of risk assessment. Compliance with a standard is not the primary function of policies.

3. C. An acceptable use policy, which addresses the use of IT assets by users, is most common in all organizations that
depend upon IT. The policies in the other options depend upon the organization’s use of BYOD, encryption or
biometrics.

4. A. Data Diddling is the changing of data before or during entry into the computer system with malicious intent.

5. C. Integrity primarily refers to reliability that is achieved by implementing controls to ensure accuracy and
completeness of data.

6. D. Primary function of IT security steering committee is to direct and guide IT security within organization.
Other functions can be delegated.

7. C. Changes in the environment introduce new risks. In order to address them it is necessary to review the security
policy based on an assessment of the new risks. The other options are secondary reasons.

8. D. The main benefit of control self-assessment is that process owners are aware of the risks and threats impacting the desired
outcome of the process, since they are asked to select and evaluate the controls.


9. D. Without senior management’s support, security cannot be a success. There are many activities through which senior
management is involved in an effective security initiative; reviewing the progress of security in the monthly meeting is
one of them. The other options may or may not indicate support unless there is more evidence to conclude.

10. B. Policy exceptions are temporary and must be reviewed and closed as per plan. Increasing number of
exceptions indicates that the policy provisions may not be appropriate and hence need to be reviewed. Others
are not concerns.

Module 4, Chapter 3: Information Assets and their Protection

Questions
1: Which of the following is Primary purpose of Information classification?
A. Comply with regulatory requirement
B. Assign owner to information asset
C. Provide appropriate level of protection
D. Reduce costs of data protection

2. Database administrator (DBA) is:
A. Information Custodian
B. System Administrator
C. End User
D. Data Owner

3: Effectiveness of information security awareness training program is best indicated by:
A. increased percentage of classified and labelled information.
B. increase in number of mails with attachments.
C. increase in number of incidents reported by users.
D. increase in percentage of contract employees.

4: Classification of information is primarily based on:
A. Where the information is stored?
B. Who has access to information?
C. What will happen if information is not available?
D. Why attachments to mail are encrypted?

5. Which of the following best helps in classifying the information within organizations?
A. Using minimum classes in classification schema.
B. Conducting training on classification schema.
C. Labelling all information based on classification schema.
D. Determining storage based on classification schema.

6. A business application is hosted on a server. Being a small application, the database required by the application is
also on the same server. Which of the following is the best way to determine the class of the server?
A. All servers are critical assets for organization
B. Based on classification of application hosted
C. Same as class of database decided by business
D. As decided by database administrator (DBA)

7. Which of the following is a major threat related to private data of customers collected by the organization?
A. Loss of data
B. Integrity of data
C. Data diddling
D. Identity theft


8. Which of the following controls can be implemented effectively due to classification of data?
A. Input validation
B. Access controls
C. Scanning for viruses
D. Internal audit

9. While determining the appropriate level of protection for an information asset, the IS auditor should PRIMARILY
focus on which of the following evidence?
A. Results of risk assessment
B. Relative value to business
C. List of users having access
D. Classification of asset

10. Which of the following is PRIMARY consideration for classifying information assets? Assets to be
classified based on:
A. level of protection provided.
B. inputs by data owner.
C. result of risk analysis.
D. requirements of security policy.

Answers and Explanations

1. C. Primary purpose of information classification is to provide appropriate level of protection to information assets.

2. A. The DBA is an information custodian, as the DBA is responsible for maintaining the database but does not have the right to
modify the data.

3. A. A security awareness program helps users and employees to understand the reason for security and helps in
implementing it effectively. Options B, C and D do not provide information on the improvement aspect.

4. C. It helps in assessing the associated risks and determining the protection level, i.e. the class of information. A, B and
C are determined based on classification.

5. B. Training users on how to classify information as per definition provided in classification schema shall best
help users in classifying the information. A. Number of classes shall depend upon organization’s objectives. C and
D are performed after classification of information.

6. C. The primary asset in this case is the data that is being stored and processed by the application. The server supports
the data and hence must be classified as per the classification of the database owned by the business function.

7. D. Misuse of customers’ private data can result in identity theft, making the organization liable for losses
and possibly affecting its reputation adversely. A, B and C are threats that can be managed by internal controls.

8. B. Information classification helps management in implementing better access controls for sensitive information.
Other controls are not related to data classification.


9. A. The appropriate level of protection for an asset is determined based on the risk associated with the asset, which
in turn is based on vulnerabilities. Results of the risk assessment, therefore, are the primary information the IS auditor
should review. Relative value of the asset to business is considered while assessing the impact of the associated risk.
Access to the asset is determined based on the classification of the asset and on a need-to-do basis, which is determined
based on the associated risk. Assets are classified based on the result of the risk assessment.

10. C. Assets must be primarily classified based on risk associated. Level of protection is to be decided
based on result of risk analysis and not the other way round. Inputs from the owner are useful in assessing
risk for the organization. Security policy provides intent of management however the policies are based
on result of risk analysis.

Module 4, Chapter 4: Physical and Environmental Controls

Questions
1. Which of the following is first action when a fire detection system raises the alarm?
A. Turn off the air conditioning.
B. Determine type of fire.
C. Evacuate the facility.
D. Turn off power supply

2. Which of the following is the most important control for an unmanned data center?
A. Access control for entry and exit for all doors.
B. The humidity levels need not be maintained.
C. The temperature must be at sub-zero level.
D. Halon gas based fire suppression system.

3. Primary purpose of access controlled deadman door, turnstile, mantrap is to:
A. Prevent unauthorised entry
B. Detect perpetrators
C. Meet compliance requirement
D. Reduce cost of guard

4. Which of the following is main reason for appointing human guards at main entrance of facilities?
A. Address visitors’ requirements to visit.
B. Issue the access cards to visitors.
C. Cost of automation exceeds security budget.
D. Deter the unauthorized persons.

5. Which of the following is major concern associated with biometric physical access control?
A. High acceptability.
B. High false positives.
C. High false negatives.
D. High cost.

6. Which of the following evidence is best to provide assurance on automated environmental controls?
A. Annual maintenance contract with vendor.
B. Simulation testing of devices during audit.
C. Device implementation report by vendor
D. Documented results of periodic testing.

7. What are the problems that may be caused by humidity in an area with electrical devices?
A. High humidity causes excess electricity, and low humidity causes corrosion.
B. High humidity causes power fluctuations, and low humidity causes static electricity.
C. High humidity causes corrosion, and low humidity causes static electricity.
D. High humidity causes corrosion, and low humidity causes power fluctuations.


8. Automated access controls open doors based on access cards, PINs, and/or biometric devices and are
powered by electricity. Which of the following is the best policy in case of power failure?
A. Keep the door in locked state
B. Open door and appoint guard
C. Find root cause of power failure
D. Arrange for battery backup

9. While selecting a site for a data center, which of the following sites is best?
A. On topmost floor to delay the unauthorised visitor from reaching it.
B. In the basement, not easily accessible to a perpetrator.
C. On ground floor so that users can access it easily.
D. On middle floor to strike a balance between the above concerns.

10. Which of the following is main reason for not allowing mobile devices into data center?
A. Unauthorized changes and access in configuration.
B. Prevent photography of data center layout.
C. User can provide information to attacker on phone.
D. Mobile devices generate wireless communication.

4.6 Answers and Explanations

1. C. Life safety takes precedence. Although the other answers are important steps, human life is always the
priority.

2. B. An unmanned data center requires strong physical access controls and environmental controls too.
However, the most essential are strong access controls. B, C and D are inappropriate controls. Halon is an
environmentally hazardous gas.

3. A. Primary purpose of all types of physical access control is to prevent unauthorized entry. Other
objectives are secondary.

4. A. Human guards make decisions and can address visitors’ requirements and direct them appropriately.
The others are supplementary functions.

5. B. A false positive is a concern in biometric access security as it results in unauthorized access. The other
options do not result in unauthorized access.

6. D. Automated environmental controls must be tested periodically by an expert, who provides a report on the
effective performance of the equipment. Simulated tests may not be possible for all controls. An AMC is a
contract; periodic testing is performance of the contract.

7. C. High humidity can cause corrosion, and low humidity can cause excessive static electricity. Static
electricity can short out devices or cause loss of information.

8. B. Best policy is to keep door open and appoint guard temporarily for monitoring accesses. Keeping
doors locked shall be a problem in evacuation in case of emergency. Finding root cause can be done
independently. Arranging Battery backup after power failure is not right policy.


9. D. The top floor and basement have a risk of seepage and flooding. The ground floor has a risk of easy attack.

10. A. Mobile devices can be connected to servers, resulting in unauthorized changes. The other concerns
are secondary.

Module 4, Chapter 5: Logical Access controls

Questions
1: Which of the following pair of authentication can be considered as two factor?
A. Password and passphrase
B. Passphrase and PIN
C. Token and access card
D. Access card and PIN

2: Which of the following is primary requirement of granting user access to information asset?
A. Identification
B. Authorization
C. Authentication
D. Need to know

3. Mandatory access controls are those controls that are:
A. Based on global standards
B. Defined by security policy
C. Part of compliance requirements
D. Granted by asset owner

4. Which of the following is a major concern associated with Single-Sign-on?
A. Multiple passwords are noted
B. User may select easy password
C. It is a single point of failure
D. High maintenance cost

5. Which of the following non-compliance with security policy is most difficult to detect or get evidence for?
A. Use of removable media
B. Password sharing by user
C. Access to banned web sites
D. Passing information over phone

6. Which of following processes in user access management is most essential to detect errors and omissions
resulting in unauthorised or excess accesses to users?
A. Identification
B. Authentication
C. Authorization
D. Review

7. While auditing compliance with password policy, IS auditor observed that configuration of password parameters
in system is as per policy. Which of the following the auditor should verify?
A. Review enforcement for sample users.
B. Verify all assets have same configuration.
C. Review log for password configuration.
D. Interview users on policy enforcement.


8. One time passwords are considered strong because they are:
A. active for short period.
B. communicated on mobile.
C. unique for each user.
D. unique for session.

9. Which of the following attacks to break a user's password is difficult to control?
A. Brute Force
B. Dictionary attack
C. Spoofing
D. Social engineering

10. Which of the following is a primary objective of implementing logical access controls?
A. Identify users on the system
B. Fixing accountability of actions
C. Authorize users based on role
D. Compliance with policy

Answers and Explanations

1. D. The three factors are what a user knows (PIN, password, passphrase), what the user possesses (access card,
token) and what unique characteristics the user has (biometrics). Use of any two factors for authentication is called
two factor. Options A, B and C, though strong, use only one factor.

2. A. Identification of user is first and primary requirement of granting access. Next will be authentication method
to be established and finally finding authorization levels based on role that also addresses need to know.

3. B. Mandatory accesses are those controls that are to be applied uniformly across organization and are defined
by security policy. D is discretionary access controls. B and C generally do not specify such requirements.

4. C. Single point of failure is a major concern. One password if compromised, all accesses for that user are
available to perpetrator.

5. B. Password sharing by user is most difficult to get evidence for or detect. Others can be monitored or enforced
using technology.

6. D. Periodic user access review helps in ensuring that all users have appropriate level of accesses. This happens
due to changes in internal environment like role changes, emergency situation, resignation and retiring of
employees. In such situations sometimes revocation of accesses is missed out, and can be corrected during
review.

7. C. Generally an automated configuration need not be reviewed for sample users, except for sample assets. However, it is
most important to review the password configuration changes for ongoing enforcement of the policy.

8. A. Strength of one-time password is that they are active for short time, if user does not login during that time the
password expires. Password is unique for each session and user, however it is not a strength. It can be
communicated by suitable means.


9. D. Social engineering attacks the weakest link, that is, the human. The attacker uses techniques to compel users to reveal
passwords and other confidential information, for example phishing. The other options are technology-based attacks
and can be detected or controlled.

10. B. Primary objective of implementing access controls is to fix accountability on user for their actions. Others
are means to implement access controls not objectives.

Module 4, Chapter 6: Network Security Controls

Questions

1. ………………….. is a method used to gather information about the communication network?
A. Reconnaissance
B. Brute force
C. Eavesdropping
D. Wiretapping

2. Message digest helps organization in getting assurance on:
A. Communication delivery
B. Data availability
C. Data integrity
D. Data confidentiality

3. While auditing an organization’s network, which of the following controls must the IS auditor verify first?
A. Encrypted communication.
B. Network zoning.
C. Firewall configuration.
D. Penetration test report.

4. Cryptographic checksum is a network control that:
A. Adds a parity bit after adding the data bits.
B. Translates data in a file into a hash value.
C. Transmits the data after encryption.
D. Translates the data into a parity checksum combination.

5. Primary function of Security operations center (SOC) is to:
A. Define baseline
B. Configure firewall
C. Monitor logs
D. Implement Antivirus

6. The intrusion detection monitoring on a host for data integrity attack by malicious software is a:
A. Technical control
B. Corrective control
C. Detective Control
D. Preventive Control

7. Which of the following is most important while performing penetration testing?
A. Maintain secrecy about testing.
B. Get consent from affected stakeholders.
C. Report to be provided to all users.
D. Perform test after office hours.


8. Most web based application attacks can be prevented by:
A. Input validation
B. Encryption
C. Penetration test
D. Access controls

9. Social engineering attacks can best be prevented by:
A. Intrusion detection system
B. Strong access controls
C. Two factor authentication
D. Awareness training

10. Which of the following is a type of malware that can be unintentional?
A. Virus
B. Logic bomb
C. Trojan
D. Worm

6.14 Answers and Explanations

1. A. Other methods are active attacks on network after getting information about networks.

2. C. Message digest is a hash function that helps in confirming integrity of data communicated over network.

3. B. Network segmentation or zoning is the first control to implement for network security. The other controls depend upon
segmentation.

4. B. A cryptographic checksum is a type of hash that is used to check the integrity of data after communication. It is different
from a parity bit, which adds an extra bit for each byte or word.

5. C. Primary function of a SOC is to collect and monitor logs based on identified rules. It also defines correlation
between various logs and identifies possible incidents, which are communicated to the respective asset owners. A is
the role of the security manager; B and D are roles of the network team.

6. C. Intrusion detection detects the possible intrusion attempt. It does not prevent or correct it. It is a control
implemented using technology.

7. B. It is most essential to get consent from affected asset owners before performing the test, so that they can
ensure that operations are not affected. Maintaining secrecy shall depend upon the type of test. The report must be kept
confidential and accessed only by a select few. The test is generally performed when it will have the least impact, but that is not
the most important consideration.

8. A. Most web application attacks, like SQL injection, can be prevented by validating input, which can reject the
attacker's input that would exploit a vulnerability. Encryption may or may not prevent an attack. A penetration test shall
provide input on vulnerabilities that must be closed. Access controls may prevent some attacks.

Module 4

9. D. Social engineering attack is attack on human and hence no technology can prevent it. It is best prevented by
awareness training.

10. B. Logic bomb can be unintentional due to mistakes of developers going unnoticed.

Chapter 1: System Development Life Cycle (SDLC) introduction and Concepts

Questions
1. System development life cycle (SDLC) primarily refers to the process of:
A. Developing IT based solution to improve business service delivery.
B. Acquiring upgraded version of hardware for existing applications.
C. Redesigning network infrastructure as per service provider’s needs.
D. Understanding expectations of business managers from technology.

2. Organizations should adopt programming/coding standards mainly because it:
A. Is a requirement for programming using high level languages.
B. Helps in maintaining and updating system documentation.
C. Is required for security and quality assurance function of SDLC.
D. Has been globally accepted practice by large organizations.

3. Which of the following is the main reason to perform User acceptance testing (UAT)?
A. To train and educate users on features of new solution.
B. To confirm from users that solution meets requirements.
C. To complete formality of sign-off to mark end of project.
D. To finalize the implementation plan for new IT solution.

4. An organization decided to purchase a configurable application product instead of
developing in-house. Outcome of which of the following SDLC phases helped the organization in
this decision?
A. Requirement definition
B. Feasibility Study
C. System analysis
D. Development phase

5. In which of the following phases of the SDLC must controls for security be considered FIRST?
A. Requirement definition
B. Feasibility study
C. System design
D. Implementation

6. IS auditor has been part of the SDLC project team. Which of the following situations does not
prevent the IS auditor from performing post implementation review? The IS Auditor has:
A. designed the security controls.
B. implemented security controls.
C. selected security controls.
D. developed integrated test facility.
Module 5

Answers and Explanations


1. A. SDLC primarily focuses on identifying IT based solutions to improve business processes
delivering services to customers. Other activities may be part of the SDLC; however, these are IT
projects, not SDLC projects.

2. C. Adopting coding standards helps the organization in ensuring quality of coding and in
minimizing errors. It also helps in reducing obvious errors which may lead to vulnerabilities
in the application. A is not true since standards are required for all languages, B is partially true but is not the main
reason. D is not the main reason.

3. B. UAT is mainly conducted to confirm from the users and application owners that application
meets their requirements. Sign-off is a formality to be completed only if requirements are met.
Training and implementation planning are different activities which are not dependent on UAT.

4. B. Make or buy decision is the outcome of the feasibility study, where technical, economic and
social feasibilities are considered.

5. A. Security requirements must be considered during requirement definition. However, the
nature of controls to be implemented for security must be considered first during the design phase.
This will ensure that necessary security controls are built in while developing the application. Security
controls are implemented and not designed during the implementation phase.

6. D. Active role of IS auditor in design and development of controls affects the independence.
Hence, IS auditor cannot perform review or audit of the application system. However, developing
integrated test facility within application is not a control, but a facility to be used by auditors in
future. Hence, this does not impact independence of IS auditor.
Chapter 2: Initiating SDLC

Questions
1. An organization has implemented an IT based solution to support a business function. Which
of the following situations shall indicate the need to initiate an SDLC project?
A. Vendor has launched a new hardware which is faster.
B. Organizations has unused surplus budget for IT.
C. Regulators have requested additional reports from business.
D. Competitor has launched an efficient IT based service.

2. A “Go or No Go” decision for SDLC project is primarily based on:
A. Feasibility Study
B. Business case
C. Budget provision
D. Market situation

3. Which of the following is the primary reason for organization to outsource the SDLC project?
Non-availability of:
A. Skilled resources
B. Budgetary approvals
C. Security processes
D. Infrastructure

4. Which of the following is an example of addressing social feasibility issue in SDLC project?
A. Organization decides to use existing infrastructure.
B. Beta version of application is made available to users.
C. Configuration of purchased software requires more cost.
D. Allowing employees to access social media sites.

5. Which of the following is not an indicator to assess benefit realization for internal application
software developed in-house?
A. Increase in number of customers because of new application.
B. Decrease in audit findings related to regulatory non-compliance.
C. Reduced number of virus attacks after implementing new software.
D. Increase in productivity of employees after implementation.

6. Which of the following requirements for an application to be developed for use by human
resource department are non-functional requirements? The application should:
A. Capture the employee data at the time of hiring.
B. Provide option to all to edit only their own information.
C. Capture performance details required for appraisals.
D. Use relational database as backend to store data.

Answers and Explanations


1. D. When a competitor launches a new, efficient IT based service, it becomes necessary for
management to consider the impact in the market place and, in order to remain in competition, provide
similar or better services. Options A and C may not require an SDLC project since they can be adopted
through the change management process. B may help in deciding for D, but is not the reason for
initiating an SDLC project.

2. C. Business case is a document that narrates all aspects, including benefit realization, cost and
effort estimates, outcome of feasibility study and available budget. This helps management in
deciding on the need for the SDLC project.

3. A. Non-availability of skilled resources required for application development is the primary reason
for outsourcing the SDLC project. Other reasons can be addressed, i.e. (B) budget can be made
available, (C) security processes can be established, (D) infrastructure can be acquired
depending upon the design of the new application, and hence these are not reasons.

4. B. In order to ensure the acceptability by users, beta version of solution is made available to
users. Based on feedback changes are made so that the solution can be socialized. Option A
addresses technical feasibility, Option C addresses economic feasibility. Option D addresses IT
policy that has nothing to do with SDLC.

5. C. Since the application is for internal use and developed in house it has nothing to do with
reduction in virus attacks. This can be benefit realization for anti-virus solution.

6. D. Specifications of the technology to be used are non-functional requirements.


Chapter 3: Project Management for SDLC

Questions
1. Who among the following is responsible for ongoing facilitation of a SDLC project?
A. Project sponsor
B. Project manager
C. Steering committee
D. Board of directors

2. A multi-national organization has decided to implement an ERP solution across all
geographical locations. The organization shall initiate a:
A. Project
B. Program
C. Portfolio
D. Feasibility study

3. Which of the following primarily helps project manager in mitigating the risk associated with
change in scope of software development project?
A. Change management process
B. Use of prototyping
C. Revising effort estimates
D. Baselining requirements

4. Monitoring which of the following aspects of an SDLC project shall help the organization in benefit
realization over a sustained period of time? The project adhering to:
A. Quality
B. Budget
C. Schedule
D. Methodology

5. Which of the following tools and techniques primarily help in improving productivity of SDLC
project team members?
A. Use of standard methodology
B. Software sizing using FPA
C. Developers’ workbench
D. Appropriate HR policies

6. While performing mid-term review of SDLC project, the IS auditor primarily focuses on:
A. Project risk management process
B. Adherence to the schedule
C. Reviewing minutes of steering committee meeting
D. Cost management is as per budget

Answers and Explanations


1. A. Project sponsor is the stakeholder having maximum interest / stake in the success of the project,
and its primary responsibility is to coordinate with various stakeholders for project success.
Project manager is responsible for executing the project activities. Steering committee monitors
project progress, but that is not an ongoing activity. Board of directors provides direction.

2. B. Considering the spread of the organization, it shall initiate a program for
implementing ERP, consisting of a different project for each location. The program shall be part
of the IT program portfolio of the organization. Since the decision has been made, the feasibility study either
has been completed or shall be initiated as part of the program.

3. D. Scope creep, i.e. continued changes in requirements during an SDLC project, is the most common
risk. If not properly handled, the project may be delayed and benefit realization from the project
shall be affected. The project manager therefore must freeze the scope by base-lining
requirements. Any change after base-lining shall follow the change management process. Change
management process without base-lining may not help. Project manager may or may not use
prototyping for freezing the requirements. Revised effort estimates are applicable after a change is
approved.

4. A. Quality is most important aspect for SDLC project, since it minimizes errors that can impact
operations.

5. C. Automated tools help the team in improving productivity, as these tools help in managing
mundane and structured activities so that developers can focus on core activities. Developers’
workbench provides various functions that help in improving productivity. Use of standards helps
in following uniform methods and reducing rework. Software sizing is useful in monitoring
productivity. HR policies may help in motivating the team, but that is secondary.

6. A. Auditor should primarily focus on risk management, which will provide inputs on events that
have impact on all aspects of the project. Options B, C and D help in confirming the findings from
review of the risk management process.
Chapter 4: Different Models and Methods for SDLC

Questions
1. An SDLC project for updating an existing application has been initiated; however, the project
manager has realized that the documentation has not been updated and source code is not
available. Which of the following methods shall help the project manager?
A. Business process reengineering
B. Reverse engineering
C. Component based development
D. Agile development method

2. Reusing already developed programs helps project manager in improving productivity.
Which of the following methodology is outcome of this concept?
A. Agile development methodology
B. Object oriented software development
C. Component based development
D. Rapid application development

3. Which of the following is a major weakness of agile development methodology?
A. High dependence on user interaction
B. Reduced focus on recording design
C. Reduced size of development team
D. Project manager is in role of facilitator

4. The primary advantage of prototyping is that it:
A. increases user interaction
B. helps in outsourcing decision
C. is used in rapid application development
D. helps in finalizing user requirements

5. Which of the following models addresses the weakness of the waterfall model related to
accommodating changes during the development stage?
A. Spiral model
B. Incremental model
C. Validation and verification
D. Web development method

6. Which of the following activities is most important for an IS auditor conducting mid-term review of
SDLC?
A. Ensure risks associated with development method are controlled.
B. Review appropriateness of development method.
C. Extrapolate the completion time based on current state.
D. Perform code review of programs developed so far.

Answers and Explanations


1. B. Reverse engineering helps in understanding existing system and therefore the primary
requirements that can be reengineered to develop new application. Project manager may use
any development method depending upon type of application to be developed and deployed.

2. C. Reusing already developed programs is most common in software development. However,
the development model based on this concept is called component based development, where
program components are already developed and the programmer may just use them directly. In
the object oriented method, objects and classes are reused after customizing. Agile and Rapid
development are not primarily developed for reusability.

3. B. The major challenge faced by Agile development is weak documentation of design and
related records, since it heavily depends upon working in interaction with users, where a small
team of experts captures requirements and develops functional code that can be deployed.

4. D. Prototyping helps in finalizing user requirements where users can review the prototype
and confirm if it meets the requirements. This method is used in various models like rapid
application development, agile development, spiral model etc.

5. C. Waterfall model requires finalization of earlier phase before beginning next phase. This
makes it difficult to accommodate subsequent changes. Validation and verification method helps
in overcoming this weakness by introducing iteration during each phase.

6. A. IS auditor should ensure that objectives of organization in initiating SDLC project are met
by confirming that the risks associated with development are controlled.
Chapter 5: System Acquisition Framework

Questions
1. While auditing the software acquisition process, the IS auditor should PRIMARILY review which of
the following to understand the benefits to the business?
A. System requirement specifications
B. Cost comparison of different products
C. Alignment of IT strategy with business
D. Vendor with lowest cost has been selected

2. While auditing outsourced software development, the IS auditor primarily ensures that:
A. vendor selected has experience in similar engagements
B. organization has followed established procurement process
C. outcome of feasibility study has indicated for outsourcing
D. ownership of design and source code has been established

3. Which of the following is primary objective of monitoring activities of vendor hired for
software development?
A. Invoke the penalty clause in contract.
B. Mitigate risk associated with performance.
C. Ensure senior management satisfaction.
D. Monitor third-party resource performance.

4. While acquiring application software the organization has finalized products as follows:

Product   Functional requirements coverage   User acceptability
A         96%                                50%
B         88%                                75%
C         80%                                95%
D         69%                                80%

The organization should select product:
A. Product A
B. Product B
C. Product C
D. Product D

5. Which of the following is a primary concern of management while considering acquisition of
new software?
A. New application does not have long term operational issues.
B. Vendor for application may not provide source code.
C. User acceptance testing has been performed but not signed off.
D. Change management for application is not defined.

6. Compliance with terms of license for software purchased is primarily which type of
compliance?
A. Legal
B. Contractual
C. Regulatory
D. Standard

Answers and Explanations


1. A. While acquiring software, organizations must focus on requirement specifications so as to
select the most appropriate product. If a product does not meet the requirements, it may not be
considered.

2. D. While outsourcing the software development the IS auditor must ensure that the ownership
of developed software is within the organization. In absence of this provision organization may
lose the IPR. Other things are secondary.

3. B. The primary objective of monitoring vendor activities is that the non-performance by vendor
should not impact the organization’s benefit realization plan.

4. C. The effective requirement coverage for each product is A = 48% (96 × 0.50), B = 66%
(88 × 0.75), C = 76% (80 × 0.95), D = 55% (69 × 0.80).

5. D. Absence of change management process is a major hurdle in support and maintenance
of application software. Other issues can be managed.

6. B. Terms of software license are governed by the contract between software vendor and
purchaser. Hence, it is a contractual compliance.
Chapter 6: Implementation and Maintenance

Questions
1. Which of the following processes during implementation of banking software is most critical to
minimize the risk associated with frauds?
A. Training and awareness
B. Data conversion
C. Hardware configuration
D. Procedure conversion

2. Which of the following is a major concern for IS auditor while auditing implementation phase
of SDLC project?
A. Requirements for resilient infrastructure are captured during implementation
B. Hardware acquisition has been delayed due to delay in procurement process
C. Organization has contracted multiple network service providers for connectivity
D. Organization has decided to use existing site for implementing new solution

3. Who among the following should be primarily responsible for approving changes to
application system?
A. Head of IT department
B. Business process users
C. Application administrator
D. Affected business stakeholders

4. Which of the following methods is most useful in implementing an ERP application at multiple
locations of the same organization?
A. Parallel
B. Pilot
C. Phased
D. Cut off

5. An organization has developed a web based application for the use of internal users to be
hosted on intranet. Before finalizing and making it live it was decided to make it available to
users for providing feedback. This is an example of:
A. Internal audit
B. Alpha testing
C. Beta testing
D. User training

6. A major concern associated with using sanitized old production data for testing new
application is that:
A. User may not provide sign off.
B. Production data may be leaked.
C. Integration testing cannot be performed.
D. All conditions cannot be tested.

Answers and Explanations


1. B. Fraudsters manipulate the data being entered into the system to commit fraud by exploiting
vulnerabilities in the process. Hence, the data conversion process must be monitored more closely
as compared to other processes.

2. A. Requirements for resilient infrastructure must have been considered during the requirement
phase, since they affect software development as well as procurement of redundant infrastructure.
Capturing this requirement during the implementation phase will have a major impact on benefit
realization. Other options are not major concerns; in fact, C is an advantage.

3. D. Changes to the application must be primarily approved by the application owner, who is also
the business process owner. However, a change in the application may also require changes in dependent
systems, hence it is best to get approval from all. To facilitate this process, generally a change
approval board is formed that represents all stakeholders.

4. B. Pilot method is most useful, as the organization can implement the application at one location
and run it for a few days. This will help in finalizing the basic configuration and also in learning from post
implementation issues. Once successful, the same can be replicated at other locations.

5. C. Beta testing is making product available for user for feedback before launching.

6. D. Production data generally may not cover all paths the data can take and hence system
cannot be tested for all possible cases. Data leakage is not a major concern since data is
sanitized. Options A and C are not concerns.
Questions
1. Organizations consider virtualization primarily to:
A. Optimize resource utilization
B. Eliminate hardware cost
C. Implement cloud application
D. Reduce license requirements

2. An organization is considering changing the hosting technology for an application accessed by
internal and external users. Which of the following options has the highest security concerns?
A. Client-server technology by providing customized client to users.
B. Private Cloud hosted within organization and accessed using web.
C. Outsourced services provided by third party on public cloud.
D. Establish own fiber optics network using service provider.

3. An organization hired a third party service provider to provide Software as a Service to
internal users. Which of the following documents should the IS auditor review first?
A. Service level agreement signed with service provider.
B. Business case document approved by the steering committee
C. Comparative analysis of requirements for different vendors
D. Feasibility study report containing outsourcing recommendations

4. Primary benefit of developing and providing application using mobile technology to
customers of organization is to:
A. Enhance security of data
B. Increase usage of technology
C. Stay ahead in competition
D. Enhance service delivery

5. Which of the following should the organization consider first while allowing users to access the
organization’s data from their own devices?
A. Formulating a policy for use of personal devices
B. Selection of encryption appropriate for all devices
C. Savings in cost required for acquiring devices
D. Define uniform configuration for personal device

6. Which of the following controls are most important for big data application?
A. Data encryption
B. Data classification
C. Data access
D. Data analysis

Answers and Explanations


1. A. Virtualization primarily helps in optimizing resources by allowing consolidation of hardware
and storage for applications running on diverse operating systems. Eventually it reduces costs,
but does not eliminate them, and that may not be the primary objective. Cloud technology uses virtualization to
optimize resources. Virtualization may not affect license requirements.

2. C. Public cloud services provided by a third party have the highest security concerns.

3. B. Business case is the first document IS auditor should review to understand the reasons
behind the decision. Business case generally covers feasibility study and requirement analysis.
SLA and vendor selection can be reviewed later.

4. D. Using a mobile application helps the organization add a service delivery channel that enables
customers to get information anywhere. It may not enhance security, usage of technology may
not be a concern for the organization, and although it may help in matching the competition, it may not
help in leading the market.

5. A. Organizations considering BYOD, must first formulate policy for usage of such devices so
as to protect the information of organization. Other aspects may be considered based on policy.

6. B. Although the most important controls for big data applications are access controls, since data is
stored in denormalized form, access controls need to be implemented at the data element level. This
can be achieved by data classification. Encryption controls can also be considered for the most
sensitive data based on classification, so that data analysis controls can be implemented
effectively.
Chapter 8: SDLC Reviews and Audit

Questions
1. The primary reason why post implementation review is not performed immediately after
implementation is to ensure that the auditor can:
A. Review change management process based on incidents
B. Measure changes in customer satisfaction levels
C. Compare benefits realized with business case
D. Comment on conformance of implementation process

2. While conducting post implementation review of implemented software, an IS auditor shall be
MOST interested in which of the following metrics? Increasing number of:
A. Help desk calls for improving service delivery.
B. Operational errors impacting service delivery.
C. Change requests approved to add new service.
D. Updates required in end user operations manual.

3. While reviewing the prioritization and coordination of SDLC projects and program
management, IS auditor shall FIRST ensure that:
A. Project selection framework is aligned with IT strategy.
B. Risks are identified, monitored and mitigated in time.
C. Projects are completed within stipulated time and budget.
D. Project and program related documentation is available.

4. While reviewing role of senior management in an organization’s IT project and program
management, IS auditor FIRST ensures that the senior management has:
A. Allotted appropriate budget and required resources.
B. Provided for monitoring of risks associated with projects.
C. Defined key performance indicators for each IT project.
D. Issued guidelines for implementing framework.

5. Which of the following pairs of activities can an IS auditor not perform as a team member for a software
development project?
A. Conduct the midterm review and recommend controls
B. Implement controls and develop integrated test facility
C. Develop a control module and perform unit testing
D. Implement controls and perform post implementation review

6. Which of the following SDLC project related documents shall best provide input on design of
controls in the application being developed?
A. Project business case and feasibility study
B. PERT, CPM diagrams and Gantt Charts

C. Application system detail design document
D. Detailed requirements specifications

Answers and Explanations


1. C. The primary reason for post-implementation review by IS Auditor is to ensure that the
organization can start realizing benefits described in business case. Other options are not primary.

2. B. Increasing number of errors affecting service delivery after implementing new application
indicates that the application contains bugs that are affecting service delivery and is a major
concern. Other options are normal processes and may or may not affect the service delivery.

3. A. Organization must have a standard project selection framework as per the organization’s IT
strategy, since that is going to help the steering committee in deciding the priority of project selection.
Other activities are required for project and program management.

4. D. Except for option D, the other activities are not performed by senior management.

5. D. Auditor cannot audit a project where auditor has been actively involved in implementation.

6. C. Detail design document shall best provide information on controls that are being embedded
in application being developed. Requirements shall also provide information. However, design shall
ensure that requirements are captured in design.
Chapter 1: BCM, BCP and DRP

Questions
1. An organisation's disaster recovery plan should address early recovery of:

A. All information systems processes.
B. All financial processing applications.
C. Only those applications designated by the IS Manager.
D. Processing in priority order, as defined by business management.

2. Which of the following is MOST important to have in a disaster recovery plan?

A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms

3. Which of the following BEST describes difference between a DRP and a BCP? The DRP:

A. works for natural disasters whereas BCP works for unplanned operating incidents such
as technical failures.
B. works for business process recovery and information systems whereas BCP works
only for information systems.
C. defines all needed actions to restore to normal operation after an un-planned incident
whereas BCP only deals with critical operations needed to continue working after an
un-planned incident.
D. is the awareness process for employees whereas BCP contains procedures to recover
the operation.

4. The MOST significant level of BCP program development effort is generally required during
the:

A. Early stages of planning.
B. Evaluation stage.
C. Maintenance stage.
D. Testing Stage.

5. Disaster recovery planning for a company's computer system usually focuses on:

A. Operations turnover procedures.
B. Strategic long-range planning.
C. The probability that a disaster will occur.
D. Alternative procedures to process transactions.
Module 7

6. An unplanned interruption of a normal business process is a:

A. Risk
B. Vulnerability
C. Disaster
D. Resilience

7. Which of the following strategies is not encompassed by a disaster recovery plan?

A. Preventive
B. Detective
C. Corrective
D. Administrative

8. Which of the following is not a fundamental of BCP?

A. Manage the risks which could lead to disastrous events.
B. Minimize the risks involved in the recovery process.
C. Reduce the costs involved in reviving the business from the incident
D. Mitigate negative publicity

9. Which phase starts with a damage assessment?

A. Crisis Phase
B. Emergency Response Phase
C. Recovery Phase
D. Restoration Phase

10. Which of the following is of utmost importance during the impact of a disaster?

A. Loss of Productivity
B. Loss of Revenue
C. Loss of Human Life
D. Loss of Goodwill & Market Share

Answers and Explanations


1. D. Business management should know what systems are critical and when they need to
process well in advance of a disaster. It is their responsibility to develop and maintain the
plan. Adequate time will not be available for this determination once the disaster occurs. IS
and the information processing facility are service organisations that exist for the purpose of
assisting the general user management in successfully performing their jobs.

2. A. Of the choices, a backup of compiled object programs is the most important in a
successful recovery. A reciprocal processing agreement is not as important, because
alternative equipment can be found after a disaster occurs. A phone contact list may aid in
the immediate aftermath, as would an accessible supply of special forms, but neither is as
important as having access to required programs.

3. C. The difference pertains to the scope of each plan. A disaster recovery plan recovers all
operations, whereas a business continuity plan retrieves business continuity (minimum
requirements to provide services to the customers or clients). Choices A, B and D are
incorrect because the type of plan (recovery or continuity) is independent from the sort of
disaster or process and it includes both awareness campaigns and procedures.

4. A. A company in the early stages of business continuity planning (BCP) will incur the most
significant level of program development effort, which will level out as the BCP program
moves into maintenance, testing and evaluation stages. It is during the planning stage that
an IS Auditor will play an important role in obtaining senior management's commitment to
resources and assignment of BCP responsibilities.

5. D. It is important that disaster recovery identify alternative processes that can be put in place
while the system is not available.

6. C. A disaster is an event which interrupts business processes sufficiently to threaten the viability
of the organisation. Risk is a combination of the probability of an event and its consequence.
Vulnerability is the degree to which a person, asset, process, information, infrastructure or
other resources are exposed to the actions or effects of a risk, event or other occurrence.
Resilience is the ability of an organisation to resist being affected by the incident.

7. D. There are three basic strategies that encompass a disaster recovery plan: preventive
measures, detective measures, and corrective measures. Preventive measures will try to
prevent a disaster from occurring. These measures seek to identify and reduce risks.
Detective measures are taken to discover the presence of any unwanted events within the
IT infrastructure. Their aim is to uncover new potential threats. Corrective measures are
aimed to restore a system after a disaster or otherwise unwanted event takes place.
Module 7

8. D. Mitigating negative publicity is an objective of business continuity management; the
rest are the fundamental aims of BCP.

9. D. Restoration phase will start with a damage assessment, usually within a day or so of the
disaster, when the cause for evacuation or stopping of operations has ended, normal working
will be restarted. During the Restoration Phase, any damage to the premises and facilities
will be repaired.

10. C. Protection of human life is of utmost importance and the overriding principle behind continuity
plans. Rest all are to be considered later.
Chapter 2: Strategies for development of BCP

Questions
1. Which of the following control concepts should be included in a complete test of disaster
recovery procedures?

A. Rotate recovery managers.
B. Invite client participation.
C. Involve all technical staff.
D. Install locally stored backup.

2. An advantage of the use of hot sites as a backup alternative is:

A. The costs related with hot sites are low.
B. That hot sites can be used for a long amount of time.
C. That hot sites do not require that equipment and systems software be compatible with
the primary installation being backed up.
D. That hot sites can be made ready for operation within a short span of time.

3. All of the following are security and control concerns associated with disaster recovery
procedures EXCEPT:

A. Loss of audit trail.
B. Insufficient documentation of procedures.
C. Inability to restart under control.
D. Inability to resolve system deadlock.

4. Which of the following business recovery strategies would require the least expenditure of
funds?

A. Warm site
B. Empty shell
C. Hot site
D. Reciprocal agreement

5. Which of the following is NOT a feature of an uninterruptible power supply (UPS)?

A. It provides electrical supply to a computer in the event of a power failure.
B. It is an external piece of equipment or can be built into the computer itself.
C. It should function to allow an orderly computer shutdown.
D. It uses a greater wattage into the computer to ensure enough power is available.

6. Which of the following would warrant a quick continuity of operations when the recovery
time window is short?

A. A duplicated back-up in an alternate site
B. Duplicated data in a remote site
C. Transfer of data the moment a contingency occurs
D. A manual contingency procedure

7. For which of the following applications would rapid recovery be MOST crucial?

A. Point-of-sale
B. Corporate planning
C. Regulatory reporting
D. Departmental chargeback

8. Which of the following principles must exist to ensure the viability of a duplicate information
processing facility?

A. The site is near the primary site to ensure quick and efficient recovery is achieved.
B. The workload of the primary site is monitored to ensure adequate backup is complete.
C. The site contains the most advanced hardware available from the chosen vendor.
D. The hardware is tested when it is established to ensure it is working properly.

9. While reviewing the business continuity plan of an organisation, the IS auditor observed that
the organisation's data and software files are backed up on a periodic basis. Which
characteristic of an effective plan does this demonstrate?
A. Deterrence
B. Mitigation
C. Recovery
D. Response

10. As updates to an online order entry system are processed, the updates are recorded on a
transaction tape and a hard copy transaction log. At the end of the day, the order entry files
are backed up onto tape. During the backup procedure, the disk drive malfunctions and the
order entry files are lost. Which of the following are necessary to restore these files?

A. The previous day's backup file and the current transaction tape
B. The previous day's transaction file and the current transaction tape
C. The current transaction tape and the current hardcopy transaction log
D. The current hardcopy transaction log and the previous day's transaction file
Chapter 2: Strategies for development of BCP

Answers and Explanations


1. A. Recovery managers should be rotated to ensure the experience of the recovery plan is
spread. Clients may be involved but not necessarily in every case. Not all technical staff
should be involved in each test. Remote or off-site backup should always be used.

2. D. Hot sites can be made ready for operation normally within hours. However, the use of
hot sites is expensive, should not be considered as a long-term solution and does require
that equipment and systems software be compatible with the primary installation being
backed up.

3. D. The inability to resolve system deadlock is a control concern in the design of database
management systems, not disaster recovery procedures. All of the other choices are control
concerns associated with disaster recovery procedures.
4. D. Reciprocal agreements are the least expensive because they usually rely on a
gentlemen's agreement between two firms.

5. D. A UPS typically cleanses the power to ensure wattage into the computer remains
consistent and does not damage the computer. All other answers are features of a UPS.

6. D. A quick continuity of operations could be accomplished when manual procedures
for a contingency exist. Choices A, B and C are options for recovery.

7. A. A point-of-sale system is a critical online system that when inoperable will jeopardize
the ability of a company to generate revenue and properly track inventory.

8. B. Resource availability must be assured. The workload of the site must be monitored
to ensure that availability for emergency backup use is not impaired. The site chosen
should not be subject to the same natural disaster as the primary site. In addition, a
reasonable compatibility of hardware/software must exist to serve as a basis for backup.
The latest or newest hardware may not adequately serve this need. Testing the site
when established is essential, but regular testing of the actual backup data is necessary
to ensure the operation will continue to perform as planned.

9. B. An effective business continuity plan includes steps to mitigate the effects of a disaster.
To have an appropriate backup plan, an organisation should have a process capability
established to restore data and files on a timely basis, mitigating the consequence of a
disaster. An example of deterrence is when a plan includes installation of firewalls for
information systems. An example of recovery is when a plan includes an organisation's hot
site to restore normal business operations.

10. A. The previous day's backup will be the most current historical backup of activity in the system. The
current day's transaction file will contain all of the day's activity. Therefore, the combination of these
two files will enable full recovery up to the point of interruption.
Chapter 3: Audit of BCP

Questions
1. An IS auditor reviewing an organisation's information systems disaster recovery plan should
verify that it is:

A. Tested every 1 month.
B. Regularly reviewed and updated.
C. Approved by the chief executive officer
D. Approved by the top management

2. Which of the following would an IS auditor consider to be the MOST important to review
when conducting a business continuity audit?

A. A hot site is contracted for and available when needed.
B. A business continuity manual is available and current.
C. Insurance coverage is sufficient
D. Media backups are performed on a timely basis and stored off-site.

3. Which of the following findings would an IS auditor be MOST concerned about when
performing an audit of backup and recovery and the offsite storage vault?

A. There are three individuals with a key to enter the area
B. Paper documents are also stored in the offsite vault
C. Data files, which are stored in the vault, are synchronized
D. The offsite vault is located in a separate facility

4. A company performs full back-up of data and programs on a regular basis. The primary
purpose of this practice is to:

A. Maintain data integrity in the applications.
B. Restore application processing after a disruption.
C. Prevent unauthorized changes to programs and data.
D. Ensure recovery of data processing in case of a disaster.

5. Which of the following procedures would an IS auditor perform to BEST determine whether
adequate recovery/restart procedures exist?

A. Reviewing program code
B. Reviewing operations documentation
C. Turning off the UPS, then the power
D. Reviewing program documentation

6. An IS auditor performing a review of the back-up processing facilities would be MOST
concerned that:

A. Adequate fire insurance exists.
B. Regular hardware maintenance is performed.
C. Offsite storage of transaction and master files exists.
D. Backup processing facilities are fully tested.

7. Which of the following offsite information processing facility conditions would cause an IS
auditor the GREATEST concern?

A. Company name is clearly visible on the facility.
B. The facility is located outside city limits from the originating city.
C. The facility does not have any windows.
D. The facility entrance is located in the back of the building rather than the front.

8. Which of the following methods of results analysis, during the testing of the business
continuity plan (BCP), provides the BEST assurance that the plan is workable?
A. Quantitatively measuring the results of the test
B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results

9. An IS auditor conducting a review of disaster recovery plan (DRP) at a financial processing
organisation has noticed that existing DRP was compiled two years ago by a systems
analyst using information from operations department. The plan was presented to CEO for
approval but it is not yet approved. The plan has never been updated, tested or circulated to
key management and staff, though interviews show that each would know what action to
take for their area in the event of a disruptive incident. The IS auditor's report should
recommend:
A. The deputy CEO be censured for his failure to approve the plan.
B. A board of senior managers be set up to review the existing plan.
C. The existing plan be approved and circulated to all key management and staff.
D. An experienced manager coordinates the creation of a new plan or revised plan within
a defined time limit.

10. Which of the following would be of MOST concern for an IS auditor reviewing back-up
facilities?

A. Adequate fire insurance exists.
B. Regular hardware maintenance is performed.
C. offsite storage of transaction and master files exists.
D. backup processing facilities are fully tested.

Answers and Explanations


1. B. The plan must be reviewed at appropriate intervals, depending upon the nature of the
business and the rate of change of systems and personnel, otherwise it may quickly become
out of date and may no longer be effective (for example, hardware or software changes in
the live processing environment are not reflected in the plan). The plan must be subjected
to regular testing, but the period between tests will depend on nature of the organisation and
relative importance of IS. Three months or even annually may be appropriate in different
circumstances. Although the disaster recovery plan should receive the approval of senior
management, it need not be the CEO if another executive officer is equally, or more
appropriate. For a purely IS-related plan, the executive responsible for technology may have
approved the plan. The IS disaster recovery plan will usually be a technical document and
relevant to IS and communications staff only.

2. D. Without data to process, all other components of the recovery effort are in vain. Even in
the absence of a plan, recovery efforts of any type would not be practical without data to
process.

3. C. More than one person would need to have a key to the vault and location of the vault is
important, but not as important as the files being synchronized. Choice A is incorrect
because more than one person would typically need to have a key to the vault to ensure that
individuals responsible for the offsite vault can take vacations and rotate duties. Choice B is
not correct because the IS auditor would not be concerned whether paper documents are
stored in the offsite vault. In fact, paper documents such as procedural documents and a
copy of the contingency plan would most likely be stored in the offsite vault.

4. B. Back-up procedures are designed to restore programs and data to a previous state prior
to computer or system disruption. These backup procedures merely copy data and do not
test or validate integrity. Back-up procedures will also not prevent changes to program and
data. On the contrary, changes will simply be copied. Although backup procedures can ease
the recovery process following a disaster, they are not sufficient in themselves.

5. B. Operations documentation should contain recovery/restart procedures so that
operations can return to normal processing in a timely manner. Turning off the UPS and
then turning off the power might create a situation for recovery and restart, but the
negative effect on operations would prove this method to be undesirable. The review of
program code and documentation generally does not provide evidence regarding
recovery/restart procedures.

6. C. Adequate fire insurance and fully tested backup processing facilities are important
elements for recovery, but without the offsite storage of transaction and master files, it
is generally impossible to recover. Regular hardware maintenance does not relate to
recovery.

7. A. The offsite facility should not be easily identified from the outside. Signs identifying
the company and the contents of the facility should not be present. This is to prevent
intentional sabotage of the offsite facility should the destruction of the originating site be
from malicious attack. The offsite facility should not be subject to the same natural
disaster that affected the originating site. The offsite facility must also be secured and
controlled just as the originating site. This includes adequate physical access controls
such as locked doors, no windows and human surveillance.

8. A. Quantitatively measuring the results of the test involves a generic statement
measuring all the activities performed during BCP, which gives the best assurance of
an effective plan. Although choices B and C are also quantitative, they relate to specific
areas or an analysis of results from one viewpoint, namely the accuracy of the results
and the elapsed time.

9. D. The primary concern is to establish a workable disaster recovery plan which reflects
current processing volumes to protect the organisation from any disruptive incident.
Censuring the deputy CEO will not achieve this, and is generally not within the scope of
an IS Auditor to recommend anyway. Setting up a board to review the plan, which is two
years out of date, may achieve an updated plan, but is not likely to be a speedy operation
and issuing the existing plan would be folly without first ensuring that it is workable. The
best way to achieve a disaster recovery plan in a short timescale is to make an
experienced manager responsible for coordinating the knowledge of other managers,
as established by the audit interviews, into a single, formal document within a defined
time limit.

10. C. Adequate fire insurance and fully tested backup processing facilities are important
elements for recovery, but without the offsite storage of transaction and master files, it is
generally impossible to recover. Regular hardware maintenance does not relate to recovery.
DISA Review Questions, Answers Manual

The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi
© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system,
or transmitted, in any form, or by any means, electronic mechanical, photocopying, recording,
or otherwise, without prior permission, in writing, from the publisher.

DISCLAIMER
The views expressed in this material are those of author(s). The Institute of Chartered
Accountants of India (ICAI) may not necessarily subscribe to the views expressed by the
author(s).
The information in this material has been contributed by various authors based on their
expertise and research. While every effort has been made to keep the information cited in this
material error free, the Institute or its officers do not take the responsibility for any
typographical or clerical error which may have crept in while compiling the information
provided in this material. There are no warranties/claims for ready use of this material as this
material is for educational purpose. The information provided in this material are subject to
changes in technology, business and regulatory environment. Hence, members are advised to
apply this using professional judgement. Please visit CIT portal for the latest updates. All
copyrights are acknowledged. Use of specific hardware/software in the material is not an
endorsement by ICAI.

Revised Edition : May 2018

Committee/Department : Digital Accounting and Assurance Board

Email : [email protected]; [email protected]

Website : www.icai.org/ http://pqc.icai.org

Price : `

ISBN No : 978-81-8441-810-1

Published by : The Publication Department on behalf of the Institute of
Chartered Accountants of India, ICAI Bhawan, Post Box No.
7100, Indraprastha Marg, New Delhi-110 002.

Printed by : Sahitya Bhawan Publications, Hospital Road,
Agra - 282 003.
Contents
1. Primer on Information Technology, IS Infrastructure & Emerging Technologies 1
2. Information Systems Assurances Services 181
3. Governance and Management of Enterprise Information Technology,
Risk Management & Compliance 208
4. Protection of Information Assets 257
5. Systems Development – Acquisition, Maintenance and Implementation 369
6. Business Application Software Audit 393
7. Business Continuity Management 409
Module 1
Primer on Information Technology, IS
Infrastructure & Emerging Technologies

1. The KEY components of IT Infrastructure are ___________________

A. Users, Applications, DBMS, System Software, Network & Hardware
B. Computing systems, satellite dishes, ISDN lines, Radio towers
C. Concrete building, air conditioning, fire extinguishers, sprinklers
D. Large servers, desktop computers, laptops, tablets
KEY A
Justification
A. All information systems will have these elements as common to them since
interactions will take place between them in such systems. This is explained in
para 1.2.
B. B, C and D are incorrect since they are not speaking of the common elements of
any information system but of various types of equipment alone (B), physical
infrastructure alone (C) or merely various types of computing devices (D).
2. Auditors dealing with organizations deploying IT need to have ______________
A. Adequate working knowledge of IT hardware & software
B. Expertise in all areas of IT technology
C. Thorough knowledge on the financial aspects alone
D. Expertise both in financial and IT technology aspects
KEY A
Justification
A. C.A.s' knowledge of IT technology need not and cannot be complete and total.
They only need adequate knowledge to effectively audit the IT functions of an
organization
B. C.A.s cannot be expected to be experts in all areas of IT technology; this is not
their role
C. Knowledge of financial aspects alone in a technology oriented function like IT will
not facilitate effective auditing of the IT function
D. A C.A. cannot be expected to have thorough knowledge of both financial & IT
technology aspects
3. People, the most important element of information systems, comprise
________________
A. Users of the system in the head office and branches
B. All users of the system and all information system personnel
C. All employees except information system personnel
D. Employees involved with maintenance of the information system
KEY B
Justification
A. It does not exclude the people managing the IT system
B. As brought out in paragraph 1.2.1, the scope of IT covers both the actual users
as well as those involved in managing the IT system
C. It includes the information system management personnel
D. The actual users of the system are also KEY to the IT system
4. Application software is a collection of programs which ______________
A. Operates computer hardware & facilitates use of system software
B. Exclusively used for generating applications to govt. bodies
C. Addresses a real life problem for its end users
D. Helps users generate complaints to IT services dept. alone
KEY C
Justification
It is system software which helps run hardware & facilitates use of application software.
Options B & D are also wrong & are not generic definitions of application software. As
explained in paragraph 1.2.2, application software are programmes that help address
business, scientific or other needs of its end users
5. Hardware refers to___________________
A. All computer parts except those which are soft, made of glass or plastic
B. Devices performing Input, output, processing & data storage functions of a
computer


C. All connecting tubes, hoses, joints, cables and pipelines carrying IT cables
D. All parts of the computer which are complex and hard to understand
KEY B
Justification
A. A, C & D are clearly wrong answers which have no relation to the definition in
paragraph 1.2.6
B. As defined clearly in paragraph 1.2.6
6. The basic sequential steps of the machine cycle performed by the CPU are
_____________
A. Fetch, Decode, Execute and Store
B. Decode, Execute, Store and Fetch
C. Store, Fetch, Decode and Execute
D. Execute, Fetch, Decode and Store
KEY A
Justification
As defined clearly in paragraph 1.3.2
B,C & D are clearly wrong answers which contain the wrong sequence
7. Cache memory ________________
A. Is a large, slow memory which is no longer used in computers
B. Helps bridge speed difference between Registers and Primary Memory
C. Is a virtual memory which is an image of another memory
D. Is a memory where only valuable, secret information is stored
KEY B
Justification
Cache memory is a small & fast memory very much in use even today.
As brought out in paragraph 1.3.3
It is not a virtual memory
It maintains copies of most frequently used data from main memories and not only for
secret information
8. Secondary Memory _______________


A. Is volatile memory with large storage capacities
B. Is non-volatile memory which is fast & responsive
C. Is non-volatile memory with large storage capacities
D. Involves higher cost per unit of information than RAM
KEY C
Justification
Secondary memory is not volatile.
It is not fast.
As brought out in paragraph 1.3.3, secondary memory is non-volatile, with large storage
capacities. It is, however, slower than registers or primary storage.
Its cost per unit of information is lower than RAM
9. One Megabyte is equal to ___________________
A. 1024 x 1024 Bytes
B. 1000 Kilobytes
C. 1000 Bytes
D. 1,000,000 Bytes
KEY A
Justification
1 Megabyte equals 1024 Kilobytes or 1024 x 1024 Bytes.
All the other answers are, therefore, obviously wrong.
10. Unicode _____________
A. Uses 16 Bytes for character coding & has replaced other major coding systems
B. Uses 7 bits for character coding
C. Uses 16 bits for character coding & has replaced other major coding systems
D. Uses 8 bits for character coding
KEY C
Justification
A, B & D are obviously wrong.
C. Unicode uses 16 bits for character coding & has replaced other major coding
systems as brought out in paragraph 1.4


11. Implementing Hardware Monitoring Procedures ______________

A. Is expensive and not cost effective
B. Reduces Total Cost of Ownership & improves Return on Investment
C. Is cumbersome & time consuming
D. Leads to increased server downtime
KEY B
Justification
Para 1.5.3 establishes that the other options are wrong & it makes sense to implement
hardware monitoring procedures.
As brought out in paragraph 1.5.3
12. Some factors that affect the requirement & capacity of various hardware are
____________
A. Number of employees in the organization
B. Variety of markets in which operations happen
C. Nature of the products dealt with in the organization
D. Transaction volume, Computation complexity
KEY D
Justification
As brought out in paragraph 1.5.4. This para also establishes that the other options are
wrong.
13. A KEY issue in retirement of hardware is security & disposal of data. Robust
policies need to be in place for hardware retirement cycles, archiving of data,
closure of licensing and/or contracts.
A. FALSE
B. TRUE
KEY B
Justification
As brought out in paragraph 1.5.5, this statement is factually correct
14. Hardware Auditing ________________
A. Is best carried out by the purchase department of the I.T. department
B. Primarily encompasses hardware acquisition & capacity management


C. Should be restricted to the financial aspects of hardware usage
D. Is not as critical as software auditing which can be a more vulnerable area
KEY B
Justification
Hardware is a vulnerable area which needs to be closely reviewed by Audit. Hence, the
other three options are not correct.
Paragraph 1.6 elaborates on the criticality of hardware acquisition & capacity
management as KEY Areas of Hardware auditing.
15. Software _________________
A. Software consists of clearly-defined instruction sets that upon execution, tell a
computer what to do
B. Refers to all the soft parts of any computer system
C. Is not as important as hardware; a system can operate even without it
D. Are only those programs which convert machine language to English
KEY A
Justification
Paragraph 2.1 incorporates this definition.
While option B is obviously incorrect, C is wrong since it would be impossible to operate
any computer without software. D, too, is wrong since software plays a role much
beyond that of converting machine language to English
16. System Software _______________
A. Is specific to each application software and cannot be interchanged
B. Co-ordinates instructions between application software and hardware
C. Cannot be used for application development
D. Is not involved in I/O devices connectivity
KEY B
Justification
Definition as per paragraph 2.1.1. It is actually generic and can be used with any
application (option A). It can actually be the basis for application development
(option C). It enables I/O devices connectivity (option D).
17. Application Software __________________
A. Microsoft Office is not an example of application software


B. Cannot be directly interacted with by end users
C. Is a set of software that performs a function directly for the end user
D. Can be directly used on a computer even without system software
KEY C
Justification
As clearly defined in 2.1.2. Microsoft Office is, indeed, an example of application
software. (option A). A KEY Aspect of application software is that it can be directly
interacted with by end users (option B). Lastly, a computer cannot be run without
system software as brought out in earlier notes
18. An Operating System is ______________
A. An intermediary agent that manages computer resources among various
processes
B. An application software which is in operation in a computer network
C. A new type of software which has been introduced in the latest computers only
D. A computer system which has been switched on and is in proper operation
KEY A
Justification
The definition is as per paragraph 2.2. As for the other options, an operating system is,
obviously a system software and not an application software (option B). It is not a new
type of software and has been an intrinsic part of all computer systems for long (option
C). Though option D may not appear to be factually incorrect, this is not the sense in
which the term Operating System is used in this context.
19. State True or False : Operating Systems can be single user / multi user,
multi processing or real time.
A. FALSE
B. TRUE
KEY B
Justification
This has been clearly elaborated in paragraph 2.2.1
20. Processor Management refers to _______________
A. Management of the various processors by the Systems Executive
B. Training of the end-user for optimal use of computer systems


C. Optimisation of use of application software on a personal computer
D. Process or task scheduling carried out by the Operating System
KEY D
Justification
As brought out in paragraph 2.2.2, Processor Management is one of the KEY roles
played by an Operating system. It enables process scheduling. The Operating system is
part of the main computer system and one of its KEY roles is process scheduling. It has
nothing to do with the management role of Systems Executives or with training of end
users (options A & B). It is not relevant to application software optimisation (option C).
21. Which of the following is performed by the Operating System ________________
A. Supports virtual memory by carving out an area of hard disk
B. Supports virtual memory on external storage device
C. Supports secondary memory by allocating an area of hard disk
D. Supports end user in carrying out specific functions
KEY A
Justification
The Operating System supports RAM by carving out an area of hard disk to create a
virtual memory (option A). It does not do this on any external storage device (option B).
The OS can only assist expansion of RAM space by carving out hard disk space, not
secondary memory (option C). The OS is only an intermediary agent and does not
interact directly with the end user (option D).
22. Which of the following is a role of the Operating System ______________
A. Helps manage Data bases of various types
B. Facilitates use of spread sheets by end users
C. Manages device communication with respective drivers
D. Helps programmers to create computer programs
KEY C
Justification:
One of the key functions of the Operating System is insulating the end user from the
peculiarities of each hardware device (option C). The OS is not directly involved in the use of
databases or spreadsheets; nor is it useful for writing programs. One would need
program development software for that purpose (options A, B & D).

8
Primer on Information Technology, IS Infrastructure & Emerging Technologies

23. Fifth Generation programming language _________________
A. It comprises machine language & code
B. Is mainly used in Artificial intelligence
C. Cannot solve a problem without a programmer
D. It uses long instructions & is machine dependent
KEY B
Justification:
Fifth generation programming language is the most advanced of the languages & is
used in artificial intelligence. It is, thus, not based upon primitive machine language and
code. It is also pre-programmed with options in such a way that minimum intervention of
a programmer is required. It is much simpler and platform independent as compared to
first generation programming languages (options A, C & D).
24. What is the function of a Compiler?
A. It translates Assembly language into Machine language
B. It translates statements of a program into machine code, line by line
C. A compiler translates a high level language program into a machine language
program
D. It allows a user to create and edit files
KEY C
Justification
A compiler basically translates a high level program into machine code. It does not
operate at the level of converting Assembly language into machine code or, like an
Interpreter, translate into machine code line by line (options A and B). It is also not an
Editor program to create and edit files (option D).
25. Which software controls, among other things, ownership assignment of all data
for accountability?
A. Access Control Software
B. Data Communications Software
C. Utility programs
D. Defragmenters
KEY A
Justification
It is access control software which is vested with the responsibility for assigning
ownership of all data for purposes of accountability (para 2.3.2). Data Communications
software generally assists the OS for local and remote terminal access (option B). Utility
programs and defragmenters basically help improve computer efficiency and
performance and have nothing to do with ownership assignment of all data.
26. Access control lists in the OS manage OS Controls. The lowest level of control
that can be exercised is, generally, up to :
A. The level of an individual directory
B. The level of a particular page in a file
C. The level of individual words in a file
D. The level of individual files
KEY D
Justification
Most systems are designed to exercise access control only up to the level of a file and
not below. Hence the choice of D as the right option above and the rejection of the
other options.
27. State Yes or No
In a newly formed organization, the System Administrator is faced with requests for
access to particular files from multiple users. On closer scrutiny, he finds that though
the users are different, he is able to detect a pattern whereby individuals handling
particular functions all seek access to the same files. The System Administrator is
aware that, while the individuals handling these functions may change, the actual
functions, by and large, are permanent. He feels that it would be simpler to provide
access control for files to particular functions and would like to know the feasibility of
doing so in the Operating System. What is your view? Is it possible to provide access to
‘Roles’ which could comprise multiple users, instead of creating individual access
controls for each of the users?
A. Yes, it would be possible
B. No, it would not be possible
KEY A
Justification
Access control lists are widely used with Roles comprising multiple users. The individual
users can keep changing depending upon the roles they take up. Hence, Option A
above is correct.
28. What is the first step in Software acquisition?
A. Establish criteria for selecting and rejecting alternatives
B. Carry out Cost/Benefit analysis, including make or buy decision
C. Establish scope, objectives background & project charter
D. Determine supplier’s technical capabilities & support services
KEY C
Justification
Without first establishing the scope and objectives, software acquisition may end up
failing on fundamental aspects of meeting end user needs. This would be the starting
point, therefore, for any acquisition exercise. The other options get ruled out by default.
29. What is an Endpoint device?
A. A device used as a pointer during Power point presentations
B. The key-board or a mouse on a computer
C. A device which identifies the end of each software program
D. An internet-capable computer hardware device on a TCP/IP network
KEY D
Justification
Endpoint devices can be computers, smart phones, thin clients, etc. which have
connectivity to the internet as brought out in option D. The very fact that they have this
connectivity raises concerns of security with respect to possible leakage of information
to the outside world or vulnerability to virus or other malicious software which may
attempt to enter the system from the internet.
30. What is Digital Rights Management?
A. Management of binary digit codes in the system software
B. Technology used for preventing users from using the content in any manner other
than that permitted by the content provider
C. Conversion of analog records to digital mode
D. Optimization of binary digit codes in application software
KEY B
Justification
Digital Rights Management refers to the control on use of copyrighted / IPR material
and, hence, option B is correct. The other options are wrong.
31. Does the Operating System need auditing?
A. Yes; there is risk of the OS being compromised
B. No; the application software prevents direct access to the OS
C. No; the OS is a robust system which cannot be tampered with
D. No, it is adequate if the application software are audited
KEY A
Justification
Though, in the normal course, end-users do not have direct access to the OS, they
could find ways of bypassing the application software and reaching the OS.
Unlike the application software, which has strong security features to prevent end users
from tampering with data which is not open to them, the OS is relatively more vulnerable
since it sees all data as simple bits/bytes and cannot even distinguish between different
types of data of different criticality.
32. Which of the following is the correct sequence of data hierarchy?
A. File, Database, Record, Field, Characters
B. Database, Record, File, Field, Characters
C. Database, File, Record, Field, Characters
D. Database, File, Field, Character, Records
KEY C
Justification
The sequence of hierarchy from higher to lower levels is clearly as per Option C; the
sequences given in the other options are, therefore, wrong.
33. What are Characters?
A. Characters are a group of bytes
B. Characters are a collection of bits
C. Characters are a group of 8 records
D. Characters are a group of 16 records
KEY B
Justification
Characters are at the lowest level of the data hierarchy and comprise a collection of bits
(Option B). The other options are wrong.
34. What are some of the major outcomes of the non-existence of an efficient
database?
A. High redundancy and low data integrity
B. Improved data sharing
C. Reduced dependence between data and application software
D. Better linkages between data originating from different sources
KEY A
Justification
An efficient database reduces redundancy and improves data integrity; in its absence,
redundancy is high and data integrity low (option A). The absence of a database will also
hinder data sharing and increase dependence between data and application software. An
efficiently configured database will provide excellent linkage of data from different sources.
35. What is a Database Management System?
A. A set of pre-loaded data relating to specific industries
B. Customer profile data used for managing an organization
C. Software for creation, control & manipulation of a database
D. Hardware specifically designed to handle databases
KEY C
Justification
A database management system is software which assists in the process of managing
a database, as brought out in option C. It is not just a set of data, nor hardware, as
indicated in the other options.
36. What are the major risks of having a Database management system?
A. Reduced speed of access to records
B. High redundancy & duplication
C. Reduced data integrity
D. Cost and data security threats
KEY D
Justification
The major risks involved are the cost (including time for implementation of a new
system) and increased vulnerability owing to centralisation of information as indicated in
Option D. Contrary to what is stated in the other options, a database management
system improves speed of access to records, reduces redundancy and improves data
integrity.
37. Which of the following is the logic typical of a Relational Database Management
System?
A. Records have a one to many relationship in parent/child format
B. Collection of one or more relations in two dimensional table form
C. Records have many-to-many relationship in network form
D. Data is organized in a tree structure, in hierarchical format
KEY B
Justification
The logic behind an RDBMS is in table form with domain and entity constraints which ensure
robustness of the system (Option B). The other options relate to the hierarchical and
network types of database and are, hence, wrong.
38. Use of integrity constraints and normalisation is strongly typical of which type of
software?
A. Relational Database Management System
B. Network Database Management System
C. Hierarchical Database Management System
D. Foxpro, Excel systems of spreadsheet
KEY A
Justification:
The use of integrity constraints and normalization is typical of RDBMS and not of the
other three options.
39. Which of the following defines the logical structure of the database, its relations
& constraints?
A. Internal Schema
B. External Schema
C. Conceptual Schema
D. Logic unit in CPU
KEY C
Justification:
It is the Conceptual Schema which defines the logical structure of the database
including its relations and constraints and not the other options indicated.
40. Which of the following is a database language used to define & describe data &
relationships?
A. Data Manipulation Language or DML
B. Data Control Language or DCL
C. Data Definition Language or DDL
D. Excel and Lotus 123
KEY C
Justification:
DDL is a collection of instructions and commands used to define and describe data and
relationships (Option C). DML, DCL and the spreadsheet software are not the
appropriate answer.
41. Which of the following are typical features of Data Definition Language?
A. Not used by Database administrators or designers
B. SQL commands dealing with data
C. Generally used by a common user
D. Used to define both conceptual & internal schemas
KEY D
Justification:
DDL is a database language used by administrators and designers to define both
conceptual & internal schemas. It does not deal with data but only with the structure. It
is generally not used by the common user. Hence, only Option D is correct.
42. Which of the following are typical of Data Manipulation Language?
A. Cannot be used for querying the database
B. Used to retrieve, insert, delete or modify data
C. SQL commands which do not allow changing of data
D. Application software will not be able to access it
KEY B
Justification:
DML is a database language used to query and manipulate data. Application software is
able to meet user needs only by interacting with the DML. Hence, only Option B is
correct.
43. What is a Data Dictionary?
A. It provides a definition of terms and data elements
B. A dictionary which facilitates conversion of bytes into numbers
C. A software which helps convert machine language to English
D. A software which helps convert assembly language to English
KEY A
Justification:
It is the documentation of the database, providing a detailed description of every data element in the
database. It provides a standard definition of terms and data elements (Option A). The
other options are factually wrong.
44. What are Meta Data?
A. Metadata refers to data of large sizes, millions, billions, etc.
B. Metadata is data about one or more aspects of data
C. Metadata is data relating to meteorological parameters
D. Metadata is data that is universal to different types of software
KEY B
Justification:
Metadata is data about data. It covers aspects like meaning, purpose, time & date of
creation, etc. of data. Option B, obviously, is the correct choice. The other options are
incorrect.
45. Centralised Deployment Strategy involves _______________
A. Centralized database & de-centralized decision making
B. De-centralized database and centralized decision making
C. Centralized database & centralized decision making
D. Multiple server usage
KEY C
Justification
Centralized deployment strategy uses a central database with all user communication
being directed to it. Decision making, too, therefore, gets centralized as a consequence
(Option C). Such a strategy uses a single hardware/software platform and a single
server; hence, the other options are not correct.
46. An important drawback of Centralised Deployment Strategy is _________________
A. Vulnerability to single point of failure
B. Resource sharing of reduced order
C. Poorer economies of scale
D. Reduced security
KEY A
Justification
Centralized deployment strategy concentrates all its resources at one central point,
making it vulnerable to total system failure in the event of this central point being
compromised in any manner (Option A). Resource sharing, in fact, is a strong plus point
for centralised deployment. Similarly, this system has better economies of scale owing
to use of large size hardware and a larger number of software licences. Since everything is
centralized, possibilities of leakage are reduced since the number of exposed points
is smaller. Hence, the other options are not correct.
47. An important feature of Decentralized deployment strategy would be
_____________
A. Information systems would be more compatible
B. Reduced duplication of records, processes
C. Business strategy based localisation of database possible
D. Adequate centralised control through security implementation
KEY C
Justification
The single major advantage of decentralized deployment strategy is its potential for
tweaking the database to suit local requirements (Option C). However, compatibility of
information systems may take a hit since multiple versions could be involved depending
upon the geographic or business segment-wise spread of the organization. Risk of
duplication of records is higher since multiple versions at different locations may be
involved. Centralized control and security management would also be to a reduced
extent. Hence, the other options are not correct.
48. A key disadvantage of Decentralised Deployment Strategy is ______________
A. Less flexibility to cope with internal/external changes
B. Potentially higher CAPEX requirement
C. Slower system development
D. Information systems could be mutually incompatible
KEY D
Justification
A major disadvantage of decentralized deployment strategy is that, with de-centralized
decision making, different tailor-made information systems may be created at different
locations, leading to potential incompatibility (Option D). On the other hand, given their
de-centralized structure, they would have greater flexibility to cope with changes and
can be developed/implemented quickly. Capex requirement could also be lower owing to
the ability to carry out changes in phases. Hence, the other options are not correct.
49. The IT components of a Core Banking Solution Data Centre would mainly depend
upon ___________
A. Number of employees in the Bank
B. Type of services offered, risk management & control requirements
C. Annual Business volume
D. Nature of software applications used
KEY B
Justification
The complexity of services offered including the response time, risk management
objectives and control goals would drive the IT components of a CBS Data Centre
(Option B). The elements in the other three options would have limited impact on the
configuration of the data centre.
50. A near site facility is _______________
A. A data replication facility
B. Disaster recovery facility
C. Facility for storing data of secondary importance
D. Facility for storing employee data alone
KEY A
Justification
A near-site facility is normally used as a data replication facility only (Option A). It would
not be a prudent choice for a disaster recovery facility since, as a proximate location,
the probability of its getting exposed to the same geographical risks is very high. In the
usual course, no separate facility is created for secondary data or for employee data
alone. Hence, the other options are not correct.
51. Configuration Identification involves ________________
A. Identification of all Information Systems components without reference to version
B. Identification of software components of Information Systems alone
C. Identification of all Information Systems components in a system
D. Identification of hardware components of Information Systems alone
KEY C
Justification
Configuration identification involves identification of all versions & updates of both
software and hardware. This facilitates continuous monitoring during the life cycle of the
product & becomes useful at the time of any proposed changes in the components
(Option C). Option A is wrong since it ignores the version, which is vital. B and D are
incorrect since they are addressing either the software or hardware alone.
52. Hardening of Systems is _____________
A. Use of robust hardware to strengthen the system
B. Securely configuring systems to minimize security risks
C. Optimising configuration of hardware systems alone
D. Auditing configuration of software systems
KEY B
Justification
Hardening of systems is the process of securely configuring computer systems to
eliminate as many security risks as possible (Option B). It does not refer to use of
robust hardware (Option A); nor does it limit itself to hardware alone (Option C) or
software alone (Option D).
53. In IT, a network refers to ________________
A. Two or more devices which are able to exchange data between each other
B. Two or more computers which are able to exchange data between each other
C. Minimum of 8 computers which are able to exchange data between each other
D. Several computers separated over a minimum distance of 100 metres from each
other
KEY A
Justification
In IT, a network refers to two or more of any devices which are able to exchange data
between each other; it includes devices like printers, computer terminals and other
devices of communication (Option A). It is not limited to computers alone (Option B). A
network could operate even within the same building, and there is no minimum stipulated
distance between the devices (Options C & D).
54. In IT, a node refers to ______________
A. Every junction of cables in a computer network
B. Every computer in a computer network
C. Each component in a computer network
D. Every internet device in a computer network
KEY C
Justification
In IT, a node refers to each component in a computer network (Option C). It does not
refer to cable junctions (Option A). It is not restricted to computers alone but covers
every type of device in the network (Option B). It is not restricted to internet devices in a
network (Option D).
55. The main reason for networking computers is _______________
A. Reduce hardware cost
B. Reduce software cost
C. Resource sharing and communication
D. Essentially, to increase speed of computing
KEY C
Justification
The main benefit of networking computers is sharing of resources and facilitating
communications (Option C). Networking does not have the objective of reducing either
hardware or software costs; nor does it have the advantage of improving speed of
computing (Options A, B, & D).
56. One major benefit of networking computers is ________________
A. Facilitating user communication
B. Compartmentalisation of data
C. Reduced computing power
D. Reduced software costs
KEY A
Justification
Facilitation of user communication is a major advantage of computer networking
(Option A). Networking helps sharing of data and increases availability of
computing power. It may not necessarily reduce software costs; in fact, they may
increase on account of multiple licences being required for several terminals.
Hence, the other options are not correct.
57. Protocol, in IT, is __________________
A. The basis for allotment of new computers
B. Arrangement of employee directories
C. A set of rules for Communication between systems
D. Proper behaviour while using computers
KEY C
Justification
Protocol is a set of rules that makes communication possible (Option C). It does not
refer to the basis for allotment of new computers, the arrangement of employee
directories or behaviour while using computers (Options A,B, & D).
58. Data transmission _____________
A. Can be only through a voltage signal & not through radio or microwave
B. Is always digital in nature; one cannot transfer data in analog form
C. Is the physical transfer of data over a communication channel
D. Can happen only through a copper wire or optical fibre
KEY C
Justification
Data transmission is the physical transfer of data. It can be through electrical, radio,
microwave or infrared signals. It can be over copper wires, optical fibres, wireless
channels or through a storage medium. It can be either digital or analog. Hence, only
Option C is correct and the other options are wrong.
59. Simplex communication _________________
A. Always involves uni-directional transmission of data
B. Can involve uni-directional or multi-dimensional data transmission
C. Can handle two-way communication
D. Facilitates return of error or control signals to the transmitter
KEY A
Justification
In simplex communication data always flows from one node to another; it is
always uni-directional. It does not involve multi-dimensional transmission of data.
It also cannot handle two-way communication or allow sending back of error or
control signals to the transmitter. Hence, only Option A is correct and the other
options are wrong.
60. Half Duplex communication ________________
A. has capability to send and receive simultaneously
B. is cheaper than the Simplex system
C. is costlier than the full Duplex system
D. has facilities to send and receive but only one operation can be performed at a
time
KEY D
Justification
Half Duplex communication has the capability to both send and receive but with the
restriction that only one activity can be done at a time. It is more expensive than the
Simplex system but cheaper than the full Duplex system. Hence, only Option D is
correct.
61. Full Duplex communication __________________
A. Cannot handle two way communication
B. Is the most expensive method in terms of equipment cost
C. Cannot handle simultaneous two way communication
D. is cheaper than Simplex communication
KEY B
Justification
Full Duplex communication has the capability to handle simultaneous two way
communication. It is like two Simplex systems put together and, hence, is
expensive. Hence, only Option B is correct.
62. Asynchronous transmission ___________________
A. Is a communication technique where signal timing is not used for determining
byte boundary
B. Does not require start and stop bits that provide byte timing
C. Is not suited for applications where messages are generated at irregular intervals
D. Is faster since it does not require insertion of start & stop bits into the bit stream
KEY A
Justification
Asynchronous transmission involves the use of start and stop bits that provide byte
timing. Hence, signal timing is not important & communication can happen between
devices of dissimilar speed. However, speed is slower owing to the intervening start and
stop bits. Hence, only Option A is correct.
63. Synchronous transmission _____________
A. Does not place the responsibility for grouping the bits on the receiver
B. Is a communication technique where start and stop bits are not used
C. Requires no synchronization between clocks of the sender & receiver
D. Is slow and can handle limited data rate
KEY B
Justification
Synchronous transmission does away with the use of start and stop bits that provide
byte timing. It shifts the responsibility for grouping of the bits to the receiver. It,
however, requires synchronization of the clocks between sender and receiver. It is
faster than asynchronous transmission and can support high data rates. Hence, only
Option B is correct.
64. What are the features of a Local Area Network (LAN)?
A. Connectivity is established only as and when required
B. Its security is low and error rates high
C. It interconnects devices within a limited geographical area
D. Installation and maintenance is cumbersome
KEY C
Justification
LANs interconnect devices within a limited geographical area. Connectivity is ongoing
and permanent. Its security is high and error rates low. Installation and maintenance are
relatively easy. Hence, only Option C is correct.
65. What are the features of a Wide Area Network (WAN)?
A. A WAN comprises interconnected switching nodes covering a wide area
B. Connectivity is established on a permanent basis
C. WANs use only private networks
D. All devices in a WAN will have the same network ID
KEY A
Justification
WANs interconnect devices over a large geographical area using both private and
public networks. The connected devices, therefore, could have different network IDs.
Connectivity can be on demand or permanent. Hence, only Option A is correct.
66. A key characteristic of a Metropolitan Area Network (MAN) is __________
A. Can provide only for data transmission
B. Feasibility to service customers in a large city-wide area
C. Can handle only voice & video transmission
D. Higher cost than service from telephone company
KEY B
Justification
MANs play a role in meeting the growing needs of an organization with lower costs and
higher capacity. It can provide for both data and voice transmission. Its cost & efficiency
are generally more favourable as compared to telephone company services. Hence,
only Option B is correct.
67. Client Server architecture is characterized by ________________
A. Computational & interface-oriented logic are married together
B. Client process does not avail services of server
C. A dedicated server that provides resources to clients
D. Client executes in the same address space as the server
KEY C
Justification
Client Server architecture is characterized by a dedicated file server that runs the
network, granting other nodes or clients access to resources. The computational and
interface-oriented logic are separated rather than the computers themselves. The client
executes in a different address space from the server. Hence, only Option C is correct.
68. Peer-to-Peer Networking is characterized by _____________________
A. Sharing of resources without use of a separate server computer
B. Need for a network administrator in lieu of the server
C. Security and integrity of data is better than in client server configuration
D. Horizontal & vertical scalability of architecture feasible
KEY A
Justification
Peer-to-Peer networking involves connection of two or more computers and sharing of
resources without any separate server. All the computers share equal responsibility for
processing data. No network administrator is required. Security and integrity of data are
more vulnerable as compared to client server architecture. Vertical scalability of
architecture is not possible since no server is involved. Hence, only Option A is correct.
69. What are the features of Middleware?
A. They manage all activities except transporting, queuing and scheduling
B. They can operate with devices/systems on a single platform alone
C. They control communication, leaving authentication/delivery to the server
D. They are software that help clients communicate with server applications
KEY D
Justification
Middleware are programs which help clients communicate with server applications.
They control communication, authentication as well as delivery. They manage
transporting, queuing as well as scheduling. They have the capability to work with
diverse platforms. Hence, only Option D is correct.
70. What are the features of a co-axial cable?
A. The axes of the two conductors in the co-axial cable are different
B. It comprises a core conductor enclosed by a plastic cladding, a wire mesh &
plastic cladding
C. It is easy to install but has high attenuation loss
D. It is cheaper than twisted pair cables but more expensive than optical fibre cable
KEY B
Justification
Co-axial cables consist of a central core conductor surrounded by a plastic cladding, an
outer wire mesh and a protective outer plastic cladding. The axis of both the conductors
is the same & hence the name co-axial. It is easy to install and has low attenuation loss.
It is moderately expensive but cheaper than optical fibre cable. Hence, only Option B is
correct.
71. What are the characteristics of a Twisted pair cable?
A. Comprises 2 separate insulated wires in a twisted pattern that run parallel to
each other
B. Comprises 4 separate insulated wires in a twisted pattern run parallel to each
other
C. Comprises 2 separate insulated wires in a twisted but non parallel pattern
D. It is a form of unguided transmission media
KEY A
Justification
Twisted pair cables consist of 2 separate insulated wires in a twisted pattern that run parallel
to each other. It is a form of guided transmission media with reduced electromagnetic
interference. Option A is the only correct option.
72. What are the characteristics of an Optical Fibre cable?
A. It has high integrity and high attenuation over long distances
B. It has lower carrying capacity as compared to metallic conductors
C. It has an inner core which works through light based signalling
D. It consumes more power since signals degrade faster in the system
KEY C
Justification
An optical fibre cable consists of an inner core made of glass/plastic/polymer/
acrylic which uses light based signalling. It has high integrity as well as low
attenuation over long distances. It has higher carrying capacity and consumes
less power since signals do not degrade as fast as in other systems. Hence,
Option C is the only correct option.
73. Which of the following are un-guided transmission media?
A. Optical Fibre Cables
B. Co-axial cables
C. Twisted pair cables
D. Radio Waves
KEY D
Justification
Options A, B and C are all instances of guided transmission media wherein data
signals are guided through a specific path. Radio waves, on the other hand, are
transmitted without any cables and are un-guided. Hence, only Option D is correct.
74. In guided media transmission, signals are propagated through _____________
A. Ground wave propagation
B. Various types of cables
C. Ionospheric propagation
D. Line-of-sight propagation
KEY B
Justification
Options A, C and D are all instances of unguided transmission media wherein data
signals are not guided through a specific path. Propagation through cables, on the other
hand, is a form of guided media transmission wherein the data signals are guided along
a specific path through the cable. Hence, only Option B is correct.

27
DISA Review Questions, Answers Manual

75. What is a Hub ?
A. It is a hardware device that provides multiport connectivity
B. It offers intelligence in interpreting data received by it
C. It is an expensive device for transport of data between devices
D. Hubs are exclusively passive & cannot do anything with the signal
KEY A
Justification
A hub is a hardware device that contains multiple independent ports matching the cable
type. It does not offer any intelligence in dealing with data received by it. However, an
active hub can amplify/regenerate incoming signals before onward transmission. It is
relatively inexpensive. The correct answer is in Option A.
76. What is a Switch ?
A. It does not offer intelligence in interpreting data received by it
B. It increases congestion & slows up the network
C. It is a special type of hub with additional layer of intelligence which reads the
MAC address
D. It is a type of network interface card operating without a switching table
KEY C
Justification
A switch is a special type of hub with an additional layer of intelligence. It reads the
MAC address of each frame received by it and, based upon the switching table, carries
out onward transmission to the node to which the frame is addressed. It decreases
congestion and speeds up the network. It is not a type of network interface card. The
correct answer is in Option C.
77. What are Bridges ?
A. Bridges are used to extend or segment networks
B. Bridges sit within a segment & manage incoming/outgoing data
C. Bridges cannot block or forward the data
D. Bridges can forward the data to the relevant address but not block it
KEY A
Justification
A bridge is used to extend or segment networks. It sits between two physical segments
and manages the flow of data. It can choose to either block or forward the data. The
correct answer, hence, is in Option A.
78. What is a typical feature of a Router ?
A. It is a networking device used to forward data packets along networks
B. It is always a dedicated hardware device & cannot be a computer
C. It copies the packets to all connected destinations without discrimination
D. It does not contain any database of network addresses or pathways
KEY A
Justification
A router is a dedicated networking device or computer system with more than one
network interface. It is used to forward data packets along networks utilising its
database of network addresses and alternate pathways. It selectively forwards data
packets to the next hop in the route to the destination. The correct answer, hence, is in
Option A.
79. What is a typical feature of a Gateway ?
A. It is necessary for connecting networks with identical protocols
B. It is a device that translates one data format to another
C. It translates both the data format as well as the data itself
D. It is used to forward data packets along networks
KEY B
Justification
A gateway is a device that translates one data format to another, e.g. email gateways. It
is useful in connecting networks with different protocols. It does not tinker with the
actual data and only translates the data format. The correct answer is Option B.
80. What is typical of Bus topology ?
A. Bus topology contains a single hub connecting all nodes
B. Connects computers on a single circle of cable
C. Computers are connected on a single backbone cable
D. In this system, every node is connected to every other node
KEY C
Justification
In Bus topology, all the computers in the network are connected on a single backbone
cable. All the computers in the network receive incoming messages from any other
computer; however, only the intended recipient accepts and processes the message. It
does not use a single hub or a circle of cable, and the nodes are not connected directly
to one another. The correct answer is Option C.
81. What is typical of Star topology ?
A. Contains a central hub or switch to which each node is connected
B. All the computers are connected to a single backbone hub
C. Connects computers on a single circle of cable
D. In this system, every node is directly connected to every other node
KEY A
Justification
Star topology comprises a system of a central hub or switch to which each node is
connected. Separate cables are drawn from each and every node to the central hub. It
does not involve a single backbone hub or a single circle of cable. Every node is
connected to the central hub or switch and not to each other. The correct answer,
therefore, is Option A.
82. What are the features of Ring topology ?
A. All the computers are connected to a single backbone hub
B. Connects computers to a central hub or switch
C. In this system, every node is directly connected to every other node
D. It connects computers on a single ring of cable
KEY D
Justification
In ring topology, every computer is connected to two neighbouring computers for
communication. Messages travel uni-directionally, either clockwise or anti-clockwise. It
does not involve use of a single backbone hub or a central hub/switch. The correct
answer, therefore, is Option D.
83. What are the features of Mesh topology ?
A. All the computers are connected to a single backbone hub
B. Involves physical connection of every node with every other node
C. Connects computers to a central hub or switch
D. Ideally suited for systems with need for low degree of fault tolerance
KEY B
Justification
Mesh topology involves physical connection of every node with every other node. It is
rather complex and requires the maximum number of cables. However, it is ideally
suited for large telecommunication companies or internet service providers who cannot
afford to be without a high degree of fault tolerance. Nodes are not connected to a
single backbone or hub/switch. The correct answer, therefore, is Option B.
84. What are the features of Circuit switching ?
A. Involves temporary connection between 2 devices for transmission duration
B. Signal transmission can commence even without end-to-end connection
establishment
C. Data transfer can be only through binary data & not through analog/digital voice
D. Special training/protocol required to handle data traffic
KEY A
Justification
Circuit switching is a type of communication in which a temporary physical connection is
established between 2 devices for the duration of the transmission session. Signal
transmission can commence only after establishment of the end-to-end connection.
Information transfer can be through binary data as well as analog/digital voice. No
special training/protocol is required. The correct answer, therefore, is Option A.
85. What are the features of Packet switching ?
A. Requires point-to-point connection establishment for transmission
B. It breaks up a message into smaller packets for transmission
C. Packets in each message need to travel in the same path & sequence
D. Since sequential transmission happens, destination devices need not reassemble
them
KEY B
Justification
Packet switching involves the breaking up of a message into smaller packets for
transmission. Since each packet carries the destination address, packets need not
travel by the same path or in the same sequence; the destination device reassembles
them into the proper sequence. The correct answer, therefore, is Option B.
86. What are the features of Message switching ?
A. Data is stored at switching point & sent forward whenever pathway is available
B. Data is not stored at switching points & transmitted continuously
C. Data is transmitted in packets transmitted in the same path & sequence
D. Physical path establishment is a pre-requisite to transmission
KEY A
Justification
Message switching or store-and-forward switching involves accumulation of data at
switching points and onward transmission as and when pathway is available. No
physical path is established in advance between the sender and the receiver. Data is
not transmitted in packets. The correct answer, therefore, is Option A.
87. What is multiplexing ?
A. Permits sequential transmission of multiple signals on a single carrier
B. Facilitates transmission of signals in sequence, one at a time
C. It is the simultaneous transmission of multiple signals on a single carrier
D. Refers to simultaneous transmission of multiple signals on multiple carriers
KEY C
Justification
Multiplexing refers to simultaneous transmission of multiple signals on a single carrier
(Option C). The other options are factually incorrect.
88. Frequency division multiplexing involves _________
A. Assigning non-overlapping frequency ranges to different signals/users
B. Assigning overlapping frequency ranges to different signals/users
C. Assigning non-overlapping frequency ranges to a single signal/user
D. Use of digital technology when the link bandwidth is greater than sum of signal
bandwidths
KEY A
Justification
FDM assigns non-overlapping frequency ranges to different signals/users. It is an
analog technique that can be applied when the bandwidth of the link is greater than the
combined bandwidth of the signals to be transmitted. Hence, only Option A is correct.
89. Time Division Multiplexing involves ________________
A. Primarily analog technology in which several signals/bitstreams are transferred
apparently simultaneously
B. Combination of analog & digital technology in which several signal/ bitstreams
are transferred simultaneously
C. Solely analog technology in which several signals/bitstreams are transferred
simultaneously
D. Division of time domain into several concurrent time slots of fixed length, one for
each sub-channel
KEY D
Justification
TDM is a digital technique (rarely analog) in which several signals/bit streams are
transferred apparently simultaneously. In actual practice, however, the time domain is
divided into fixed-length slots, one per sub-channel, and each signal takes its turn on
the channel. Hence, only Option D is correct.
90. Wavelength Division Multiplexing is _____________
A. Conceptually similar to Time Division Multiplexing but using various wavelengths
of light
B. Conceptually similar to Frequency Division Multiplexing but uses a single
wavelength of light
C. Conceptually similar to Frequency Division Multiplexing but using various
wavelengths of light
D. Conceptually similar to Time Division Multiplexing and uses a single wavelength
of light
KEY C
Justification
WDM is conceptually like FDM: it multiplexes multiple optical carrier signals on a single
optical fibre by using different wavelengths of laser light. Hence, only Option C is correct.
91. Connection oriented networking involves ________________
A. Transmission of data prior to establishment of connection
B. Establishment of connection prior to data exchange
C. Simultaneous establishment of connection & data exchange
D. Networking arrangements based upon priority of connection nodes
KEY B
Justification
Connection oriented networking involves establishment of connection prior to data
exchange. The other options are factually incorrect and, hence, only Option B is correct.
92. Connection less networking involves ______________
A. Data is exchanged without any prior establishment of connection
B. Transmission of data after establishment of connection
C. Simultaneous establishment of connection & data exchange
D. Exchanged data has no contact information of recipient
KEY A
Justification
Connectionless networking involves data exchange without any prior establishment of
connection. The exchanged data has complete contact information of the recipient. The
other options are factually incorrect and, hence, only Option A is correct.
93. Hardware __________________
A. Includes the physical computer as well as all the software loaded on to it
B. Includes the physical computer as well as the operating system loaded on it
C. Refers to the tangible portion of a computer
D. Comprises the cables, the pipes, etc. which carry information in and out of the
computer
KEY C
Justification
As defined clearly in paragraph 1.2.6, hardware does not include the software loaded
on to a computer. It also excludes the operating system, which is itself a piece of
software. It is definitely not the cables, pipes, etc. Hence, A, B & D are clearly wrong
answers which have no relation to the definition in paragraph 1.2.6.
94. Input devices include ______________
A. Printer
B. Cathode ray tube or monitor
C. Keyboard
D. Speaker
KEY C
Justification
As defined clearly in paragraph 1.3.1, a keyboard helps input information into the
computer.
The other devices, falling under Options A, B & D, are all instances of output devices.
Hence, A, B & D are clearly wrong answers.
95. Output devices include __________
A. Liquid Crystal Display
B. Microphone
C. Keyboard
D. Mouse
KEY A
Justification
As defined clearly in paragraph 1.3.1, a liquid crystal display is a monitor for display or
output of information from the computer. Hence it is an output device.
The other devices, falling under Options B to D, are all instances of input devices.
Hence, B, C & D are clearly wrong answers.
96. The Arithmetical & Logical unit of the CPU _________________
A. Can also be Accumulators
B. Performs mathematical & logical operations
C. Can also be Address Registers
D. Controls flow of data & instructions to and from memory
KEY B
Justification
As defined clearly in paragraph 1.3.2, the Arithmetic and Logical unit performs
mathematical and logical operations.
The arithmetic & logic unit cannot be called accumulators or address registers. It also
does not control the flow of data and instructions. Hence, A, C & D are clearly wrong
answers.
97. Storage Registers _____________
A. Can store memory addresses that tell the CPU where in memory an instruction is
located
B. Can keep running totals of arithmetic values
C. Can temporarily store data coming from or being sent to system memory
D. Can help move data from one location in the computer to another
KEY C
Justification
As defined clearly in paragraph 1.3.2, Storage Registers can temporarily store data
coming from or being sent to system memory.
Storage Registers do not store memory addresses; this function is carried out by
address registers. Arithmetic and logical operations are handled by the Arithmetic &
Logical unit of the computer and not the storage register. Lastly, only buses move data
from one location of the computer to another. Hence, A, B and D are clearly wrong
answers.
98. Open Systems Interconnection (OSI)_______________
A. Deals with interconnection of Open systems software
B. Is effective in dealing with Open-source software
C. Deals with communication process without truncation in managing internetwork
D. Splits communication process to small portions in managing internetwork
KEY D
Justification
Open Systems Interconnection or OSI is a model which enables integration of various
technologies and provides solutions for managing the internetwork environment. It does
this by splitting communication processes into small portions. It has nothing to do with
open systems software or open-source software.
Hence, only Option D is correct.
99. What is ARPANET ?
A. Network of computers in Arabia & Pakistan
B. New cloud computing network being set up by the U.S.
C. Computer network set up under the auspices of the U.S. Dept. of Defence in 1969
D. Network of the Association of Resource Planners
KEY C
Justification
ARPANET is a network of computers set up under the auspices of the U.S. Dept. of
Defence in 1969 and a precursor to the internet. The answers in options A, B and D are
imaginary and incorrect.
Hence, only Option C is correct.
100. The suite of network protocol TCP/ IP evolved from _______________
A. Conventions developed by ARPA
B. Pioneering work & norm developed by Intel
C. International conference of global IT experts
D. Norms developed by Indian IT developers
KEY A
Justification
The suite of TCP/IP protocol evolved from the conventions developed by ARPANET to
specify how individual computers could communicate across a network. The answers in
options B, C & D are all imaginary and incorrect.
Hence, only Option A is correct.
101. Which international body takes a lead role in developing common protocols for
the World Wide Web to promote its evolution and ensure its inter-operability ?
A. The Internet Society (ISOC)
B. The Internet Architecture Board
C. World Wide Web Consortium (W3C)
D. The Internet Engineering Task Force (IETF)
KEY C
Justification
It is the W3C which handles the role indicated in the question above. The organizations
mentioned in the other options handle other responsibilities connected to the internet.
Hence, only Option C is correct.
102. Which international body handles governance of generic Top Level Domain
(gTLD) & other related responsibilities ?
A. The Internet Corporation for Assigned Names and Numbers (ICANN)
B. World Wide Web Consortium (W3C)
C. The Internet Society (ISOC)
D. The Internet Architecture Board (IAB)
KEY A
Justification
It is the ICANN which handles the role indicated in the question above. The
organizations mentioned in the other options handle other responsibilities connected to
the internet.
Hence, only Option A is correct.
103. Which international body bears the responsibility for technical activities of the
Internet, including writing specifications & protocols ?
A. World Wide Web Consortium (W3C)
B. The Internet Society (ISOC)
C. The Internet Engineering Task Force (IETF)
D. The Internet Architecture Board (IAB)
KEY C
Justification
It is the IETF which handles the role indicated in the question above. The organizations
mentioned in the other options handle other responsibilities connected to the internet.
Hence, only Option C is correct.
104. Networking Protocol ______________
A. Is a set of rules that governs what, how and when data is communicated over a
network
B. Is the set of international norms laid down for country priority in communication
over a network
C. Is the set of international norms laid down for voice data communication alone
D. Is the set of international norms laid down for use of hardware in a network
KEY A
Justification
Networking protocol is the set of rules that governs what, how and when data is
communicated over a network. The protocol does not prescribe any country priority for
network communication. Its coverage is not exclusive to voice data alone. It does not
apply to usage of hardware in a network.
Hence, only Option A is correct.
105. Syntax in Protocol represents __________
A. How data is communicated
B. When data is communicated
C. What is communicated
D. What, When & How data is communicated
KEY C
Justification
Syntax represents only What is communicated. There are other terms which represent
the How and the When of data communication.
Hence, only Option C is correct.
106. Semantics in Protocol represents ________________
A. What is communicated
B. When data is communicated
C. What, When & How data is communicated
D. How data is communicated
KEY D
Justification
Semantics represents only How data is communicated. There are other terms which
represent the What and the When of data communication.
Hence, only Option D is correct.
107. Timing in Protocol represents _______________
A. When data is transmitted but not how fast
B. The global time zones when data can be transmitted
C. When data is communicated & how fast
D. What, When & How data is communicated
KEY C
Justification
Timing in Protocol represents when data is communicated and how fast. There are
other terms which represent the What and the How of data communication. Hence, only
Option C is correct.
108. The Open Systems Interconnection (OSI) reference model ________________
A. Makes inter-operability across heterogeneous technology environments possible
B. Is a 5 layered model, each specifying particular network functions
C. Is a 9 layered model, each specifying particular network functions
D. Has layers which are not self-contained & hence, dependent upon other layers
KEY A
Justification
The OSI model describes how information from a software application in one computer
moves through a network medium to a software application in another computer. When
messages are sent across heterogeneous networks with a large variety of hardware
technologies, networking devices, protocols, etc., OSI makes inter-operability across
these differing environments possible. It is a 7-layered model whose layers are quite
independent and self-contained.
Hence, only Option A is correct.
109. In an OSI model, interfaces _______________
A. Describe (horizontal) communication between adjacent layers
B. Describe (vertical) communication between any two layers
C. Describe (horizontal) communication between any two layers
D. Describe (vertical) communication between adjacent layers
KEY D
Justification
In an OSI model, interfaces describe (vertical) communication between adjacent layers.
The answers falling in options A to C are factually incorrect.
Hence, only Option D is correct.
110. In an OSI model, protocols _____________
A. Describe (vertical) communication between adjacent layers
B. Describe (vertical) communication between any two layers
C. Describe (horizontal) communication between layers
D. Describe (horizontal & vertical) communication between adjacent layers
KEY C
Justification
In an OSI model, protocols describe (horizontal) communication between layers. The
answers falling in options A, B and D are factually incorrect & only Option C is correct.
111. The sequence of layers in a typical OSI model is ____________
A. Application, Presentation, Session, Transport, Network, Data link, Physical
B. Application, Presentation, Session, Transport, Network, Data link, Application
C. Application, Presentation, Session, Transport, Network, Presentation, Application
D. Physical, Application, Presentation, Session, Transport, Network, Application,
Physical
KEY A
Justification
In an OSI model, the sequence of layers is as in Option A. The answers falling in
options B to D are factually incorrect & only Option A is correct.
112. TCP/IP protocol suite is a bundle of protocols that are segmented into __________
A. Five layers
B. Seven layers
C. Nine layers
D. Six layers
KEY A
Justification
The TCP/IP protocol suite is segmented into five layers, so only Option A is correct.
113. The sequence of layers in a typical TCP/IP protocol suite is __________
A. Application, Presentation, Session, Transport, Network, Data link, Application
B. Application, Presentation, Session, Transport, Network, Data Link, Physical
C. Application, Transport, Internet, Data link, Physical
D. Physical, Application, Presentation, Session, Transport, Network, Physical
KEY C
Justification
TCP/IP protocol is segmented into five layers, sequenced as shown in Option C.
The answers falling in options A, B and D are factually incorrect and only Option C is
correct.
114. The protocol typically used for web browsing is _____________
A. Simple Mail Transfer Protocol
B. Hyper Text Transfer Protocol
C. Simple Network Management Protocol
D. Domain Name System
KEY B
Justification
The protocol used for web browsing is HTTP and not the protocols indicated in Options
A, C and D.
Only Option B is correct.
115. The protocol typically used for sending messages to other computer users based
on email addresses is _____________
A. Hyper Text Transfer Protocol
B. Simple Network Management Protocol
C. Simple Mail Transfer Protocol
D. Domain Name System
KEY C
Justification
The protocol used for sending messages to other computers using email addresses is
SMTP and not the protocols indicated in Options A, B and D.
Only Option C is correct.
116. The protocol typically used for logging on to a remote server is ___________
A. Terminal Network or TELNET protocol
B. Simple Mail Transfer Protocol
C. Hyper Text Transfer Protocol
D. Domain Name System
KEY A
Justification
The protocol used for logging on to a remote server is TELNET and not the protocols
indicated in Options B to D.
Only Option A is correct.
117. The protocol typically used for transferring files from one computer to another is
_______________
A. Terminal Network or TELNET protocol
B. File Transfer Protocol
C. Simple Mail Transfer Protocol
D. Hyper Text Transfer Protocol
KEY B
Justification
The protocol used for transferring files from one computer to another is FTP and not the
protocols indicated in Options A, C and D.
Only Option B is correct.
118. The protocol that allows images, audio & non-ASCII formats to be included in
email messages is __________________
A. Post Office Protocol
B. Internet Message Access Protocol
C. Hyper Text Transfer Protocol
D. Multipurpose Internet Mail Extensions
KEY D
Justification
The protocol that allows images, audio & non-ASCII formats to be included in email
messages is MIME. The other protocols indicated in Options A, B and C are not
appropriate.
Only Option D is correct.
119. One type of protocol used for retrieving email is ______________
A. Multipurpose Internet Mail Extensions
B. Hyper Text Transfer Protocol
C. Post Office Protocol
D. Internet Message Access Protocol
KEY C
Justification
One type of protocol used for retrieving email is POP. The other protocols indicated in
Options A, B and D are not appropriate.
Only Option C is correct.
120. One typical characteristic of Transmission Control Protocol is _______________
A. It is not responsible for recovery of packets lost during transmission
B. It is not responsible for re-assembling the message at the other end
C. It is responsible for recovery of packets lost during transmission
D. It is not responsible for re-sending anything that is lost in transit
KEY C
Justification
TCP is responsible for recovery of packets lost during transmission as mentioned in
Option C. The choices in other options are factually incorrect. Only Option C is correct.
121. Positive Acknowledgement with Re-transmission (PAR), the mechanism that
sends data to a recipient repeatedly till it receives a Data OK signal, is an inherent
part of _____________
A. Transmission Control Protocol
B. Internet Message Access Protocol
C. Simple Mail Transfer Protocol
D. Terminal Network Protocol
KEY A
Justification
PAR is an inherent part of TCP and not the other protocols indicated in Options B to D.
Hence, only Option A is correct.
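The PAR mechanism referred to in questions 120 and 121 above, as an added example that is not part of this manual: a deterministic Python simulation in which a sender retransmits each segment until the receiver's "Data OK" acknowledgement comes back. The sender, receiver and lossy channel are constructed stand-ins (their names, the sequence numbering and the fixed loss pattern are assumptions made for the illustration); real TCP timers, windows and checksums are not modelled.

```python
"""Added example (not from the DISA manual): Positive Acknowledgement with
Re-transmission (PAR) over a channel that loses messages deterministically."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # sequence number the receiver acknowledges
    payload: bytes


class LossyChannel:
    """Constructed channel: drops the data transmissions and the acknowledgements
    whose ordinal (0-based, counted separately per direction) is in a drop set,
    so every run of the example behaves the same way."""

    def __init__(self, drop_data=(), drop_ack=()):
        self.drop_data, self.drop_ack = set(drop_data), set(drop_ack)
        self.data_sent = self.acks_sent = 0

    def carry_data(self, seg):
        idx, self.data_sent = self.data_sent, self.data_sent + 1
        return None if idx in self.drop_data else seg

    def carry_ack(self, ack):
        idx, self.acks_sent = self.acks_sent, self.acks_sent + 1
        return None if idx in self.drop_ack else ack


class Receiver:
    """Delivers each in-order segment exactly once. A retransmission that arrives
    because the earlier ACK was lost is a duplicate: it is re-acknowledged but
    not delivered a second time."""

    def __init__(self):
        self.expected = 0
        self.delivered = []

    def receive(self, seg):
        if seg.seq == self.expected:
            self.delivered.append(seg.payload)
            self.expected += 1
        return seg.seq  # positive acknowledgement ("Data OK") for this seq


def send_with_par(payloads, channel, receiver, max_attempts=4):
    """Send every payload in order, repeating each until its ACK arrives.
    Returns the total number of transmissions; raises if a segment is never
    acknowledged, so a dead peer cannot cause unbounded retransmission."""
    transmissions = 0
    for seq, payload in enumerate(payloads):
        for _ in range(max_attempts):
            transmissions += 1
            seg = channel.carry_data(Segment(seq, payload))
            ack = channel.carry_ack(receiver.receive(seg)) if seg is not None else None
            if ack == seq:
                break  # Data OK received: move on to the next segment
        else:
            raise TimeoutError(f"segment {seq} not acknowledged after {max_attempts} attempts")
    return transmissions


def demo():
    """Constructed scenario: the 2nd data transmission and the 3rd ACK are lost."""
    channel = LossyChannel(drop_data={1}, drop_ack={2})
    receiver = Receiver()
    count = send_with_par([b"a", b"b", b"c"], channel, receiver)
    return count, receiver.delivered


if __name__ == "__main__":
    print(demo())
```

Two design points are worth noting. The receiver must treat duplicates idempotently, since PAR guarantees that a lost acknowledgement produces a repeated segment; without the sequence-number check, payload `c` would be delivered twice. The sender must also bound its retries, otherwise an unreachable peer keeps it retransmitting indefinitely.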
122. The objective of Network Layer is _______________
A. To provide security by building in fail-safe protection
B. To decide which physical path the information should follow from source to
destination
C. Accelerate the flow of data through encryption
D. To validate the data & ensure delivery is completed without errors
KEY B
Justification
The objective of Network Layer is to decide which physical path the information should
follow from source to destination. The answers given in the other options A, C and D
are not correct.
Hence, only Option B is correct.
123. What is Internet Control Message Protocol (ICMP) ?
A. A mechanism to ascertain the IP address given a physical address (MAC)
B. A method of ascertaining the physical address (MAC), given the IP address
C. A mechanism to send notification of datagram problems back to sender
D. A system by which new internet IP addresses can be created
KEY C
Justification
ICMP is a mechanism to send notification of datagram problems back to sender. It
cannot help locate the IP address or physical address, given the other element. Nor can
it help create new IP addresses. Hence, only Option C is correct.
124. What is Address Resolution Protocol (ARP) ?
A. A method of ascertaining the physical address (MAC), given the IP address
B. A mechanism to ascertain the IP address given a physical address (MAC)
C. A mechanism to send notification of datagram problems back to sender
D. A system by which new internet IP addresses can be created
KEY A
Justification
ARP is a method of ascertaining the physical address (MAC), given the IP address. It
cannot help locate the IP address given a physical address. It is also not a mechanism
to send notification of datagram problems back to sender. Nor can it help create new IP
addresses.
Hence, only Option A is correct.
125. What is Reverse Address Resolution Protocol (RARP) ?
A. A mechanism to ascertain the physical address (MAC), given an IP address
B. A mechanism to send notification of datagram problems back to sender
C. A method of ascertaining the IP address, given the physical address (MAC)
D. A system by which new internet IP addresses can be created
KEY C
Justification
RARP is a method of ascertaining the IP address, given the physical address (MAC). It
cannot help locate the physical address given an IP address. It is also not a mechanism
to send notification of datagram problems back to sender. Nor can it help create new IP
addresses.
Hence, only Option C is correct.
126. The protocol data unit for Transport layer of TCP/IP is called __________
A. A Segment
B. A Packet
C. A Frame
D. A Bit
KEY A
Justification
The protocol data unit for Transport Layer of TCP/IP is called a Segment; the others
refer to names used for other layers. Hence, only Option A is correct.
127. The protocol data unit for Network Layer of TCP/IP is called ___________
A. A Segment
B. A Bit
C. A Packet
D. A Frame
KEY C
Justification
The protocol data unit for Network Layer of TCP/IP is called a Packet; the others refer
to names used for other layers.
Hence, only Option C is correct.
128. The protocol data unit for Data Link Layer of TCP/IP is called _____________
A. A Segment
B. A Frame
C. A Packet
D. A Bit
KEY B
Justification
The protocol data unit for Data Link Layer of TCP/IP is called a Frame; the others refer
to names used for other layers.
Hence, only Option B is correct.
129. The protocol data unit for Physical Layer of TCP/IP is called ?
A. A Packet
B. A Frame
C. A Bit
D. A Segment
KEY C
Justification
The protocol data unit for Physical Layer of TCP/IP is called a Bit; the others refer to
names used for other layers.
Hence, only Option C is correct.
130. The Data Link Layer ____________
A. Performs the task of delivery over local networks and error detection
B. Enables us to find the best way from origin to destination
C. Runs application to access other layers’ services & defines protocols
D. Provides the path through which data moves among network devices
KEY A
Justification
The Data Link Layer performs the task of delivery over local networks and error
detection. The other options refer to functions of other layers of TCP/IP protocol.
Hence, only Option A is correct.
131. The Application Layer __________
A. Performs the task of delivery over local networks and error detection
B. Provides the path through which data moves among network devices
C. Runs application to access other layers’ services & defines protocols
D. Enables us to find the best way from origin to destination
KEY C
Justification
The Application Layer runs the various applications, giving them the ability to access
the services of the other layers, and defines the protocols that applications use to
exchange data. The other options refer to functions of other layers of TCP/IP protocol.
Hence, only Option C is correct.
132. The Cyclic Redundancy Check ________________
A. Is a check conducted by Application Layer
B. Is a check carried out by the Physical Layer on each stream of bits
C. Is a calculated value of the Data Link Layer for error detection
D. Is a check carried out by the Network Layer to identify the shortest route
KEY C
Justification
The Cyclic Redundancy Check is a calculated value that is placed in the Data Link trailer
that is added to the message frame. It helps detect errors. The information given in
Options A, B and D is incorrect.
Hence, only Option C is correct.
133. One characteristic of the Physical Layer of TCP/IP is ___________
A. The sender and receiver need not be synchronized at the bit level
B. It deals in zeroes and ones and voltages

C. The bits need not be encoded into electrical/optical signals for purposes of
transmission
D. Its data unit is called a segment
KEY B
Justification
The Physical Layer deals in zeroes and ones and voltages. The sender and receiver
need to be synchronized at the bit level. The bits themselves need to be encoded as
electrical or optical signals before transmission. Its data unit is called a bit.
Hence, only Option B is correct.
134. Wi-Fi ____________
A. Is a wireless networking technology that uses radio waves
B. Has typical access range of about 130 metres
C. Can handle internet connectivity but not to other networks
D. Is a networking technology that requires physical cable connections
KEY A
Justification
Wi-Fi is a wireless networking technology using radio waves that can handle both
internet and other network connections. The typical range of Wi-Fi is about 32 metres.
Being a wireless facility, it does not require any physical cabling for access.
Hence, only Option A is correct.
135. Bluetooth Technology ______________
A. Has typical access range of about 200 metres
B. Can handle data but not voice transmission
C. Aims at unifying different platforms & devices
D. Has a major drawback, that of data security
KEY C
Justification
Bluetooth technology, a wireless technology for exchange of data over short distances,
aims at unifying different platforms and devices. It has a typical range of about 50
metres. Both data as well as voice can be transmitted through it. Data security is fairly
good.
Hence, only Option C is correct.

136. An IP Network ____________
A. Uses Internet Protocol to send/receive messages between computers
B. Can be implemented only in internet networks
C. Can operate even in the absence of an IP address
D. Is designed to function effectively without configuration of the hosts with the
TCP/IP suite
KEY A
Justification
An IP Network uses Internet Protocol to send/receive messages between two or more
computers. It can be implemented over internet networks, LANs and enterprise networks.
Its fundamental pre-requisites are an IP address to identify the host as well as
configuration of the host with the TCP/IP suite.
Hence, only Option A is correct.
137. IP Addresses _____________
A. Are allocated to computer servers alone on the network
B. Are allocated to client devices alone on the network
C. Are given by IP Addressing Scheme for identifying hosts
D. For the destination host alone are contained in every IP packet
KEY C
Justification
IP addresses are indeed allocated by the IP Addressing Scheme for every host,
whether client, server or network device. While transmitting messages, each IP packet
contains both the source host IP address as well as the destination host IP address.
Hence, only Option C is correct.
138. IP Version 4 ________________
A. Is an address which is 8-bits in length
B. Is an address which is 32-bits in length
C. Is an address which is 16-bits in length
D. Varies in address length depending upon the message

KEY B
Justification
IP Version 4 addresses are invariably of 32-bit length; the choices given in Options A, C
and D are incorrect.
Hence, only Option B is correct.
139. IP Version 4 is written in the form of ______________
A. 32 bytes separated by dots
B. 16 bytes separated by dots
C. 4 Octets or bytes separated by dots
D. 4 bits separated by dots
KEY C
Justification
IP Version 4 is written in the form of 4 Octets or bytes separated by dots. The choices in
Options A, B and D are erroneous.
Hence, only Option C is correct.
140. An IP Version 4 address can have a value from _____________
A. to 11111111.11111111.11111111.11111111
B. to 99999999.99999999.99999999.99999999
C. to 88888888.88888888.88888888.88888888
D. to 32000000.32000000.32000000.32000000
KEY A
Justification
An IP Version 4 address can have a value from 00000000.00000000.00000000.00000000 to
11111111.11111111.11111111.11111111 since each bit is binary and can take either a
0 or 1 value. All the other choices from B to D above are incorrect.
Hence, only Option A is correct.
141. Each Octet in an IP Version 4 address ____________
A. Could have as many as 32 values
B. Could have as many as 1 billion values
C. Could have only two values 0 or 1
D. Could have as many as 256 values

KEY D
Justification
Each Octet in an IP Version 4 address could have a value ranging from 0000 to 1111 in
binary, or 0 to 255 in decimal. Thus 256 values in total are possible.
Hence, only Option D is correct.
142. A Network IP has ______________
A. All zeros in the host bit
B. All ones in the network bit
C. All zeros in the network bit
D. All ones in the host bit
KEY A
Justification
A Network IP has all zeros in the host bit whereas a Broadcast IP has all ones in the
host bit.
Hence, only Option A is correct.
143. A Broadcast IP has ___________
A. All zeros in the network bit
B. All ones in the host bit
C. All ones in the network bit
D. All zeros in the host bit
KEY B
Justification
A Broadcast IP has all ones in the host bit whereas a Network IP has all zeros in the
host bit.
Hence, only Option B is correct.
144. The objective of the IP Classful Addressing Scheme is _____________
A. To designate separate classes based upon software used
B. Designate separate classes based upon geographical location
C. Designate separate classes based upon year of allocation
D. Improve efficiency in address allocation

KEY D
Justification
The purpose of the IP Classful Addressing Scheme is to improve efficiency in address
allocation. It has nothing to do with discrimination based upon software, geographical
location or timing of allocation.
Hence, only Option D is correct.
145. The Octet decimal range of Class A of the IP Classful Addressing Scheme is
_____________
A. 1 to 126
B. 0 to 126
C. 155 to 201
D. 224 to 239
KEY A
Justification
The Octet decimal range of Class A of the IP Classful Addressing Scheme is 1 to 126
as indicated in Option A.
The other options are neither of Class A nor of the other major classes of the
addressing scheme and are, hence, wrong.
146. The Octet decimal range of Class B of the IP Classful Addressing Scheme is
______________
A. 138 to 191
B. 201 to 239
C. 128 to 191
D. 205 to 255
KEY C
Justification
The Octet decimal range of Class B of the IP Classful Addressing Scheme is 128 to 191
as indicated in Option C.
The other options are neither of Class B nor of the other major classes of the
addressing scheme and are, hence, wrong.
147. The Octet decimal range of Class C of the IP Classful Addressing Scheme is
_______

A. 201 to 223
B. 1 to 126
C. 205 to 255
D. 192 to 223
KEY D
Justification
The Octet decimal range of Class C of the IP Classful Addressing Scheme is 192 to 223
as indicated in Option D.
The other options are neither of Class C nor of the other major classes of the
addressing scheme and are, hence, wrong.
148. The Octet decimal range of Class D of the IP Classful Addressing Scheme is
____________
A. 224 to 239
B. 201 to 239
C. 1 to 126
D. 205 to 255
KEY A
Justification
The Octet decimal range of Class D of the IP Classful Addressing Scheme is 224 to 239
as indicated in Option A.
The other options are neither of Class D nor of the other major classes of the
addressing scheme and are, hence, wrong.
149. The Octet decimal range of Class E of the IP Classful Addressing Scheme is
____________
A. 240 to 256
B. 240 to 254
C. 1 to 126
D. 205 to 255
KEY B
Justification
The Octet decimal range of Class E of the IP Classful Addressing Scheme is 240 to 254
as indicated in Option B.

The other options are neither of Class E nor of the other major classes of the
addressing scheme and are, hence, wrong.
150. The Higher Order bit in the first Octet of Class A of the IP Classful Addressing
Scheme is _______________
A. 0000
B. 1
C. 1111
D. 0
KEY D
Justification
The higher order bit in the first Octet of Class A of the IP Classful Addressing Scheme
is 0 as shown in Option D.
The other options are not true.
151. The Higher Order bit in the first Octet of Class B of the IP Classful Addressing
Scheme is ______________
A. 110
B. 11
C. 10
D. 1111
KEY C
Justification
The higher order bit in the first Octet of Class B of the IP Classful Addressing Scheme
is 10 as shown in Option C.
The other options are not true.
152. The Higher Order bit in the first Octet of Class C of the IP Classful Addressing
Scheme is _____________________
A. 110
B. 30
C. 111
D. 1111

KEY A
Justification
The higher order bit in the first Octet of Class C of the IP Classful Addressing Scheme
is 110 as shown in Option A. The other options are not true.
153. The Higher Order bit in the first Octet of Class D of the IP Classful Addressing
Scheme is ___________________
A. 9999
B. 111
C. 1110
D. 1111
KEY C
Justification
The higher order bit in the first Octet of Class D of the IP Classful Addressing Scheme
is 1110 as shown in Option C.
The other options are not true.
154. The Higher Order bit in the first Octet of Class E of the IP Classful Addressing
Scheme is ___________________
A. 9999
B. 1111
C. 1110
D. 1010
KEY B
Justification
The higher order bit in the first Octet of Class E of the IP Classful Addressing Scheme
is 1111 as shown in Option B.
The other options are not true.
155. The Network (N)/Host (H) id of Class A of the IP Classful Addressing Scheme is
__________________
A. N.H.H.H
B. H.N.N.N
C. N.N.H.H
D. H.H.N.N

KEY A
Justification
The Network (N)/Host (H) id of Class A of the IP Classful Addressing Scheme is
N.H.H.H as indicated in Option A.
The other options are not true.
156. The Network (N)/Host (H) id of Class B of the IP Classful Addressing Scheme is
_________________
A. H.N.N.N
B. N.H.H.H
C. H.H.N.N
D. N.N.H.H
KEY D
Justification
The Network (N)/Host (H) id of Class B of the IP Classful Addressing Scheme is
N.N.H.H as indicated in Option D.
The other options are not true.
157. The Network (N)/Host (H) id of Class C of the IP Classful Addressing Scheme is
_________________
A. H.H.H.N
B. N.N.N.H
C. N.H.H.H
D. H.H.N.N
KEY B
Justification
The Network (N)/Host (H) id of Class C of the IP Classful Addressing Scheme is
N.N.N.H as indicated in Option B.
The other options are not true.
158. The default sub-net mask of Class A of the IP Classful Addressing Scheme is
_________________
A. H.H.H.N
B. N.H.H.H

C. 255.255.0.0
D. 255.0.0.0
KEY D
Justification
The default sub-net mask of Class A of the IP Classful Addressing Scheme is 255.0.0.0
as indicated in Option D. The other options are not true.
159. The default sub-net mask of Class B of the IP Classful Addressing Scheme
is __________________
A. 255.255.0.0
B. H.H.H.N
C. N.H.H.H
D. 255.255.255.0
KEY A
Justification
The default sub-net mask of Class B of the IP Classful Addressing Scheme is
255.255.0.0 as indicated in Option A.
The other options are not true.
160. The default sub-net mask of Class C of the IP Classful Addressing Scheme is
_____________
A. 255.255.0.0
B. N.H.H.H
C. 255.255.255.0
D. 256.256.256.0
KEY C
Justification
The default sub-net mask of Class C of the IP Classful Addressing Scheme is
255.255.255.0 as indicated in Option C.
The other options are not true.
161. The number of networks that can be accommodated in Class A of the IP Classful
Addressing Scheme is __________________
A. 255

B. 1 million
C. 365
D. 126
KEY D
Justification
The number of networks that can be accommodated in Class A of the IP Classful
Addressing Scheme is 126 as indicated in Option D. The figures given in the other
options are not true.
162. The number of networks that can be accommodated in Class B of the IP Classful
Addressing Scheme is ____________
A. 16,382
B. 126
C. 1 million
D. 255
KEY A
Justification
The number of networks that can be accommodated in Class B of the IP Classful
Addressing Scheme is 16,382 as indicated in Option A. The figures given in the other
options are not true.
163. The number of networks that can be accommodated in Class C of the IP Classful
Addressing Scheme is _____________
A. 16382
B. 1 million
C. 20,97,150
D. 255
KEY C
Justification
The number of networks that can be accommodated in Class C of the IP Classful
Addressing Scheme is 20,97,150 as indicated in Option C. The figures given in the
other options are not true.

164. The number of hosts per network (usable addresses) that can be accommodated
in Class A of the IP Classful Addressing Scheme is ______________
A. (2^24 - 2) or 1,67,77,214
B. (2^10 - 2) or 1022
C. 126
D. 255
KEY A
Justification
The number of hosts per network that can be accommodated in Class A of the IP
Classful Addressing Scheme is (2^24 - 2) or 1,67,77,214 as indicated in Option A. The
figures given in the other options are not true.
165. The number of hosts per network (usable addresses) that can be accommodated
in Class B of the IP Classful Addressing Scheme is _____________
A. 126
B. 256
C. (2^24 - 2) or 1,67,77,214
D. (2^16 - 2) or 65,534
KEY D
Justification
The number of hosts per network that can be accommodated in Class B of the IP
Classful Addressing Scheme is (2^16 - 2) or 65,534 as indicated in Option D. The figures
given in the other options are not true.
166. The number of hosts per network (usable addresses) that can be accommodated
in Class C of the IP Classful Addressing Scheme is _______________
A. 126
B. (2^16 - 2) or 65,534
C. (2^8 - 2) or 254
D. (2^24 - 2) or 1,67,77,214
KEY C
Justification
The number of hosts per network that can be accommodated in Class C of the IP
Classful Addressing Scheme is (2^8 - 2) or 254 as indicated in Option C. The figures given
in the other options are not true.

167. In IP Addressing, Unicast addressing mode involves ______________
A. Sending of data only to one destined host
B. Sending of data universally to all hosts on a network
C. Sending of data to all hosts on all networks
D. Configuration disabling sending of data to all except one host
KEY A
Justification
Unicast addressing mode involves sending of data only to one destined host as
indicated in Option A. The information in the other options is not correct.
168. In IP Addressing, Broadcast addressing mode involves _______________
A. Sending of data to a single host on a network
B. Sending of data to all hosts on all networks
C. Addressing of data packets to all hosts in a network segment
D. Configuration disabling sending of data to individual hosts
KEY C
Justification
Broadcast addressing mode involves addressing of data packets to all hosts in a
network segment, as indicated in Option C. The information in the other options is not
correct.
169. In IP Addressing, Multicast addressing mode involves addressing of data packets
_________________
A. Sending of data to a single host on a network
B. to hosts at special addresses in a network segment
C. Sending of data to all hosts on all networks
D. Configuration disabling sending of data to individual hosts
KEY B
Justification
Multicast addressing mode involves addressing of data packets to hosts at special
addresses in a network segment, as indicated in Option B. The information in the other
options is not correct.

170. In IP Addressing scheme, which of the following class / classes are defined for
universal Unicast Addressing?
A. Classes C alone
B. Class D
C. Classes A, B & C
D. Class E
KEY C
Justification
Classes A, B and C are defined for Universal Unicast addressing as indicated in Option
C. The information in the other options is not correct.
171. In IP Addressing scheme, which of the following class / classes are reserved for
Multicasting?
A. Class D
B. Classes A & B alone
C. Class C
D. Class E
KEY A
Justification
Class D alone is reserved for Multicast addressing as indicated in Option A. The
information in the other options is not correct.
172. In IP Addressing scheme, which of the following class / classes are reserved for
Experimental purposes?
A. Class D
B. Class A
C. Class E
D. Classes B & C
KEY C
Justification
Class E alone is reserved for Experimental & research purposes as indicated in Option
C. The information in the other options is not correct.

173. Which class/classes of networks are reserved for government agencies & huge
companies?
A. Class D
B. Class E
C. Classes D & E
D. Class A
KEY D
Justification
Class A alone is reserved for Government agencies and huge companies as indicated
in Option D. The information in the other options is not correct.
174. A characteristic of a private address in an IP Network is _____________
A. Hosts within the same local network can use the same private address
B. Its IP address will be unique in the internet network as a whole
C. A user in Company A cannot have the same address as a user in Company B
D. Its IP address should not be from the three blocks created by IANA
KEY A
Justification
Multiple hosts within a specified network can use the same private address out of the
three blocks spelt out by IANA. Their individual addresses need not be unique in the
internet network as a whole; a user in one company can have the same IP address as
another user in another company. Hence, Option A alone is correct. The information in
the other options is not correct.
175. A characteristic of a public address in an IP Network is _____________
A. Hosts within the same local network cannot use the same public address
B. A user in Company A can have the same public address as a user in Company B
C. Its IP address will be unique in the internet network as a whole
D. Its IP address should be from the three blocks created by IANA
KEY C
Justification
A public address is exposed to the internet network & is unique. Multiple hosts within a
specified network cannot use the same public address. The public address should be
one which is not out of the three blocks spelt out by IANA for use as private addresses.
Hence, Option C alone is correct. The information in the other options is not correct.

176. The start address for private networks with Class A addressing is ____________
A. 10.0.0.0
B. 192.168.0.0
C. 100.100.100.0
D. 172.16.0.0
KEY A
Justification
The start address for private networks with Class A addressing is 10.0.0.0 as indicated
in Option A. The other options are not correct.
177. The start address for private networks with Class B addressing is ____________
A. 192.168.0.0
B. 100.100.100.0
C. 172.16.0.0
D. 10.10.0.0
KEY C
Justification
The start address for private networks with Class B addressing is 172.16.0.0 as
indicated in Option C. The other options are not correct.
178. The start address for private networks with Class C addressing is ____________
A. 192.168.0.0
B. 100.100.100.0
C. 172.16.0.0
D. 10.10.0.0
KEY A
Justification
The start address for private networks with Class C addressing is 192.168.0.0 as
indicated in Option A. The other options are not correct.
179. The finish address for private networks with Class A addressing is ____________
A. 999.999.999.000
B. 10.255.255.255

C. 172.31.255.255
D. 000.000.000.000
KEY B
Justification
The finish address for private networks with Class A addressing is 10.255.255.255 as
indicated in Option B. The other options are not correct.
180. The finish address for private networks with Class B addressing is ____________
A. 10.255.255.255
B. 000.000.000.000
C. 999.999.999.000
D. 172.31.255.255
KEY D
Justification
The finish address for private networks with Class B addressing is 172.31.255.255 as
indicated in Option D. The other options are not correct.
181. The finish address for private networks with Class C addressing is ____________
A. 192.168.255.255
B. 172.31.255.255
C. 101.255.255.255
D. 999.999.999.000
KEY A
Justification
The finish address for private networks with Class C addressing is 192.168.255.255 as
indicated in Option A. The other options are not correct.
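The classful rules of Questions 142 to 166 and the private ranges of Questions 176 to 181, applied in code so that any dotted-decimal address can be checked against them. This is an added example, not part of the manual; the function names (parse_ipv4, ipv4_class, analyse) are my own, the class test uses the high-order bits of the first octet exactly as Questions 150 to 154 state them, and the loopback flag follows Question 185.

```python
# Added example, not from the DISA manual: classful IPv4 analysis applying
# the rules in Questions 142-166 and 176-181. Function names are my own.


def parse_ipv4(text):
    """Split a dotted-decimal IPv4 string into four octets (0-255 each)."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets separated by dots: {text!r}")
    octets = []
    for p in parts:
        if not p.isdigit() or not 0 <= int(p) <= 255:
            raise ValueError(f"octet out of range 0-255: {p!r}")
        octets.append(int(p))
    return octets


def to_int(octets):
    """Pack four octets into one 32-bit integer."""
    n = 0
    for o in octets:
        n = (n << 8) | o
    return n


def to_dotted(n):
    """Render a 32-bit integer as dotted decimal."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def ipv4_class(first_octet):
    """Classify by the high-order bits of the first octet (Q150-154)."""
    if first_octet >> 7 == 0b0:
        return "A"          # 0xxxxxxx
    if first_octet >> 6 == 0b10:
        return "B"          # 10xxxxxx
    if first_octet >> 5 == 0b110:
        return "C"          # 110xxxxx
    if first_octet >> 4 == 0b1110:
        return "D"          # 1110xxxx, multicast (Q171)
    return "E"              # 1111xxxx, experimental (Q172)


# Default masks (Q158-160) and private start/finish addresses (Q176-181).
DEFAULT_MASK = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}
PRIVATE_BLOCK = {
    "A": ("10.0.0.0", "10.255.255.255"),
    "B": ("172.16.0.0", "172.31.255.255"),
    "C": ("192.168.0.0", "192.168.255.255"),
}


def is_private(addr, cls):
    """True if addr (32-bit int) lies inside the private block of its class."""
    block = PRIVATE_BLOCK.get(cls)
    if block is None:
        return False
    start, finish = (to_int(parse_ipv4(b)) for b in block)
    return start <= addr <= finish


def analyse(text):
    """Return the classful facts about one address as a dict."""
    octets = parse_ipv4(text)
    addr = to_int(octets)
    cls = ipv4_class(octets[0])
    info = {
        "address": text,
        "binary": ".".join(f"{o:08b}" for o in octets),
        "class": cls,
        "loopback": octets[0] == 127,        # 127.x.x.x, see Q185
    }
    if cls in DEFAULT_MASK:                   # unicast classes only (Q170)
        mask = to_int(parse_ipv4(DEFAULT_MASK[cls]))
        host_bits = 32 - bin(mask).count("1")
        info.update({
            "mask": DEFAULT_MASK[cls],
            # Network IP: host bits all zeros (Q142)
            "network": to_dotted(addr & mask),
            # Broadcast IP: host bits all ones (Q143)
            "broadcast": to_dotted(addr | (~mask & 0xFFFFFFFF)),
            # Usable hosts per network: 2^host_bits - 2 (Q164-166)
            "usable_hosts": 2 ** host_bits - 2,
            "private": is_private(addr, cls),
        })
    return info


if __name__ == "__main__":
    # Constructed sample addresses, one per class A to D.
    for sample in ("10.20.30.40", "172.20.5.9", "192.168.1.77", "224.0.0.1"):
        print(analyse(sample))
```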
182. Private IP addresses ___________
A. are translated into public IP addresses through IANA process
B. cannot be translated into public IP addresses using NAT process
C. are translated into public IP addresses through NAT process
D. are translated into public IP addresses through SMTP

KEY C
Justification
Private IP addresses are translated into public IP addresses through Network Address
Translation or NAT. Thus, multiple hosts with private IP addresses are enabled to access
external networks using one or two public IP addresses, as indicated by Option C above.
The other options are not correct.
183. Dynamic Host Control Protocol is a software _____________
A. That can de-link particular hosts from a network during congestion
B. That allows definition of a range of dynamic IP addresses
C. That allows definition of a range of static IP addresses
D. That regulates host access to a network depending upon priority
KEY B
Justification
Dynamic Host Control Protocol is software that allows definition of a range of dynamic
IP addresses for a specified period of time. Hence, Option B above is correct and the
other options are incorrect.
184. What is the IP network address of a default gateway?
A. 1.1.1.1
B. 255.255.255.255
C. 0.0.0.0
D. 255.255.255.000
KEY C
Justification
As indicated in Option C above, the IP network address for a default gateway is 0.0.0.0.
The other options are incorrect.
185. Which IP address is called a Loopback address?
A. 100.001.100.001
B. 121.0.0.121
C. 127.0.0.127
D. 127.0.0.1

KEY D
Justification
The Loopback address is 127.0.0.1 as indicated in Option D above. It is used to simplify
programme testing and troubleshooting. The other options are incorrect.
186. A Loopback address ______________
A. Is used to simplify programme testing and troubleshooting
B. Helps communicate with local host using local address
C. Facilitates getting acknowledgement for delivery of messages
D. Helps catalogue errors in communication for future use
KEY A
Justification
The Loopback address is used to simplify programme testing and troubleshooting. The
other options are incorrect. Hence, Option A above alone is correct.
187. Which one of the following is a non-reserved address in IP networks?
A. Broadcast address
B. Default gateway address
C. Loopback address
D. Dynamic IP addresses
KEY D
Justification
The Broadcast, Default gateway and Loopback addresses are all reserved addresses.
The Dynamic IP address is not a reserved address and allows hosts to be allotted
different IP addresses within a specified range. Hence, Option D above is alone correct.
188. A Subnet Mask _____________
A. Comprises 32 bits divided into 2 octets
B. Comprises 8 bits which are not divided further
C. Used for deriving network & host portions from an IP address
D. Comprises 16 bits which are divided into 2 octets
KEY C

Justification
A subnet mask comprises 32 bits divided into 4 octets. It is used for deriving network
and host portions from an IP address and helps minimize waste of IP addresses. The
information in Options A, B and D is erroneous. Hence, Option C above alone is correct.
189. IP version 6 ___________
A. Is a 64 bit addressing scheme
B. Is a 96 bit addressing scheme
C. Is a 160 bit addressing scheme
D. Is a 128 bit addressing scheme
KEY D
Justification
IP version 6 is a 128-bit version as against the 32-bit IP version 4. The information
in Options A to C is erroneous. Hence, Option D above alone is correct.
190. IP version 6 _____________
A. Can accommodate as many as 2^128 addresses
B. Can handle as many as 2^64 addresses
C. Can handle as many as 2^32 addresses
D. Can handle only 2^16 addresses
KEY A
Justification
As against IP version 4, IP version 6 is a 128-bit version which can thus accommodate as
many as 2^128 addresses. The information in Options B to D is erroneous. Hence, Option
A above alone is correct.
191. Migration from IP version 4 to IP version 6 ____________
A. Has not commenced in India yet; they are unwilling to do so
B. Is not possible until all devices are migrated globally
C. Has commenced in India under NASSCOM leadership
D. Is underway but many devices continue to be under version 4

KEY D

Justification
Migration from version 4 to version 6 is underway & India is one of the countries
undergoing the transition. The process is anchored by the Telecom Regulatory Authority
of India. Till complete migration takes place, it is possible to have both systems in
operation with appropriate mechanisms in place. Hence, Option D above alone is
correct.
192. IP version 6 is in the form of _____________
A. Heptadecimals
B. Decimals
C. Hexadecimals
D. Octodecimals
KEY C
Justification
As against IP version 4, IP version 6 is in Hexadecimal form. The information in Options
A, B and D is erroneous. Option C above alone is correct.
193. IP version 6 addresses are separated by _________________
A. Single Colons
B. Double Colons
C. Single Periods
D. Semi Colons
KEY A
Justification
As against IP version 4 which uses periods for separation, IP version 6 uses single
colons. The information in Options B to D is not correct. Option A above alone is
correct.
194. A Port forms a socket along with an IP address. It is composed of ___________
A. 8 bits
B. 32 bits
C. 16 bits
D. 64 bits
KEY C

Justification
A port comprises 16 bits. The information in Options A, B and D is not correct. Option C
above alone is correct.
195. The maximum number of ports possible per IP network address is
_______________
A. 2^16
B. 2^32
C. 2^64
D. 2^8
KEY A
Justification
A port comprises 16 bits & hence the maximum number of ports possible is 2^16. The
information in Options B to D is not correct. Option A above alone is correct.
196. Destination ports ______________
A. Are used to route packets from source to a destination host computer
B. Are used to route packets on a server to the appropriate network application
C. Are used only for HTTP traffic which are processed by a web server
D. Of numbers 0 to 1023 are used by vendors for proprietary applications
KEY B
Justification
Destination ports are used to route packets on a server to the appropriate network
application, as indicated in Option B. It is used for various purposes like HTTP, FTP &
SMTP traffic. The numbers used by vendors of proprietary applications are from 1024 to
49151. Hence, Option B above alone is correct.
197. Source ports ______________
A. Are assigned to clients & used for tracking user sessions
B. Are the ports through which data packets originate from the source
C. Are allocated numbers ranging from 49,152 to 68,568
D. Are allocated numbers ranging from 0 to 49,152
KEY A

Justification
Source ports are assigned to clients and used for tracking user sessions as indicated in
Option A. These can be any random number and no specific range is defined. Hence,
Option A above alone is correct.
198. Domain Name System ________________
A. Has the host name in binary & heptadecimal form
B. When it is in non-generic category, can be used by any person/organization
C. Envisages that both the host name & IP address are a must for communication
D. Is a distributed database with host name & IP address for all domains
KEY D
Justification
The Domain Name system is a distributed database with host name & IP address for all
domains, as indicated in Option D. It has the host name in normal English and the IP
address in decimal format (IP Version 4) or hexadecimal format (IP Version 6).
Only the generic category of domain names is available for use by any organization or
person for any use. It is possible for us, through the Domain Name system, to identify
the IP address, given the host name and vice versa. Hence, Option D above alone is
correct.
199. On Demand Computing _______________
A. Is less economical for users with volatility in quality/volume of computing needs
B. Is not an issue in terms of privacy or security
C. Envisages provision of computing resources on as-needed/when-needed basis
D. Is ideally suited for users who have consistent quality & volume of computing
needs
KEY C
Justification
On Demand Computing envisages provision of computing resources on as-
needed/when-needed basis & is best suited to users who have uncertain volume of
demand for computing services. It helps them minimise capital expenditure & hire
computing resources on need basis. The concept’s biggest concern is privacy and
security of data. Hence, Option C alone is correct.

200. Firewall _____________
A. Can be only software programme designed to secure networks
B. Protects systems/networks of systems from network-based security threats
C. Can be only hardware devices designed to secure networks
D. Needs to be installed well within the perimeter of the network
KEY B
Justification
Firewalls can be either software programmes or hardware devices designed to protect
systems/networks of systems from network-based security threats. For best results they
need to be installed at the entry point or perimeter of the network. Hence, only Option B
is correct.
201. Role of Firewall _________
A. Burns malicious programmes entering the network
B. Allows users free access to external network but blocks entry of suspect
programmes
C. Filters both in-bound and out-bound traffic from secured network
D. Blocks users from free access to external network but allows free entry from
external network
KEY C
Justification
Firewalls play the dual role of filtering in-bound and out-bound traffic from a secured
network. Only Option C above is correct.
202. The nature & scope of the Firewall depends upon ____________
A. The security policy laid down by the secured network’s organization
B. The rules laid down by TELNET protocol
C. Directives of the Internet Architecture Board (IAB)
D. Rules prescribed by the Internet Engineering Task Force (IETF)
KEY A
Justification
The nature & scope of Firewalls is determined by the security policy laid down by the
secured network’s organization. It will vary from organization to organization depending
upon their perception of the underlying risks, the economics of security software, etc.
None of the internet bodies prescribe any rules regarding the firewalls to be erected by
any organization. Hence, only Option A above is correct.
Primer on Information Technology, IS Infrastructure & Emerging Technologies
203. Firewall can filter _______________
A. Only incoming application software but not its data contents
B. Outgoing software but not block access to external networks
C. Incoming application software as well as its data contents
D. Only outgoing software but not its data contents
KEY C
Justification
A well designed firewall can inspect both incoming application traffic and the data it
carries for malicious content. For outgoing traffic, it can block access to undesirable or
risky sites and prevent sensitive data from being sent out of the network. Hence, only
Option C above is correct.
204. Firewalls can be configured _______________
A. Cannot be configured for maintaining logs or issuing alerts on firewall policy
B. Can be configured to maintain logs but not for issuing alerts on firewall policy
C. Can be configured to maintain logs and issue alerts on firewall policy
D. Can be configured to issue alerts but not for maintaining logs
KEY C
Justification
A well designed firewall can be configured both to maintain logs as well as issuing
alerts on firewall policy violations. Hence, only Option C above is correct.
205. Firewalls authenticate access ____________
A. Post establishment of connection
B. Prior to establishment of connection
C. Prior to establishment of connection &, thereafter, periodically during the session
D. Post establishment of connection &, thereafter, periodically during the session
KEY B
Justification
A robust firewall system will authenticate access prior to establishment of connection.
Once authenticated, the user will no longer be prompted for authentication.
Authentication post establishment of connection will not serve the purpose since
security of the system could have been compromised by then. Hence, only Option B
above is correct.
206. The Default Deny Access Control Policy _______________
A. Envisages denial of all traffic & selectively allowing certain traffic through the
firewall
B. Prescribes allowing all traffic & selectively denying certain traffic through the
firewall
C. Is frequently used for granting access from a trusted network to an external
systems
D. Is also called Discretionary Access Control Policy
KEY A
Justification
The Default Deny Access Control Policy denies all traffic by default and selectively allows
only specified traffic through the firewall. It is frequently used for granting access from
an un-trusted source to a protected system. This manual also terms it a Mandatory Access
Control Policy (in the wider access-control literature that term usually denotes label-based
enforcement by the operating system, so the two should not be confused). Hence, only
Option A above is correct.
207. The Allow All Access Control Policy _____________
A. Prescribes blocking of all traffic by default & allowing certain traffic alone
selectively through the firewall
B. Is frequently used for granting access from an un-trusted source to a protected
system
C. Envisages allowing of all traffic & selectively denying certain traffic through the
firewall
D. Is also called Mandatory Access Control Policy
KEY C
Justification
The Allow All Access Control Policy allows all traffic by default and selectively denies
only specified traffic through the firewall. It is frequently used for granting access from
a trusted network to external systems like the Internet. This manual also terms it a
Discretionary Access Control Policy (again a term that in access-control literature usually
means owner-controlled permissions rather than a firewall default). Because anything not
explicitly denied passes, it gives weaker protection than Default Deny. Hence, only Option
C above is correct.
208. Network Address Translation (NAT) ______________
A. Permits a single unique IP address to represent a group of computers & is now a
function of most firewalls by concealing the internal network
B. Permits multiple unique IP addresses to represent a group of computers & is now
a function of most firewalls
C. Provide firewall protection to systems behind the firewall by allowing connections
that originate both from systems inside of the firewall as well as outside the
firewall
D. Provide firewall protection to systems behind the firewall by transparently
showing the internal network
KEY A
Justification
NAT lets a network use one set of (private) addresses internally while presenting a single
public IP address to external networks. Because external hosts see only the translated
address, the internal addressing scheme is concealed, and an inbound packet that has no
entry in the translation table cannot be delivered to any internal host. NAT has therefore
become a standard function of firewall products, although on its own it is a translation
mechanism and not a substitute for filtering rules. Hence, only Option A above is correct.
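As an added worked example (not code from the manual), the translation table behind port address translation, the form of NAT most firewalls perform: each outbound flow gets a public port, replies are mapped back, and anything without a mapping is dropped, which is why the inside stays invisible. The public address 203.0.113.1, the internal hosts, the remote hosts and the port range are all constructed for the example.

```python
# Added example (not from the manual): port address translation at a firewall.
# All addresses and ports below are constructed for illustration.
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.1"   # constructed: the firewall's single public address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


Flow = Tuple[str, int, str, int]   # (internal ip, internal port, remote ip, remote port)


class Nat:
    """Maps each outbound flow to a public port and reverses the mapping on replies."""

    def __init__(self, first_port: int = 40000) -> None:
        self._next_port = count(first_port)
        self.by_flow: Dict[Flow, int] = {}
        self.by_port: Dict[int, Flow] = {}

    def outbound(self, pkt: Packet) -> Packet:
        # The internal source address and port are replaced by the public
        # address and an allocated port; the mapping is kept for the reply.
        flow: Flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:
            port = next(self._next_port)
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return replace(pkt, src=PUBLIC_IP, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Only a reply matching an existing mapping (same public port and the
        # same remote endpoint) is translated back. Anything else has no
        # internal destination and is dropped, so the inside stays invisible.
        if pkt.dst != PUBLIC_IP:
            return None
        flow = self.by_port.get(pkt.dport)
        if flow is None or (flow[2], flow[3]) != (pkt.src, pkt.sport):
            return None
        internal_ip, internal_port, _, _ = flow
        return replace(pkt, dst=internal_ip, dport=internal_port)


if __name__ == "__main__":
    nat = Nat()
    out = nat.outbound(Packet("10.0.0.5", 51000, "198.51.100.20", 80))
    print("outside sees:", out)
    print("reply goes to:", nat.inbound(Packet("198.51.100.20", 80, PUBLIC_IP, 40000)))
    print("unsolicited:", nat.inbound(Packet("192.0.2.66", 8080, PUBLIC_IP, 40001)))
```

The dropped unsolicited packet shows the protective side effect the question refers to; note that it is a side effect of having no mapping, not a policy decision, which is why a NAT device still needs filtering rules.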
209. A Network Based Firewall __________________
A. Is a device deployed within networks for restricting movement of selected traffic
types within the networks
B. Is a device deployed on a single host within a network, thus restricting
incoming/outgoing traffic for that host alone
C. Is a device deployed between networks for restricting movement of selected
traffic types from one network to another
D. Is a device deployed between networks for protecting the network linkages but
not the hosts on the network
KEY C
Justification
A Network based firewall, as stated in Option C above, is a device deployed between
networks for restricting movement of selected traffic types from one network to another.
It is not deployed on a single host within a network. Hence, only Option C above is
correct.
210. A Host Based Firewall ______________
A. Is a device deployed between networks for restricting movement of selected
traffic types from one network to another
B. Is a device deployed within networks for restricting movement of selected traffic
types within the networks
C. Is a device deployed between networks for protecting the network linkages but
not the hosts on the network
D. Is a device deployed on a single host within a network, thus restricting
incoming/outgoing traffic for that host alone
KEY D
Justification
A Host based firewall, as stated in Option D above, is a device deployed on a single
host within a network, thus restricting incoming/outgoing traffic for that host alone. It is
not deployed between networks or within an entire network for restricting movement of
selected traffic types. Hence, only Option D above is correct.
211. A Personal Firewall _____________
A. Controls traffic between a personal computer/workstation and the
Internet/enterprise network
B. Can be used only on home computers but not in the corporate environment
C. Is typically a piece of hardware installed on a personal computer at home
D. Assumes that inbound traffic can be permitted and outbound traffic has to be
inspected
KEY A
Justification
A Personal Firewall controls traffic between a personal computer or workstation on the
one side and the Internet / enterprise network on the other. It is normally a piece of
software and can be installed on a personal computer at home or even in a corporate
environment. It assumes that outbound traffic can be freely permitted and inbound
traffic has to be inspected & controlled. Hence, only Option A above is correct.
212. A Personal Firewall Appliance _______________
A. Envisages protection to a single computer through a hardware device installed on
it
B. Envisages protection to multiple computers & is housed on a router connected to
them
C. Is typically a hardware installed on a router which provides protection to a single
SOHO computer
D. Is typically built into the operating system of individual computers
KEY B
Justification
A Personal Firewall Appliance refers to housing of firewall functionality on the router
connected to multiple computers, generally in a SOHO environment. This is unlike the
normal personal firewall which tends to be installed in the computer’s operating system.
Hence, only Option B above is correct.
213. The Firewall term, Dual Homed ___________
A. Means two houses. It is a firewall system which serves two computers
B. Means two houses. It is a computer that has at least 2 computers with minimum 2
network interfaces, both of which are connected to insecure sides
C. Means a house with two doors. It is a computer that has at least 2 network
interfaces one connected to a secure side and the other to an unsecure side
D. Means a house with two doors. It is a computer that has at least 2 network
interfaces, both of which are connected to insecure sides
KEY C
Justification
The Firewall term, Dual Homed, means a house with two doors. It refers to a computer
that has at least 2 network interfaces with one connected to a secure side and the other
to an unsecure side. Hence, only Option C above is correct.
214. De-Militarized Zone (DMZ) ___________
A. Is the zone between computers which has firewalls on either side
B. Refers to the border between North & South Korea wherein no IT firewalls are
installed
C. Houses the IT components which do not require public access
D. Houses the IT components which require public access like mail server, etc.
KEY D
Justification
A DMZ is a separate network segment, placed between the external firewall/router and the
internal network, that houses the IT components which require public access, such as mail,
web and DNS servers, as pointed out in Option D. Placing them there ensures that the
compromise of a public-facing server does not give direct access to the internal network.
The answers in the other options are incorrect.
215. Bastion Hosts ___________
A. Are computer systems that have Hardened systems
B. Are Hardened systems that are not exposed to the Internet
C. Are Hardened systems having non-essential services installed on them
D. Allow free access to all hosts since they have Hardened systems anyway
KEY A
Justification
Bastion Hosts are hardened computer systems: they are exposed to the Internet and serve as
the main point of contact for internal network users, which makes them prime targets for
attack. Only essential services are installed on them, and they restrict access to specific
hosts alone. Hence, the answer in Option A is correct. The answers in the other options are
incorrect.
216. Bastion Hosts ______________
A. Cannot maintain detailed logs of all traffic
B. Are Hardened systems having non-essential services installed on them
C. Have each proxy independent of other proxies loaded on them
D. Allow free access to all hosts since they have Hardened systems anyway
KEY C
Justification
Bastion Hosts are hardened systems because they are exposed to the Internet, are the main
point of contact for internal network users and are therefore vulnerable to attack. Each
proxy loaded on a Bastion Host is independent of the other proxies, so a failure or
compromise of one proxy does not affect the others. A Bastion Host has only essential
services installed, restricts access to specific hosts alone and can maintain detailed logs
of all traffic. Hence, the answer in Option C is correct. The answers in the other options
are incorrect.
217. Packet Filtering Router Firewall ______________
A. Has no default parameter and drops any traffic whose header does not match
firewall rules
B. Is deployed on a router within a private network
C. Matches the header content with the firewall rules to allow or block traffic
D. Is deployed on a router within a public network
KEY C
Justification
A Packet Filtering Router Firewall is deployed on a screening router between a private and
a public network. It compares the header fields of each packet (source and destination
address, protocol, source and destination port) with the firewall rules in order. If a
permitting rule matches, the packet is allowed; if a blocking rule matches, the packet is
dropped; if no rule matches, the router applies its default parameter (default deny or
allow all). Hence, the answer in Option C is correct. The answers in the other options are
incorrect.
218. Packet Filtering Router Firewall _______________
A. Works at the Internet layer of the TCP/IP model
B. Works at the Internet Layer of the OSI model
C. Is deployed on a router within a private network
D. Is deployed on a router within a public network
KEY A
Justification
A Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model, which
corresponds to the Network layer of the OSI model (the OSI model has no "Internet layer",
so Option B is wrong). It is deployed on a screening router between a private and a public
network, not within either, and decides on each packet by matching its header fields
against the firewall rules, falling back to the default parameter when no rule matches.
Hence, the answer in Option A is correct. The answers in the other options are incorrect.
219. Packet Filtering Router Firewall ______________
A. Works at the Network Layer of the TCP/IP model
B. Works at the Network Layer of the OSI model
C. Has two main weaknesses speed and flexibility
D. Is one of the simplest but most expensive of firewalls
KEY B
Justification
A Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model, i.e. the
Network layer of the OSI model. It is a very simple and relatively inexpensive firewall, and
speed and flexibility are its strengths, not its weaknesses. It is deployed on a screening
router between a private and a public network and allows or blocks each packet by matching
its header fields against the firewall rules, applying the default parameter when no rule
matches. Hence, the answer in Option B is correct. The answers in the other options are
incorrect.
220. Packet Filtering Router Firewall ______________
A. Mostly does not support advanced user authentication schemes
B. Works at the Network Layer of the TCP/IP model
C. Has two main weaknesses speed and flexibility
D. Have high impact on network performance
KEY A
Justification
A Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or the
Network layer of the OSI model. It is a very simple and relatively inexpensive firewall; its
strengths lie in its speed and flexibility and its low impact on network performance. One
major drawback of this type of firewall is that, because it sees only packet headers, it
does not support most advanced user authentication schemes. Hence, the answer in Option A
is correct. The answers in the other options are incorrect.
221. Packet Filtering Route Firewalls _______________
A. Have the advantage of ease of defining access criteria as also configuration
B. Has two main weaknesses speed and flexibility
C. Are ideal for high speed environments where logging & user authentication is not
important
D. Have high impact on network performance
KEY C
Justification
Packet Filtering Router Firewalls are ideal for high speed environments where logging and
user authentication are not important. Their major drawbacks are that they do not support
most advanced user authentication schemes and that defining and maintaining the access
rules correctly is difficult and error-prone, so Option A is wrong. They work at the
Internet layer of the TCP/IP model or the Network layer of the OSI model, are very simple
and relatively inexpensive, and their strengths lie in their speed, flexibility and low
impact on network performance. Hence, the answer in Option C is correct. The answers in the
other options are incorrect.
222. Packet Filtering Route Firewalls _____________
A. Are not vulnerable to IP Address spoofing attack
B. Are not vulnerable to Source Routing attack
C. Are not very costly & have low impact on network performance
D. Have the advantage of ease of defining access criteria as also configuration
KEY C
Justification
A Packet Filtering Router Firewall works at the Internet layer of the TCP/IP model or the
Network layer of the OSI model. It is a very simple and relatively inexpensive firewall
with low impact on network performance. Because it trusts the addresses carried in the
packet header, it is vulnerable to IP Address spoofing attacks (an outside packet forging
an internal source address to match a permitting rule) and to Source Routing attacks (a
packet specifying its own route so as to bypass the intended path); defining the access
rules correctly is also not easy. Hence, the answer in Option C is correct. The answers in
the other options are incorrect.
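As an added worked example that is not part of the manual, the rule-matching logic described for packet filtering in Questions 217 to 222, combined with the Default Deny and Allow All policies of Questions 206 and 207: header fields are compared with the rules in order, the first match decides, and the default policy applies when nothing matches. An anti-spoofing rule shows the usual mitigation for the IP address spoofing weakness of Question 222. The network 192.0.2.0/24, the interface names "ext" and "int", and the rule set are constructed for the example.

```python
# Added example (not from the manual): a minimal packet-filtering rule engine.
# Network, interfaces and rules are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ANY = "0.0.0.0/0"   # CIDR that matches every IPv4 address


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on: "ext" or "int"
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    iface: Optional[str] = None   # None matches either interface
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        # Only header fields are examined; the packet payload is never seen.
        return ((self.iface is None or self.iface == pkt.iface)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def filter_packet(pkt: Packet, rules: List[Rule], default: str) -> str:
    """First matching rule wins; if no rule matches, the default policy
    ("deny" for Default Deny, "allow" for Allow All) decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


INTERNAL = "192.0.2.0/24"   # constructed protected network

RULES = [
    # Anti-spoofing: a packet claiming an internal source cannot arrive on
    # the external interface, so drop it before any allow rule can match.
    Rule("deny", iface="ext", src=INTERNAL),
    # Internal hosts may initiate traffic outwards.
    Rule("allow", iface="int", src=INTERNAL),
    # Public services: mail and web only.
    Rule("allow", iface="ext", dst="192.0.2.25/32", proto="tcp", dport=25),
    Rule("allow", iface="ext", dst="192.0.2.80/32", proto="tcp", dport=80),
    # Explicitly block telnet to anything inside.
    Rule("deny", iface="ext", dst=INTERNAL, proto="tcp", dport=23),
]

if __name__ == "__main__":
    unlisted = Packet("ext", "198.51.100.7", "192.0.2.10", "tcp", 3389)
    spoofed = Packet("ext", "192.0.2.5", "192.0.2.10", "tcp", 445)
    print("unlisted, default deny:", filter_packet(unlisted, RULES, "deny"))
    print("unlisted, allow all   :", filter_packet(unlisted, RULES, "allow"))
    print("spoofed internal src  :", filter_packet(spoofed, RULES, "allow"))
```

The same rule set yields opposite verdicts for the unlisted RDP packet under the two default policies, which is the whole difference between Default Deny and Allow All; the anti-spoofing rule works only because it is ordered before the rule trusting internal sources.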
223. What are Stateful Inspection Packet Filtering Firewall ______________
A. They ignore current connection while allowing traffic to pass through
B. They are packet filters that incorporate added awareness of OSI model data
C. They possess packet characteristics but ignore session status
D. They are less secure than Packet Filtering Router Firewall
KEY B
Justification
Stateful Inspection Packet Filtering Firewalls are packet filters (like Packet Filtering
Router Firewalls) but incorporate added awareness of data at higher layers of the OSI
model, in particular transport-layer session information. They keep track of the current
connection to ensure that only permitted traffic is allowed to pass, checking both packet
characteristics and session status to make sure that a specific session is allowed. They
are more secure than plain packet filters because they track each client port individually,
admitting an inbound packet only if it belongs to a connection already opened from inside,
rather than opening all 'high numbered ports' to external access. Hence, the answer in
Option B is correct. The answers in the other options are incorrect.
224. Stateful Inspection Packet Filtering Firewall ____________
A. They possess packet characteristics but ignore session status
B. They are less secure than Packet Filtering Router Firewall
C. Uses a ‘State Table’ to validate inbound traffic
D. They ignore current connection while allowing traffic to pass through
KEY C
Justification
Stateful Inspection Packet Filtering Firewalls are packet filters that keep a 'State Table'
of the connections currently open through them. Each outbound connection request adds an
entry (source and destination address and port); an inbound packet is validated against the
table and admitted only if it matches an existing entry, and entries are removed when the
session closes or times out. This is why they are more secure than plain packet filters:
client ports are tracked individually instead of all 'high numbered ports' being opened for
external access. Hence, the answer in Option C is correct. The answers in the other options
are incorrect.
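As an added worked example (not from the manual), the state table of Questions 223 and 224: sessions opened from the inside are recorded, an inbound packet is admitted only when it reverses a recorded session, and the stateless alternative that has to open every high-numbered port is shown beside it. Addresses, ports and packets are constructed for the example; a real implementation also tracks the full TCP handshake, sequence numbers and idle timeouts.

```python
# Added example (not from the manual): a stateful packet filter with a state
# table of TCP sessions opened from the inside. Addresses and ports are
# constructed for illustration.
from dataclasses import dataclass
from typing import Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # connection request
    fin: bool = False   # connection close


Session = Tuple[str, int, str, int]   # (client, client port, server, server port)


class StatefulFilter:
    def __init__(self) -> None:
        self.state: Set[Session] = set()   # the state table

    def outbound(self, pkt: Packet) -> str:
        # Internal clients may open connections: a SYN adds an entry and a FIN
        # removes it, so the client port is not left reachable afterwards.
        session: Session = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:
            self.state.add(session)
        elif pkt.fin:
            self.state.discard(session)
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        # Admit an inbound packet only if it is the reverse direction of a
        # recorded session; unsolicited packets are dropped even when they
        # target a high-numbered client port.
        session: Session = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if session not in self.state:
            return "deny"
        if pkt.fin:
            self.state.discard(session)
        return "allow"


def stateless_inbound(pkt: Packet) -> str:
    """The plain packet-filter alternative: replies arrive at ephemeral client
    ports, so the only stateless way to let them in is to open every port above
    1023, which also admits unsolicited traffic to those ports."""
    return "allow" if pkt.dport >= 1024 else "deny"


if __name__ == "__main__":
    fw = StatefulFilter()
    fw.outbound(Packet("10.0.0.5", 51000, "203.0.113.80", 443, syn=True))
    reply = Packet("203.0.113.80", 443, "10.0.0.5", 51000)
    probe = Packet("198.51.100.9", 4444, "10.0.0.5", 51000)
    print("reply    stateful:", fw.inbound(reply), " stateless:", stateless_inbound(reply))
    print("probe    stateful:", fw.inbound(probe), " stateless:", stateless_inbound(probe))
```

The probe from 198.51.100.9 is the case the manual has in mind: a stateless filter cannot tell it from the legitimate reply because both arrive at port 51000, while the state table rejects it because no session with that remote endpoint was ever opened.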
225. Circuit Level Gateways ____________
A. Used when internal users cannot be trusted to decide what external devices to
access
B. Validate connections before data is exchanged
C. Filter individual packets of data which pass through them
D. They do not hide information about the network they protect
KEY B
Justification
Circuit Level Gateways validate connections before data is exchanged. They do not
filter individual packets of data which pass through them; instead they merely decide
which connections can be allowed. They do have the advantage of hiding information
about the private network they protect. Hence, they are used when internal users can
be trusted to decide what external devices to access. Hence, answer in Option B is
correct. The answers in the other options are incorrect.
226. Circuit Level Gateways ____________
A. Function at the Session layer of the OSI
B. Are relatively expensive in usage
C. Filter individual packets of data which pass through them
D. Scrutinize the application-level content of packets relayed through them
KEY A
Justification
Circuit Level Gateways operate at the Session layer of the OSI model and validate
connections before data is exchanged. They neither examine the application-level content
nor filter the individual packets that pass through them; they merely decide which
connections may be established and then relay the traffic. This makes them relatively
inexpensive in operation. They have the advantage of hiding information about the private
network they protect, and they are used when internal users can be trusted to decide what
external devices to access. Hence, the answer in Option A is correct. The answers in the
other options are incorrect.
227. What is a characteristic of Application Level Gateway Firewall ?
A. It is not operated on hardened operating systems
B. Like Circuit level gateways, it ignores the content of traffic
C. It functions at the Application layer of the OSI
D. It authenticates devices and not individuals
KEY C
Justification
Application Level Gateways operate at the Application layer of the OSI model. They are
similar to Circuit level gateways except that they are application specific and inspect
the content of the application traffic. They have the advantage of authenticating
individuals rather than devices, and they are run on hardened operating systems. Hence,
the answer in Option C is correct. The answers in the other options are incorrect.
228. Application Level Gateway Firewalls ______________
A. It is not operated on hardened operating systems
B. Are implemented on hardened operating systems
C. Cannot control access based upon content or source address
D. Will result in compromising the entire network in the event of a break-in
KEY B
Justification
Application Level Gateways operate at the Application layer of the OSI model. They are
similar to Circuit level gateways except that they are application specific and inspect
the content of the application traffic. Among other things, they can control access based
upon content as well as source address, and they authenticate individuals rather than
devices. They are implemented on hardened operating systems, so that a break-in compromises
only the firewall and not the entire network. Hence, the answer in Option B is correct. The
answers in the other options are incorrect.
229. Application Level Gateway Firewalls ____________
A. Are process intensive & can cause performance issues
B. Are not vulnerable to bugs in the running application / operating system
C. Cannot provide auditing & logging functions for future review
D. Will result in compromising the entire network in the event of a break-in
KEY A
Justification
Application Level Gateways operate at the Application layer of the OSI model. They are
similar to Circuit level gateways except that they are application specific and inspect
the content of the application traffic. Among other things, they can control access based
upon content as well as source address, authenticate individuals rather than devices and
run on hardened operating systems, so that a break-in compromises only the firewall and not
the entire network. Their drawbacks are vulnerability to bugs in the running application /
operating system and performance issues arising from their process intensive nature. Hence,
the answer in Option A is correct. The answers in the other options are incorrect.
230. Application Level Gateway Firewalls ______________
A. Are not vulnerable to bugs in the running application / operating system
B. Cannot provide auditing & logging functions for future review
C. Will not result in compromising the entire network in the event of a break-in
D. Are less secure than Packet Filters and Stateful Inspection Firewalls
KEY C
Justification
Any break-in will only compromise the firewall and not the entire network in the case of
Application Level Gateway firewalls. They can provide auditing and logging functions.
They are more secure than Packet Filters and Stateful Inspection Firewalls. Their
drawbacks include vulnerability to bugs in the running application / operating system as
also performance issues arising out of process intensive nature. Hence, answer in
Option C is correct. The answers in the other options are incorrect.
231. One of the major drawbacks of Application Level Gateway Firewalls is
_____________
A. Compromise the entire network in the event of a break-in
B. Cannot provide auditing & logging functions for future review
C. Are less secure than Packet Filters and Stateful Inspection Firewalls
D. They are process intensive & cause performance issues
KEY D
Justification
Application level gateway firewalls are process intensive and cause performance
issues. However, any break-in will only compromise the firewall and not the entire
network in the case of Application Level Gateway firewalls. They can provide auditing
and logging functions. They are more secure than Packet Filters and Stateful Inspection
Firewalls. Hence, answer in Option D is correct. The answers in the other options are
incorrect.
232. One of the major drawbacks of Application Level Gateway Firewalls is ______________
A. Compromise the entire network in the event of a break-in
B. They are vulnerable to bugs in the running application & operating system
C. Cannot provide auditing & logging functions for future review
D. Are less secure than Packet Filters and Stateful Inspection Firewalls
KEY B
Justification
Application level gateway firewalls are vulnerable to bugs in the application they proxy
and in the operating system they run on, since the proxy itself processes every request;
a hardened operating system and prompt patching are the usual mitigations. They are also
process intensive and cause performance issues. However, any break-in will only compromise
the firewall and not the entire network, they can provide auditing and logging functions,
and they are more secure than Packet Filters and Stateful Inspection Firewalls. Hence, the
answer in Option B is correct. The answers in the other options are incorrect.
233. Application Level Gateway Firewalls _____________
A. Are also called proxies & are similar to circuit-level gateways but application-
specific
B. Compromise the entire network in the event of a break-in
C. Cannot provide auditing & logging functions for future review
D. Are less secure than Packet Filters and Stateful Inspection Firewalls
KEY A
Justification
Application level gateway firewalls are also called proxies and are similar to circuit-level
gateways. However, they are application-specific & monitor the contents of applications
before allowing traffic. However, any break-in will only compromise the firewall and not
the entire network in the case of Application Level Gateway firewalls. They can provide
auditing and logging functions. They are more secure than Packet Filters and Stateful
Inspection Firewalls. Hence, answer in Option A is correct. The answers in the other
options are incorrect.
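As an added worked example (not code from the manual), a minimal application-level gateway decision for HTTP covering the properties listed in Questions 227 to 233: the proxy parses the request itself, checks the source address, authenticates the user rather than the device, applies a content rule in both directions and writes an audit record for every decision. The credential store, host allowlist, trusted source range and sample requests are all constructed for the example.

```python
# Added example (not from the manual): an application-level gateway (proxy)
# deciding on HTTP requests. Credentials, hosts and addresses are constructed.
import base64
import hmac
import re
from typing import Dict, List, Optional, Tuple

USERS = {"asha": "s3cret"}                      # constructed credential store
ALLOWED_HOSTS = {"intranet.example", "www.example.org"}
ALLOWED_METHODS = {"GET", "POST"}
TRUSTED_SOURCES = ("10.0.0.",)                  # constructed internal range
AUDIT_LOG: List[str] = []                       # the auditing/logging function

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def build_request(method: str, target: str, host: str, user: Optional[str] = None,
                  password: Optional[str] = None, body: str = "") -> str:
    """Assemble a raw HTTP/1.1 request (constructed input for the example)."""
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}"]
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n" + body


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Unlike a packet filter, the gateway parses the application protocol."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("malformed request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers, body


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Authenticate the individual (Basic auth), not the device."""
    auth = headers.get("proxy-authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    return user


def _record(source: str, user: str, target: str, verdict: str) -> str:
    AUDIT_LOG.append(f"src={source} user={user} target={target} verdict={verdict}")
    return verdict


def proxy_decision(source_ip: str, raw_request: str) -> str:
    """Return "allow" or "deny: <reason>", logging every decision."""
    try:
        method, target, headers, body = parse_request(raw_request)
    except ValueError as exc:
        return _record(source_ip, "-", "-", f"deny: {exc}")
    if not source_ip.startswith(TRUSTED_SOURCES):          # source address control
        return _record(source_ip, "-", target, "deny: untrusted source address")
    user = authenticate(headers)
    if user is None:
        return _record(source_ip, "-", target, "deny: authentication required")
    if method not in ALLOWED_METHODS:
        return _record(source_ip, user, target, "deny: method not permitted")
    if headers.get("host", "") not in ALLOWED_HOSTS:       # content-based control
        return _record(source_ip, user, target, "deny: host not permitted")
    if "CONFIDENTIAL" in body:                              # outbound data check
        return _record(source_ip, user, target, "deny: sensitive content")
    return _record(source_ip, user, target, "allow")


if __name__ == "__main__":
    ok = build_request("GET", "/index.html", "intranet.example", "asha", "s3cret")
    print(proxy_decision("10.0.0.5", ok))
    print(proxy_decision("10.0.0.5", build_request("GET", "/", "intranet.example")))
    print("\n".join(AUDIT_LOG))
```

Every branch runs in the proxy process on the gateway host, which is exactly why the manual lists process intensity and exposure to bugs in the proxied application as the drawbacks of this design.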
234. Single Homed Firewalls ______________
A. Bypass the Packet Filtering router & allow packets directly to the proxy server
B. Have increased traffic and load on the proxy server despite the Packet Filtering
router
C. Combines the Packet Filtering router with a separate, dedicated firewall
D. Screen only for applications and not content, making them more vulnerable
KEY C
Justification
Single Homed Firewalls (the screened host, single-homed bastion configuration) combine the
Packet Filtering router with a separate, dedicated firewall: a bastion host running proxy
servers. Traffic passes through the Packet Filtering router first before reaching the proxy
server, which reduces the traffic and the load on the proxy server. They screen both for
applications as well as content. Hence, the answer in Option C is correct. The answers in
the other options are incorrect.
235. One Single Homed Firewalls characteristic is that ____________
A. They screen only for applications and not content, making them more vulnerable
B. They do not allow traffic to flow directly between the internet and other hosts on
the private network
C. Have increased traffic and load on the proxy server despite the Packet Filtering
router.
D. They ensure greater security than a packet filtering router or application level
gateway firewall alone
KEY D
Justification
Single Homed Firewalls combine the Packet Filtering router with a separate dedicated
firewall called a Bastion proxy server. The system envisages traffic passing through the
Packet Filtering router first before crossing the proxy server. This reduces the traffic
and the load on the proxy server. They screen both for applications as well as content.
They are considered to be more secure than a packet filtering router or application level
gateway firewall alone. A disadvantage is that traffic can flow directly between the
internet and other hosts on the network if the packet filtering firewall is compromised.
Hence, answer in Option D is correct. The answers in the other options are incorrect.
236. An advantage of a Single Homed Firewall is _______________
A. It screens only for applications and not content
B. It allows traffic to flow directly between the internet and other hosts on the private
network if the packet filtering router is compromised
C. An intruder has to penetrate two systems before security of internal network is
compromised
D. It has increased traffic and load on the proxy server despite the Packet Filtering
router
KEY C
Justification
Single Homed Firewalls combine the Packet Filtering router with a separate dedicated
firewall called a Bastion proxy server. The system envisages traffic passing through the
Packet Filtering router first before crossing the proxy server. This reduces the traffic
and the load on the proxy server. Also, an intruder has to penetrate two systems before
security of internal network is compromised. They screen both for applications as well
as content. They are considered to be more secure than a packet filtering router or
application level gateway firewall alone. A disadvantage is that traffic can flow directly
between the internet and other hosts on the network if the packet filtering firewall is
compromised. Hence, answer in Option C is correct. The answers in the other options
are incorrect.
237. A Dual Homed Host Firewall is different from Single Homed Firewall in that
____________
A. It has two NICs one connected to the external & the other connected to the
internal network
B. It screens only for applications and not content
C. It does not allow traffic to flow directly between the internet and other hosts on
the private network if the packet filtering router is compromised
D. It has increased traffic and load on the proxy server despite the Packet Filtering
router
KEY A
Justification
Both configurations combine a Packet Filtering router with a bastion host running proxy
servers, screen for applications as well as content, and require an intruder to penetrate
two systems before the internal network is compromised. The defining difference is that in
the Dual Homed Host configuration the bastion host has two NICs, one connected to the
external network and the other to the internal network, so that all traffic must physically
pass through the bastion host. In the Single Homed configuration the bastion host sits on
the internal network with one NIC, so if the packet filtering router is compromised traffic
can flow directly between the Internet and other hosts on the private network; the dual
homed design removes that path, which is a consequence of the two-NIC structure stated in
Option A rather than a separate feature. Hence, Option A is the answer.
238. Screened Subnet Firewalls with DMZ ___________
A. Has four packet filtering routers, two each between bastion host/internet &
bastion host/internal network
B. Screens only the applications but not the content, making their networks more
vulnerable to attack
C. Are the best configuration for most secure environment
D. The private network is not invisible to the internet / unsecured network
KEY C
Justification
Screened Subnet firewalls are the best configuration for most secure environment. They
have two packet filtering routers, one each between the bastion host & internet and
between bastion host & internal network. They screen both for application as well as
content. Since the outside router advertises the DMZ to the external network or Internet,
the internal private network becomes invisible to it. Hence, answer in Option C is
correct. The answers in the other options are incorrect.
239. Screened Subnet Firewalls with DMZ ______________
A. Have two packet filtering routers, one each between bastion host/internet &
bastion host/internal network
B. Are vulnerable in that Internet systems can see through the DMZ into the internal
private network & initiate attacks
C. Permit internal users’ risky behaviour of bypassing the proxy server on the
bastion system to access the Internet directly
D. Are the least robust of firewall systems, providing limited security to internal
network systems
KEY A
Justification
Screened Subnet firewalls are the best configuration for the most secure environment. They
have two packet filtering routers, one each between the bastion host & internet and
between bastion host & internal network. They screen both applications and
content. Since the outside router advertises the DMZ to the external network or Internet,
the internal private network becomes invisible to it. Similarly, the internal user is forced
to go through the proxy server on the bastion system to access the Internet, minimizing
risky behaviour. Hence, answer in Option A is correct. The answers in the other options
are incorrect.
240. Screened Subnet Firewalls with DMZ ______________
A. Have four packet filtering routers, two each between bastion host/internet &
bastion host/internal network
B. Are robust in that Internet systems cannot see through the DMZ into the internal
private network & initiate attacks
C. Are the least robust of firewall systems, providing limited security to internal
network systems
D. Permit internal users’ risky behaviour of bypassing the proxy server on the
bastion system to access the Internet directly
KEY B
Justification
Screened Subnet firewalls are the best configuration for the most secure environment. They
have two packet filtering routers, one each between the bastion host & internet and
between bastion host & internal network. They screen both applications and
content. Since the outside router advertises the DMZ to the external network or Internet,
the internal private network becomes invisible to it. Similarly, the internal user is forced
to go through the proxy server on the bastion system to access the Internet, minimizing
risky behaviour. Hence, answer in Option B is correct. The answers in the other options
are incorrect.
241. Screened Subnet Firewalls with DMZ _______________
A. Are vulnerable in that Internet systems can see through the DMZ into the internal
private network & initiate attacks
B. Ensure that internal users access the Internet via the proxy services residing on
the bastion host
C. Have four packet filtering routers, two each between bastion host/internet &
bastion host/internal network
D. Are the least robust of firewall systems, providing limited security to internal
network systems
KEY B
Justification
Screened Subnet firewalls are the best configuration for the most secure environment. They
have two packet filtering routers, one each between the bastion host & internet and
between bastion host & internal network. They screen both applications and
content. Since the outside router advertises the DMZ to the external network or Internet,
the internal private network becomes invisible to it. Similarly, the internal user is forced
to go through the proxy server on the bastion system to access the Internet, minimizing
risky behaviour. Hence, answer in Option B is correct. The answers in the other options
are incorrect.
242. Screened Subnet Firewalls with DMZ ___________
A. Are the least robust of firewall systems, providing limited security to internal
network systems
B. Have four packet filtering routers, two each between bastion host/internet &
bastion host/internal network
C. Will need a Network Address Translator (NAT) to be installed on the bastion host
to eliminate the need to re-number or re-subnet the private network
D. Are vulnerable in that Internet systems can see through the DMZ into the internal
private network & initiate attacks
KEY C
Justification
Screened Subnet firewalls are the best configuration for the most secure environment. They
have two packet filtering routers, one each between the bastion host & internet and
between bastion host & internal network. They screen both applications and
content. Since the outside router advertises the DMZ to the external network or Internet,
the internal private network becomes invisible to it. Similarly, the internal user is forced
to go through the proxy server on the bastion system to access the Internet, minimizing
risky behaviour. Since the DMZ network is different from the private network, a NAT can
be installed on the bastion host to eliminate the need to re-number or re-subnet the
private network. Hence, answer in Option C is correct. The answers in the other options
are incorrect.
243. In general, Firewalls ____________
A. Can enforce password policy and prevent misuse of passwords
B. Are very effective against non-technical security risks such as social engineering
C. Can block internal users from accessing websites with malicious codes
D. Cannot prevent users or attackers with modems from dialling into or out of the
internal network, bypassing the firewall
KEY D
Justification
Firewalls have quite a few limitations. They cannot prevent users or attackers with
modems from dialling into or out of the internal network. They cannot enforce password
policy or prevent misuse of passwords. They are not very effective against non-
technical security risks like social engineering. They cannot, also, block internal users
from accessing websites with malicious codes. Hence, answer in Option D is correct.
The answers in the other options are incorrect.
244. In general, Firewalls _________
A. Cannot enforce password policy and prevent misuse of passwords
B. Can prevent users or attackers with modems from dialling into or out of the
internal network, bypassing the firewall
C. Can provide complete protection against viruses
D. Can block internal users from accessing websites with malicious codes
KEY A
Justification
Firewalls have quite a few limitations. They cannot enforce password policy or prevent
misuse of passwords. They cannot prevent users or attackers with modems from
dialling into or out of the internal network. They are not very effective against
non-technical security risks like social engineering. They cannot provide complete
protection against viruses. They cannot, also, block internal users from accessing
websites with malicious codes. Hence, answer in Option A is correct. The answers in
the other options are incorrect.
245. In general, Firewalls __________
A. Can enforce password policy and prevent misuse of passwords
B. Can prevent users or attackers with modems from dialling into or out of the
internal network, bypassing the firewall
C. Cannot provide complete protection against viruses
D. Can block internal users from accessing websites with malicious codes
KEY C
Justification
Firewalls have quite a few limitations. They cannot provide complete protection against
viruses. They cannot enforce password policy or prevent misuse of passwords. They
cannot prevent users or attackers with modems from dialling into or out of the internal
network. They are not very effective against non-technical security risks like social
engineering. They cannot, also, block internal users from accessing websites with
malicious codes. Hence, answer in Option C is correct. The answers in the other options
are incorrect.
246. Appliance based firewall ___________
A. Is a firewall software installed on top of commercial operating systems
B. Is less secure than those deployed on top of commercial operating systems
C. Is scalable depending upon changing requirements of business
D. Refers to appliances with firewall software embedded as firmware
KEY D
Justification
Appliance based Firewalls refer to appliances with firewall software embedded as
firmware. They are more secure than those deployed on top of commercial operating
systems since the latter are more vulnerable. Their major drawback is the limitation on
scalability. Hence, answer in Option D is correct. The answers in the other options are
incorrect.
247. Appliance based firewall ______________
A. Does not include appliances with firewall software embedded as firmware
B. Is more secure than those deployed on top of commercial operating systems
C. Is a firewall software installed on top of commercial operating systems
D. Are scalable depending upon changing requirements of business
KEY B
Justification
Appliance based Firewalls refer to appliances with firewall software embedded as
firmware. They are more secure than those deployed on top of commercial operating
systems since the latter are more vulnerable. Their major drawback is the limitation on
scalability. Hence, answer in Option B is correct. The answers in the other options are
incorrect.
248. Appliance based firewall __________
A. Is less secure than those deployed on top of commercial operating systems
B. Does not include appliances with firewall software embedded as firmware
C. Suffers from scalability issues & inability to meet changed environmental needs
D. Is a firewall software installed on top of commercial operating systems
KEY C
Justification
Appliance based Firewalls refer to appliances with firewall software embedded as
firmware. They are more secure than those deployed on top of commercial operating
systems since the latter are more vulnerable. Their major drawback is the limitation on
scalability. Hence, answer in Option C is correct. The answers in the other options are
incorrect.
249. Software Based Firewall __________
A. Suffers from scalability issues & inability to meet changed environmental needs
B. Is deployed on top of commercial operating systems
C. Is more secure than those deployed on top of commercial operating systems
D. Includes appliances with firewall software embedded as firmware
KEY B
Justification
Software based firewalls are deployed on top of commercial operating systems. They
are less secure than Appliance based Firewalls in view of the vulnerability of the
operating system itself. Their major advantage, however, is scalability in the face of
changes in the environment. They exclude appliances with firewall software embedded
as firmware. Hence, answer in Option B is correct. The answers in the other options are
incorrect.
250. Software Based Firewall ____________
A. Enjoys the major advantage of scalability in the face of changed environment
B. Is never deployed on top of commercial operating systems
C. Is more secure than those deployed on top of commercial operating systems
D. Includes appliances with firewall software embedded as firmware
KEY A
Justification
Software based firewalls are deployed on top of commercial operating systems. They
are less secure than Appliance based Firewalls in view of the vulnerability of the
operating system itself. Their major advantage, however, is scalability in the face of
changes in the environment. They exclude appliances with firewall software embedded
as firmware. Hence, answer in Option A is correct. The answers in the other options are
incorrect.
251. Unified Threat Management _____________
A. Cannot operate on a simple plug and play architecture
B. Has increased technical training requirements owing to its complexity
C. Is the Evolution of the traditional firewall into an all-inclusive security product
D. Complicates installation of security products
KEY C
Justification
Unified Threat Management is the evolution of the traditional firewall into an all-
inclusive security product able to perform multiple security functions within one single
appliance. It can operate on a simple plug and play architecture. It has reduced
technical training requirements since only one product has to be learnt and understood.
Installation of security products is also easier and maintenance/vendor issues become
simpler. Answer in Option C is correct. The answers in the other options are incorrect.
252. Unified Threat Management ____________
A. Is the Evolution of the traditional firewall into a compound security system with
multiple products
B. Has increased technical training requirements owing to its complexity
C. Complicates installation of security products
D. Can support various functionalities like VPN, gate-way anti-virus/anti-spam, etc.
apart from firewall
KEY D
Justification
Unified Threat Management is the evolution of the traditional firewall into an all-
inclusive security product able to perform multiple security functions within one single
appliance. Apart from the firewall, it can support VPN, gate-way anti-virus/anti-spam,
intrusion prevention, content filtering, bandwidth management, etc. It can operate on
simple plug and play architecture. It has reduced technical training requirements since
only one product has to be learnt and understood. Installation of security products is
also easier and maintenance/vendor issues become simpler. Answer in Option D is
correct. The answers in the other options are incorrect.
253. Unified Threat Management _____________
A. Can support firewall but not various functionalities like VPN, gate-way anti-
virus/anti-spam, etc.
B. Can provide centralized support with complete control for globalized operations
C. Is the Evolution of the traditional firewall into a compound security system with
multiple products
D. Has increased technical training requirements owing to its complexity
KEY B
Justification
Unified Threat Management is the evolution of the traditional firewall into an all-
inclusive security product able to perform multiple security functions within one single
appliance. Apart from the firewall, it can support VPN, gate-way anti-virus/anti-spam,
intrusion prevention, content filtering, bandwidth management, etc. It has reduced
technical training requirements since only one product has to be learnt and understood.
Installation of security products is also easier and maintenance/vendor issues become
simpler. Overall, it is very well suited to an organization with global operations wherein
it can provide centralized support with complete control. Answer in Option B is correct.
The answers in the other options are incorrect.
254. Unified Threat Management ______________
A. Can support firewall but not various functionalities like VPN, gate-way anti-
virus/anti-spam, etc.
B. Is the Evolution of the traditional firewall into a compound security system with
multiple products
C. Can also support data-loss prevention by blocking accidental or incidental loss of
key data
D. Has increased technical training requirements owing to its complexity
KEY C
Justification
Apart from the firewall, Unified Threat Management can support VPN, gate-way anti-
virus/anti-spam, intrusion prevention, content filtering, bandwidth management, etc. It
can also support data-loss prevention by blocking accidental or incidental loss of
confidential, proprietary or regulated data. It has reduced technical training
requirements since only one product has to be learnt and understood. Installation of
security products is also easier and maintenance/vendor issues become simpler.
Overall, it is very well suited to an organization with global operations wherein it can
provide centralized support with complete control. Answer in Option C is correct. The
answers in the other options are incorrect.
255. A disadvantage of Unified Threat Management is ____________
A. That it becomes a Single Point of Failure (SPOF) for network traffic
B. It cannot support various functionalities like VPN, gate-way anti-virus/anti-spam,
etc.
C. Has increased technical training requirements owing to its complexity
D. It cannot support GUI interface for manageability
KEY A
Justification
The single biggest disadvantage of Unified Threat Management (UTM) is the obvious
risk of centralization: it becomes a Single Point of Failure (SPOF). The other major
drawback is that its deployment may have an impact on latency and bandwidth when
the UTM cannot keep up with the traffic. Apart from the firewall, it can, indeed, support
VPN, gate-way anti-virus/anti-spam, intrusion prevention, content filtering, bandwidth
management, etc. It has reduced technical training requirements since only one product
has to be learnt and understood. It can comfortably support a GUI interface for
manageability. Hence, answer in Option A is correct. The answers in the other options
are incorrect.
256. A disadvantage of Unified Threat Management is ____________
A. It cannot support GUI interface for manageability
B. Has increased technical training requirements owing to its complexity
C. That it can have impact on latency and bandwidth when it cannot cope with the
traffic
D. It cannot support various functionalities like VPN, gate-way anti-virus/anti-spam,
etc.
KEY C
Justification
A major drawback of UTM is that its deployment may have an impact on latency and
bandwidth when the UTM cannot keep up with the traffic. Apart from the firewall, it can,
indeed, support VPN, gate-way anti-virus/anti-spam, intrusion prevention, content
filtering, bandwidth management, etc. It has reduced technical training requirements
since only one product has to be learnt and understood. It can comfortably support a GUI
interface for manageability. Hence, answer in Option C is correct. The answers in the
other options are incorrect.
257. Baseline Configuration of Firewall __________
A. Should have a default policy of allowing all traffic/connections unless not
specifically permitted
B. Should not allow remote users access through VPN
C. Should be preceded by a general risk assessment & cost-benefit analysis
D. Should not allow deployment of Web & other publicly accessible servers on a
DMZ in respect of multi-location organizations
KEY C
Justification
Baseline configuration of a firewall should be preceded by a general risk assessment &
cost-benefit analysis. It should have a default policy of not allowing any
traffic/connections unless specifically permitted. It should permit remote users access
through VPN. In respect of large multi-location organizations, it should ideally have the
Web & other publicly accessible servers placed on a DMZ for best security. Hence,
answer in Option C is correct. The answers in the other options are incorrect.
258. Baseline Configuration of Firewall _________________
A. Should have a default policy of not allowing any traffic/connections unless
specifically permitted
B. Need not have an additional firewall for internal users since the main firewall
would be adequate
C. Should not allow deployment of Web & other publicly accessible servers on a
DMZ in respect of multi-location organizations
D. Should not allow remote users access through VPN
KEY A
Justification
Baseline configuration should have a default policy of not allowing any
traffic/connections unless specifically permitted. It should permit remote users access
through VPN. In respect of large multi-location organizations, it should ideally have the
Web & other publicly accessible servers placed on a DMZ for best security. It should also
ensure that internal users are protected with an additional firewall. Hence,
answer in Option A is correct. The answers in the other options are incorrect.
259. Personal Firewalls
A. Are based upon different methods & techniques as compared to an enterprise
firewall
B. Are more complicated compared to an enterprise firewall & require technical
expertise to operate
C. Are software installed on a user’s computer protecting against unwanted intrusion
& attacks from the Internet
D. Control incoming traffic from the Internet alone, based upon defined security
policy
KEY C
Justification
Personal Firewalls are software installed on a user’s computer for protection against
unwanted intrusion and attacks from the Internet. They are based upon the same
methods and techniques as firewalls for enterprises. They are simpler and can be
handled by less technically savvy persons too. Like the firewalls for enterprises, they,
too, control and monitor both incoming as well as outgoing traffic based upon a defined
security policy. Answer in Option C above is correct whereas the other answers are
obviously wrong.
260. Personal firewalls ________________
A. Are hardware devices installed on a user’s computer protecting against unwanted
intrusion & attacks from the Internet
B. Need not be monitored as constantly as firewalls for enterprises
C. Control incoming traffic from the Internet alone, based upon defined security
policy
D. Are based upon different methods & techniques as compared to an enterprise
firewall
KEY B
Justification
Personal Firewalls are software installed on a user’s computer for protection against
unwanted intrusion and attacks from the Internet. They are based upon the same
methods and techniques as firewalls for enterprises. They are simpler and can be
handled by less technically savvy persons too. Like the firewalls for enterprises, they,
too, control and monitor both incoming as well as outgoing traffic based upon a defined
security policy. They need not be monitored as constantly as enterprise firewalls.
Answer in Option B above is correct whereas the other answers are obviously wrong.
261. Personal Firewall __________________
A. Cannot block or alert the user about outgoing connection attempts
B. Cannot provide information about destination server with which an application is
trying to communicate
C. Is based upon security policy of the computer whereas enterprise firewall is
based on enterprise security policy
D. Are hardware devices installed on a user’s computer protecting against unwanted
intrusion & attacks from the Internet
KEY C
Justification
A Personal Firewall is based upon the security policy of the individual computer
whereas enterprise firewall is based on enterprise security policy. It is a software
installed on a user’s computer for protection against unwanted intrusion and attacks
from the Internet. Like the firewalls for enterprises, it controls and monitors both
incoming as well as outgoing traffic based upon a defined security policy. It can block
and alert the user about outgoing connection attempts too. It can go to the extent of
providing information about a destination server with which an application is trying to
communicate.
Answer in Option C above is correct whereas the other answers are obviously wrong.
262. Personal Firewall ________________
A. Can protect a computer from unwanted incoming connection attempts
B. Are hardware devices installed on a user’s computer protecting against unwanted
intrusion & attacks from the Internet
C. Cannot provide information about destination server with which an application is
trying to communicate
D. Cannot block or alert the user about outgoing connection attempts
KEY A
Justification
A Personal Firewall is based upon the security policy of the individual computer
whereas enterprise firewall is based on enterprise security policy. It is a software
installed on a user’s computer for protection against unwanted intrusion and attacks
from the Internet. Like the firewalls for enterprises, it controls and monitors both
incoming as well as outgoing traffic based upon a defined security policy. It can protect
a computer from unwanted incoming connection attempts. It can block and alert the
user about outgoing connection attempts too. It can go to the extent of providing
information about a destination server with which an application is trying to
communicate. Answer in Option A above is correct whereas the other answers are
obviously wrong.
263. State True or False: One of the limitations of Personal Firewall is that many
malwares can compromise the system, manipulate the firewall & even shut it
down.
A. TRUE
B. FALSE
KEY A
Justification
It is true that some malware exists which can penetrate & compromise the firewall
system, disarming it in the process and leaving the internal network exposed to security
risks. Hence, answer in Option A above is correct.
264. State True or False: Personal Firewalls could be impacted by vulnerabilities in the
Operating System.
A. TRUE
B. FALSE
KEY A
Justification
It is true that vulnerabilities in the Operating system itself could impinge on the security
of the firewall system. Hence, answer in Option A above is correct.
265. State True or False: These personal firewalls could sometimes generate false
alerts which could irritate non tech-savvy users.
A. TRUE
B. FALSE
KEY A
Justification
It is true that personal firewalls could sometimes generate false alerts which could
irritate non tech-savvy users. Hence, answer in Option A above is correct.
266. Windows 7 software _______________
A. Has no inbuilt firewall system; we would need to go in for a third party product for
security
B. Has a network-based firewall system, not host-based system
C. Has an inbuilt stateful, host-based firewall that filters incoming and outgoing
connections
D. Has a Firewall that cannot block or alert the user about outgoing connection
attempts
KEY C
Justification
Windows 7 software has an inbuilt, stateful, host-based Firewall system that can filter
both incoming as well as outgoing connections. It can block or alert the user against
outgoing connection attempts too. Answer in Option C above is correct whereas the
other answers are obviously wrong.
267. Windows 7 software ______________
A. Has two network location types with advanced security
B. Has a network-based firewall system, not host-based system
C. Is a network location-aware host firewall
D. Has a Firewall that cannot block or alert the user about outgoing connection
attempts
KEY C
Justification
Windows 7 software includes a network location-aware host firewall. It has three network
location types with advanced security: Domain, Public & Private. It has a Firewall system
that can filter both incoming as well as outgoing connections. It can block or alert the
user against outgoing connection attempts too. Answer in Option C above is correct
whereas the other answers are obviously wrong.
268. Windows 7 software ______________
A. Has a Firewall that cannot block or alert the user about outgoing connection
attempts
B. Stores firewall properties based on location types or profiles
C. Has a network-based firewall system, not host-based system
D. Has two network location types with advanced security
KEY B
Justification
Windows 7 software includes a network location-aware host firewall. It stores firewall
properties based on location types called profiles. It has three network location types
with advanced security: Domain, Public & Private. It has a Firewall system that can filter
both incoming as well as outgoing connections. It can block or alert the user against
outgoing connection attempts too. Answer in Option B above is correct whereas the
other answers are obviously wrong.
269. Intrusion Detection Systems (IDS) _______________
A. Like Firewalls, they are a method of preventive control
B. Monitors, alerts & corrects the problem
C. Cannot detect network scans, packet-spoofing & Denial of service
D. Will alert us if there are intruders in the host or the network
KEY D
Justification
Intrusion Detection Systems (IDS) are a detective control system which will alert us post
intrusion into the host or the network. They will monitor & alert the user about
exceptions but will not correct the problem. They can, indeed, detect network scans,
packet-spoofing & denial of service. Answer in Option D above is correct whereas the
other answers are obviously wrong.
270. Network Intrusion Detection Systems (NIDS) ____________
A. Are placed at choke points on the network & monitor traffic to & from devices on
the network
B. Do not check the content of individual packets for malicious traffic
C. Create substantial system overhead
D. Does not inhibit the effectiveness of packet analysis even with encrypted
payloads and high-speed networks
KEY A
Justification
NIDS are placed at choke points like routers, switches, etc. within the network and they
monitor traffic to and from devices on the network. In operation, they do check the content of
individual packets for malicious traffic. They do not create any significant system
overhead. The effectiveness of packet analysis, however, is inhibited with encrypted
payloads and high-speed networks. Answer in Option A above is correct whereas the
other answers are wrong.
271. Host Intrusion Detection Systems (HIDS) ______________
A. Monitors all packets but does not alert the administrator when suspicious activity
is detected
B. Involve lesser deployment and reduced maintenance cost
C. Monitors all packets to and fro the hosts only.
D. Are not implemented on individual hosts or network devices
KEY C
Justification
HIDS are implemented on individual hosts or devices on the network and they monitor
all packets to and from the hosts only. They alert the administrator when suspicious
activity is detected. Since they are deployed on each computer, they involve higher
deployment cost and proportionately higher maintenance cost. Answer in Option C above is
correct whereas the other answers are wrong.
272. Signature based IDS _____________________
A. Monitors packets on network but does not validate them since they do not have a
database for comparison
B. Will be able to detect attacks pre-emptively, even before the event
C. Can successfully handle even new attacks
D. Monitors packets on network and compares them against large databases of
attack signatures
KEY D
Justification
SIDS are signature based IDS that monitor packets on networks and compare them
against large databases of attack signatures. They cannot, however, detect attacks pre-
emptively and cannot handle new attacks since a comparable signature would not be
available with them. Answer in Option D above is correct whereas the other answers
are wrong.
273. Statistical Anomaly / Behaviour based IDS ________________
A. Monitors packets on network and validates them by comparing the signature in
the database
B. Assume that an intrusion can be detected by observing a normal behaviour of the
system/users
C. Will not be able to detect attacks pre-emptively, before the event
D. Cannot handle effectively new attacks
KEY B
Justification
SAB IDS monitor packet traffic on networks and compare it against an established
baseline of behaviour. They can detect attempts to exploit new and unforeseen
vulnerabilities. Their downside is that they generate a large number of false positives.
Answer in Option B above is correct whereas the other answers are wrong.
274. Cryptography is _____________
A. The process of transforming data into something that can be understood
B. The process of transforming data into something that cannot be understood with
some additional information
C. The practice and study of hiding information
D. Cannot provide mechanisms for authenticating users on a network
KEY C
Justification
Cryptography is the practice and study of hiding information. It involves the process of
transforming data into something that cannot be understood without additional
information. It provides mechanisms for authenticating users on a network. Answer in
Option C above is correct whereas the other answers are wrong.
275. Cryptography_________________
A. Involves use of encryption for transforming data into something that can be
understood
B. Is the process of transforming data into something that cannot be understood
even with some additional information
C. Cannot provide mechanisms for authenticating users on a network
D. Is the theory and practice of secure communication
KEY D
Justification
Cryptography is the practice and study of hiding information with the objective of secure
communication. It involves the use of encryption for transforming data into unintelligible
form. The unintelligible form can be converted back into understandable information
with the help of some additional information like a code or a key. It does provide
mechanisms for authenticating users on a network. Answer in Option D above is correct
whereas the other answers are wrong.
276. Cryptography ____________
A. Provides mechanisms for preventing users from repudiating ownership of
messages
B. Cannot provide mechanisms for authenticating users on a network
C. Is the process of transforming data into something that cannot be understood
even with some additional information
D. Involves use of encryption for transforming data into something that is intelligible

104
Primer on Information Technology, IS Infrastructure & Emerging Technologies

KEY A
Justification
Cryptography is the practice and study of hiding information with the objective of secure
communication. It involves the use of encryption for transforming data into unintelligible
form. The unintelligible form can be converted back into understandable information
with the help of some additional information like a code or a key. It does provide
mechanisms for authenticating users on a network. It also enables prevention of users
from repudiating ownership of their messages. Answer in Option A above is correct
whereas the other answers are wrong.
277. Cryptography _________________
A. Helps assure the receiver about the integrity of the message
B. Does not help in preventing users from repudiating ownership of messages
C. Cannot provide mechanisms for authenticating users on a network
D. Is the process of transforming data into something that cannot be understood
even with some additional information
E. Involves use of encryption for transforming data into something that is intelligible
KEY A
Justification
Cryptography is the practice and study of hiding information with the objective of secure
communication. It involves the use of encryption for transforming data into unintelligible
form. The unintelligible form can be converted back into understandable information
with the help of some additional information like a code or a key. It does provide
mechanisms for authenticating users on a network. It also enables prevention of users
from repudiating ownership of their messages. It helps the receiver in ensuring that the
message received by him has not been altered in any fashion; i.e., protect the integrity of
the message. Answer in Option A above is correct whereas the other answers are
wrong.
278. Cryptography ________________
A. Does not help in preventing users from repudiating ownership of messages
B. Cannot provide mechanisms for authenticating users on a network
C. Ensures the privacy or confidentiality of the contents of the message
D. Involves use of encryption for transforming data into something that is intelligible
KEY C
Justification
Cryptography ensures the privacy or confidentiality of a message i.e. it ensures that no
one except the intended receiver of the message can read the message. Cryptography
is the practice and study of hiding information with the objective of secure
communication. It involves the use of encryption for transforming data into unintelligible
form. The unintelligible form can be converted back into understandable information
with the help of some additional information like a code or a key. It does provide
mechanisms for authenticating users on a network. It also enables prevention of users
from repudiating ownership of their messages. It helps the receiver in ensuring that the
message received by him has not been altered in any fashion; i.e., protect the integrity of
the message. Answer in Option C above is correct whereas the other answers are
wrong.
279. Cryptography ______________
A. Involves use of encryption for transforming data into something that is intelligible
B. Authenticates & convinces the receiver that the message has actually come from
the sender
C. Does not help in preventing users from repudiating ownership of messages
D. Cannot provide mechanisms for authenticating users on a network
KEY B
Justification
Cryptography authenticates & convinces the recipient that the message has actually
come from the sender. It involves the use of encryption for transforming data into
unintelligible form. The unintelligible form can be converted back into understandable
information with the help of some additional information like a code or a key. It does
provide mechanisms for authenticating users on a network. It also enables prevention of
users from repudiating ownership of their messages. Answer in Option B above is
correct whereas the other answers are wrong.
280. Any message that is intelligible is considered to be in _________________
A. Encrypted form
B. Coded form
C. Plaintext form
D. Ciphertext form
KEY C
Justification
Any message that is intelligible is considered to be in plaintext form. An encrypted form
will not be intelligible without the use of additional information. A ciphertext form would
be in unintelligible form till it is decrypted into plaintext form. Hence, answer in Option C
above is correct whereas the other answers are wrong.
281. Any message that is converted into un-intelligible form is considered to be in
_________
A. Ciphertext form
B. Plaintext form
C. Understandable form
D. Coded form
KEY A
Justification
A ciphertext form arises post encryption & would be in unintelligible form till it is
decrypted into plaintext form. Any message that is intelligible is considered to be in
plaintext form. An encrypted form will not be intelligible without the use of additional
information. Hence, answer in Option A above is correct whereas the other answers
are wrong.
282. The process of converting a given plaintext into ciphertext form is called
____________
A. Decryption
B. Translation
C. Transcription
D. Encryption
KEY D
Justification
The conversion of a given plaintext into ciphertext form is called encryption. This form
would be in unintelligible form till it is decrypted into plaintext form through decryption.
Any message that is intelligible is considered to be in plaintext form. An encrypted form
will not be intelligible without the use of additional information. Hence, answer in Option
D above is correct whereas the other answers are wrong.
283. The process of converting ciphertext back into plaintext form is called
_____________
A. Transcription
B. Encryption
C. Decryption
D. Translation
KEY C
Justification
The conversion of a given plaintext into ciphertext form is called encryption. This form
would be in unintelligible form till it is decrypted into plaintext form through decryption.
Any message that is intelligible is considered to be in plaintext form. An encrypted form
will not be intelligible without the use of additional information. Hence, answer in Option
C above is correct whereas the other answers are wrong.
284. The mathematical function used for encryption & decryption is ______________.
A. Binomial analysis
B. Cryptographic Algorithm
C. Transcription Algorithm
D. Exponential function
KEY B
Justification
The mathematical function used for encryption & decryption is called the cryptographic
algorithm or Cipher. Answer in Option B above is correct whereas the other answers are
wrong.
285. The mathematical function used for encryption & decryption is _______________.
A. Transcription Algorithm
B. Binomial analysis
C. Cipher
D. Exponential function
KEY C
Justification
The mathematical function used for encryption & decryption is called the cryptographic
algorithm or Cipher. Answer in Option C above is correct whereas the other answers
are wrong.
286. A Cipher is also called _______________
A. A Cryptographic Algorithm
B. Transcription Algorithm
C. Binomial analysis
D. Exponential function
KEY A
Justification
The mathematical function used for encryption & decryption is called the cryptographic
algorithm or Cipher. Answer in Option A above is correct whereas the other answers are
wrong.
287. A Cryptographic algorithm _______________
A. Must be difficult to use but easy to crack
B. Must be easy both to use and crack
C. Must be easy to use but difficult to crack
D. Must be difficult to use as well as to crack
KEY C
Justification
An effective cryptographic algorithm must be easy to use but difficult to crack.
Answer in Option C above is correct whereas the other answers are wrong.
288. A Cryptographic algorithm ____________
A. Can be used for one function encryption alone
B. Can be used for one function decryption alone
C. Can be used for one function creation of a key
D. Can be used for two functions encryption as well as decryption
KEY D
Justification
A cryptographic algorithm can be used for encryption as well as decryption.
Answer in Option D above is correct whereas the other answers are wrong.
289. KEYs ______________
A. Are not required in the encryption or decryption process
B. Should be difficult to use but easy to break
C. Are additional secret data in the cryptographic process
D. Should be easy to use as well as to break
KEY C
Justification
KEYs are additional secret data which are used in the encryption or decryption process
of cryptography. They need to be long enough to make breaking difficult but short
enough to use and transmit. Answer in Option C above is correct whereas the other
answers are wrong.
290. KEYs ______________
A. Should be difficult to use but easy to break
B. Should be easy to use as well as to break
C. Are not required in the encryption or decryption process
D. Prevent the message from being decoded even if the algorithm is known
KEY D
Justification
KEYs are additional secret data which are used in the encryption or decryption process
of cryptography. They need to be long enough to make breaking difficult but short
enough to use and transmit. Without the keys, even if the mathematical algorithm of
encryption were known, decryption into plaintext is not possible.
Answer in Option D above is correct whereas the other answers are wrong.
291. The Caesar cipher was used to transmit messages during Roman wars. It was
actually a ‘shift by 3’ rule wherein alphabet A is replaced by the third alphabet D,
B by E and so on. In this case, the KEY is ___________
A. 3
B. Alphabet A
C. Alphabet D
D. Alphabet B
KEY A
Justification
KEYs are additional secret data which are used in the encryption or decryption process
of cryptography. In this case, the recipient of the message needs to know the algorithm
of shifting the alphabet by a few positions. However, in this specific instance, the
shifting of the alphabet is by three positions. Hence, the KEY is 3. In another situation,
the KEY can be changed to 5 or any other number depending upon security
requirements without changing the basic algorithm.
Answer in Option A above is correct whereas the other answers are wrong.
292. Symmetric KEY Cryptography _____________
A. Envisages the use of different keys for encryption and decryption
B. Envisages the use of a single KEY both for encryption as well as decryption
C. Suffers from no difficulty in terms of distribution of the key
D. Envisages the use of one KEY by the sender & another by the receiver
KEY B
Justification
Symmetric KEY cryptography envisages the use of a single KEY both for encryption as
well as decryption. Thus, the receiver uses the same KEY for decryption as was used
by the sender for encryption. The difficulty lies in distribution of the key.
Answer in Option B above is correct whereas the other answers are wrong.
293. The Digital Encryption Standard __________________
A. Is a NIST standard using 2^56 keys
B. Continues to be used by NIST even today
C. Is a NIST standard using 2^28 keys
D. Is not a Symmetric Encryption Standard
KEY A
Justification
DES is a National Institute of Standards and Technology Symmetric Encryption
Standard using 2^56 keys. It has been replaced by the Advanced Encryption Standard,
which deploys 128, 192 and 256 bit keys and proportionately more keys for better security.
Answer in Option A above is correct whereas the other answers are wrong.
294. The Advanced Encryption Standard _________________
A. Has been discontinued for use by NIST
B. Is a NIST standard using 2^28 keys
C. Is not a Symmetric Encryption Standard
D. Is a NIST standard using up to 256 bits or 2^256 keys
KEY D
Justification
AES is a National Institute of Standards and Technology Symmetric Encryption
Standard using up to 256 bits or 2^256 keys. It has replaced DES in the interest of
better security.
Answer in Option D above is correct whereas the other answers are wrong.
295. Asymmetric or Public KEY Cryptography ___________
A. Involves the use of a single KEY both for encryption as well as decryption
B. Is inferior to Symmetric KEY since safe distribution of the KEY to the recipient is
an issue
C. Involves the use of a pair of keys, one for encryption & the other for decryption
D. Involves the use of two pairs of keys, one each for encryption and decryption
KEY C
Justification
Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for
encryption and the other for decryption. It overcomes the difficulty of KEY distribution
faced in the case of symmetric KEY cryptography.
Answer in Option C above is correct whereas the other answers are wrong.
296. Asymmetric or Public KEY Cryptography ____________
A. Involves the use of a public KEY of the individual in a private domain
B. Involves the use of a private KEY of the individual in a public domain
C. Is thousands of times slower than symmetric KEY cryptography
D. Involves the use of two pairs of keys, one each for encryption and decryption
KEY C
Justification
Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for
encryption and the other for decryption. The public KEY of the individual would be in the
public domain whereas the private KEY would remain secret and not revealed. It
overcomes the difficulty of KEY distribution faced in the case of symmetric KEY
cryptography. This process, however, is thousands of times slower than the symmetric
KEY cryptography process.
Answer in Option C above is correct whereas the other answers are wrong.
297. Asymmetric or Public KEY Cryptography _______________
A. Can be initiated by using either of the two keys first
B. Is not used for exchange of symmetric keys
C. Is not used for exchange of Digital signatures
D. Involves the use of two pairs of keys, one each for encryption and decryption
KEY A
Justification
Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for
encryption and the other for decryption. Either of the two keys can be used, without any
particular sequence. The public KEY of the individual would be in the public domain
whereas the private KEY would remain secret and not revealed. It overcomes the
difficulty of KEY distribution faced in the case of symmetric KEY cryptography. This
process, however, is thousands of times slower than the symmetric KEY cryptography
process. Its use, therefore, is mainly in exchange of symmetric keys and digital
signatures.
Answer in Option A above is correct whereas the other answers are wrong.
298. Asymmetric or Public KEY Cryptography ___________________
A. Is not used for exchange of symmetric keys
B. Is not used for exchange of Digital signatures
C. Uses more computer resources compared to Symmetric KEY cryptography
D. Provides lesser security as compared to Symmetric KEY cryptography
KEY C
Justification
Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for
encryption and the other for decryption. Either of the two keys can be used, without any
particular sequence. The public KEY of the individual would be in the public domain
whereas the private KEY would remain secret and not revealed. It overcomes the
difficulty of KEY distribution faced in the case of symmetric KEY cryptography. This
process, however, is thousands of times slower than the symmetric KEY cryptography
process and uses up more computer resources too. Its use, therefore, is mainly in
exchange of symmetric keys and digital signatures.
Answer in Option C above is correct whereas the other answers are wrong.
299. Asymmetric or Public KEY Cryptography ___________
A. Uses less computer resources compared to Symmetric KEY cryptography
B. Generally has larger KEY size as compared to Symmetric KEY cryptography
C. Provides lesser security as compared to Symmetric KEY cryptography
D. Is not used for exchange of symmetric keys
KEY B
Justification
Asymmetric or Public KEY cryptography involves the use of a pair of keys, one for
encryption and the other for decryption. Either of the two keys can be used, without any
particular sequence. The public KEY of the individual would be in the public domain
whereas the private KEY would remain secret and not revealed. It overcomes the
difficulty of KEY distribution faced in the case of symmetric KEY cryptography. This
process, however, involves larger KEY sizes, is thousands of times slower than the
symmetric KEY cryptography process and uses up more computer resources too. Its
use, therefore, is mainly in exchange of symmetric keys and digital signatures. Answer
in Option B above is correct whereas the other answers are wrong.
300. RSA is _________________
A. A form of cryptography which uses 2^4096 keys
B. Not used in common software products
C. The most common form of Asymmetric KEY Cryptography in use
D. An acronym for its developers Robin Sharma, Sundararaman and Anjaneyulu
KEY C
Justification
RSA was developed by Ronald Rivest, Adi Shamir and Leonard Adleman & hence its
name. It is the most common form of Asymmetric KEY Cryptography in use. It currently
uses 2^2048 keys for high security. It is used extensively in common software products for
KEY exchange, digital signatures or encryption of small blocks of data.
Answer in Option C above is correct whereas the other answers are wrong.
301. What are Message Hash Functions?
A. They are algorithms involved in computing a fixed length hash value
B. They are algorithms from which the contents & length of the plaintext can be
recovered
C. They are algorithms whose limitation is that they cannot guarantee message
integrity
D. They are algorithms involved in computing a variable length hash value
KEY A
Justification
Message Hash Functions are algorithms involved in computing a fixed length hash
value. In lieu of a key, a fixed length hash value is computed based upon the plaintext
that makes it impossible to recover the contents or length of the plaintext. The hash
value is recalculated at the receiver’s end and matched with that generated by the
sender. If they match, the message has not been altered during transmission.
Hence, Option A alone is correct.
302. Message Hash Functions __________
A. Are algorithms involved in computing a fixed length hash value
B. Are algorithms from which the contents & length of the plaintext can be recovered
C. Are algorithms whose limitation is that they cannot guarantee message integrity
D. Are also called Message Digests and One-way hash functions
KEY D
Justification
Message Hash Functions are algorithms involved in computing a fixed length hash
value. They are also called Message Digests and One-way hash functions. In lieu of a
key, a fixed length hash value is computed based upon the plaintext that makes it
impossible to recover the contents or length of the plaintext. The hash value is
recalculated at the receiver’s end and matched with that generated by the sender. If
they match, the message has not been altered during transmission.
Hence, Option D alone is correct.
303. What are Digital Signatures?
A. Are data strings dependent only on a secret known only to the sender
B. Are data strings dependent on a secret known only to the sender & the message
content
C. Are cryptography tools which depend upon use of Symmetric KEYs
D. They are algorithms whose limitation is that they cannot guarantee message
integrity
KEY B
Justification
Digital signatures are data strings dependent on a secret known only to the sender and,
additionally, on the content of the message. They use Asymmetric KEYs and Hash.
They meet the communication objectives of authentication, integrity and
non-repudiation. Option B alone is correct.
304. What are Digital Signatures?
A. They are algorithms whose limitation is that they cannot guarantee message
integrity
B. Are data strings dependent on a secret built into the message content alone
C. Are cryptography tools which depend upon use of Asymmetric KEYs & Message
Hash content
D. Are data strings dependent only on a secret known only to the sender
KEY C
Justification
Digital signatures are data strings dependent on a secret known only to the sender and,
additionally, on the content of the message. They use Asymmetric KEYs and Hash.
They meet the communication objectives of authentication, integrity and non-repudiation.
Option C alone is correct.
305. What are the characteristics of Digital Signatures?
A. They achieve the communication objectives of confidentiality, authentication &
integrity
B. They comply with the goals of authentication, access control and non-repudiation
C. They are algorithms whose limitation is that they cannot guarantee message
integrity
D. They achieve the communication objectives of authentication, integrity & non-
repudiation
KEY D
Justification
Digital signatures are data strings dependent on a secret known only to the sender and,
additionally, on the content of the message. They use Asymmetric KEYs and Hash &
involve the use of private and public keys. They meet the communication objectives of
authentication, integrity and non-repudiation.
Option D alone is correct.
306. What are the characteristics of Public KEY Infrastructure (PKI)?
A. They achieve the communication objectives of confidentiality & authentication
alone
B. They achieve all the five basic communication objectives
C. They provide the infrastructure for generation, storage and security of public keys
D. They are algorithms which are not as effective as Digital signatures
KEY B
Justification
PKI are advanced cryptographic tools which help achieve all the five basic
communication objectives of confidentiality, authentication, integrity, non-repudiation
and access control. It involves the use of a digital envelope, which, in turn, deploys both
secret KEY and public KEY cryptography methods to send the secret KEY to the
recipient. It thus combines public-KEY encryption and digital signature services to
create a comprehensive system.
Hence, Option B alone is correct.
307. What are the characteristics of Public KEY Infrastructure (PKI)?
A. Digital certificates are used with support from Certificate authority & LDAP
directory
B. They provide the infrastructure for generation, storage and security of public keys
C. They achieve the communication objectives of confidentiality & authentication
alone
D. They are algorithms which are not as effective as Digital signatures
KEY A
Justification
PKI are advanced cryptographic tools which help achieve all the five basic
communication objectives of confidentiality, authentication, integrity, non-repudiation
and access control. It involves the use of a digital envelope, which, in turn, deploys both
secret KEY and public KEY cryptography methods to send the secret KEY to the
recipient. It thus combines public-KEY encryption and digital signature services to
create a comprehensive system. The system leans heavily on a robust Certification
authority and Lightweight Directory Access Protocol (LDAP) directory. Hence, Option A
alone is correct.
308. What are the typical characteristics of a Digital Certificate?
A. It is a digitally signed document used to verify that a private KEY belongs to an
individual
B. It is a digitally signed document used to verify that a public KEY belongs to an
individual
C. It is a digitally signed document which is permanent, without any validity/expiry
date
D. It is a digitally signed document used to verify both public & private keys of an
individual
KEY B
Justification
A Digital certificate is a digitally signed document that associates a public KEY with a
user. It will be signed by a Certification Authority. Its contents would include serial
number, subject, signature, issuer, validity dates (valid from, expiry date), public key,
thumbprint algorithm and thumbprint. Hence, Option B alone is correct.
309. Who are Certifying Authorities?
A. In India, Certifying authorities are not regulated/ licensed & hence, certificates
have no legal validity
B. They are not responsible for verification of registration, suspension and
revocation requests
C. They are Trusted Third Parties to verify and vouch for the identities of entities in
an electronic environment
D. In India, Certifying authorities are regulated/licensed by NASSCOM
KEY C
Justification
Certifying Authorities (CAs) are Trusted Third Parties that verify and vouch for the
identities of entities in an electronic environment. In India, the IT Act provides for the
Controller of Certifying Authorities, a body under the Ministry of Communications &
Information Technology, which is responsible for the licensing and regulation of Certifying
Authorities and for ensuring that the IT Act provisions are complied with. The main role of a
CA is to digitally sign and publish the public KEY bound to a given user. One of its
major roles & responsibilities is verification of registration, suspension and revocation
requests.
Hence, answer in Option C is correct.
310. Who are Registering Authorities?
A. They authenticate the identity of a person before the CA releases the digital
certificate
B. They are independent of the CA and are responsible to NASSCOM
C. They are not responsible for verification of identity but only for formal registration
D. They are a Government department who register the Certifying Authority
KEY A
Justification
Registering Authorities work under the control of Certifying Authorities (CAs) and
are responsible for authenticating the identity of a person prior to issue of a digital
certificate by the CA. They are also the body that interacts with subscribers for providing
CA services. The CAs themselves, who are independent entities, are licensed and
regulated by the Controller of Certifying Authorities, a government body under the
Ministry of Communications and Information Technology.
Hence, only the answer in Option A is correct.
311. Certification Revocation Lists (CRLs) ______________
A. Are lists of Certifying Authorities who have been de-licensed by the CCA
B. Are issued by a Certifying Authority different from one that issued the original
certificate
C. Are lists of serial numbers of certificates which have been revoked
D. Are issued by Registering Authorities and not signed by the Certifying Authority
KEY C
Justification
Certificate Revocation Lists (CRLs) are lists of serial numbers of digital certificates
which have been revoked, along with reasons for revocation. The CRLs are themselves
signed by the Certifying Authority (CA). A CRL is always issued by the CA that issued
the corresponding certificates. Entities presenting those certificates can no longer be
trusted.
Hence, only the answer in Option C is correct.
312. Certification Practice Statement is a statement of the practices which a
Certification Authority employs in issuing and managing certificates.
A. TRUE
B. FALSE
KEY A
Justification
Certification Practice Statement is a statement of the practices which a Certification
Authority employs in issuing and managing certificates. It carries various types of
information like policies, procedures & processes involved in certificate issue, policies
for revocation, policies for renewal, certificate lifetime, etc.
The answer in Option A is correct.
313. Which of the following is true of Cryptanalysis?
A. Analysis of data for encryption using Symmetric key
B. Analysis of encryption/decryption records for audit purposes
C. Refers to methods of recovering plaintext from ciphertext without using the key
D. It is used to study strengths of a cryptosystem
KEY C
Justification
Cryptanalysis refers to methods of recovering plaintext from ciphertext without using the
key. In other words, it is the study of methods for obtaining the meaning of encrypted
information, without access to the secret information which is normally required to do
so. It also deals with identifying weaknesses in the cryptosystem. The term
cryptanalysis is also used to refer to attempts to break the security of other types of
cryptographic algorithms and protocols, apart from encryption.
The answer in Option C only is correct.
314. How does a Cryptanalyst manage to identify the KEY for launching a Known
plaintext attack?
A. He ascertains the KEY by compromising the Certifying Authority’s servers
B. He programs his computer to continuously check random keys till he finds the
right one
C. He breaks into the sender’s system and identifies the private KEY for the
transmission
D. He deduces the KEY by accessing both ciphertext as well as plaintext of several
messages
KEY D
Justification
The Cryptanalyst can deduce the KEY by accessing & comparing both the ciphertext as
well as the plaintext of several messages. He can then launch a Known plaintext attack.
The answer in Option D only is correct.
315. Secure Socket Layer (SSL) _____________
A. Cannot work with any program using TCP, even with modifications
B. Is a protocol that provides a secure communication channel between two
machines
C. Has limited flexibility in choice of encryption used
D. Does not have built-in data compression capability
KEY B
Justification
SSL is a protocol that provides a secure communication channel between two machines
operating on the Internet or an internal network. Any program using TCP can be
modified to use SSL connection. SSL is also flexible in choice of symmetric encryption,
authentication and message digest that can be used. It does have in-built data
compression capability.
Hence, the answer in Option B only is correct.
316. Secure Socket Layer (SSL) __________
A. Subsequently became an internet standard known as Transport Layer Security
B. Does not have built-in data compression capability
C. Has limited flexibility in choice of encryption used
D. Is not widely used currently in the international communication network
KEY A
Justification
SSL was originally developed by Netscape; SSL 3.0 was standardised by the IETF as
Transport Layer Security (TLS) in 1999 and the name TLS is used for all later versions.
It provides a secure communication channel between two machines operating on the
Internet or an internal network, any TCP program can be modified to use it, and the
symmetric encryption, authentication and message digest algorithms are negotiable. Data
compression is built into the protocol (though disabled in modern deployments). It
remains the most widely used security protocol in the world.
Hence, the answer in Option A only is correct.
317. Secure Socket Layer (SSL) __________
A. Does not have built-in data compression capability
B. Has limited flexibility in choice of encryption used
C. Is the most widely deployed security protocol used today
D. Is not used for handling sensitive information like credit card/social security
numbers, etc.
KEY C
Justification
SSL/TLS provides a secure channel between two machines over the Internet or an internal
network, with a negotiable choice of symmetric encryption, authentication and message
digest algorithms and a built-in (now normally disabled) compression facility. It is the
most widely deployed security protocol in use today, and its very purpose is to carry
sensitive information such as credit card numbers, social security numbers and login
credentials securely.
Hence, the answer in Option C only is correct.
318. Secure Socket Layer (SSL) ______________
A. Has limited flexibility in choice of encryption used
B. Cannot work with any program using TCP, even with modifications
C. Does not have built-in data compression capability
D. Has the capability to handle sensitive information like credit card/social security
numbers, etc.
KEY D

Justification
SSL/TLS is flexible in its choice of symmetric encryption, authentication and message
digest algorithms, any TCP program can be modified to use it, and it has a built-in
(now normally disabled) compression facility, so Options A to C are all wrong. It is the
most widely used security protocol in the world and is designed precisely to carry
sensitive information such as credit card numbers, social security numbers and login
credentials securely.
Hence, the answer in Option D only is correct.
319. Secure Socket Layer (SSL) ______________
A. Is a transparent protocol requiring little user interaction for establishing a secure
session
B. Cannot secure cloud-based computing platforms
C. Has limited flexibility in choice of encryption used
D. Cannot secure connection between E-mail Client and E-mail Server
KEY A
Justification
SSL/TLS is a transparent protocol: once configured on the server and supported by the
client, a secure session is established with little or no end-user interaction. It can
secure cloud-based platforms and the connection between an E-mail client and an E-mail
server (SMTPS, IMAPS, POP3S) just as it secures web traffic, and its choice of
encryption is negotiable, so Options B to D are wrong.
Hence, the answer in Option A only is correct.
320. Secure Socket Layer (SSL) ______________
A. Alerts users to its presence by displaying an eagle’s head in the browser
B. Alerts users to its presence by displaying a padlock in the browser
C. Cannot secure system logins and any sensitive information exchanged online
D. Cannot secure connection between E-mail Client and E-mail Server

KEY B
Justification
SSL/TLS provides a secure channel between two machines on the Internet or an internal
network with little end-user interaction. Browsers alert users to its presence by
displaying a padlock (there is no eagle’s head); the padlock only means that the
connection is encrypted and the server certificate validated, not that the site behind
it is trustworthy. It secures system logins and other sensitive information exchanged
online, and it can also secure the connection between an E-mail client and an E-mail
server.
Hence, the answer in Option B only is correct.
321. HTTP Secure _______________
A. Is used widely except for payment transactions & other sensitive transactions
B. Is an advanced version of HTTP which is superior to SSL/TLS protocol
C. Is basically layering of HTTP protocol over the SSL/TLS protocol
D. Requires both the client as well as the remote server to be authenticated
compulsorily
KEY C
Justification
HTTP Secure (HTTPS) is simply the HTTP protocol layered over the SSL/TLS protocol
(RFC 2818); it is not a new version of HTTP. It is used widely, and especially for
payment transactions, webmail and other sensitive exchanges. Although the SSL/TLS layer
can authenticate both ends of a session, in the normal course only the server is
authenticated (by its certificate) and the client is not; client certificate
authentication is optional.
Hence, the answer in Option C only is correct.
322. HTTP Secure _____________
A. Is an advanced version of HTTP which is superior to SSL/TLS protocol
B. Requires both the client as well as the remote server to be authenticated
compulsorily
C. Has a basic limitation of slowing down the web service
D. Is used widely except for payment transactions & other sensitive transactions

KEY C
Justification
HTTPS is the HTTP protocol layered over the SSL/TLS protocol. It is used widely,
especially for payment transactions and other sensitive traffic, and in the normal
course only the server end is authenticated by the client. Its one limitation is the
extra processing it imposes on the web service: the handshake adds round trips and
public-KEY operations, and every byte is encrypted. On current hardware with session
resumption the overhead is small, but it is still the limitation the question refers to.
Hence, the answer in Option C only is correct.
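The "flexibility in choice of encryption", the compression feature and the optional client authentication discussed in Questions 315 to 322, shown with Python’s standard ssl module as an added example that is not from the manual. It builds a client context with the weak settings an IS auditor should look for beside a hardened one, a server context for mutual TLS (both ends authenticated, the non-default case of Question 321), and an audit function that reports what each context allows. The cipher names reported are whatever the local OpenSSL build offers; the `cafile`, `certfile`, `keyfile` and `client_cafile` parameters refer to PEM files that are not part of this example.

```python
"""SSL/TLS configuration checks with Python's standard ssl module.

Added illustration (not from the manual).  The weak context shows settings an
IS auditor should flag; the hardened one shows the corrections."""
import ssl

# Substrings that identify cipher suites a current deployment should not offer.
WEAK_MARKERS = ("NULL", "RC4", "MD5", "DES", "EXP", "ADH", "AECDH", "PSK", "SRP")


def build_weak_client_context() -> ssl.SSLContext:
    """Settings seen in legacy code: server certificate not checked, compression on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE            # any certificate, or none, is accepted
    # Re-enable TLS compression (Python disables it by default): the CRIME weakness.
    ctx.options = int(ctx.options) & ~int(ssl.OP_NO_COMPRESSION)
    return ctx


def build_hardened_client_context(cafile: str = "") -> ssl.SSLContext:
    """TLS 1.2+, AEAD suites with forward secrecy, server verified, no compression.
    `cafile` (assumed PEM path) is for an internal CA; empty means the system store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    # The negotiable "choice of encryption": restrict it to ECDHE key exchange with
    # AES-GCM or ChaCha20, and exclude anonymous, NULL, MD5, RC4, 3DES, PSK, SRP suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP")
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def build_mutual_tls_server_context(certfile: str, keyfile: str,
                                    client_cafile: str) -> ssl.SSLContext:
    """Server side of HTTPS with client certificates: both ends authenticated.
    Assumes PEM files that are not part of this example."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(client_cafile)   # CA that issued the client certificates
    ctx.verify_mode = ssl.CERT_REQUIRED        # default for a server is CERT_NONE
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """What an auditor would record about a context before it is put into use."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_ciphers": [n for n in names if any(m in n for m in WEAK_MARKERS)],
        "cipher_count": len(names),
    }


if __name__ == "__main__":
    for label, ctx in (("weak", build_weak_client_context()),
                       ("hardened", build_hardened_client_context())):
        print(label, audit_context(ctx))
```

The weak context is the one an auditor finds in scripts that "just needed to work": with `CERT_NONE` the padlock of Question 320 means nothing, because any server, including an interposed one, is accepted. The audit output is a useful artefact to attach to a review, since it records the negotiable algorithm set rather than a vague statement that "SSL is used".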
323. Virtual Private Network (VPN) _______________
A. Can operate between two private networks but not the Internet
B. Does not provide confidentiality & integrity over un-trusted intermediate networks
C. Is not compatible with IPSec
D. Can link two networks or individual systems providing privacy & strong
authentication
KEY D
Justification
VPNs can link two individual systems or two networks, providing privacy and strong
authentication. The intermediate network can be a private network or the Internet, and
the VPN provides confidentiality and integrity across that untrusted path. IPSec is one
of the main protocols used to build VPNs: it creates a virtual tunnel with encryption
to ensure secure communication.
Hence, the answer in Option D only is correct.
324. IPSec ___________
A. Protects application data across IP Networks
B. Requires applications to be specifically designed to work with it
C. Cannot be of help for implementation of VPN
D. Cannot be of help for remote user access through dial-up connection
KEY A
Justification
IPSec protects application data across IP networks. Because it operates at the network
(IP) layer, the encryption is transparent to the applications above it, which need not
be specifically designed for it. It is used for implementing VPNs and for remote user
access, including over dial-up connections. Hence, the answer in Option A only is
correct.

325. IPSec ______________
A. Is encrypted at IP (Transport layer)
B. Is implemented at end routers/firewalls
C. Cannot be of help for implementation of VPN
D. Cannot be of help for remote user access through dial-up connection
KEY B
Justification
IPSec operates at the network (IP) layer, not the transport layer, so Option A is wrong.
For site-to-site VPNs it is typically implemented in the routers or firewalls at the
edge of each network (security gateways), which encrypt traffic on behalf of all the
hosts behind them; it can also run in the IP stack of an individual host. Being at the
IP layer, it does not require applications to be specifically designed for it, and it is
used both for VPNs and for remote user access, including over dial-up connections.
Hence, the answer in Option B only is correct.
326. IPSec _____________
A. Is encrypted at IP (Transport layer)
B. Can operate in transport mode with both data & packet header encrypted
C. Has as its basic goals authenticity and data integrity
D. Can operate in tunnel mode with entire IP packet encrypted & old header added
KEY C
Justification
IPSec operates at the network (IP) layer and protects application data across IP
networks without requiring the applications to be designed for it. Its basic goals are
authenticity (data origin authentication), data integrity and, with the ESP protocol,
confidentiality; it also protects against replay of captured packets. It can operate in
two modes. In transport mode, used between two end points, the payload of the packet is
encrypted but the original IP header is left in the clear, so Option B is wrong. In
tunnel mode, used for VPNs, the entire original IP packet (header included) is encrypted
and a new outer header is added for transmission, so Option D, which speaks of the old
header, is wrong.
Hence, the answer in Option C only is correct.
327. Transport Mode of IPSec _____________
A. Involves encryption of data but not of the packet header
B. Involves encryption of the entire packet, for use in VPN
C. Can operate with entire IP packet encrypted & old header added
D. Provides secure connection between two points

KEY D
Justification
IPSec can operate in two modes, transport and tunnel. Transport mode provides a secure
connection between two end points (Option D): the payload is encrypted while the
original IP header travels in the clear, so it suits host-to-host traffic. Tunnel mode,
used for VPNs, encrypts the entire original IP packet and adds a new header for
transmission; Options B and C describe tunnel mode, C wrongly. Note that Option A is
also an accurate statement about transport mode; the answer expected by the KEY is
Option D.
Hence, the answer in Option D only is correct.
328. Tunnel Mode of IPSec _____________
A. Is used to create Virtual Private Networks
B. Involves encryption of data but not of the packet header
C. Involves encryption of the entire packet, for use in non-VPN functions
D. Can operate with entire IP packet encrypted & old header added
KEY A
Justification
Tunnel mode of IPSec is used to create Virtual Private Networks, typically between two
security gateways. The entire original IP packet, header included, is encrypted and a
new outer header carrying the gateways’ addresses is added for transmission, so the
internal addresses are hidden from the untrusted network. Option B describes transport
mode, Option C wrongly ties the mode to non-VPN use and Option D wrongly says the old
header is added.
Hence, the answer in Option A only is correct.
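The two IPSec modes of Questions 326 to 328 shown at the byte level, as an added example that is not part of the original manual. It builds a plaintext IPv4 packet between two hosts, wraps it in ESP in transport mode (original header kept, payload encrypted) and in tunnel mode (whole packet encrypted, new outer header with the VPN gateways’ addresses), then unwraps and verifies each. A keyed-hash counter keystream stands in for AES, the integrity check is a truncated HMAC as in real ESP, and the hosts, gateways, keys and SPIs are constructed values; the framing follows RFC 4303 but this is not an IPsec implementation.

```python
"""IPsec ESP in transport mode and tunnel mode: what is encrypted and which
IP header stays visible.  Added illustration; an HMAC-based counter keystream
stands in for AES and the packets, addresses and keys are constructed."""
import hashlib
import hmac
import struct

ESP_PROTO = 50      # IP protocol number of ESP
IPIP_PROTO = 4      # ESP "next header" value meaning: a whole IPv4 packet follows
ICV_LEN = 16        # truncated HMAC-SHA-256 integrity check value
IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header without options


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet; the header checksum is left zero (not needed here)."""
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                        ip_bytes(src), ip_bytes(dst))
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    f = IPV4_HDR.unpack(pkt[:20])
    return {"src": ".".join(map(str, f[8])), "dst": ".".join(map(str, f[9])),
            "proto": f[6], "payload": pkt[20:f[2]]}


def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Toy counter-mode keystream bound to (SPI, sequence number); stands in for AES-CTR."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!IIQ", spi, seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encrypt(enc_key, auth_key, spi, seq, inner: bytes, next_header: int) -> bytes:
    """ESP packet: SPI | Seq | Enc(inner | padding | pad_len | next_header) | ICV."""
    pad_len = (-(len(inner) + 2)) % 4             # trailer ends on a 4-byte boundary
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    ct = bytes(p ^ k for p, k in zip(plain, keystream(enc_key, spi, seq, len(plain))))
    icv = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    return header + ct + icv


def esp_decrypt(enc_key, auth_key, esp: bytes):
    """Verify the ICV first, then decrypt; returns (inner, next_header)."""
    header, ct, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", header)
    plain = bytes(c ^ k for c, k in zip(ct, keystream(enc_key, spi, seq, len(ct))))
    pad_len, next_header = plain[-2], plain[-1]
    return plain[:len(plain) - 2 - pad_len], next_header


def transport_mode(pkt, enc_key, auth_key, spi, seq) -> bytes:
    """Host to host: the original IP header is kept, only the payload is protected."""
    ip = parse_ipv4(pkt)
    esp = esp_encrypt(enc_key, auth_key, spi, seq, ip["payload"], ip["proto"])
    return build_ipv4(ip["src"], ip["dst"], ESP_PROTO, esp)


def tunnel_mode(pkt, gw_src, gw_dst, enc_key, auth_key, spi, seq) -> bytes:
    """Gateway to gateway (VPN): the whole original packet is encrypted and a new
    outer header with the gateway addresses is added."""
    return build_ipv4(gw_src, gw_dst, ESP_PROTO,
                      esp_encrypt(enc_key, auth_key, spi, seq, pkt, IPIP_PROTO))


def unwrap(esp_pkt, enc_key, auth_key) -> bytes:
    """Receiving side for either mode; returns the original plaintext packet."""
    outer = parse_ipv4(esp_pkt)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    inner, next_header = esp_decrypt(enc_key, auth_key, outer["payload"])
    if next_header == IPIP_PROTO:      # tunnel mode: inner is the complete packet
        return inner
    # transport mode: rebuild the header (a real stack keeps the original one)
    return build_ipv4(outer["src"], outer["dst"], next_header, inner)


def rejected(esp_pkt, enc_key, auth_key) -> bool:
    try:
        unwrap(esp_pkt, enc_key, auth_key)
    except ValueError:
        return True
    return False


# Constructed sample: host 10.1.1.5 sends TCP to 10.2.2.7; the sites' VPN gateways
# are 203.0.113.1 and 198.51.100.1 (documentation address ranges).  Demo keys only.
ENC_KEY, AUTH_KEY = b"demo-encryption-key", b"demo-auth-key"
ORIGINAL = build_ipv4("10.1.1.5", "10.2.2.7", 6, b"GET / HTTP/1.0\r\n\r\n")
TRANSPORT = transport_mode(ORIGINAL, ENC_KEY, AUTH_KEY, spi=0x1001, seq=1)
TUNNEL = tunnel_mode(ORIGINAL, "203.0.113.1", "198.51.100.1", ENC_KEY, AUTH_KEY,
                     spi=0x1002, seq=1)

if __name__ == "__main__":
    for label, pkt in (("transport", TRANSPORT), ("tunnel", TUNNEL)):
        o = parse_ipv4(pkt)
        print(f"{label}: outer {o['src']} -> {o['dst']} proto {o['proto']}, {len(pkt)} bytes")
```

Running the file prints the outer addresses of each packet: in transport mode the real hosts 10.1.1.5 and 10.2.2.7 are visible to anyone on the path, in tunnel mode only the gateways are. Note also that the ESP integrity check covers the ESP header and the encrypted payload but not the outer IP header, so a modified outer header is not detected by ESP; that is what AH, or filtering at the gateway, is for.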
329. Secure Shell (SSH) is a protocol ____________
A. Which is basically VPN layered on SSL protocol
B. Which cannot operate in conjunction with Telnet
C. Used for secure remote login & for command execution over an insecure network
D. Works only for peer-to-peer mode

KEY C
Justification
SSH is a protocol used for secure remote login and for executing commands over an
insecure network. The course material summarises it as "Telnet + SSL + some other
features", i.e. an encrypted and authenticated replacement for Telnet; strictly, SSH
(RFC 4251) is a protocol of its own and does not use SSL/TLS. It works in client-server
mode: the server is authenticated by its host KEY and the client by a password or a
public KEY (certificates are optional). It is usually used on UNIX systems, though
implementations exist for all major platforms, and it replaces Telnet rather than
being incompatible with it.
The correct answer is as in Option C
330. Secure Shell (SSH) is a protocol ____________
A. That cannot be used for remote login or command execution
B. Comprising Telnet+SSL+other features
C. Which is basically VPN layered on SSL protocol
D. Which cannot operate in conjunction with Telnet
KEY B
Justification
SSH is a protocol used for secure remote login and for executing commands over an
insecure network. The description expected by the KEY is "Telnet + SSL + some other
features", a shorthand for an encrypted, authenticated Telnet replacement (SSH itself
is a separate protocol that does not use SSL). It works in client-server mode with both
ends authenticated, usually by host KEY on the server side and password or public KEY
on the client side, and it is usually used on UNIX systems.
The correct answer is as in Option B.
331. Secure Shell (SSH) is a protocol ____________
A. Which cannot operate in conjunction with Telnet
B. Which is basically VPN layered on SSL protocol
C. That cannot be used for remote login or command execution
D. That is usually used on UNIX systems
KEY D
Justification
SSH is a protocol used for secure remote login and for executing commands over an
insecure network, loosely described as Telnet + SSL + some other features. It works in
client-server mode with both ends authenticated, and it is usually used on UNIX systems,
where it is the standard means of administrative access (Option D). It operates wherever
Telnet did, it is not a VPN layered on SSL, and it is used precisely for remote login
and command execution, so the other options are wrong.
The correct answer is as in Option D.

332. Secure Electronic Transaction (SET) _____________
A. Was originally developed by Visa & Master card for secured electronic
transactions
B. Uses a system involving three signatures
C. Uses a system involving two signatures, one each of the customer and the
merchant
D. Uses a system involving three signatures, one each of the customer, the
merchant & the bank
KEY A
Justification
SET is a protocol originally developed by Visa and MasterCard for securing card payments
over open networks. It uses a system of Dual Signatures (one signature, not two or
three) whose objective is to link two messages intended for two different recipients:
the merchant receives the order information but cannot read the credit card details,
and the bank receives the payment information but cannot read the order details, while
the customer holds the link between order information and payment information for
resolving disputes, if any. SET was never widely adopted and has since given way to
SSL/TLS-based card processing.
The correct answer is as in Option A.
333. Secure Electronic Transaction (SET) ________________
A. Uses a system involving three signatures, one each of the customer, the
merchant & the bank
B. Is basically a combination of Telnet+SSL
C. Used exclusively on UNIX based systems
D. Uses a system of Dual signature to link two messages intended for two different
recipients
KEY D
Justification
SET uses a system of Dual Signatures: a single signature over the combined hashes of
two messages intended for two different recipients. The message to the merchant does
not allow reading of the credit card details and the message to the bank does not give
access to the order details, yet each party can verify that the two belong together,
and the customer has a link between order information and payment information for
resolving disputes, if any. It uses a combination of RSA public KEY cryptography, DES
symmetric (secret KEY) encryption and digital certificates to secure transactions. It
is not a combination of Telnet + SSL, nor is it used exclusively on UNIX based systems.
The correct answer is as in Option D

334. Secure Electronic Transaction (SET) _______________
A. Uses a system involving three signatures, one each of the customer, the
merchant & the bank
B. Used exclusively on UNIX based systems
C. Uses a cryptography combination of RSA public key, DES private KEY & digital
certificates
D. Is basically a combination of Telnet + SSL
KEY C
Justification
SET uses a system of Dual Signatures to link two messages intended for two different
recipients: the merchant cannot read the credit card details and the bank cannot read
the order details, while the customer holds the link between order information and
payment information for resolving disputes, if any. For security it combines RSA public
KEY cryptography (signatures and KEY exchange), DES symmetric encryption of the message
contents under a session KEY (the "DES private KEY" of Option C) and digital
certificates for all parties. It is not a combination of Telnet + SSL, nor is it used
exclusively on UNIX based systems.
The correct answer is as in Option C
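The dual signature of Questions 332 to 334 worked in code, as an added example that is not part of the original manual. The customer hashes the order information (OI) and the payment information (PI), signs the hash of the two digests, and sends the merchant OI together with the digest of PI, and the bank PI together with the digest of OI; each party verifies the signature over the whole without seeing the other half, and the two halves can later be shown to belong together. Textbook RSA over a KEY built from two Mersenne primes plays the part of the customer’s certified RSA KEY; it is deliberately insecure (no padding, trivially factorable modulus) and exists only so that the example runs with the standard library. The order and card details are constructed.

```python
"""SET dual signature: link an order (for the merchant) and payment instructions
(for the bank) so each party verifies the whole without seeing the other half.

Added illustration.  Textbook RSA on a demo KEY stands in for the customer's
certified KEY; the order and payment details are constructed."""
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Demo-only RSA KEY from two Mersenne primes: trivially factorable, never use for real.
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))


def rsa_sign(private_d: int, digest: bytes) -> int:
    """Textbook RSA signature over a digest (no padding: demo only)."""
    return pow(int.from_bytes(digest, "big"), private_d, N)


def rsa_verify(public_e: int, digest: bytes, signature: int) -> bool:
    return pow(signature, public_e, N) == int.from_bytes(digest, "big")


def dual_signature(order_info: bytes, payment_info: bytes, private_d: int) -> dict:
    """Customer side: OIMD = H(OI), PIMD = H(PI), POMD = H(PIMD || OIMD), DS = Sign(POMD).
    Each recipient gets its own message in clear plus only the digest of the other."""
    oimd, pimd = sha256(order_info), sha256(payment_info)
    ds = rsa_sign(private_d, sha256(pimd + oimd))
    return {
        "to_merchant": {"OI": order_info, "PIMD": pimd, "DS": ds},   # no card details
        "to_bank": {"PI": payment_info, "OIMD": oimd, "DS": ds},     # no order details
    }


def merchant_verify(msg: dict, public_e: int) -> bool:
    """Merchant recomputes OIMD from the order it can read and checks DS."""
    pomd = sha256(msg["PIMD"] + sha256(msg["OI"]))
    return rsa_verify(public_e, pomd, msg["DS"])


def bank_verify(msg: dict, public_e: int) -> bool:
    """Bank recomputes PIMD from the payment instruction it can read and checks DS."""
    pomd = sha256(sha256(msg["PI"]) + msg["OIMD"])
    return rsa_verify(public_e, pomd, msg["DS"])


def linked(merchant_msg: dict, bank_msg: dict) -> bool:
    """Dispute resolution: the halves belong together iff each side's digest of the
    hidden part matches the other side's clear part and the signatures are the same."""
    return (merchant_msg["PIMD"] == sha256(bank_msg["PI"])
            and bank_msg["OIMD"] == sha256(merchant_msg["OI"])
            and merchant_msg["DS"] == bank_msg["DS"])


# Constructed sample transaction.
ORDER = b"order#4471: 5 x salwar-kameez, total INR 7500"
PAYMENT = b"card 4111-xxxx-xxxx-1111 exp 12/27 amount INR 7500"

if __name__ == "__main__":
    msgs = dual_signature(ORDER, PAYMENT, D)
    print("merchant verifies:", merchant_verify(msgs["to_merchant"], E))
    print("bank verifies:    ", bank_verify(msgs["to_bank"], E))
    print("halves linked:    ", linked(msgs["to_merchant"], msgs["to_bank"]))
```

A real SET message additionally carries certificates for the customer, merchant and payment gateway and encrypts the payment instruction under a DES session KEY that only the bank can unwrap; the linking property shown here is the part Questions 332 to 334 are about. Changing one byte of the order after signing, or pairing the order with a different payment instruction, makes the corresponding verification fail.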
335. Secure Multipurpose Internet Mail Extension _________________
A. Uses the DES encryption system
B. Is a secure method for VPN access & remote log in
C. Is a secure method for Internet payment transactions
D. Is a secure method of sending emails and attachments
KEY D
Justification
S/MIME is a secure method for sending signed and/or encrypted e-mails and attachments.
Its distinguishing feature is public KEY cryptography using the RSA system: the sender
signs with a private KEY, and the recipient’s public KEY is used to wrap the KEY that
encrypts the message. The message body itself is encrypted with a symmetric cipher
(Triple-DES in older versions, AES today), so Option A does not describe what makes
S/MIME secure. It is not used for VPN/remote log in or for Internet payment
transactions.
The correct answer is as in Option D
336. Secure Multipurpose Internet Mail Extension _____________
A. Is based on public KEY cryptography & uses RSA encryption system
B. Is a secure method for Internet payment transactions

C. Is a secure method for VPN access & remote log in
D. Cannot handle emails and attachments
KEY A
Justification
S/MIME is a secure method for sending signed and/or encrypted e-mails and attachments.
It is based on public KEY cryptography using the RSA system for signatures and for
wrapping the symmetric KEY that encrypts the message body. It is not used for VPN/remote
log in or for Internet payment transactions, and it handles attachments as well as
message text.
The correct answer is as in Option A.
337. The prime drivers of choice of network technology for a typical large bank will be
______________
A. Primarily Business Focus followed by Risk Management
B. Business Focus, Risk Management & Govt. / Compliance needs
C. Primarily Risk Management followed by Govt. / Compliance needs
D. Solely Business Needs
KEY B
Justification
The prime drivers for choice of networking technology would be all the three major
factors of Business Focus, Risk Management & Govt. / Compliance needs.
The correct answer is, thus, as in Option B
338. The architecture of an enterprise-wide network in a bank ________________
A. Would be dual-layered, comprising Security & Internet
B. Would be dual-layered, comprising WAN Network Topology & Security
C. Would vary significantly, depending upon size, structure & goals of each bank
D. Would be multi-layered, comprising WAN Network Topology, Security &
Interfaces to Service delivery & Internet
KEY D
Justification
The architecture of an enterprise-wide network in a bank should ideally be multi-layered,
comprising WAN Network Topology, Security & Interfaces to Service Delivery &
Internet. Such a layered design is able to address the core needs of the bank in terms
of business focus, security, Government & compliance needs.
The correct answer is, thus, as in Option D

339. The most popular choice of backbone network technology is ___________
A. IP core technology
B. IP/ATM technologies
C. Multi-Protocol Label Switching or MPLS technology
D. AT&T technology
KEY C
Justification
MPLS-based networks are used extensively as the backbone because they carry data,
voice & video on a single infrastructure with traffic engineering and quality-of-service
guarantees, which the high usage of all three demands.
The correct answer is, thus, as in Option C
340. One feature of WAN Network Topology is ____________
A. The backbone is usually of optical fibre, with redundant routes
B. The last mile connects the central or head office to nearby Service Provider POP
C. The last mile primary links, in most cases, are VSATs
D. The Data Centre & the Disaster Recovery Centre are in the same safe seismic
zone
KEY A
Justification
The backbone in a typical WAN Network Topology is usually of optical fibre with
redundant routes. The last mile connects the branch / small office to the POP of the
service provider. The last mile links, in most cases, are leased lines backed up by a
secondary link ISDN, WiFi or satellite link. The Data Centre and the Disaster Recovery
Centre are invariably located in different seismic zones to prevent the possibility of both
being impacted simultaneously.
The correct answer is, thus, as in Option A.
341. One feature of WAN Network Topology is ____________
A. The backbone is usually of traditional copper wire used for telephony
B. The Data Centre & the Disaster Recovery Centre are in different seismic zones
C. The last mile connects the central or head office to nearby Service Provider POP
D. The last mile primary links, in most cases, are VSATs

KEY B
Justification
The backbone in a typical WAN Network Topology is usually of optical fibre with
redundant routes. The last mile connects the branch / small office to the POP of the
service provider. The last mile links, in most cases, are leased lines backed up by a
secondary link ISDN, WiFi or satellite link. The Data Centre and the Disaster Recovery
Centre are invariably located in different seismic zones to prevent the possibility of both
being impacted simultaneously.
The correct answer is, thus, as in Option B
342. One feature of WAN Network Topology is ____________
A. The Near-site DC is normally located in a different room/floor within the same
complex as the DC
B. The DC, Near-site DC and DRC are not connected, to prevent spread of
malicious viruses, etc.
C. Banks maintain a Near-site Data Centre (Near DC) in addition to the Data centre
(DC) & Disaster Recovery Centre (DRC)
D. The DC and the DRC are invariably located in the same seismically safe area
KEY C
Justification
The Data Centre and the Disaster Recovery Centre are invariably located in different
seismic zones to prevent the possibility of both being impacted simultaneously. The
Near-site Data Centre is maintained in addition to the DRC within a radius of about 20-
30 kms of the DC. The Near DC is connected both to the DC as well as the DRC
through redundant links and would serve as the back-up for operational data in case of
failure of the DC.
The correct answer is, thus, as in Option C
343. One feature of WAN Network Topology is ____________________
A. Data to & from the WAN to branches, DC, Near DC & DRC is in plaintext & not
encrypted
B. The DC, Near-site DC and DRC are not connected, to prevent spread of
malicious viruses, etc.
C. The DC and the DRC are invariably located in the same seismically safe area
D. Domain services are hosted in the Data centre (DC), Near-site Data Centre (Near
DC) & Disaster Recovery Centre (DRC) in different De-Militarized Zones (DMZs)

KEY D
Justification
Domain services are hosted in the DC, Near DC & DRC in different DMZs. The Data
Centre and the Disaster Recovery Centre are invariably located in different seismic
zones to prevent the possibility of both being impacted simultaneously. The Near-site
Data Centre is maintained in addition to the DRC within a radius of about 20-30 kms of
the DC. The Near DC is connected both to the DC as well as the DRC through
redundant links and would serve as the back-up for operational data in case of failure of
the DC. Data to and from the WAN to branches, DC, Near DC & DRC is all encrypted.
The correct answer is, thus, as in Option D
344. This is a feature of WAN Network Topology.
A. Redundancy is built in at DC, with links from minimum of two ISPs
B. The DC and the DRC are invariably located in the same seismically safe area
C. Data to & from the WAN to branches, DC, Near DC & DRC is in plaintext & not
encrypted
D. The DC, Near-site DC and DRC are not connected, to prevent spread of
malicious viruses, etc.
KEY A
Justification
To pre-empt the risk of failure of ISP (Internet Service Provider) link, redundancy is built
in at the DC with links from a minimum of two ISPs. The Data Centre and the Disaster
Recovery Centre are invariably located in different seismic zones to prevent the
possibility of both being impacted simultaneously. The Near-site Data Centre is
maintained in addition to the DRC within a radius of about 20-30 kms of the DC. The
Near DC is connected both to the DC as well as the DRC through redundant links and
would serve as the back-up for operational data in case of failure of the DC. Data to and
from the WAN to branches, DC, Near DC & DRC is all encrypted.
The correct answer is, thus, as in Option A.
345. Chartered Accountants are impacted by IT mainly in the following way
_______________
A. The IT industry is becoming global
B. The IT industry is being dominated by India
C. Automation of their clients’ operations & their data going digital
D. The Institute of Chartered Accountants is going digital

KEY C
Justification
CAs are impacted by IT primarily through the automation of their clients’ operations &
their clients’ data going digital. CA firms themselves also have to use IT in their own
offices to provide services.
The correct answer is, thus, as in Option C.
346. Chartered Accountants are impacted by IT mainly in the following way _________
A. The Institute of Chartered Accountants is going digital
B. The IT industry is being dominated by India
C. CA firms themselves will need to use IT for servicing their customers
D. The IT industry is becoming global
KEY C
Justification
CAs are impacted by IT primarily through the automation of their clients’ operations &
their clients’ data going digital. CA firms themselves also have to use IT in their own
offices to provide services.
The correct answer is, thus, as in Option C
347. A Data Warehouse is a collection of decision-support data that is
_________________
A. Volatile & updated on a daily basis
B. Exclusively relating to sales & marketing
C. Historical, supporting analysis & reporting functions
D. De-centralized with warehouses distributed over the country
KEY C
Justification
A data warehouse is a centralized, subject-oriented, integrated, time-variant & non-
volatile collection of data held to support management decision making. It relates to
all areas of operations which have relevance to business goals, not just sales &
marketing, and it holds historical data rather than being updated daily. Hence, only
Option C is correct.
348. A Data Mart ___________
A. Contains detailed data relating to a single aspect of business in large companies

B. Refers to a data storage product marketed by a business intelligence company
C. Stores all marketing related data alone for a company
D. Is a software used by Data Warehouses
KEY A
Justification
A Data Mart is a subset of a Data Warehouse & contains detailed data about a single
aspect of business in large companies. Hence, only Option A is correct.
349. Data Mining ____________
A. Is the recovery of all hidden data
B. Refers to the automated extraction of hidden predictive information
C. Helps analyse historical data but has little predictive value
D. Helps summarize data for regular MIS reporting systems
KEY B
Justification
Data Mining refers to the automated extraction of hidden predictive information from
large data sets. The key aspect is the detection of hidden patterns & relationships
which help predict the future, which is more than summarizing historical data for MIS
reports. Hence, only Option B is correct.
350. Which are the business activities which are strong contenders for conversion to
e-commerce?
A. Those relating to software development
B. Those relating to the ‘electronic’ aspects of commerce
C. Those that are paper-based, time consuming & inconvenient for customers
D. Those that are not paper-based, speedy & convenient for customers
KEY C
Justification
Maximum mileage can be gained from e-commerce by converting those business
activities which are paper-based, time consuming & inconvenient for customers as
indicated in Option C. This will help us reduce paperwork, accelerate delivery & make it
convenient for customers to operate from the comfort of their homes as also at any
other place of their convenience. Hence, the other options are wrong.

351. Your daughter orders five salwar-kameez sets on the Myntra website for door
delivery. She uses the Government wireless communication facility for carrying
out this task. Which model of e-commerce would this fall in?
A. Business-to-business
B. Consumer-to-consumer
C. Business-to-Government
D. Business-to-consumer
KEY D
Justification
This would obviously be a case of a business-to-consumer model &, hence, only Option
D is correct.
352. Cloud computing refers to ___________
A. On demand, networked access to a shared pool of computing resources
B. Computing carried out using software loaded on satellites
C. Strategic planning carried out through computerised simulations
D. Computing with light & minimal software
KEY A
Justification
Cloud computing refers to on demand, networked access to a shared pool of computing
resources as indicated in Option A. It is generally offered as a utility to users, payable
on the basis of consumption. Hence Option A is correct & the other options incorrect.
353. The Front-end in Cloud computing refers to _________
A. The Client’s computer alone; the access software is available on the cloud
B. The various computers, servers & data storage systems in the cloud system
C. The software available on the cloud computing systems
D. The Client’s computer as well as the software required to access the cloud
KEY D
Justification
The Front-end in Cloud computing comprises the Client’s computer as well as the
software required to access the cloud. Hence, Option D is correct whereas the other
options are incorrect.

354. The Back-end in Cloud computing refers to ___________
A. The Client’s computer as well as the software required to access the cloud
B. The various computers, servers & data storage systems in the cloud system
C. The Client’s computer alone; the access software is available on the cloud
D. Solely, the software available on the cloud computing systems
KEY B
Justification
The Back-end in Cloud computing comprises the various computers, servers & data
storage systems in the cloud system. Hence, Option B is correct whereas the other
options are incorrect.
355. Which of the following falls outside the typical features of Cloud computing?
A. Resource Pooling capability
B. Rapid elasticity in meeting changed client demands
C. A large, offsite, remotely accessible computing facility created by a large
enterprise for self use
D. Measured services with pay per use facility for clients
KEY C
Justification
Cloud computing basically involves pooling of resources for use by multiple agencies
and features the attributes listed in Options A, B & D (resource pooling, rapid
elasticity and measured, pay-per-use service). Option C alone does not fall within the
typical features of cloud computing, since it describes merely an internal computing
facility which happens to be located at a remote site. Hence, Option C is correct
whereas the other options are incorrect.
356. What is a Hybrid Cloud computing facility?
A. It provides both hardware as well as software services to its clients
B. It combines analog as well as digital computing capabilities
C. It provides free services to certain clients while charging others
D. It provides both private & public Cloud computing services

KEY D
Justification
Hybrid Cloud computing provides both private & public computing services, as indicated
in Option D. Hence, the other options are incorrect.
357. A Platform as a Service (PaaS) Cloud Computing model allows clients access to
______________
A. Hardware & operating system on the cloud but not the underlying infrastructure
B. Hardware & operating system on the cloud and also the underlying infrastructure
C. A variety of software provided on the cloud
D. Infrastructure, in terms of processing, storage & other computer networks, alone
KEY A
Justification
Option A above captures the correct services offered by PaaS; the other options are
incorrect.
358. A Software as a Service (SaaS) Cloud Computing model allows clients access to
______________
A. Hardware & operating system on the cloud but not the underlying infrastructure
B. Hardware & operating system on the cloud and also the underlying infrastructure
C. Infrastructure, in terms of processing, storage & other computer networks, alone
D. A variety of software applications made available by the provider on the cloud
KEY D
Justification
SaaS delivers complete applications that the provider hosts and operates on the cloud,
typically accessed by the client through a web browser or thin client (Option D). The
client manages neither the platform nor the infrastructure; Options A and B describe
PaaS-type access, and Option C describes IaaS. Hence, the other options are incorrect.
359. One of the major risks associated with Cloud computing is __________________
A. Increased cost of operations
B. Greater dependency on third parties & vulnerability to risk
C. Increase in manpower requirements
D. Loss of competitive advantage

139
DISA Review Questions, Answers Manual

KEY B
Justification
Options A, C and D are incorrect; cloud computing should actually help reduce costs,
improve competitive advantage and reduce, not increase, manpower requirements.
However, to the extent that the client depends on a third-party cloud service, it also
inherits the provider's risks: loss of direct control over its data and processing,
dependence on the provider's security, availability and continuity arrangements, and
vendor lock-in. Hence, Option B alone is correct.
360. What are the major perspectives in the role of a Chartered Accountant (CA) in the
post implementation stage of Enterprise Resource Planning (ERP) software ?
A. Defining criticality of the business & applying priorities
B. Cost-benefit analysis of customization
C. Optimization & security of the software system
D. Reports required for monitoring and control
KEY C
Justification
Post implementation, the CA would already have helped map the business processes and
arrive at the best configuration of the software and its applications (Options A, B and
D belong to the earlier stages). His focus would, hence, be on optimization of the
system and ensuring adequate security. Hence, Option C alone is correct.
361. What are some of the major challenges of using Enterprise Resource Planning
(ERP) software ?
A. Reduced data access
B. Need for redundant legacy systems to be maintained in parallel
C. Expenses & time in implementation
D. Increased operating costs
KEY C
Justification
The large expenditure involved in purchase, together with the intricacies of
implementation, are the major challenges faced by an organization adopting ERP
software. A successful ERP implementation would actually improve data access, reduce
operating costs and eliminate the need for parallel legacy systems, contradicting
Options A, B and D. Hence, Option C alone is correct.
362. Your client has a diversified business with manufacturing units & offices at multi-
locations. He is now trying to streamline operations by opting for a centralized

ERP system. You have assisted him in screening potential products & arriving at
the one best suited to his needs. The next step which would be critical for
optimizing the ERP software & aligning it to the business’s needs would be
_______________
A. Understanding business processes, identifying priorities & incorporating best
practices
B. Eliminating legacy systems
C. Implementing the system immediately to save on time & reap the benefits quickly
D. Implementing the system in a part of the organization alone, to start with
KEY A
Justification
Before commencing implementation of the ERP software, it is important to get a
thorough understanding of the business processes involved & identifying priority areas
(as mentioned in Option A). Based upon this, relevant best practices & benchmark
indices can be identified & incorporated in the final model in order to extract maximum
benefit from the software. Legacy systems elimination can be undertaken only after
successful commissioning of the ERP (at least at the pilot level). While it may seem
attractive to accelerate the implementation with the objective of generating savings
earlier, it would be far better to ensure that the approved model is robust & flexible
enough to accommodate potential changes in the environment. Lastly, an ERP is ideally
implemented enterprise-wide in order to harness the power of the software.
Implementing it in part of the organization would leave it in a stunted & sub-optimal
form. Hence, Option A alone is correct.
363. Which of the following is true of a typical Enterprise Resource Planning (ERP)
system ?
A. Capable of operation only on batch processing basis; cannot be real-time based
B. At any point of time, the same data, on real-time basis, can be accessed by
people in different parts of the organization
C. Capable of generating a balance sheet and P&L statement even on a daily basis
D. Implementation of a new ERP system can be done very quickly since it is
modular

KEY C
Justification
ERP systems do hold operational data in real time, but access to it is restricted to
individual users on a 'need-to-know' basis, so Option B's claim that the same data is
available to people across the organization does not hold without qualification. ERP
systems are not limited to batch processing (Option A). Once configured and
implemented, it should technically be possible to generate financial statements even on
a daily basis (Option C). One of the limitations of any robust ERP system is the time
taken for implementation: for best results, the implementation process has to be
rigorous and scrupulously adhered to, and short cuts can be counter-productive, so
Option D is wrong. Hence, Option C alone is correct.
364. One of the major risks of Enterprise Resource Planning (ERP) systems is ?
A. Increased complexity of simple legacy processes
B. Increased manpower requirement, particularly in the accounting area
C. Risk of depending upon one ERP vendor for all the critical operations of the
organization
D. Increased operating costs
KEY C
Justification
A major risk with ERP systems is the fact that they cover the entire operations of an
organization, so any default or failure on the part of the ERP vendor can have
catastrophic consequences for operations. The situation is compounded by the fact that
there are very few dependable ERP vendors, leaving little choice (Option C). A well
implemented ERP would actually simplify legacy business processes (Option A); ERP
implementation generally reduces manpower, particularly in the accounting department,
rather than increasing it (Option B); and operating costs would generally be lower than
before, not higher (Option D). Hence, Option C alone is correct.
365. You are a budding entrepreneur running a Small & Medium Enterprise. The SME is
on a rapid growth path & you have ambitious expansion plans. You have invested
substantial sums in creating a robust IT system for the organization keeping in
mind your future plans. You realize that the success of any system lies in checks
and balances, including a proper auditing system & decide on appointing an
auditor. The qualities you would pragmatically expect an ideal auditor to possess
for this role would be ______________
A. Expertise in all areas of IT technology
B. Thorough knowledge on the financial aspects alone
C. Adequate working knowledge of IT hardware & software
D. Expertise both in financial and IT technology aspects

KEY C
Justification
Option C is correct: a C.A.'s knowledge of IT need not, and cannot, be complete and
total; adequate working knowledge of hardware and software is what is required to audit
the IT function of an organization effectively.
Option A: C.A.s cannot be expected to be experts in all areas of IT; this is not their
role.
Option B: knowledge of financial aspects alone will not facilitate effective auditing
of a technology-oriented function like IT.
Option D: a C.A. cannot pragmatically be expected to have expert knowledge of both the
financial and the IT aspects.
366. You are a Sales Manager in a consumer product company equipped with the
latest laptop computer. You use the laptop for analysing territory-wise sales
trends, customer preferences, etc. After a recent upgrade of software by your
company’s IT department, you observe that you are no longer able to analyze
historical sales trends. However, when you check the database in the computer,
the historical sales data is very much available. The problem you are facing is
probably due to ___________
A. A bug or inadequacy in the operating system
B. A bug or inadequacy in the application software
C. Insufficient memory space in the computer
D. Defective hardware in the laptop
KEY B
Justification
The problem has arisen after upgrade of the application software by the IT department.
The database clearly has the relevant data & it is the access to and/or manipulation of
this data which is the issue. Hence, Option B is correct. The other options are not
correct since they are not likely to create the problem encountered by the Sales
Manager.
367. Following an orientation programme on Information Technology, four members
from the group of participants are picked and named Mr Fetch, Mr Decode, Ms
Execute and Ms Store, representing the parts of the CPU's machine cycle. In
which sequence should these individuals queue up in order to accurately
demonstrate the machine cycle performed by the CPU ?
A. Mr Decode, Ms Execute, Ms Store and Mr Fetch

B. Ms Store, Mr Fetch, Mr Decode and Ms Execute
C. Ms Execute, Mr Fetch, Mr Decode and Ms Store
D. Mr Fetch, Mr Decode, Ms Execute and Ms Store
KEY D
Justification
As defined in paragraph 1.3.2, the machine cycle is Fetch, Decode, Execute and Store,
in that order (Option D).
Options A, B and C list the steps in the wrong sequence.
368. Your client’s business volume has been stagnating & he is keen to explore ways
and means of growing it. With the objective of drawing up an appropriate strategy,
you advise him to conduct a SWOT analysis for which he collects a lot of
operational information related to marketing, manufacturing, etc. He realizes that
his information system is now faced with information overload & he needs to
supplement his Secondary Memory capacity. Secondary memory ___________
A. Is non-volatile memory with large storage capacities
B. Is volatile memory with large storage capacities
C. Is non-volatile memory which is fast & responsive
D. Involves higher cost per unit of information than RAM
KEY A
Justification
As brought out in paragraph 1.3.3, secondary memory is non-volatile, with large storage
capacities (Option A). It is, however, slower than registers or primary storage, so
Option C is wrong; it is not volatile, so Option B is wrong; and its cost per unit of
information is lower than that of RAM, so Option D is wrong.
369. You are auditing the recent purchase of IT hardware equipment in your client’s
office. You study the Mean Time Between Failures (MTBF) as also the Mean Time to
Repair (MTTR) of the equipment. Ideally, ____________
A. MTBF must be low and MTTR must be high
B. MTBF must be high and MTTR must be low
C. Both MTBF and MTTR must be high
D. MTBF and MTTR must be equal to each other.

KEY B
Justification
As brought out in paragraph 1.5.2, Mean Time Between Failures must be high (failures
are rare) and Mean Time To Repair must be low (each failure is resolved quickly);
together these maximise the availability of the equipment (Option B).
All the other answers are, therefore, wrong.
370. As a Chartered Accountant, you feel that Hardware Auditing __________
A. Is best carried out by the purchase department of the I.T. department
B. Should be restricted to the financial aspects of hardware usage
C. Primarily encompasses hardware acquisition & capacity management
D. Is not as critical as software auditing which can be a more vulnerable area
KEY C
Justification
Paragraph 1.6 elaborates on the criticality of hardware acquisition and capacity
management as the key areas of hardware auditing (Option C).
Hardware is a vulnerable area which needs to be closely reviewed by Audit; it is neither
a purely financial matter nor a job for the purchasing function. Hence, the other three
options are not correct.
371. Your client reports to you concern about security of the data in his organization
and would like to install software which effectively manages ownership
assignment of all data for accountability. What type of software would you
recommend him to install ?
A. Data Communications Software
B. Access Control Software
C. Utility programs
D. Defragmenters
KEY B
Justification
It is access control software which is vested with the responsibility for assigning
ownership of all data for purposes of accountability (para 2.3.2). Data Communications
software generally assists the OS for local and remote terminal access (option A). Utility
programs and defragmenters basically help improve computer efficiency and
performance and have nothing to do with ownership assignment of all data.

372. You are auditing a major software purchase transaction by your client. In your
opinion, what should your client have done as a first step in acquiring the
software ?
A. Establish scope, objectives, background & project charter
B. Establish criteria for selecting and rejecting alternatives
C. Carry out Cost/Benefit analysis, including make or buy decision
D. Determine supplier’s technical capabilities & support services
KEY A
Justification
Without first establishing the scope and objectives, software acquisition may end up
failing on fundamental aspects of meeting end user needs. This would be the starting
point, therefore, for any acquisition exercise. The other options get ruled out by default.
373. Your client is in the process of deploying IT in his business operations & seeks
advice about the potential drawbacks of following a Centralised Deployment
Strategy. Your answer would be that the major drawback of this strategy would be
____________
A. Resource sharing of reduced order
B. Poorer economies of scale
C. Reduced security
D. Vulnerability due to single point of failure
KEY D
Justification
A centralized deployment strategy concentrates all resources at one central point,
making the whole system vulnerable to total failure if that central point is
compromised in any manner (Option D). Resource sharing, in fact, is a strong plus point
of centralised deployment. Similarly, this approach has better economies of scale owing
to the use of large hardware and a larger number of software licences. Since everything
is centralized, the number of exposed points is smaller and the possibility of leakage
is reduced. Hence, the other options are not correct.
374. Your client is in the process of deploying IT in his business operations & seeks
advice about the potential drawbacks of following a De-centralised Deployment
Strategy. Your answer would be that the major drawback of this strategy would be
_____________
A. Less flexibility to cope with internal/external changes

B. Potentially higher CAPEX requirement
C. Information systems could be mutually incompatible
D. Slower system development
KEY C
Justification
A major disadvantage of a decentralized deployment strategy is that, with
de-centralized decision making, different tailor-made information systems may be
created at different locations, leading to potential incompatibility (Option C). On the
other hand, given their de-centralized structure, such systems have greater flexibility
to cope with changes and can be developed and implemented quickly. Capex requirement
could also be lower owing to the ability to carry out changes in phases. Hence, the
other options are not correct.
375. A large private sector bank offering Core Banking Solutions has sought your
assistance in auditing its Data centre operations. While drawing up your auditing
approach to this bank, you would primarily focus upon ________
A. Number of employees in the Bank
B. Annual Business volume
C. Nature of software applications used
D. Type of services offered, risk management & control requirements
KEY D
Justification
The complexity of services offered including the response time, risk management
objectives and control goals would drive the IT components of a CBS Data Centre
(Option D). The elements in the other three options would have limited impact on the
configuration of the data centre.
376. A large international airline has entered Indian airspace & is setting up IT and
other infrastructure in a metro city in India. Its business is strongly dependent
upon the internet & accuracy and prompt availability of data is critical to
successful operations. It has already decided on backing up of all information as
also storing of all transactional information at a remote site to overcome the
contingency of any break-down of the infrastructure at its metro city office. As a
Consultant to the business, what other measures of redundancy would you
suggest to improve reliability, fault tolerance & accessibility, without, however,
compromising on security?
A. A near-site data replication facility

B. A near-site Disaster recovery facility
C. Filing of hard copies of all transaction documents
D. Hiring cloud storage facilities as an additional back up
KEY A
Justification
A near-site facility is normally used as a data replication facility only (Option A). It would
not be a prudent choice for a disaster recovery facility since, as a proximate location,
the probability of its getting exposed to the same geographical risks is very high. Use of
hard copies of documents would be a retrograde step which would only delay processes
& add costs. While cloud storage could be a solution, it could raise issues of data
security. Hence, the other options are not correct.
377. You have been appointed as a Consultant to a SME which is slowly outgrowing its
status & morphing into a large enterprise. The organization has invested in
various types of software at different stages of its growth but now seeks to
rationalize its IT infrastructure with an eye on future growth. Faced with the
complexity of the existing Information System, you decide on first implementing a
process of Configuration Identification (CI). This involves ___________
A. Identification of all IS components without reference to version
B. Identification of software components of IS alone
C. Identification of all IS components in a system
D. Identification of hardware components of IS alone
KEY C
Justification
Configuration identification involves identification of all versions & updates of both
software and hardware. This facilitates continuous monitoring during the life cycle of the
product & becomes useful at the time of any proposed changes in the components
(Option C). Option A is wrong since it ignores the version, which is vital. B and D are
incorrect since they are addressing either the software or hardware alone.
378. A SME which is slowly outgrowing its status & morphing into a large enterprise
has appointed you as a Consultant. The organization has invested in various
types of software & hardware at different points of time. You have realized that
this disorganized and unplanned method of software & hardware acquisition has
made it very vulnerable. Your considered view is that the first step towards
securing the systems is to carry out Hardening of the Systems. This involves
__________

A. Use of robust hardware to strengthen the system
B. Optimising configuration of hardware systems alone
C. Auditing configuration of software systems alone
D. Securely configuring systems to minimize security risks
KEY D
Justification
Hardening of systems is the process of securely configuring computer systems so as to
reduce their attack surface and eliminate as many security risks as possible: removing
or disabling unneeded services, accounts and software, applying patches, and replacing
permissive default settings with secure ones (Option D). It applies to operating
systems, applications and network devices alike. It does not refer to the use of robust
hardware (Option A); nor does it limit itself to hardware alone (Option B) or software
alone (Option C).
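As an added illustration of what "securely configuring" means in practice (example code written for this manual entry, not part of the original text or of any vendor's tooling), the script below audits a constructed sshd_config against a constructed hardening baseline and emits the corrected file. The keyword names are real OpenSSH directives; the sample configuration, the baseline values and the function names are assumptions made for the example. Two details matter to an auditor: sshd uses the first value it finds for a keyword, so a later "PermitRootLogin no" does not override an earlier "yes", and directives after a Match line are conditional, so the parser stops there.

```python
"""Audit an sshd_config against a hardening baseline and emit a corrected file.

Added example for illustration: the configuration text and the baseline
below are constructed, not taken from the manual or from any real host.
"""
from typing import Dict, List, Tuple

# Constructed sample: a permissive sshd_config with several weak settings.
# sshd keeps the FIRST value it sees for a keyword, so the trailing
# 'PermitRootLogin no' does nothing; an audit that read the last value
# would wrongly pass this file.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
# second occurrence, ignored by sshd because the first value wins
PermitRootLogin no
"""

# Constructed baseline (keyword -> required value); values compared case-insensitively.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global settings, keyed by lower-cased keyword.

    Mirrors two sshd rules: only lines starting with '#' are comments, and the
    first value of each keyword wins. Lines after the first 'Match' block are
    conditional, so parsing stops there.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit(settings: Dict[str, str], baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """List (keyword, value found or '<unset>', value required) for each deviation."""
    findings: List[Tuple[str, str, str]] = []
    for keyword, required in baseline.items():
        found = settings.get(keyword.lower())
        if found is None or found.lower() != required.lower():
            findings.append((keyword, "<unset>" if found is None else found, required))
    return findings


def harden(text: str, baseline: Dict[str, str]) -> str:
    """Rewrite the config so every baseline keyword carries its required value.

    The first line for a baseline keyword is replaced, later duplicates are
    dropped (so the first-value-wins rule cannot reintroduce a weak setting),
    and keywords missing from the file are inserted before any 'Match' block.
    """
    wanted = {k.lower(): (k, v) for k, v in baseline.items()}
    out: List[str] = []
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        key = "" if not line or line.startswith("#") else line.split(None, 1)[0].lower()
        if key in wanted:
            if key not in seen:
                canon, value = wanted[key]
                out.append(f"{canon} {value}")
                seen.add(key)
            continue
        out.append(raw)
    match_at = next((i for i, l in enumerate(out) if l.strip().lower().startswith("match ")), len(out))
    additions = [f"{canon} {value}" for key, (canon, value) in wanted.items() if key not in seen]
    out[match_at:match_at] = additions
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for keyword, found, required in audit(parse_sshd_config(SAMPLE_SSHD_CONFIG), BASELINE):
        print(f"{keyword}: found {found!r}, baseline requires {required!r}")
    print(harden(SAMPLE_SSHD_CONFIG, BASELINE))
```

Running the script lists four findings (three weak values and one missing directive) and prints the hardened file; re-auditing that output yields no findings. The same pattern, parse the effective configuration, compare against a baseline, emit the corrected form, applies to any hardening benchmark a CA might audit against.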
379. Your client asks you as to which type of Communication system facilitates
simultaneous two way communication. You would then advise them to go in for
___________
A. Half Duplex communication system
B. Full Duplex communication system
C. Simplex communication system
D. Combination of Simplex and Half Duplex systems
KEY B
Justification
Full Duplex communication has the capability to handle simultaneous two way
communication. It is like two Simplex systems put together. A half duplex system /
simplex system or a combination of these cannot meet this objective.
380. You are being briefed by an accountant in your client’s office who has limited
knowledge of cable technology. He speaks of the type of cable which has been
chosen by his IT department for transmission of information. He explains that the
cable’s positive features include high integrity, low attenuation over long
distances, high carrying capacity & lesser power consumption. He also feels that
it comprises an inner core made of glass or plastic type of material. What is your
educated guess of the nature of this cable ?
A. Optical fibre cable
B. Co-axial cable
C. Twisted pair cable
D. Bi-metallic cable

KEY A
Justification
An optical fibre cable consists of an inner core made of glass or plastic/polymer
through which light-based signals are carried. It has high integrity as well as low
attenuation over long distances, higher carrying capacity, and consumes less power,
since signals do not degrade as fast as in copper-based systems. Hence, Option A is the
only correct option.
381. You have recently taken on a Travel agency as your client. You are familiarizing
yourself with the agency & its operations. You are told that they use a network of
computers which are designed as per Bus topology. You realize then that the
agency’s computer system involves ____________
A. A single hub connecting all nodes
B. Connection of its computers on a single circle of cable
C. Connection of computers on a single backbone cable
D. Connection of every node to every other node
KEY C
Justification
In Bus topology, all the computers in the network are connected on a single backbone
cable. All the computers in the network receive incoming messages from any other
computer; however, only the intended recipient accepts and processes the message. It
is not on a single hub or circle of cable and each of the nodes are not connected to
each other. The correct answer is Option C
382. You have signed on for an audit of an Internet service provider. What sort of
network topology do you expect this organization to have adopted ?
A. Ring topology, involving connection of all the computers on a single ring of cable
B. Star topology, connecting all the computers to a central hub or switch
C. Mesh topology, involving physical connection of every node with every other
node
D. Bus topology, ideally suited to systems which need only a low degree of fault
tolerance

KEY C
Justification
Mesh topology involves physical connection of every node with every other node. It is
rather complex and requires the largest number of cables, but it provides multiple
paths between any two nodes, which is why it is ideally suited to large
telecommunication companies and internet service providers, who need a high degree of
fault tolerance. It is not based on a single backbone (bus), a single ring, or a
central hub/switch (star). The correct answer, therefore, is Option C.
383. Your client has noted that a user with a particular IP address has been trying to
access its server & wishes to identify the physical address (MAC) of the user.
Which is the protocol which would have to be used for doing this ?
A. Internet Control Message Protocol (ICMP)
B. Transmission Control Protocol (TCP)
C. Simple Mail Transfer Protocol (SMTP)
D. Address Resolution Protocol or ARP
KEY D
Justification
ARP is the method of ascertaining the physical (MAC) address of the host on the local
network segment that claims a given IP address. The protocols in Options A to C serve
other purposes (error reporting, reliable transport and mail transfer respectively).
Hence, only Option D is correct. Note, however, that ARP replies are not authenticated:
any host on the segment can answer for an IP address it does not own, so a MAC obtained
this way should be corroborated against the switch's MAC address table or DHCP lease
records before it is treated as evidence of who the user is.
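The exchange behind Option D, worked as an added example (not part of the manual): the code below builds Ethernet/ARP frames from constructed addresses, resolves 10.0.0.1 to a MAC from the replies, and flags the case an auditor should worry about, a second reply naming a different MAC for the same IP. All addresses, the sample frames and the function names are assumptions made for the example; the frame layout follows RFC 826.

```python
"""Parse ARP frames, resolve an IP to a MAC, and flag conflicting answers.

Added example for illustration. The frames are built in-line from constructed
addresses; they are not captured traffic.
"""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_frame(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Ethernet II header (14 bytes) followed by a 28-byte ARP packet (RFC 826)."""
    eth_dst = BROADCAST_MAC if oper == ARP_REQUEST else tha
    ethernet = mac_bytes(eth_dst) + mac_bytes(sha) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 Ethernet, ptype=0x0800 IPv4, hlen=6, plen=4, then the operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa)
    return ethernet + arp


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "oper": oper,
        "sha": mac_str(frame[22:28]),   # sender hardware address
        "spa": ip_str(frame[28:32]),    # sender protocol address
        "tha": mac_str(frame[32:38]),   # target hardware address
        "tpa": ip_str(frame[38:42]),    # target protocol address
    }


def learn_arp_table(frames: Iterable[bytes]) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Build an IP -> MAC table from ARP replies.

    The first MAC seen for an IP is kept; any later reply that names a different
    MAC for the same IP is recorded as (ip, first_mac, new_mac). ARP carries no
    authentication, so such a conflict is the classic sign of ARP spoofing and
    must be corroborated (switch port tables, DHCP leases) before being trusted.
    """
    table: Dict[str, str] = {}
    conflicts: List[Tuple[str, str, str]] = []
    for frame in frames:
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt["oper"] != ARP_REPLY:
            continue
        ip, mac = pkt["spa"], pkt["sha"]
        if ip in table and table[ip] != mac:
            conflicts.append((ip, table[ip], mac))
        else:
            table.setdefault(ip, mac)
    return table, conflicts


def resolve(frames: Iterable[bytes], target_ip: str) -> Optional[str]:
    """MAC learned for target_ip from the replies in frames, or None if nobody answered."""
    table, _ = learn_arp_table(frames)
    return table.get(target_ip)


# Constructed exchange: host .5 asks who has .1, the real .1 answers, then a
# third host sends an unsolicited reply claiming .1 for itself.
SAMPLE_FRAMES = [
    build_arp_frame(ARP_REQUEST, "02:00:00:00:00:05", "10.0.0.5", ZERO_MAC, "10.0.0.1"),
    build_arp_frame(ARP_REPLY, "02:00:00:00:00:01", "10.0.0.1", "02:00:00:00:00:05", "10.0.0.5"),
    build_arp_frame(ARP_REPLY, "02:00:00:00:00:66", "10.0.0.1", "02:00:00:00:00:05", "10.0.0.5"),
]

if __name__ == "__main__":
    print("10.0.0.1 is at", resolve(SAMPLE_FRAMES, "10.0.0.1"))
    for ip, old, new in learn_arp_table(SAMPLE_FRAMES)[1]:
        print(f"conflict: {ip} first seen at {old}, now claimed by {new}")
```

The third frame is the point of the example: the resolver still reports the first answer, but the conflict list shows that a second station also claimed 10.0.0.1, which is exactly why a MAC obtained from ARP is a lead, not proof, of which machine was behind an IP address.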
384. You observe that the first Octet of the IP address of one of your clients is 195 in
decimal range. In which Class of the IPv4 Classful Addressing Scheme does this
fall ?
A. C
B. D
C. A
D. E
KEY A
Justification
The first Octet of Class C of the IPv4 Classful Addressing Scheme is any number
ranging between 192 and 223 & the client’s number of 195 falls within this range.
Hence, the answer in Option A is correct. The other options are incorrect.
385. Technology development by design from a strategic perspective by CA firms
could _____________

A. Be a promotional tool for CA firms, attracting more clients
B. Be a growth catalyst / key differentiator for current/new services to existing /
new customers
C. Be an expensive proposition with doubtful long term benefits
D. Be a wasteful exercise since IT technology is very volatile & could become
obsolete quickly
KEY B
Justification
Technology development by design, approached from a strategic perspective, can be a
growth catalyst and a key differentiator for CA firms, both for current and for new
services to existing and new clients. It is neither merely promotional (Option A) nor
wasteful (Options C and D).
The correct answer is, thus, as in Option B.
386. You have just taken on as your client, a huge international organization with a
large presence on internet networks. To which class of IPv4 Classful Addressing
Scheme do you expect its IP address to belong & within what range would the
first Octet of its address fall ?
A. Class B, 128-191
B. Class C, 192-223
C. Class A, 1-126
D. Class E, 240-254
KEY C
Justification
Large organizations with extensive presence on the internet are generally included in
Class A of the IPv4 Classful Addressing scheme. The first Octet would then fall within a
range of 1 – 126. Option C, thus, gives the correct answer & the other options are
incorrect.
387. Your client company is involved in research & development on the internet.
Which class of IPv4 Classful Addressing Scheme do you expect it to use & within
what range would the first Octet of that address fall ?
A. Class A, 1-126
B. Class B, 128-191
C. Class C, 192-223
D. Class E, 240-254

KEY D
Justification
Class E of the IPv4 Classful Addressing scheme is reserved for research &
development / study. The first Octet would fall within a range of 240 to 254. Option D,
thus, gives the correct answer & the other options are incorrect.
388. You have just taken on as your client, a huge international organization with a
large presence on internet networks. Which of the following types of Network
(N)/Host (H) id of the IPv4 Classful Addressing Scheme would you expect the
client to have ?
A. N.H.H.H
B. H.N.N.N
C. N.N.H.H.
D. H.H.N.N
KEY A
Justification
Large organizations with extensive presence on the internet are generally included in
Class A of the IPv4 Classful Addressing scheme. The first Octet would then represent
the network id and the other Octets, the host id, as indicated in Option A. The other
options are not correct.
389. Your new client advises you that its IP address falls under Class C of the IPv4
Classful Addressing Scheme. Which of the following types of Network (N)/Host
(H) id would you expect the client to have ?
A. H.N.N.N
B. N.N.H.H.
C. N.N.N.H
D. H.H.N.N
KEY C
Justification
An address in Class C of the IPv4 Classful Addressing Scheme uses its first three
octets as the network id and the last octet as the host id, i.e. N.N.N.H, as indicated
in Option C. The other options are incorrect.

390. If your client’s IT manager advises you that his company’s default sub-net mask
under the IP Classful Addressing Scheme is 255.255.0.0, which of the following IP
classes does his company’s network belong ?
A. Class A
B. Class C
C. Class B
D. Class E
KEY C
Justification
The default sub-net mask of Class B of the IP Classful Addressing Scheme is
255.255.0.0; hence, Option C is correct. The other options are not correct.
391. You are with the IT Manager of your client, trying to understand their systems.
The IT Manager is a person who revels in creating puzzles. When you ask him
about his company’s IP address, he tells you that it belongs to an IPv4 class that
can accommodate the least number of networks but the maximum number of
hosts per network (usable addresses). To which IP class is he referring ?
A. Class A
B. Class B
C. Class C
D. Class D
KEY A
Justification
Class A of IPv4 accommodates the fewest networks (126) but the largest number of usable
host addresses per network (2^24 - 2 = 16,777,214). Hence, Option A is correct and the
other options are incorrect.
392. You are with the IT Manager of your client, trying to understand their systems.
The IT Manager is a person who revels in playing with puzzles. When you ask him
about his company’s IP address, he tells you that it belongs to an IPv4 class that
can accommodate nearly 21 lakh networks. He adds, however, that the flip side is
that the number of useable addresses per network would be a measly figure of
about 250. To which IP class is he referring ?
A. Class A
B. Class B

C. Class D
D. Class C
KEY D
Justification
Class C of IPv4 accommodates as many as 2,097,150 networks (about 21 lakh), but only
254 usable host addresses per network (2^8 - 2). Hence, Option D is correct and the
other options are incorrect.
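Questions 384 and 386 to 392 all reduce to one lookup: first octet to class, then class to default mask, network/host layout and the 2^n - 2 counts. The following added example (not the manual's material) implements that lookup so the figures above can be reproduced; the function and class names are assumptions made for the example. Class E is taken here as 240 to 255 because 255.255.255.255 is the limited broadcast address, whereas the manual's range stops at 254. For audit work, note that classful addressing is historical: since CIDR, an address beginning with 195 says nothing reliable about the prefix actually in use, so the configured mask or prefix length is the evidence to collect.

```python
"""Classify IPv4 addresses under the (historical) classful addressing scheme.

Added example for illustration, not the manual's material. Network and host
counts use the textbook convention of discarding the all-zeros and all-ones
identifiers (2^n - 2), which reproduces the manual's 126 and 20,97,150 figures.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class IPClass:
    name: str
    first_octet: Tuple[int, int]   # inclusive range of the first octet
    network_bits: int              # leading bits that identify the network (0 = no split)
    fixed_prefix_bits: int         # high-order bits fixed by the class (0, 10, 110, ...)
    default_mask: Optional[str]
    layout: Optional[str]          # N = network octet, H = host octet


CLASSES = (
    IPClass("A", (1, 126), 8, 1, "255.0.0.0", "N.H.H.H"),
    IPClass("B", (128, 191), 16, 2, "255.255.0.0", "N.N.H.H"),
    IPClass("C", (192, 223), 24, 3, "255.255.255.0", "N.N.N.H"),
    IPClass("D", (224, 239), 0, 4, None, None),   # multicast: no network/host split
    IPClass("E", (240, 255), 0, 4, None, None),   # reserved / experimental
)


def classify(ip: str) -> IPClass:
    """Return the class of a dotted-quad IPv4 address from its first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    for cls in CLASSES:
        low, high = cls.first_octet
        if low <= first <= high:
            return cls
    raise ValueError(f"{ip}: first octet {first} is reserved (0 = 'this network', 127 = loopback)")


def network_count(cls: IPClass) -> int:
    """Usable networks in the class: 2^(network bits not fixed by the class prefix) - 2."""
    if cls.network_bits == 0:
        raise ValueError(f"class {cls.name} has no network/host split")
    return 2 ** (cls.network_bits - cls.fixed_prefix_bits) - 2


def host_count(cls: IPClass) -> int:
    """Usable hosts per network: 2^(host bits) - 2 (network and broadcast excluded)."""
    if cls.network_bits == 0:
        raise ValueError(f"class {cls.name} has no network/host split")
    return 2 ** (32 - cls.network_bits) - 2


def class_for_default_mask(mask: str) -> str:
    """Inverse lookup used when only the default subnet mask is known (Q390)."""
    for cls in CLASSES:
        if cls.default_mask == mask:
            return cls.name
    raise ValueError(f"{mask} is not a classful default mask")


def network_id(ip: str) -> str:
    """Network identifier of ip under its default class mask."""
    cls = classify(ip)
    return str(ipaddress.IPv4Network(f"{ip}/{cls.network_bits}", strict=False).network_address)


def describe(ip: str) -> str:
    """One-line summary of everything the classful scheme says about ip."""
    cls = classify(ip)
    if cls.network_bits == 0:
        return f"{ip}: Class {cls.name}, no network/host split"
    return (f"{ip}: Class {cls.name}, layout {cls.layout}, default mask {cls.default_mask}, "
            f"network id {network_id(ip)}, {network_count(cls):,} networks x {host_count(cls):,} hosts")


if __name__ == "__main__":
    for sample in ("195.10.20.30", "10.1.2.3", "172.16.5.6", "224.0.0.1", "240.0.0.1"):
        print(describe(sample))
```

Running the script prints, for example, that 195.10.20.30 is Class C with layout N.N.N.H, default mask 255.255.255.0, 2,097,150 networks and 254 hosts, which is the reasoning behind Q384, Q389 and Q392 in one line.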
393. As an experienced Chartered Accountant, you are addressing a group of freshers
on the subject of the massive quantities of information available to any
organization. In this background, what would you stress as most critical for
successful business operations ?
A. Establishing hardware infrastructure to handle voluminous information
B. Recruiting more IT personnel to handle large volume of data
C. Building more storage space for the voluminous data
D. Capability to pick out the key aspects which can help serve the customer better
KEY D
Justification
The most critical factor for business success in the current information age is the
capability to sift the grain from the chaff, pick out the exceptions & appreciate customer
preferences & nuances of demand. The other options of creating infrastructure, adding
people or storage space are, at best, short term measures for coping with dealing with
‘big data’ rather than means of identifying customer needs & satisfying them.
A retail grocery chain store analyses data of its sales over different time periods over
the day. It observes that in many of its markets, substantial sales happen throughout
the day but in certain specific markets, sales peaked late in the evening. In these
markets, frequent instances were also reported of staff having to send away customers
as late as 10 pm in the night since closing time for the store had been crossed. On
carrying out a more detailed analysis of the profile of the customers in these markets, it
discovered that these were dominated by young employees of IT & BPO companies,
many of whom worked in line with U.S. and European markets & returned home late in
the night.
394. The store then decided to experiment with extended timings, up till midnight, for
the stores in such markets & was delighted to find sales burgeoning. Which of the
following best describes this initiative ?
A. Leveraging Business Intelligence to identify latent customer needs

B. Increasing investments in people for higher returns
C. Improved channel management
D. Cost saving experiment
KEY A
Justification
This is a clear case of leveraging business intelligence to identify latent customer
needs. But for the capability to collect, analyse data & draw insightful conclusions there-
from, this success could not have been achieved. Option A, therefore, is correct. The
other answers may be the incidental outcomes of the action taken in the process of
leveraging business intelligence and not the actual initiative per se.
395. You are a Consultant to a budding Small & Medium Enterprise which is aiming at
growing into a large enterprise. You carry out a detailed study of the current state
of the enterprise in terms of people, systems, procedures, etc. You decide to
focus on systems and IT, in particular, as the backbone for the enterprise’s future
growth plans. You observe that the existing system has limitations in terms of
lack of uniformity of software, databases, delay in availability of analysed data,
etc. Your recommended solution would be for ___________
A. Up-gradation of all the current versions of software
B. Installation of an Enterprise Resource Planning software
C. Up-gradation of the current versions of software & addition of fresh software
D. Installation of a new Database Management system
KEY B
Justification
Answers at Options A, C & D could at best achieve partial solutions. A robust ERP
software system, however, will help integrate all aspects of the business and support
online recording as well as speedy analysis & decision support. This could help
eliminate multiple legacy systems & help improve business processes. Hence, Option B
would be the correct recommendation of the Consultant.
396. The Indian fertilizer industry depends heavily on Government subsidies since
they are expected to sell their products to customers at prices far below the cost
of production. The Government has evolved a complicated mechanism for
deciding the subsidy level for each type of fertilizer depending upon various
dynamic factors like the international price of the raw material / finished product,
the Rupee/dollar exchange rate, conversion & added costs, etc. The industry
association decides to set up a common cloud facility for helping the individual
units manage the work of raising regular subsidy claims linked to the various cost

156
Primer on Information Technology, IS Infrastructure & Emerging Technologies

factors as also sales elements, etc. Such a cloud facility would be deemed to be a
______________
A. Public Cloud facility
B. Private Cloud facility
C. Community Cloud facility
D. Hybrid Cloud facility
KEY C
Justification
When several businesses share a common cloud computing resource, it is called a
community cloud facility. Hence, Option C is correct whereas the other options are
incorrect.
397. One of your client’s managers tells you that they have recently opted for some
cloud computing facilities. Being a non-IT official, he says he does not
understand what exactly is meant by the term but he has been told that they have
opted for a model of Infrastructure as a Service (IaaS). With your own background
knowledge of the subject, you explain to him that an IaaS model involves
_____________
A. Provision of processing, storage networks & other basic computing resources
B. Provision of various types of software on the cloud which can be used by any
client
C. Provision of hardware & operating system platform alone
D. Provision of manpower on remote access basis
KEY A
Justification
The IaaS model involves provision of processing, storage, networks & other basic
computing resources as brought out in Option A. Hence, the other options are incorrect.
398. Your client hires the services of an e-auction platform for launching its reverse
auction for purchase of various raw materials. The client accesses the platform
through the internet. Several suppliers register themselves with the platform &
participate in the reverse auction on the planned date. Which model of e-
commerce would this fall in _____________
A. Business-to-Government
B. Business-to-consumer
C. Business-to-business
D. Consumer-to-consumer
KEY C
Justification
This would obviously be a case of a business-to-business model &, hence, only Option
C is correct.
399. The Tamil Nadu State Government has announced that payment of house taxes,
electricity bills, etc. can be made by citizens through the respective portals using
internet banking or credit / debit cards. Which model of e-commerce would this
fall in ______________
A. Business-to-business
B. Business-to-Government
C. Consumer-to-consumer
D. E-Government
KEY D
Justification
This would obviously be a case of E-Government, facilitating payment of taxes & bills
through an Internet based facility. Hence, only Option D is correct.
400. You are a Google account holder. Google informs you that they have begun to
offer cloud computing facilities to its users & that, as an existing user, you will be
allowed up to 15 GB of data storage on the cloud free of cost & thereafter, a
nominal $ 0.026 per GB per month. Delighted, you begin using the facility with
your laptop. Soon, you receive an alert on the system that you have exhausted
the 15 GB free storage space & would need to begin paying for securing more
storage space. Which of the characteristics of Cloud computing does this
demonstrate ?
A. Resource Pooling
B. Network access from any device
C. Measured services & on-demand self-service
D. Access to software & computing capabilities
KEY C
Justification
In the given instance, the client is being offered measured services & on-demand self
service as brought out in Option C. The example does not throw up any specific
information about Resource pooling or facility for accessing the cloud through any
device other than the laptop being used. It does not also speak of other Cloud
computing services like access to software, etc. Hence, only Option C is correct.
401. The Bring Your Own Device (BYOD) concept _____________
A. Envisages permitting employees to use their own personal devices for official
work
B. Envisages permitting employees to do their personal work on official devices
C. Is a risk free & beneficial system for corporate
D. Envisages storage of both official & personal information on the same device
without any demarcation
KEY A
Justification
The BYOD concept envisages permitting employees to use their own personal devices
for official work. It has the advantage of saving IT infrastructure expenditure &
convenience for employees. It does not envisage usage of company properties by
employees for their personal work. While it has many advantages, it is vulnerable to
some risks. In general, when the same device is used both for personal as well as
official use, virtual demarcation is made of the information storage system & adequate
firewalls incorporated. Thus, Option A alone is correct.
402. eXtensible Markup Language or XML _______________
A. Describes how data can be presented in the form of web pages
B. Involves use of pre-determined tags
C. Is a platform-independent, standard data exchange format
D. Is less powerful than Hypertext Markup Language or HTML
KEY C
Justification
As indicated in Option C above, XML is a platform-independent, standard data
exchange format. It supports presentation, communication & storage of data. It does
not involve use of pre-determined tags; instead, users need to define their own tags.
XML is more powerful than HTML since it facilitates automatic manipulation &
interpretation of data. Thus, Option C alone is correct.
403. eXtensible Markup Language or XML _________________
A. Can handle data transfer only when the data is in a compatible format
B. Facilitates exchange of data even in incompatible formats
C. Is supported only by some of the major software products
D. Involves use of pre-determined tags
KEY B
Justification
The main strength of XML is its ability to create data in a format which can be read by
different applications. It is portable, supported by major software products & is in easily
readable format. It does not involve use of pre-determined tags; instead, users need to
define their own tags. Hence, Option B is correct.
404. A limitation of eXtensible Markup Language or XML is that it ___________
A. Software developers do not build their new products on it, limiting interoperability
B. Can handle data transfer only when the data is in a compatible format
C. Is less powerful than Hypertext Markup Language or HTML
D. Lacks inherent security; any means of validation, confidentiality or integrity
KEY D
Justification
One weakness of XML is that it lacks inherent security, any means of validation,
confidentiality or integrity. However, its main strength is its ability to create data in a
format which can be read by different applications & can handle data even when it is not
in compatible format. It is supported by major software products & is in easily readable
format. XML is, in fact, more powerful than HTML since it facilitates automatic
manipulation & interpretation of data. Hence, Option D is correct.
405. An advantage of eXtensible Business Reporting Language or XBRL over
eXtensible Markup Language or XML is that the former ___________
A. Can help create data that can be read by different applications
B. Is portable and vendor neutral
C. Is a standard that has been accepted & adopted the world over
D. Provides a standard format for data exchange
KEY C
Justification
As indicated in Option C above, XBRL has the advantage of being a standard that has
been accepted and adopted the world over. The other answers in Options A, B and D
are equally applicable both to XML as well as XBRL. Hence, the correct answer is only
in Option C.
406. An advantage of eXtensible Business Reporting Language or XBRL over
eXtensible Markup Language or XML is that the former _______________
A. Is much faster and allows real-time preparation of reports
B. Provides a standard format for data exchange
C. Is portable and vendor neutral
D. Can help create data that can be read by different applications
KEY A
Justification
As indicated in Option A above, XBRL has the advantage of facilitating faster and real-
time preparation of business reports. The other answers in Options B to D are equally
applicable both to XML as well as XBRL. Hence, the correct answer is only in Option A.
407. An advantage of eXtensible Business Reporting Language or XBRL over
eXtensible Markup Language or XML is that the former ______________
A. Provides a standard format for data exchange
B. Is portable and vendor neutral
C. Can express more than one relationship amongst elements
D. Can help create data that can be read by different applications
KEY C
Justification
As indicated in Option C above, XBRL has the advantage of being capable of
expressing more than one relationship amongst elements, such as multiple hierarchies.
This is because it defines relationships separately from elements, unlike XML. The
answers in Options A, B and D are equally applicable both to XML as well as XBRL.
Hence, the correct answer is only in Option C.
408. A feature of eXtensible Business Reporting Language or XBRL which is not found
in eXtensible Markup Language or XML is that the former _________
A. Uses Taxonomy & Instance documents
B. Uses XML standard
C. Can define elements & relationships for data used internally
D. Is supported by XML validation tools
KEY A
Justification
As indicated in Option A above, XBRL uses Taxonomy (procedure for creating files with
relevant business terminology, etc. along with the rules that they must follow) &
Instance documents (documents containing the data in well-formed XML.) The answers
in Options B to D are applicable equally both to XML as well as XBRL. Hence, the
correct answer is only in Option A.
409. CAs need to be well versed with the benefits & control issues of eXtensible
Business Reporting Language or XBRL because _____________
A. It uses XML standard
B. More and more countries are mandating the use of XBRL
C. It can define elements & relationships for data used internally
D. It is supported by XML validation tools
KEY B
Justification
As indicated in Option B above, more and more countries are mandating the use of
XBRL because it has been validated and declared as a standard. It also has the
advantages of being able to ensure compatibility with regulatory standards, improved
data quality & is faster in report preparation. The answers in Options A, C and D are
applicable equally both to XML as well as XBRL &, hence, cannot account for the
significant difference in importance of XBRL. Hence, the correct answer is only in
Option B.
410. Which of the following is an example of Social Media _________
A. LinkedIn
B. Times of India newspaper
C. Society monthly magazine
D. National Geographic magazine
KEY A
Justification
Social media is social interaction among people in which they create, share or
exchange information & ideas in virtual communities and networks. LinkedIn as an
example of social networking is an example of social media. The other instances are
examples of magazines and newspapers which do not fall within the ambits of social
media. Hence, the correct answer is only in Option A.
411. State True or False. In Social Media, content is supplied and managed by user
himself through the use of tools and platforms supplied by social media sites.
A. TRUE
B. FALSE
KEY A
Justification
Social media is social interaction among people in which they create, share or
exchange information & ideas in virtual communities and networks. Social media sites
like Facebook do allow users to supply & manage content using the tools and platform
provided by the sites. Hence, the correct answer is as in Option A.
412. What is the major aspect of Social Media which is relevant to business, in general
____________
A. It helps sell more software related to tools of social media
B. It renders physical markets and direct contact with customers redundant
C. It facilitates a platform for business to interact with customers
D. It is relevant only to members of the higher income group in society
KEY C
Justification
Social media is social interaction among people in which they create, share or
exchange information & ideas in virtual communities and networks. It provides
businesses a platform to interact with customers to conduct market research, carry out
sales promotion, reward campaigns, etc. The prospect of selling relevant software is not
a generalized benefit but restricted to a narrow spectrum of business. While it does
increase the importance of presence in social media, it does not, necessarily, reduce
the importance of physical markets & direct customer contact. It is also not true to say
that social media is more relevant only to members of the higher income group in
society. Hence, the correct answer is as in Option C.
413. Breach of privacy, fear of legal action, potential for negative reputation, etc. are
potential risks for business leveraging social media. What is the other major type
of risk which a CA may have to address ______________
A. The risk of ignoring customers who are not members of the social media
B. The risk of development of new social media platforms
C. The risk of use of social media by employees on organization networks/devices
D. The risk of the collapse of all social media
KEY C
Justification
The risk of use of social media by employees on organization networks and devices is
the other major risk which CAs would have to be alert to. For, this could lead to
intentional or accidental leak of organizational data as also provide a route for hackers
to access the organization’s database. The other risks outlined in Options A, B and D
are not significant enough to cause concern. Hence, the correct answer is as in Option
C.
414. What is one of the important measures required for mitigating security concerns
in using Social Media?
A. The organization avoiding use of Social media
B. Creation of & compliance with a robust, comprehensive Social Media policy
C. Banning employees from being members of social media
D. Creating firewalls blocking out potential hackers
KEY B
Justification
The single major initiative that an organization can take is the creation of a robust &
comprehensive Social Media policy. Avoiding use of social media is a sub-optimal &
escapist solution which will not benefit the organization. Banning employees is too
tyrannical a measure to take in an era when most people, particularly from the younger
generation, are members of some form of social media. This may actually deter
potential employees from joining the organization. The use of firewalls is required as a
matter of standard policy, whether the organization is using social media or not. Hence,
the correct answer is as in Option B.
415. How is Geolocation different from Global Positioning System (GPS) ?
A. It is not different; it is just another term for GPS
B. Geolocation ascertains location of satellites rather than individuals/devices on the
earth
C. Geolocation helps identify the ideal location for installation of disaster recovery
systems
D. Geolocation focuses more on a meaningful location rather than mere
geographical co-ordinates
KEY D
Justification
Geolocation, as brought out in Option D above, focuses more on a meaningful location
rather than just determining the bare geographical co-ordinates which GPS provides.
Hence, the correct answer is as in Option D.
416. State True or False. A major risk involved with the use of Geolocation services is
the concern of source, ownership & misuse of data owing to involvement of
multiple data controllers.
A. TRUE
B. FALSE
KEY A
Justification
One of the major risks involved with the use of Geolocation services is, indeed, the
concern regarding source, ownership & misuse of data arising from the involvement of
multiple data controllers. Hence, the correct answer is as in Option A.
417. The Business Information System used for handling structured problems as also
doing routine transactional jobs is _________________
A. Transaction Processing System or TPS
B. Decision Support System or DSS
C. Executive Support System or ESS
D. Structured Query Language or SQL
KEY A
Justification
The Business Information System used for handling structured problems as also
transactional jobs is the Transaction Processing System or TPS. DSS & ESS are higher
level systems which aim more at problem solving & also address strategic concerns.
Hence, the correct answer is as in Option A.
418. The Business Information System which provides answers to semi-structured
problems, is used for handling structured problems & for validation of business
decisions is ________________
A. Structured Query Language or SQL
B. Transaction Processing System or TPS
C. Decision Support System or DSS
D. Executive Support System or ESS
KEY C
Justification
The Business Information System used for handling semi-structured problems & for
validation of business decisions is the Decision Support System or DSS. TPS address
lower level needs while ESS deals with higher level systems which aim more at problem
solving & also address strategic concerns. Hence, the correct answer is as in Option C.
419. The Business Information System which provides answers to un-structured
problems & supports Executive management in planning strategy & vision is
______________
A. Structured Query Language or SQL
B. Executive Support System or ESS
C. Transaction Processing System or TPS
D. Decision Support System or DSS
KEY B
Justification
The Business Information System used for handling un-structured problems & for
supporting Executive management in planning strategy & vision is the ESS. TPS & DSS
address lower level needs. Hence, the
correct answer is as in Option B.
420. In an inter school competition on Artificial Intelligence, four children develop
software which perform the following different functions respectively. Which of
them is a correct example of the use of basic Artificial Intelligence ?
A. A calculation software which arrives at the arithmetic total of figures keyed in
B. A password system which allows access based upon keying in of the correct
password
C. Predictive & self learning word-processing software
D. A software which rejects invalid dates like 32nd March 2014
KEY C
Justification
The word-processing software pops up suggested words based upon the first few words
keyed in by the user. Also, when the user keys in a new word which is not available in
its repertoire, it adds it to its collection & reflects it as an option the next time similar
letters are initiated. In effect, the software is able to observe & record patterns and
improves through ‘learning’. The other answers in Options A, B and D involve the basic
computing functions of a computer which is based on a ‘go / no-go’ logic which does not
involve pattern recognition or further learning. Hence, the correct answer is only as in
Option C which displays characteristics of artificial intelligence.
421. Artificial Intelligence works with the help of two concepts; one of them is Artificial
neurons. The other is ?
A. ‘If-then’ statements and logics
B. ‘What-if’ scenarios
C. The four ‘W’s What, When, Where & Why
D. ‘How-Why’ statements
KEY A
Justification
Artificial intelligence works with the help of Artificial neurons as also ‘If-then’ statements
/logics. The answers in the other options are not correct. Hence, the correct answer is
only as in Option A.
422. Artificial Intelligence works with the help of two concepts; one of them is Artificial
neurons. The other is ?
A. ‘What-if’ scenarios
B. The four ‘W’s What, When, Where & Why
C. ‘If-then’ statements and logics
D. ‘How-Why’ statements
KEY C
Justification
Artificial intelligence works with the help of Artificial neurons as also ‘If-then’ statements
/logics. The answers in the other options are not correct. Hence, the correct answer is
only as in Option C.
423. An Expert System _____________
A. Is a software that supersedes the operation of other software
B. Is a panel of software experts who are consulted for solving security threats
C. Is a computer hardware that manages other hardware in a computer system
D. Is a software that comprises specialized human knowledge in a specific, narrow
domain
KEY D
Justification
As indicated in Option D above, an Expert system is a software that contains a
significant portion of the specialized knowledge of one or more human experts in a
specific, narrow domain. The answers given in the other options are not correct.
Hence, the correct answer is only as in Option D.
424. A characteristic of Expert Systems is ______________
A. They cannot be used in embedded systems
B. They will have either a knowledge base or a set of rules for application, not both
C. They are used for structured logic like if- then-else
D. They are best suited to situations not requiring precision & error-free operations
KEY C
Justification
As indicated in Option C above, Expert systems are used for structured logic like
if-then-else. They are best suited to situations requiring precision and error-free
operations & hence, are best suited for use in embedded systems, atomic power plants,
space stations, etc. They will have both a knowledge base as well as a set of rules for
application. Hence, the correct answer is only as in Option C.
425. You have received an alert about the due date for payment of your post paid
mobile phone charges. You log on to the service provider’s website and attempt
to transfer the payment through net banking. However, while you were able to
complete the formalities involved at your bank’s portal, the system hangs later on
and a message is flashed saying that there is a problem with the service
provider’s system & asking users to try later. This is an issue with the service
provider’s ___________
A. Transaction Processing System
B. Expert systems
C. Decision Support systems
D. Executive Support systems
KEY A
Justification
The service provider’s transaction processing system has obviously failed & hence the
difficulty the user is facing in completing the payment process for his bill. The answers
in the options B to D are incorrect. Hence, the correct answer is only as in Option A.
426. You are an active player on the stock market & place buy / sell orders for shares
throughout the working day with your broker. In the middle of a day characterised
by particularly volatile movements in share prices & potential risk of losses, you
wish to make an assessment of your positions. However, when you speak to your
broker and ask him for a report of the transactions carried out on that day till that
point of time, the broker responds saying that you would be able to access an
online report by the end of the day, for all the transactions of the day at one go.
This is an example of ____________________.
A. Online Transaction Processing system
B. Online Expert System
C. Batch Transaction Processing System
D. Online Executive Support systems
KEY C
Justification
The service provider’s transaction processing system obviously operates on a batch
process & reports are run at the end of a particular period, in this case, one day. The
answers in Options A, B and D are wrong. Hence, the correct answer is only as in
Option C.
427. You are an active player on the stock market & place buy / sell orders for shares
throughout the working day with your broker. In the middle of a day characterised
by particularly volatile movements in share prices & potential risk of losses, you
wish to make an assessment of your positions. You speak to your broker and ask
him for a report of the transactions carried out on that day till that point of time.
The broker responds saying that you could access their website & be able to
generate a report at any point of time in the day & get a report for all the
transactions of the day at one go. This is an example of _______________
A. Online Transaction Processing system
B. Online Executive Support systems
C. Online Expert System
D. Batch Transaction Processing System
KEY A
Justification
The service provider’s transaction processing system obviously operates on online
transaction processing system since transactions are reflected in their reports at any
point of time in the day. Hence, the answers in Options B to D are wrong. The correct
answer is only as in Option A.
428. Your client is in the process of growing his business from the level of a Small &
Medium Business into a larger organization. His operations have been
computerized & customer transactions are being managed reasonably well.
However, in order to take the next leap forward, he would like to get more insights
into his business, appreciate customer needs better and would like data from his
systems help him take business decisions which would propel him towards his
goal of an enlarged business. You realise that his existing computer systems are
basically Transaction Processing Systems (TPS) and he needs to transform them
into Decision Support Systems (DSS) to enable him achieve his objective. One of
the major advantages of DSS over TPS is ________________
A. It can handle huge amounts of data from various sources
B. It responds rapidly
C. It is reliable
D. It provides information which helps the manager assess alternatives & choose
the best
KEY D
Justification
DSS have as their primary role the provision of information which can help a manager
take a decision. The answers in Options A, B and C are applicable to TPS too and are
not exclusive to DSS. Hence, the answers in Options A, B and C are wrong. The correct
answer is only as in Option D.
429. State TRUE or FALSE. ‘Decision Support Systems can support both semi-
structured as well as structured problems; they can be useful both to operational
as well strategic decision-making’
A. TRUE
B. FALSE
KEY A
Justification
DSS have the capability to support both semi-structured as well as structured problems.
Their configuration is such that they can be used by managers as an aid to both
operational as well as strategic decision-making. Hence, the above statement is true
and Option A is correct.
430. A KEY differentiator for a Decision Support System over a Transaction
Processing System is _______________.
A. It can handle large amounts of data in batch as well as online mode
B. It is more interactive & model-driven, performing mathematical & qualitative
analysis
C. It has a larger database as compared to the transaction processing system
D. It can more reliably handle large volume of information relating to transactions
KEY B
Justification
Decision support systems are far more interactive and model-driven, as brought out in
Option B above. The answers in Options A, C and D are not correct and probably relate
more to Transaction processing systems. They are surely not KEY differentiators.
Hence, the correct answer is only as in Option B.
431. The type of software support system which would generally be suited for top-level
decision-making, like spinning-off a portion of the company, acquiring another
company, entering a new business, etc. is ____________
A. Decision Support System
B. Data Base Management System
C. Executive Support System
D. Delphi system
KEY C
Justification
Executive support systems are the appropriate choice for such top-level decision
making support, as brought out in Option C above. The answers in Options A, B and D
are not correct. The correct answer is only as in Option C.
432. Executive Support Systems address ______________
A. External, un-structured and uncertain information through a structured approach
B. Internal & structured information through a un-structured approach
C. Day-to-day information for operational control & monitoring
D. Analysis of routine transactional data
KEY A
Justification
Executive support systems are the appropriate choice for top-level decision making
support. They are futuristic and deal with the macro world & potential changes in the
environment & changed times. Hence, intrinsically, they deal with uncertain information
substantially into the future but through a structured, well thought out approach. Hence,
the answer in Option A above is correct. The answers in Options B to D are not correct.
433. Big Data refers to ____________
A. Data connected to the top few companies in each industry
B. Trillions of records from various sources with potentially high value
C. Data related to space research, involving great distances in the galaxy
D. Data relating to the largest selling products of each organization
KEY B
Justification
Big Data refers to a large collection of data from various sources with potentially high
value. The high value emanates from the insights which it is possible to derive from a
careful analysis of the available data. Hence, the answer in Option B above is correct.
The answers in Options A, C and D are not correct.
434. The main value of Big Data arises from ____________
A. Having more data than the competition
B. Having comprehensive information about all aspects of the business
C. Insights that can be gleaned about niche customers from large data
D. Its ability to cover all transactions with customers
KEY C
Justification
Data collection in large quantities, per se, carries limited value. It is the careful analysis
of humongous volumes of data to elicit patterns of customer behaviour, market trends,
etc. that are the major prize won through Big Data. Such exercises help companies to
tap new markets, implicit demand, etc. and thus, be one up on the competition. Hence,
the answer in Option C above alone is correct. The answers in Options A, B and D are
not correct.
435. What is the major control aspect of dealing with Big Data which a Chartered
Accountant needs to be aware of ?
A. Privacy, security & legal aspects of dealing with customer & other parties’
information
B. Providing adequate storage space for the large volumes of data
C. Instituting adequate steps for collection & collation of the data
D. Ensuring adequate storage security through redundancy
KEY A
Justification
There are potential risks involved in collecting, storing & utilising customer data. There
is a need for ensuring the entire process is carried out in a legal manner without
causing discomfort or loss of faith with the customer. Protecting information passed on
by a customer based upon trust is another key aspect. Thus, the answer in Option A
above is correct & the other answers are wrong.
436. Returning from school one day, your daughter cannot wait to talk about what they
taught her on that day regarding environmental degradation & global warming.
She tells you that electricity is generated by power plants to meet our energy
needs but they are, at the same time, releasing greenhouse gases like Carbon
dioxide which contribute to global warming, leading to cascading effects. An
impact of this sort, created by an organization, individual or activity is referred to
as _________
A. Carbon credits
B. Carbonification
C. Carbon footprint
D. Oxidisation

173
DISA Review Questions, Answers Manual

KEY C
Justification
The level of greenhouse gases generated by the activities & actions of an individual or
organization is referred to as a ‘carbon footprint’. Hence, the girl’s description of her
learnings at school refers to the carbon footprint of setting up a power plant. Thus, the
answer in Option C above is correct & the other answers are wrong.
437. Apart from the conscious choices of minimising the carbon footprint &
networking hardware, Green Information Technology involves ______________
A. Use of organic products in the organization
B. Minimizing use of water in the organization
C. Avoiding air conditioning, utilising natural cooling and light
D. Minimization of computer devices’ energy consumption
KEY D
Justification
The third of the choices to be made in Green Information technology is minimization of
computer devices’ energy consumption over their life cycle, as indicated in Option D
above. The answers in the other options are not correct.
438. One of the following actions could be an intrinsic part of Green Information
Technology implementation ________________
A. Moving back storage & processing capacity from the cloud
B. Replacing a single server system with multiple servers
C. Installation of automatic shutdown/power-up processes
D. Avoiding replacement of old equipment with new ones
KEY C
Justification
The answers in Options A, B and D would act, by and large, counter to the goals of
Green information technology. Moving to cloud computing helps improve utilisation of
resources; similarly, a single server system is probably more energy efficient than
multiple servers. Though it may appear worthwhile to continue sweating old equipment,
new equipment is generally more energy efficient and can more than compensate for the
benefits of retaining the old equipment. The answer in Option C, however, is relevant &
will make a meaningful contribution to the goals of Green IT. Hence, only Option C is
the correct answer.
439. One of the initiatives in Green Information Technology implementation could be
______________
A. Using single power efficient server combined with virtualization
B. Avoiding replacement of old equipment with new ones
C. Replacing a single server system with multiple servers
D. Moving back storage & processing capacity from the cloud
KEY A
Justification
The answers in Options B to D would act, by and large, counter to the goals of Green
information technology. Though it may appear worthwhile to continue sweating old
equipment, new equipment is generally more energy efficient and can more than
compensate for the benefits of retaining the old equipment. Moving to cloud computing
helps improve utilisation of resources; similarly, a single server system is probably
more energy efficient than multiple servers. The answer in Option A, however, is
relevant & will make a meaningful contribution to the goals of Green IT. Hence, only
Option A is the correct answer.
440. Effective Green Information Technology implementation could involve
_______________
A. Replacing a single server system with multiple servers
B. Avoiding replacement of old equipment with new ones
C. Using power efficient hardware & thin clients
D. Moving back storage & processing capacity from the cloud
KEY C
Justification
The answers in Options A, B and D would act, by and large, counter to the goals of
Green information technology. Moving to cloud computing helps improve utilisation of
resources; similarly, a single server system is probably more energy efficient than
multiple servers. Though it may appear worthwhile to continue sweating old equipment,
new equipment is generally more energy efficient and can more than compensate for the
benefits of retaining the old equipment. The answer in Option C, however, is relevant &
will make a meaningful contribution to the goals of Green IT. Hence, only Option C is
the correct answer.
441. A useful step in Green Information Technology implementation could be
________________
A. Setting of clear goals for power reduction, decreased carbon footprint, etc.
B. Replacing a single server system with multiple servers
C. Avoiding replacement of old equipment with new ones
D. Moving back storage & processing capacity from the cloud
KEY A
Justification
The answers in Options B to D would act, by and large, counter to the goals of Green
information technology. Moving to cloud computing helps improve utilisation of
resources; similarly, a single server system is probably more energy efficient than
multiple servers. Though it may appear worthwhile to continue sweating old equipment,
new equipment is generally more energy efficient and can more than compensate for
the benefits of retaining the old equipment. The answer in Option A, however, is
relevant & will make a meaningful contribution to the goals of Green IT. The setting of
clear goals helps direct focus to the effort. Hence, only Option A is the correct answer.
442. What is characteristic of Web 2.0?
A. Communication from one person/unit to many
B. HTML Web pages & email newsletters
C. Facilitates collaboration & information sharing online
D. Two-way communication not possible
KEY C
Justification
The Web 2.0 version is a two-way communication facility covering blogs, wikis and
social networking sites. It facilitates collaboration & information sharing online, as
indicated in Option C. It is not a case of communication from only one person to many.
It is also an improvement over the Web 1.0 version which comprised HTML web pages
& email newsletters. Hence, Option C is the correct answer.
443. What is a distinguishing feature of Web 3.0?
A. Communication from one person/unit to many
B. Facilitates convergence of mobile phones, smartphone apps, etc.
C. HTML Web pages & email newsletters
D. Two-way communication not possible
KEY B
Justification
The Web 3.0 version is an evolving system which is an improvement over Web 2.0. It
facilitates convergence of mobile phones, smartphone apps, tablets, etc. It is not a
case of communication from only one person to many. Like Web 2.0, it is also an
improvement over the Web 1.0 version which comprised HTML web pages & email
newsletters. Hence, Option B is the correct answer.
444. What is one of the controls that can be practically established for overcoming the
risks of Web 2.0 without compromising on operational efficiencies?
A. Blocking social networking sites like Facebook
B. Restricting access to blog sites
C. Blocking access to forums
D. Using extended validation, SSL certification for websites
KEY D
Justification
Blocking out features like social networking, forums, blogs, etc. would prevent utilization
of some of the key features of Web 2.0 and, hence, would be a sub-optimal approach.
It would be better to build in preventive measures like website validation, as brought out
in Option D. Hence, Option D is the correct answer.
445. One practical control that can be established for overcoming the risks of Web 2.0
without compromising on operational efficiencies is?
A. To develop & implement internal policies for safeguarding against risks
B. Restricting access to blog sites
C. Blocking access to forums
D. Blocking social networking sites like Facebook
KEY A
Justification
Blocking out features like social networking, forums, blogs, etc. would prevent utilization
of some of the key features of Web 2.0 and, hence, would be a sub-optimal approach.
It would be better to draw up a robust policy which addresses all the potential risks of
Web 2.0 and the preventive measures required to minimize them. Hence, only the answer
in Option A is correct.
446. What is an example of clickjacking?
A. Malicious take-over of a computer on remote basis
B. Stealing files in a computer from a remote location
C. Stealing of keyed in credentials information
D. Resolution of software issues on a device from remote location
KEY C
Justification
Clickjacking is the malicious stealing of keyed-in credentials information through a
transparent second layer. The answers in Options A, B and D are incorrect; only the
answer in Option C is correct.
447. What is the Web of Everything?
A. Coverage of all theoretical concepts by the Internet
B. Encompasses the Internet as well as all forms of telecommunication
C. Comprises the Internet, all telecommunication as well as satellites
D. Expansion of Internet to objects like cars, refrigerators, etc.
KEY D
Justification
The Web of Everything or the Internet of Everything is the integration of objects like
cars, refrigerators, etc. into the internet. It basically merges the physical world with the
digital world. The answers in Options A, B and C are incorrect; only the answer in Option
D is correct.
448. What is 3D printing?
A. Printing of a 3 dimensional video or movie on to paper
B. Technology for printing images on paper in 3-dimensional form
C. An additive manufacturing process for printing 3-dimensional objects
D. Technology which permits printing of images incorporating movement/change
KEY C
Justification
3D printing is an exciting development in printing technology which permits the use of
various types of materials, including metals, to create 3-dimensional objects. This is
done through a process of additive manufacturing (AM) and can be used for creating
virtually any 3-dimensional object. The answer at Option C is, hence, correct whereas the
other answers are wrong.
449. Which is one of the major areas of emerging technology wherein CAs need to play
a key role?
A. Management of social media & the risks associated with it
B. Development of new software technology
C. New techniques of marketing of products
D. Developments in the field of integrated circuits
KEY A
Justification
One major area of importance to CAs in the changing global environment is the
management of social media & the risks associated with it. Organizations are
increasingly shifting their marketing focus from the physical to the virtual market,
exploiting the strengths of the Internet. As more and more products get linked to the
Internet, the value of social media will increase tremendously, as will the risks
associated with it. Hence, Option A is the correct answer. The other answers in
Options B to D are not correct.
450. Which one of the following is a key area to be focussed upon by CAs in the
current era of emerging technologies?
A. New techniques of marketing of products
B. Developments in the field of integrated circuits
C. Security of Systems and Data
D. Development of new software technology
KEY C
Justification
Apart from social media, the other major area of importance to CAs in the changing
global environment is the security of systems and data. With the explosion of the Internet &
connected devices and the expanded use of the Internet, the number of interfaces between
an organization & its customers / stakeholders has grown exponentially. As a
consequence, security risks have mushroomed & the CA would have to focus on this as
a key element driving not just the success of an organization but also the prevention of
failures in the organization. Thus, Option C is the correct answer. The
other answers in Options A, B and D are not correct.
451. Information System Audit encompasses independent review & evaluation of
___________
A. Automated information systems, related manual systems & their interfaces
B. All computerised information systems alone
C. All financial information stored in computers
D. All financial & regulatory information stored in computers
KEY A
Justification
IS Audit encompasses all automated information systems (containing both financial as
well as non-financial information), related manual systems and the interfaces between
them. Hence, Answer at Option A is correct & the other answers are incorrect.

Module 2
Information Systems Assurance Services

452. In COBIT 5, enablers are factors that influence whether something will work in the
governance & management of enterprise IT. How many such categories of
enablers does the COBIT 5 system identify?
A. 7 categories of enablers
B. 5 categories of enablers
C. 8 categories of enablers
D. 10 categories of enablers
KEY A
Justification
COBIT 5 is a framework for governance & management of enterprise IT. It helps
organizations manage risk & ensure compliance, continuity, security & privacy. One of
its 5 key principles is meeting stakeholders’ needs. This principle creates value by
balancing the benefits against the optimization of risk & the use of resources. The
framework identifies 7 categories of enablers that facilitate governance & management of
enterprise IT. Hence, the answer in Option A is correct and the other options are wrong.
453. Guidance on evaluating and assessing the internal controls implemented in an
enterprise is available in _________________
A. MEA 02 of COBIT 5
B. ITAF 1200 series
C. ISO/IEC 27001
D. ITAF 1400 series
KEY A
Justification
COBIT 5 is a framework for governance & management of enterprise IT. MEA 02 of
COBIT 5 is a process which provides guidance on evaluating and assessing the internal
controls implemented in an enterprise. Hence, the answer in Option A is correct and the
other options are wrong.
454. You have been engaged as a Consultant to carry out IS Audit of a large
organization. What is the first step you would take while commencing your work?
A. Commence auditing of the financials
B. List all the software and hardware used in the organization
C. Peruse financials for the previous three years
D. Identify all risks present in the IT environment of the organization
KEY D
Justification
The first step in audit engagement is risk assessment based upon which the auditing
programme can be developed, giving more importance to high risk areas. Thus, the
auditor needs to identify all the risks present in the IT environment of the organization.
Hence, the answer in Option D is correct and the other options are wrong.
455. What is the minimum frequency of risk assessment to be carried out as per ISACA
guidelines?
A. Once in 6 months
B. Once in 3 years
C. Once a year
D. Once in 2 years or whenever any major change in systems takes place
KEY C
Justification
The minimum frequency of risk assessment to be carried out as per ISACA guidance is
one year. Hence, the answer in Option C is correct and the other options are wrong.
456. State TRUE or FALSE. As per ISACA guidance, the IS auditor can complete the
risk assessment process and present the final findings to the stakeholders. The
auditor needs to maintain his independence and does not need to seek the
specific approval of the stakeholders for the findings.
A. FALSE
B. TRUE
KEY A
Justification
As per ISACA guidance, the IS auditor needs to seek approval of the risk assessment
from the audit stakeholders and other appropriate parties. Hence, the statement in the
question stem is false & the answer in Option A is correct.
457. State True or False. Standards on Risk assessment pertaining to IS Audit are
different from those prescribed by ICAI under SA315. IS Audit follows a different
set of standards laid down by ISACA.
A. TRUE
B. FALSE
KEY B
Justification
The standards on risk assessment pertaining to IS audit as prescribed by ICAI under
SA315 are also applicable to risk assessment under IS Audit. Hence, the statement in
the question stem is false & the answer in Option B is correct.
458. For effective risk assessment, auditors should ideally supplement the regular risk
assessment procedures with _______________
A. Observation, inspection & analytical procedures
B. Interviews with client’s competitors
C. Intensive analysis of historical data
D. Interviews with client’s suppliers
KEY A
Justification
While the risk assessment procedures outlined by ISACA, ICAI, etc. provide a ready-made
template that helps ensure that typically vulnerable areas are captured, observation,
inspection & analytical procedures help zero in on risk areas which are peculiar to the
particular business or specific period of time. The approaches in the other options may
also add value but may not be as significant as that achievable through the answer at
Option A. Hence, the answer in Option A is correct.
459. The ideal risk assessment technique _____________
A. Is a computerized scoring system based upon evaluation of risk factors
B. Is judgemental, based upon the auditor’s personal assessment
C. Depends upon the complexity level & detail appropriate for the organization
D. Is a combination of computerized scoring & judgemental system
KEY C
Justification
The ideal risk assessment technique depends upon the complexity level & detail
appropriate for the particular organization. It could be one or a combination of more
than one technique. Hence, the answer in Option C is correct.
460. An IS Auditor carries out a preliminary visit to his client’s site to get a feel of the
operations and identify risks, if any, missed out during his initial study of the
records of the organization. In the server room, he feels uncomfortable and
realizes that the humidity level as well as the ambient temperature are quite high.
On further probing, he discovers that the air conditioning equipment had failed &
the original supplier had ceased operations. The administration manager was
struggling to find an alternate agency to set the problem right. Also, no fall back
system was in place. The IS Auditor is wondering whether this would fall within
the purview of his IT General Controls Review. What is your view?
A. Yes, it would fall within the purview of IT General Control Review
B. No, it would not fall within the purview of IT General Control review
KEY A
Justification
A general control review would include infrastructure and environment controls too.
Hence, the answer in Option A is correct.
461. As part of his exploratory trips to his client’s office, an IS Auditor meets up with
the Server Manager. The manager is despondent and the auditor learns it is
because of his network cable supervisor’s resignation and impending relief. The
manager is unable to find a substitute immediately and dreads the thought of
managing any network cabling issues in the interim. The auditor discusses the
matter with the manager who feels that the incumbent supervisor is virtually
indispensable and he has no subordinate who could step into his shoes.
The auditor probes further and also visits some of the locations wherein cable
inspection slots were located. He discovers that the cabling junctions had been
done in a very haphazard fashion and were not even labelled. Nor was there any
manual or chart identifying the network of cables, their junctions/ports, etc. He
realizes that the incumbent supervisor had become indispensable on account of
this disorganized cabling system as also the absence of any manual. Ideally, the
cabling should have been carried out more scientifically, there should have been
a ready-reckoner or manual showing the details of the network and a second-in-line
should have been in place to stand in for the supervisor in the event of his
short term absence or resignation.
Would the auditor be well within his rights to include this aspect as a lacuna in
the general controls review?
A. No, he would not be right to include this as a lacuna in his general controls
review
B. Yes, he would be right in including this aspect as a lacuna in his general controls
review
KEY B
Justification
A general control review would include infrastructure and environment controls too.
Hence, the answer in Option B is correct.
462. Is segregation of duties useful as an Organizational control? Why?
A. Yes, it reduces employee cost
B. Yes, it reduces fraud risk & facilitates accuracy check of one person’s work by
another
C. No, it is not an advantage; it increases employee cost
D. No, it complicates the role of the manager who has to manage more employees
KEY B
Justification
Segregation of duties is an important control tool whereby conflicting roles, in particular,
are segregated and handled by different individuals. It reduces the risk of fraud since
one person cannot independently commit any fraud but would need to collude with the
second. Also, since the output of one individual may become the input of another, an
independent accuracy check of one person’s work by another person becomes a built-in
reality. This may increase headcount and, hence, manpower cost but, employed
judiciously, the higher manpower cost can be more than compensated by the reduced
risks to the organization. Hence, the answer in Option B is correct.
463. A newly appointed Senior executive in an organization, who happened to be a
close relative of the promoter, is miffed when the IT Manager refuses him access
to the Server room citing policy guidelines. The executive shares with you,
the Auditor of the organization, what he perceives to be insulting behaviour by
the IT Manager. You question him about the purpose of the visit and learn that the
executive just wanted to have a tour of the facility, as part of his induction. Do
you agree or disagree with the executive? Why?
A. Yes, I would agree. As a close relative of the promoter, he would surely have the
organization’s best interests at heart.
B. No, I would not agree. As a new employee, he should not be given access to the
server room
C. Yes, I would agree. The server, in any case, would be password protected & no
harm can be done
D. No, I would not agree. Physical access control to the server is an important
control mechanism
KEY D
Justification
Physical access control to the server room is an important part of IT General controls in
any organization. The server is a sensitive piece of equipment with certain commands &
settings being exclusive to it. Unauthorized access to it could compromise the security of
the IT system & the organization, obviously, has a clearly defined access policy which has
to be respected. Relationship to the promoter cannot be an excuse for breaking the policy;
if, indeed, he had a genuine need to visit the server room, he could have got the
necessary clearances. Denial of access cannot be owing to the newness of the
employee. Lastly, any robust system operates with different levels of redundancy & the
mere existence of password protected access to the server does not justify doing away
with a second level of defence in the form of physical access control. Hence, the
answer in Option D is correct.
464. As a measure of IT General control, an organization decides to separate those
who can input data from those that can reconcile or approve data. Is this a good
move? Why?
A. No, it is not a good move; the person who inputs the data is the best person to
approve the data too
B. Yes, it is a good move; it can help prevent unauthorised data entry
C. Yes, it is a good move; inputting data & reconciling data requires different skills
D. No, it is not a good move; data entry errors would be compounded
KEY B
Justification
Segregation of duties is an important control tool whereby conflicting roles, in particular,
are segregated and handled by different individuals. It reduces the risk of fraud since
one person cannot independently commit any fraud but would need to collude with the
second. Also, since the output of one individual may become the input of another, an
independent accuracy check of one person’s work by another person becomes a built-in
reality. Hence, the answer in Option B is correct.
465. As a measure of IT General control, an organization decides to separate those
who can test programs (e.g. Users) from those who can develop programs (e.g.
Application programmers). Is this a good move? Why?
A. No, it is not a good move; the person who develops the program is the best
person to test it too
B. Yes, it is a good move; program testing and program development require
different skills
C. Yes, it is a good move; it can help prevent unauthorised programs from being run
D. No, it is not a good move; significant time would be lost in the process
KEY C
Justification
Segregation of duties is an important control tool whereby conflicting roles, in particular,
are segregated and handled by different individuals. It reduces the risk of fraud since
one person cannot independently commit any fraud but would need to collude with the
second. Also, since the output of one individual may become the input of another, an
independent accuracy check of one person’s work by another person becomes a built-in
reality. In this case, a conflict in roles clearly exists. Time savings could, perhaps, be
gained by using the same person but this would mean paying the expensive price of
potentially unauthorised programs being run. Hence, the answer in Option C is correct.
466. As a measure of IT General control, an organization decides to separate those
who can run live programs (e.g. Operations department) from those who can
change programs (e.g. programmers). Is this a good move? Why?
A. Yes, it is a good move; it can help prevent unauthorised programs from being run
B. No, it is not a good move; the user dept. knows best & should be allowed to
change programs
C. Yes, it is a good move; since the programmers would have no work to do
otherwise
D. No, it is not a good move; significant time would be lost in the process & potential
savings lost
KEY A
Justification
Segregation of duties is an important control tool whereby conflicting roles, in particular,
are segregated and handled by different individuals. It reduces the risk of fraud since
one person cannot independently commit any fraud but would need to collude with the
second. Also, since the output of one individual may become the input of another, an
independent accuracy check of one person’s work by another person becomes a built-in
reality. In this case, a conflict in roles clearly exists. Also, while the user dept. may
have the need for a change, it is up to the programmer to devise an appropriate method
of programming logic to satisfy the user’s requirement. Time savings could, perhaps, be
gained by using the same person but this would mean paying the expensive price of
potentially unauthorised & defective programs being run. Hence, the answer in Option A
is correct.
467. Thanks to its growing popularity, a family-run fast food restaurant is transforming
itself into a chain of branded restaurants & has created a formal organization
structure to manage the growing organization. Having identified young and
upcoming IT industry employees as their core base of customers, the family
decides to build a strong backbone of IT to facilitate online ordering of food,
creation of customer database, etc. Since the immediate primary purpose is to
enable online payments for the purchases by customers, the trustworthy family
retainer & Junior Accountant is given the responsibility of installing and
maintaining the IT system.
As an IS Auditor, do you think the family was right in giving the Junior
Accountant the responsibility? Why?
A. No. A senior management representative should take responsibility in the interest
of IT General Control
B. Yes, since the accountant is the main beneficiary of the IT system
C. No. The Senior Accountant in the chain should have been given the responsibility
D. Yes, this role requires a trustworthy person & the family retainer is the best fit
KEY A
Justification
Responsibility for IT systems should lie with the top management with appropriate
delegation to lower levels. This would not only ensure that the highly vulnerable IT
systems are properly controlled at the highest levels in the company but also ensure
that appropriate IT policies are framed, keeping in mind organizational objectives and
goals. The perspective of an accountant, whether junior or senior, would be rather
limited to his area of operations and responsibility; it may lack the breadth of vision
which would be essential at the top management level as also the interfaces between
various functions in the business. In any professional organization, no positive bias can
be allowed for the dominance of so-called ‘family retainers’ however trustworthy they
may be. The operations have to be system driven & not personality driven. Hence, the
answer in Option A is correct.
468. An important element of Management Control for the Information System in an
organization is the Information Technology Steering Committee. The Committee
_________
A. Will be exclusively representatives from the IT division
B. Will cover core IT alone, excluding telecommunication, automation systems, etc.
C. Will handle operational issues only; overall goals & strategies would be outside
its purview
D. Will include members from all areas of business, apart from IT personnel
KEY D
Justification
The IT Committee in an organization would drive IT in line with organizational goals,
vision & mission. It will be manned by senior officials from all areas of the
business, apart from IT professionals. Its scope will include all types of IT related
operations including telecommunication, automation systems, manufacturing
processing systems, etc. Hence, the answer in Option D is correct.
469. A leading exporter of cut & polished diamonds has a specially designed vault for
storing its raw as well as processed diamonds. At any point of time, the material
stored in the vault is worth several crores of rupees.
The exporter has laid down a clear procedure for operation of the vault. It can be
opened or closed using two different keys which are held by the Operations Head
and the Finance Head respectively. These officials cannot pass on their individual
key to the other official or any other official. They have to be necessarily present
and operate their key themselves. At every opening of the vault as well as every
closing of the vault, a vault register is signed by both these officials
after filling in relevant information. The vault is also sealed with the individual unique
seals of these officials & checked every time before the vault is opened afresh.
Thus, the vault can be opened only when both these officials are present & a
record is also maintained of every transaction. These officials carry their
individual keys home but never travel together while coming to the office or while
leaving it.
What type of control is being exercised by this Diamond exporter through this
process?
A. Dual Finance Control
B. Physical Access Control
C. Operating System Control
D. Management Control
KEY A
Justification
This is a dual control system which falls under Finance control mechanism since it
entails two people simultaneously accessing an asset. Hence, the answer in Option A is
correct.
470. What is the first step for an Auditor in an Application software review?
A. Ascertain the creator of the application software
B. Ascertain the validity of the user licence for the software
C. Ascertain the business function or activity that the software performs
D. Identify the users who have been granted access to the software
KEY C
Justification
The first step for an Auditor is to ascertain the business function or activity that the
software performs. The auditor needs to understand the intricacies of the business and
the way in which the software facilitates the business. Hence, the answer in Option C is
correct.
471. As an IS Auditor reviewing Application software in your new client’s organization,
you have started by thoroughly understanding the nature of the business and the
manner in which the Application software meets the business requirements. What
is the next step which you would take in the process of the Application software
review?
A. Identify the users who have been granted access to the software
B. Ascertain the creator of the application software
C. Ascertain the validity of the user licence for the software
D. Check how the software handles the risks associated with the particular area of
business dealt with by it
KEY D
Justification
The next important step for an Auditor is to identify the potential risks associated with
the business activity/function served by the software & see how the risks are handled by
the software. Hence, the answer in Option D is correct.
472. State True or False. IT Application controls are controls which are in-built in the
software application itself.

190
Information Systems Assurance Services

A. FALSE
B. TRUE
KEY B
Justification
IT application controls are, indeed, controls which are in-built in the software application
itself. Hence, the answer in Option B is correct.
473. Which of the following is one of the key areas that should be covered during an
IS Audit of Application software?
A. List of authorised users of the software
B. Adherence to business rules in the flow & processing accuracy
C. Validity of software licence
D. Cost of the software & availability of cheaper alternatives
KEY B
Justification
One of the key areas to be covered is the software’s adherence to business rules in
the flow and processing accuracy. The other answers in Options A, C and D are not of
immediate relevance or urgency. The answer in Option B is correct.
474. Which of the following is one of the key areas that should be covered during an
IS Audit of Application software?
A. Cost of the software & availability of cheaper alternatives
B. List of authorised users of the software
C. Validations of various data inputs
D. Validity of software licence
KEY C
Justification
One of the key areas to be covered is the validation of various data inputs. The other
answers in Options A, B and D are not of immediate relevance or urgency. The answer
in Option C is correct.
475. Which of the following is one of the key areas that should be covered during an
IS Audit of Application software?
A. Logical access control and authorization
B. Validity of software licence
C. Cost of the software & availability of cheaper alternatives
D. List of authorised users of the software
KEY A
Justification
One of the key areas to be covered is logical access control and authorization. The
other answers in Options B to D are not of immediate relevance or urgency. The answer
in Option A is correct.
476. Which of the following is one of the key areas that should be covered during an
IS Audit of Application software?
A. Validity of software licence
B. Cost of the software & availability of cheaper alternatives
C. Exception handling and logging
D. List of authorised users of the software
KEY C
Justification
One of the key areas to be covered is exception handling and logging. The other
answers in Options A, B and D are not of immediate relevance or urgency. The answer
in Option C is correct.
477. Audit Sampling _____________
A. Involves application of audit procedures to less than 100 % of the population
B. Can be carried out only through rigorous statistical sampling
C. Can be applied only for compliance and not for substantive testing
D. Involves use of Auditing standard SA 350 in the auditing process
KEY A
Justification
When it is not practically feasible to check every one of the elements in a population &
the population is reasonably random, sampling is resorted to as an indication of the
nature of the population as a whole. It can be carried out both through statistical
sampling as well as non-statistical sampling. It can be applied both for compliance as
well as substantive testing. Auditing standard SA 530 is the relevant one applicable to
use of sampling in the auditing process. Hence, the answer in Option A is the correct
one.
478. Audit Sampling _______________
A. Involves use of Auditing standard SA 350 in the auditing process
B. Can be carried out only through rigorous statistical random sampling
C. For IS Audit can be done using ISACA’s guidelines
D. Can be applied only for compliance and not for substantive testing
KEY C
Justification
When it is not practically feasible to check every one of the elements in a population &
the population is reasonably random, sampling is resorted to as an indication of the
nature of the population as a whole. It can be carried out both through statistical
sampling as well as non-statistical sampling. The statistical sampling could be either
random or systematic. It can be applied both for compliance as well as substantive
testing. Auditing standard SA 530 is the relevant one applicable to use of sampling in
the auditing process. ISACA guidelines in this regard can also be followed. Hence, the
answer in Option C is the correct one.
479. In IS Audit, sample design would be driven by ________________
A. Resource availability & auditor’s convenience
B. Type of sampling whether statistical or haphazard/judgemental
C. The advice of the auditee, based upon his past experience
D. Objectives of test & attributes of the population
KEY D
Justification
Sample design would be driven by test objectives and attributes of the population. The
sample size & complexity cannot be compromised owing to resource constraint on the
part of the auditor; the outcome could be sub-standard. The sampling type chosen
would not have that significant impact on the sample size. The auditee’s advice will not
be the basis for sample design for obvious reasons. Hence, the answer in Option D is
the only correct answer.
480. What are CAATs?
A. Computer Assisted Audit Tools
B. Council for Association of Auditors & Trainers
C. Chartered Accountants’ Audit Tools
D. Corporate Audit & Accounting Tools
KEY A
Justification
CAATs are basically computer assisted audit tools which help auditors sift through large
volumes of information to identify control issues, defaults, etc. They can greatly
enhance the efficiency and effectiveness of IS auditors. The answer in Option A is the
correct one.
481. What are some of the key reasons for establishing controls and auditing in a
computerized environment?
A. Computers are more prone to make errors in handling subjective big data
B. There is more scope for fraud & error in a computerized environment
C. Data may be entered into the system without supporting documents
D. There is no choice since most operations are computerized
KEY C
Justification
A key vulnerability of computerized systems is the fact that, at times, data may be
entered into the system without supporting documents. This is a fundamental principle
of accounting which we cannot afford to ignore. Hence, the answer in Option C is the
correct one. The others are incorrect: computers are not more prone than humans to
making errors, and one cannot say that there is increased scope for fraud and error in a
computerized environment.
482. What are some of the key reasons for establishing controls and auditing in a
computerized environment?
A. Transaction trail may be partly in machine language & retained only for a limited
period
B. There is more scope for fraud & error in a computerized environment
C. Computers are more prone to make errors in handling subjective big data
D. There is no choice since most operations are computerized
KEY A
Justification
A key vulnerability of computerized systems is the fact that, at times, data may be
entered into the system without supporting documents. This is a fundamental principle
of accounting which we cannot afford to ignore. Another aspect is the fact that
transaction trails may not be visible; they may be partly in machine language and retained
only for a limited period. Hence, the answer in Option A is the correct one. The others
are incorrect: computers are not more prone than humans to making errors, and one cannot
say that there is increased scope for fraud and error in a computerized environment.
483. What is one of the key tests which can be ideally carried out using Computer
Assisted Audit Tools (CAATs)?
A. Projections on future trends for specific parameters
B. Carrying out employees’ reference checks
C. Identification of exceptional transactions based upon set criteria
D. Carry out employee appraisals
KEY C
Justification
One of the many key tests that can be carried out by CAATs is identification of
exceptional transactions based upon set criteria. The IS auditor can set the criteria
based upon the sort of transactions which are not expected to occur, given the controls
that are supposed to have been incorporated in the organization’s systems. CAATs are more in
the nature of audit tools and would not be ideal for the other purposes listed in Options A,
B and D above. Hence, answer at Option C alone is correct.
484. What is one of the key tests which can be ideally carried out using
Computer Assisted Audit Tools (CAATs)?
A. Carry out employee appraisals
B. Identify potential areas of fraud
C. Projections on future trends for specific parameters
D. Carrying out employees’ reference checks
KEY B
Justification
One of the many key tests that can be carried out by CAATs is identification of potential
areas of fraud. The IS auditor can set the criteria based upon the sort of transactions
which are not expected to occur, given the controls that are supposed to have been incorporated
in the organization’s systems. CAATs are more in the nature of audit tools and would not
be ideal for the other purposes listed in the other options above. Hence, answer at Option B
alone is correct.
485. What is one of the key tests which can be ideally carried out using Computer
Assisted Audit Tools (CAATs)?
A. Carry out employee appraisals
B. Projections on future trends for specific parameters
C. Identify data which is inconsistent or erroneous
D. Carrying out employees’ reference checks
KEY C
Justification
One of the many key tests that can be carried out by CAATs is identification of data
which is inconsistent or erroneous. The IS auditor can set the criteria based upon the
sort of data which are not expected to occur, given the controls that are supposed to have been
incorporated in the organization’s systems. CAATs are more in the nature of audit tools
and would not be ideal for the other purposes listed in Options A, B and D above. Hence,
answer at Option C alone is correct.
486. What is one of the key tests which can be ideally carried out using Computer
Assisted Audit Tools (CAATs)?
A. Carry out employee appraisals
B. Projections on future trends for specific parameters
C. Carrying out employees’ reference checks
D. Perform various types of statistical analysis
KEY D
Justification
One of the many key tests that can be carried out by CAATs is the carrying out of
various types of statistical analysis which could throw up areas of inconsistencies,
defaults, etc. CAATs are more in the nature of audit tools and would not be ideal for the
other purposes listed in Options A to C above. Hence, answer at Option D alone is
correct.
487. What is one of the key tests which can be ideally carried out using Computer
Assisted Audit Tools (CAATs)?
A. Establishing whether the set controls are working as prescribed
B. Carry out employee appraisals
C. Projections on future trends for specific parameters
D. Estimation of competitor activity
KEY A
Justification
One of the many key tests that can be carried out by CAATs is establishing whether
the set controls are working as intended. CAATs are more in the nature of audit tools &
would not be ideal for the other purposes listed in Options B to D above. Hence, answer
at Option A alone is correct.
488. What is one of the key tests which can be ideally carried out using Computer
Assisted Audit Tools (CAATs)?
A. Carry out market surveys for a new product launch
B. Projections on future trends for specific parameters
C. Establishing relationship between two or more areas & identify duplicate
transactions
D. Estimation of competitor activity
KEY C
Justification
One of the many key tests that can be carried out by CAATs is establishing the
relationship between two or more areas and identifying duplicate transactions. CAATs are
more in the nature of audit tools and would not be ideal for the other purposes listed in
Options A, B and D above. Hence, answer at Option C alone is correct.
489. What is Compliance testing?
A. Testing any activity in compliance with Government rules and regulations
B. Checking whether the organization has remitted employee provident fund into the
relevant account
C. Checking whether the office employees are checking into and leaving the office
as per approved working hours
D. Checking whether controls are operated in compliance with management
policies/procedures
KEY D
Justification
Compliance testing deals with checking the controls which have been established in the
organization rather than checking compliance of any specific activity per se. Hence,
answer at Option D alone is correct. The answers in other options deal with the actual
activity rather than the controls and, hence, are not correct.
490. What are Substantive tests?
A. Tests which validate the internal controls exercised over financial transactions
B. Tests which are done only by choice, if required, rather than by default
C. Tests to evaluate the integrity of individual transactions, data, etc.
D. Tests which are not used for checking for monetary errors affecting financial
parameters
KEY C
Justification
Compliance testing deals with checking the controls which have been established in the
organization. In contrast, Substantive testing tests to evaluate the completeness,
accuracy, etc. or the integrity, in general, of individual transactions, data, information,
etc. They are carried out in most audits & are often called default procedures. They are
often used for checking for monetary errors affecting financial statement balances.
Hence, answer at Option C alone is correct. The answers in other options are obviously
not correct.
491. How can design effectiveness for compliance for a process be evaluated?
A. By a walkthrough of the business process and the risk controls
B. By carrying out substantive testing
C. By carrying out compliance testing
D. By checking the financials for errors & inconsistencies
KEY A
Justification
Design effectiveness for compliance for a process can be evaluated by a walkthrough of
the business process. This will help in identifying the existence of controls, the design of
the risk controls as well as the accuracy of process documentation. Compliance testing
deals with checking the controls which have been established in the organization. In
contrast, Substantive testing tests to evaluate the completeness, accuracy, etc. or the
integrity, in general, of individual transactions, data, information, etc. In isolation,
neither of them will comprehensively address design effectiveness. Merely checking the
financials will also not achieve the desired objective. Hence, answer at Option A alone
is correct.
492. In IS Audit, Operational Effectiveness ______________
A. Refers to effectiveness of the organization’s operations
B. Refers to effectiveness of the IS Audit
C. Refers to actual performance of the Control in IT environment
D. Refers to achievements in line with overall organizational strategy
KEY C
Justification
In IS Audit, Operational Effectiveness refers to the actual performance of the Control in
IT environment. This is in contrast with the intended design or goal. Answer at Option C
alone is correct.
493. In IS audit, for manual controls, documented evidence substantiating control
performance as per design is ______________
A. Through physical records created when the controls have been operated
B. Through appropriate reports and screen shots from the system
C. Through records of interviews with operational staff
D. Through software trail of the various components of the control process
KEY A
Justification
For manual controls, documented evidence substantiating control performance as per
design is through physical records created when the controls have been operated. This
can be supplemented by sample checks to ensure that purported reviews
conducted by an individual have actually taken place. Answer at Option A alone is
correct.
494. Audit evidence in IS Audit ____________
A. Excludes IS Auditor observations, notes from interviews etc.
B. Is not subject to the usual audit rules of sufficiency & competency
C. Is information substantiating alignment with objectives & supporting audit
conclusions
D. That which would stand scrutiny in a court of law
KEY C
Justification
Audit evidence in IS Audit is any information that substantiates alignment of that
particular aspect with the intended objectives and that also support audit conclusions.
Thus, the answer at Option C alone is correct.
495. In IS Audit, when is evidence said to be competent?
A. When it is given by an individual who is competent
B. When it is both valid and relevant
C. When the evidence is backed by senior management of the organization
D. When the evidence has been historically demonstrated
KEY B
Justification
In IS Audit, evidence is said to be competent when it is both valid and relevant. Thus,
the answer at Option B alone is correct.
496. In IS Audit, how is sufficiency of evidence assessed?
A. Through Audit judgement
B. When the evidence is valid at the two standard deviation level
C. When the evidence is valid at the three standard deviation level
D. When more than 90 % of the relevant transactions can be explained
KEY A
Justification
In IS Audit, sufficiency of evidence is assessed through Audit judgement. Thus, the
answer at Option A alone is correct.
497. Which is the ICAI standard on auditing which deals with the Auditor’s
responsibility to prepare audit documentation for financial statements?
A. SA 500
B. SA 580
C. SA 230
D. SA 1205
KEY C
Justification
The ICAI standard on auditing which deals with the Auditor’s responsibility to prepare
audit documentation for financial statements is SA 230. Hence, the answer at Option C
alone is correct.
498. Which is the ICAI standard on auditing which deals with what constitutes audit
evidence in an audit of financial statements as also with the Auditor’s
responsibility to design and perform audit procedures?
A. SA 230
B. SA 500
C. SA 1205
D. SA 580
KEY B
Justification
SA 500 is the ICAI standard on auditing which deals with what constitutes audit
evidence in an audit of financial statements as also with the Auditor’s responsibility to
design and perform audit procedures. Hence, the answer at Option B alone is correct.
499. Which is the ICAI standard on auditing which deals with the Auditor’s
responsibility to obtain written representations from the management as also
those charged with governance?
A. SA 580
B. SA 230
C. SA 1205
D. SA 500
KEY A
Justification
SA 580 is the ICAI standard on auditing which deals with the Auditor’s responsibility to
obtain written representations from the management as also those charged with
governance. Hence, the answer at Option A alone is correct.
500. Which is the ISACA standard on evidence which IS auditors are required to
comply with?
A. 230
B. 1206
C. 500
D. 1205
KEY D
Justification
The ISACA standard on evidence which IS auditors are required to comply with is 1205.
Hence, the answer at Option D alone is correct.
501. What are Test working papers in IS Audit Documentation?
A. Draft of the final IS audit report prepared for the Board of Directors
B. Those prepared or obtained as a result of compliance/testing procedures
C. Draft of the preliminary IS audit report submitted to senior management for
comments
D. IS audit team’s answers to test questions on the auditee’s business &
environment
KEY B
Justification
Test working papers in IS Audit documentation are those prepared or obtained as a
result of compliance/testing procedures. Hence, the answer at Option B alone is correct.
502. Which is the ISACA standard relating to use of services of external experts?
A. 1206
B. 230
C. 1205
D. 500
KEY A
Justification
The ISACA standard relating to use of services of external experts is 1206. Hence, the
answer at Option A alone is correct.
503. Which is the tool used in IS audit for assessing the proper level of controls?
A. ISACA method 230
B. Random sampling of transactions
C. A control matrix, comparing known types of errors with known type of controls
D. ICAI guidelines on the appropriate level of controls
KEY C
Justification
The tool used in IS audit for assessing the proper level of controls is the control matrix.
This basically involves comparison of known types of errors with known types of
controls. Hence, the answer at Option C alone is correct.
504. Prior to reporting a control weakness, an IS auditor ______________
A. Should carry out random sampling of transactions
B. Should check whether there are 2 or more weak controls
C. Should check for a minimum of 3 strong controls
D. Should look for compensating controls
KEY D
Justification
Prior to reporting a control weakness, an IS auditor should look for compensating
controls. Hence, the answer at Option D alone is correct.
505. State True or False. Materiality of an IS auditor’s findings will not be different for
different levels of management. The auditor will have to report his findings
impartially & consistently whether it be to the lower echelons of management or
senior management.
A. FALSE
B. TRUE
KEY A
Justification
Materiality of an IS auditor’s findings to different levels of management would depend
upon its significance to each level. Thus, what may be material to a lower level of the
management may not be so for the higher level and vice versa. Hence, the cited
statement is false & the answer at Option A alone is correct.
506. What is Forensic Audit?
A. Audit specializing in discovering, disclosing and following up on frauds and
crimes
B. Audit relating to the Chemical and Pesticide industry
C. Audit relating to environmental matters, including pollution
D. Audit relating to hospitals and healthcare facilities
KEY A
Justification
Forensic audit specializes in discovering, disclosing and following up on frauds and
crimes. It is assuming increasing significance owing to the enhanced risks involved with
increased use of IT and globalization. Answer at Option A alone is correct.
507. What are Control Self-Assessments?
A. These are self- assessments of the auditing process adopted by auditors
B. These are self- assessments by business process owners independent of
auditors
C. These are conducted by business process owners but facilitated by auditors
D. These are compliance audits carried out by auditors
KEY C
Justification
Control Self-Assessments are those that are conducted by business process owners on
their own but facilitated by auditors. Answer at Option C alone is correct.
508. Protective / Preventative controls and Detective controls are two of the three
fundamental types of controls. Which is the third type of control?
A. Forensic Controls
B. Security Controls
C. Reactive / Corrective Controls
D. Legislative Controls
KEY C
Justification
The third type of Controls is Reactive/Corrective Control. Answer at Option C alone is
correct.
509. Reactive / Corrective Controls and Detective controls are two of the three
fundamental types of controls. Which is the third type of control?
A. Protective / Preventative controls
B. Security Controls
C. Forensic Controls
D. Legislative Controls
KEY A
Justification
The third type of Controls is Protective / Preventative Control. Answer at Option A alone
is correct.
510. Reactive / Corrective Controls and Protective / Preventative controls are two of
the three fundamental types of controls. Which is the third type of control?
A. Legislative Controls
B. Detective controls
C. Security Controls
D. Forensic Controls
KEY B
Justification
The third type of Controls is Detective Control. Answer at Option B alone is correct.
511. What is Cyber fraud?
A. A fraud that involves use of computers and computer networks
B. A fraud committed exclusively through the internet
C. A fraud exceeding U.S. $ 1 million in value
D. A fraud involving software alone
KEY A
Justification
Cyber fraud is a fraud that involves use of computers and computer networks. Answer
at Option A alone is correct.
512. Which standard of auditing defines fraud and the management’s responsibility?
A. SIA 2
B. SIA 17
C. SIA 11
D. SIA 21
KEY C
Justification
SIA 11 defines fraud & lays the responsibility on the management for prevention &
detection of frauds. Answer at Option C alone is correct.
513. A holistic approach to deterrence and prevention of fraud would be?
A. Focussing on integrity of new recruits
B. Establishing severe punishment for fraud
C. Compensating employees adequately to minimize temptation
D. Strengthening of Governance and management framework
KEY D
Justification
A holistic approach to deterrence and prevention of fraud would require strengthening of
governance and management framework. The answers in options A to C address the
issue in bits and pieces and, hence, are not the right answers. Answer at Option D
alone is correct.
514. State True or False. Computer Forensics deals only with digital evidence
acceptable to a court of law; non-digital evidence would not fall under this
category.
A. TRUE
B. FALSE
KEY A
Justification
Computer Forensics is the process of identifying, preserving, analysing and presenting
digital evidence in a manner that is legally admissible in legal proceedings. Hence,
answer at Option A is correct.
515. Evidence loses its value in legal proceedings in the absence of _______________
A. Recency of information
B. Validation by the I.T. dept. of the police
C. Professional maintenance of the chain of custody
D. Authenticated hard copies
KEY C
Justification
Evidence loses its value in legal proceedings in the absence of professional
maintenance of the chain of custody. Hence, answer at Option C is correct.
516. Demonstrating integrity and reliability of evidence is key for it to be acceptable to
law enforcement. This can be done through identification of evidence,
preservation of evidence including documentation of chain of custody, analysis and
interpretation of data and _______________.
A. Recency of information
B. Validation by the I.T. dept. of the police
C. Use of authenticated hard copies
D. Presentation to relevant parties for acceptance of evidence
KEY D
Justification
After identification, preservation, and analysis and interpretation of data, the final step
is presentation of the evidence to the relevant parties for its acceptance. Hence, answer
at Option D is correct.
517. Which is one of the most effective tools and techniques to combat fraud?
A. Computer Assisted Audit Techniques (CAAT)
B. Threats of severe punishment
C. Validation by the I.T. dept. of the police
D. Use of authenticated hard copies
KEY A
Justification
CAAT is one of the time-tested tools required for carrying out the above exercise.
Hence, answer at Option A is correct.
Module 3
Governance and Management of Enterprise
Information Technology, Risk Management &
Compliance

518. Distinguish between Enterprise Governance and Corporate Governance.
A. Corporate governance is applying the principles of enterprise governance to the
corporate structure of enterprises
B. Corporate governance relates to principles applying to the top management of a
company whereas enterprise governance relates to all the employees of the
company or enterprise
C. Corporate governance relates to compliance related to regulatory mechanisms
whereas enterprise governance relates to protection of shareholders’ interests
D. Corporate governance pertains to conformance whereas enterprise governance
relates to performance
KEY A
Justification
As indicated in Option A, corporate governance is applying the principles of enterprise
governance to the corporate structure of enterprises. The answers in the other Options
are not factually correct.
519. Which of the following provides for mandatory Internal Audit and reporting on
Internal financial controls for companies in India?
A. Companies Act, 2013
B. IT Act, 2008
C. Sarbanes Oxley Act, 2002
D. Shops and Establishments Act
KEY A
Justification
As indicated in Option A, the Companies Act, 2013, under section 138, provides for
mandatory Internal Audit and reporting on internal financial controls. Hence, the
answers in the other Options are not factually correct.
520. Which of the following provides for compliance requirements & maintenance of
privacy of information for companies in India?
A. IT Act, amended 2008
B. Companies Act, 2013
C. Sarbanes Oxley Act, 2002
D. Shops and Establishments Act
KEY A
Justification
As indicated in Option A, the IT Act amended during 2013 provides for maintaining
privacy of information & compliance requirements on management, including penalties
for non-compliance. Hence, the answers in the other Options are not factually correct.
521. Which of the following prescribes mandatory audit covering corporate
governance as per clause 49?
A. IT Act, amended 2008
B. Companies Act, 2013
C. SEBI, for listed companies
D. Sarbanes Oxley Act, 2002
KEY C
Justification
As indicated in Option C, SEBI has provided for mandatory audit as per clause 49 of the
equity listing agreement. The audit primarily covers governance. Hence, the answers in
the other Options are not factually correct.
522. As per Clause 49 V (C) and (D) of the SEBI Equity listing agreement, which of the
following are held responsible for establishment and maintenance of internal
controls for financial reporting?
A. Managing Director of listed companies
B. The Board of Directors of listed companies
C. Audit Committee of the Board of Directors of listed companies
D. CEO/CFO of listed companies
KEY D
Justification
As per Clause 49 V (C) and (D) of the SEBI Equity listing agreement, the CEO/CFO are
held responsible for establishment and maintenance of internal controls for financial
reporting. Hence, the answer in Option D is correct and those in the other Options are
not factually correct.
523. Good governance alone cannot make an organization successful. Governance
should ideally be implemented with the right balance in two dimensions of
conformance and a second element. What is the second element ?
A. Risk protection
B. Internal Audit
C. Performance
D. Trust
KEY C
Justification
Good governance alone cannot make an organization successful. Governance should
ideally be implemented with the right balance in two dimensions of conformance and a
second element, performance. Hence, the answer in Option C is correct and those in
the other Options are not factually correct.
524. Which is one of the major oversight mechanisms available to the Board of
Directors to ensure that corporate governance processes are effective ?
A. Incentive schemes for Directors
B. The company’s annual report
C. Committees like audit committee comprising independent non-executive Directors
D. Quarterly Board meetings
KEY C
Justification
One of the major oversight mechanisms available to the Board of Directors to ensure
that corporate governance is effective is mandatory committees like the Audit
committee.
525. State TRUE or FALSE. ‘Unlike the conformance dimension of Corporate
Governance, which is backed by an audit committee manned by independent
directors, the performance dimension has no dedicated oversight mechanism.’
A. TRUE
B. FALSE
KEY A
Justification
It is true that the performance dimension of Corporate governance has no dedicated
oversight mechanism, unlike the conformance dimension. Hence, answer at Option A is
correct.
526. There are oversight mechanisms for the Performance and Conformance
dimensions of business governance. One other key aspect of business
conformance that is often left out is _____________
A. Profitability
B. Information Technology
C. Strategy
D. Capital investments
KEY C
Justification
The neglected aspect of oversight is generally that of strategy. Hence, answer at Option
C is correct.
527. What is the key benefit of Governance of Enterprise IT (GEIT) ?
A. It ensures the efficiency of the IT system
B. It facilitates the Balance Score card system
C. It facilitates capital investment decision making
D. It provides a consistent approach integrated & aligned with enterprise
governance
KEY D
Justification
The key benefit of GEIT is that it provides a consistent approach, integrated & aligned
with enterprise governance. Hence, answer at Option D is correct.
528. State True or False. With reference to Governance of Enterprise IT, the Reserve
Bank of India issues guidelines covering various aspects of secure technology
deployment. These guidelines are prepared based on various global practices
such as COBIT & ISO 27001.
A. TRUE
B. FALSE
KEY A
Justification
Yes, the RBI does issue guidelines covering various aspects of secure technology
deployment which are based upon various global practices such as COBIT & ISO
27001. Hence, answer at Option A is correct.
529. Benefit realization & Risk optimization are two of the three areas of focus of
Governance of Enterprise IT as specified under COBIT 5. What is the third area of
focus ?
A. The third area of focus is Personnel Policies
B. The third area of focus is Information Technology
C. The third area of focus is Resource optimization
D. COBIT 5 specifies only two areas of focus
KEY C
Justification
The third area of focus prescribed by COBIT 5 is Resource optimization. Hence, answer
at Option C is correct.
530. Resource optimization & Risk optimization are two of the three areas of focus of
Governance of Enterprise IT as specified under COBIT 5. What is the third area of
focus ?
A. The third area of focus is Information Technology
B. The third area of focus is Personnel Policies
C. The third area of focus is Benefit realization
D. COBIT 5 specifies only two areas of focus
KEY C
Justification
The third area of focus prescribed by COBIT 5 is Benefit realization. Hence, answer at
Option C is correct.
531. Which of the following could be a recommended framework for internal controls &
risk management ?
A. COSO 2013 (Council of Sponsoring Organizations of the Treadway Commission)
B. ISO 17001
C. ITAF 1200 series
D. COBIT 5
KEY A
Justification
COSO 2013 framework would be ideal for internal controls and risk management.
Hence, answer at Option A is correct.
532. GEIT involves both Conformance as well as Performance perspectives. What
would be the key areas of focus of GEIT from the Conformance perspective ?
A. Strategic decision making and value creation
B. Best practices, tools and techniques
C. Board Structure, Roles and Remuneration
D. Balanced Score Card
KEY C
Justification
The Board Structure, Roles and Remuneration would be the key focus areas of GEIT
from the Conformance perspective. Hence, answer at Option C is correct. The other
options are incorrect.
533. GEIT involves both Conformance as well as Performance perspectives. What
would be the key areas of focus of GEIT from the Performance perspective ?
A. Board Structure, Roles and Remuneration
B. Standards and Codes
C. Strategic decision making and value creation
D. Audit Committee
KEY C
Justification
From the Business performance angle, quite obviously, strategic decision making and
value creation would be the key focus areas for GEIT. The other options A, B and D
are incorrect. Hence, answer at Option C is correct.
534. Operations and reporting are two of the three categories of objectives of the
COSO 2013 framework. What is the third category of objectives ?
A. Information Technology
B. Security
C. Compliance
D. Risk Management
KEY C
Justification
Compliance is the third category of objectives of the COSO 2013 framework as
indicated in Option C. The answers in the other options are incorrect.
535. Reporting and Compliance are two of the three categories of objectives of the
COSO 2013 framework. What is the third category of objectives ?
A. Information Technology
B. Security
C. Operations
D. Risk Management
KEY C
Justification
Compliance is the third category of objective of the COSO 2013 framework as indicated
in Option C. The answers in the other options are incorrect.
536. Control environment, risk assessment, control activities and information &
communication are four of the five integrated components of internal control in
COSO. What is the fifth component ?
A. Risk Management
B. Information Technology
C. Security
D. Monitoring activities
KEY D
Justification
Monitoring activities is the fifth component of internal controls in COSO as indicated in
Option D. The answers in the other options are incorrect.
537. Control environment, control activities, information & communication and
monitoring activities are four of the five integrated components of internal control
in COSO. What is the fifth component ?
A. Risk Management
B. Information Technology
C. Risk assessment
D. Security
KEY C
Justification
Risk assessment is the fifth component of internal controls in COSO as indicated in
Option C. The answers in the other options are incorrect.
538. Risk assessment, control environment, control activities and monitoring activities
are four of the five integrated components of internal control in COSO. What is
the fifth component ?
A. Information & communication
B. Risk Management
C. Information Technology
D. Security
KEY A
Justification
Information and communication is the fifth component of internal controls in COSO as
indicated in Option A. The answers in the other options are incorrect.
539. State True or False. The COSO 2013 framework prescribes the controls to be
selected, developed and deployed for effective internal control. The management
is not left with any choice in the matter and has to rigorously comply with the
COSO 2013 framework.
A. FALSE
B. TRUE
KEY A
Justification
The COSO 2013 framework does not prescribe the controls to be selected, developed
and deployed. It is a function of management judgement based upon factors unique to
the entity. Hence, the statement in the stem is false and Option A is correct.
540. State True or False. What COSO 2013 is to internal controls, COBIT 5 is to
governance in Governance of Enterprise Information Technology.
A. FALSE
B. TRUE
KEY B
Justification
In GEIT, COBIT 5 is the business framework of governance and management of IT.
COSO 2013 is a framework for managing internal controls. Hence, the statement in the
stem above is correct and the answer is true as per Option B above.
541. COBIT 5 ______________
A. Is best suited for large corporates
B. Is best suited for small and medium enterprises
C. Is a set of globally accepted principles, practices, analytical tools and models
D. Is not ideally suited for non-profit and government enterprises
KEY C
Justification
As indicated in Option C above, COBIT 5 is a set of globally accepted principles,
practices, analytical tools and models for governance. It can be used by all types and
sizes of organizations, whether profit-oriented or otherwise. Hence, answers at Options
A,B and D are wrong.
542. Meeting stakeholder needs, Covering the enterprise end-to-end, Applying a single
integrated framework and Enabling a holistic approach are 4 of the 5 key
principles of COBIT 5. Which is the fifth principle ?
A. Separating Governance from Management
B. Risk management
C. Human resources management
D. Strategic and long term planning
KEY A
Justification
The fifth principle of governance of COBIT 5 is Separating Governance from
Management. The answers in Options B to D are, hence, wrong and Option A is correct.
543. Covering the enterprise end-to-end, Applying a single integrated framework,
Enabling a holistic approach and Separating Governance from Management are 4
of the 5 key principles of COBIT 5. Which is the fifth principle ?
A. Risk management
B. Human resources management
C. Meeting Stakeholder needs
D. Strategic and long term planning
KEY C
Justification
The fifth principle of governance of COBIT 5 is Meeting Stakeholder needs. The
answers in Options A,B and D are, hence, wrong and Option C is correct.
544. Meeting Stakeholder needs, Covering the enterprise end-to-end, Applying a single
integrated framework, and Separating Governance from Management are 4 of the
5 key principles of COBIT 5. Which is the fifth principle ?
A. Enabling a holistic approach
B. Human resources management
C. Risk management
D. Strategic and long term planning
KEY A
Justification
The fifth principle of governance of COBIT 5 is Enabling a holistic approach. The
answers in Options B to D are, hence, wrong and Option A is correct.
545. Which is the ISO standard for corporate governance ?
A. ISO 31000
B. ISO 27001
C. ISO 20100
D. ISO 38500
KEY D
Justification
The ISO standard for corporate governance is ISO 38500. The other Options are,
hence, wrong and Option D is correct.
546. Which is the ISO standard for IT risk management ?
A. ISO 31000
B. ISO 38500
C. ISO 27001
D. ISO 20100
KEY A
Justification
The ISO standard for IT risk management is ISO 31000. The answers in Options B to D
are, hence, wrong and Option A is correct.
547. Which is the ISO standard for Risk management ?
A. ISO 38500
B. ISO 27001
C. ISO 31000
D. ISO 20100
KEY C
Justification
The ISO standard for IT risk management is ISO 31000. The answers in other Options
are, hence, wrong and Option C is correct.
548. A company has developed a mobile phone which is unique for its simplicity and
ease of use. During laboratory tests, it finds that the product is really robust and
rarely fails. The industry norm is that mobile phone manufacturers invariably offer
customers the comfort of prompt and efficient after sales service, including repair.
After a lot of introspection, the company decides that the probability of failure of
their product is so low that it would not be worth their while to invest in a
network of servicing facilities. They decided, instead, to offer a free replacement
in the event of failure of their product. In fact, they decided to leverage this itself
as a marketing strategy for their product and it turned out to be a roaring success.
What type of risk management strategy has the company adopted in this case ?
A. Terminate/eliminate the risk
B. Transfer/share the risk
C. Tolerate/accept the risk
D. Treat/mitigate the risk
KEY C
Justification
The company has obviously chosen to tolerate/accept the risk in view of the low
probability of its occurrence and the likely lower cost of bearing the risk. The answers in
other Options are, hence, wrong and Option C is correct.
549. A company markets agro chemicals on a pan India basis. Farmers use agro
chemicals, typically, only when they perceive a pest attack and would like to act
immediately then to save their crop. Hence, prompt and speedy availability is the
main driver for sales of this product. The company, which had its manufacturing
facility located in South India, found that it invariably lost out in meeting the
demand from the Northern States owing to its inability to deliver the product in
time to meet such unpredictable demand. Since the market being lost
was substantial as compared to the cost of setting up a new plant, it ultimately
decided to set up a new manufacturing facility in Punjab which could ensure
availability of product in a timely fashion. What type of risk management strategy
has the company adopted in this case ?
A. Terminate/eliminate the risk
B. Tolerate/accept the risk
C. Transfer/share the risk
D. Treat/mitigate the risk
KEY A
Justification
The company has obviously chosen to terminate/eliminate the risk after weighing the
pros and cons of loss of business/profit versus cost of setting up a new manufacturing
facility. The answers in Options B to D are, hence, wrong and Option A is correct.
550. Section 49 C of the Listing Agreement of SEBI addresses the need for
_________________
A. Minimum public shareholding percentage
B. Creation of a board sub-committee for auditing
C. Board disclosures related to risk management & states
D. Compliance with government regulations
KEY C
Justification
This section relates to need for Board disclosures related to risk management & states.
Hence, answer at Option C is correct and the other options are incorrect.
551. Section 49 V of the Listing Agreement of SEBI deals with _________
A. Board disclosures related to risk management & states
B. Minimum public shareholding percentage
C. Creation of a board sub-committee for auditing
D. CEO/CFO certification, among other things, of internal controls
KEY D
Justification
This section of SEBI’s Listing agreement relates to need for CEO/CFO certification
accepting, among other things, responsibility for establishing and maintaining internal
controls. Hence, answer at Option D is correct and the other options are incorrect.
552. Section 49 (VII) of the Listing Agreement of SEBI deals with ____________
A. Creation of a board sub-committee for auditing
B. Compliance aspects & certificate of compliance
C. Minimum public shareholding percentage
D. Compliance with government regulations
KEY B
Justification
This section of the Listing Agreement of SEBI deals with compliance aspects and the
need for certificate either from the auditors or the company secretary regarding
compliance of conditions of corporate governance. Hence, answer at Option B is correct
and the other options are incorrect.
553. How can a Governance-Risk-Compliance (GRC) program be enhanced from
merely ensuring compliance to ensuring performance too ?
A. Reward compliance at all levels
B. Ensure Risk-Reward ratio is commensurate with the cost/investment
C. Implement GRC program using GEIT (Governance of Enterprise IT) framework
D. Implement GRC utilising external resource like auditor
KEY C
Justification
A GRC program will basically ensure compliance. However, the GEIT framework
focuses on benefit realization, risk optimization and resource optimization. Hence,
implementing a GRC program using the GEIT framework will help achieve both the
objectives of compliance as well as performance. Hence, Option C is the correct
answer.
554. Apart from Clause 49 of the SEBI Listing agreement, which is based upon SOX
provisions, which other mandatory provision exists on internal controls for
corporate in India ?
A. The Indian Companies Act, The Companies (Auditor’s Report) Order 2003
B. Information Technology Act 2008
C. Sarbanes Oxley Act, 2003
D. COBIT 5
KEY A
Justification
Mandatory provisions on internal controls do exist, as per CARO, as brought out in
Option A above. The IT Act has no such provision, the SOX Act applies in the USA and
COBIT 5 is not an Act but a framework. Hence, answer at Option A above is correct.
555. State True or False. Under GRC (Governance, Risk and Compliance) norms,
compliance refers exclusively to compliance with statutory Laws and
Regulations; compliances with internal policies of an organization are not a part
of it.
A. TRUE
B. FALSE
KEY B
Justification
Compliance under GRC refers both to external compliances, in terms of statutory laws
and regulations, as also internal compliances with regard to policies of an organization.
Hence, the above statement is false and answer at Option B is correct.
556. (a) Principles, policies & framework, (b) Processes, (c) Organization structure, (d)
Roles, responsibilities & risks of IT department, (e) Information and (f) Services,
infrastructure & applications are six of the seven enablers of COBIT 5. Which is
the 7th enabler ?
A. Planning & communication
B. Delegation of authority
C. Compliance with statutory regulations
D. Culture, ethics & behaviour
KEY D
Justification
Culture, Ethics & Behaviour is the 7th enabler under COBIT 5. Hence, answer at Option
D is the correct one.
557. (a) Principles, policies & framework, (b) Processes, (c) Organization structure, (d)
Roles, responsibilities & risks of IT department, (e) Culture, ethics & behaviour
and (f) Services, infrastructure & applications are six of the seven enablers of
COBIT 5. Which is the 7th enabler?
A. Information
B. Planning & communication
C. Delegation of authority
D. Compliance with statutory regulations
KEY A
Justification
Information is the 7th enabler under COBIT 5. Hence, answer at Option A is the correct
one.
558. What is the purpose of Principles, policies and framework in an organization ?
A. To control the employees
B. To arrive at the business strategy of the organization
C. To convey the management’s direction & instruction
D. To comply with statutory regulations
KEY C
Justification
The purpose of Principles, policies and framework in an organization is to communicate
downward the direction the management would like the organization to take and the
means through which this can be done. They reflect the culture, ethics and values of the
organization. The objective is not to control the employees; nor are they about compliance
with statutory regulations. Principles, policies and framework are not drawn up for the
purpose of business strategy; however, the strategy will evolve based upon these
elements and other strategic inputs like the market, competition, etc. Hence, answer at
Option C is the correct one.
559. Apart from being effective and efficient, what other characteristic should a good
policy possess ?
A. To control the employees
B. Making sense & appearing logical to those who have to comply with them
C. To arrive at the business strategy of the organization
D. To comply with statutory regulations
KEY B
Justification
The third important attribute of any good policy is that it makes sense and appears
logical to those who are required to comply with it. Without this, policies would fail in
actual practice during implementation for want of buy-in. Hence, answer at Option B is
the correct one.
560. Processes are one of the 7 enablers of Governance of Enterprise IT under COBIT
5. What are the types of processes distinguished under COBIT 5 ?
A. Strategy processes and action processes
B. Group processes versus individual processes
C. Governance processes and management processes
D. Macro versus micro processes
KEY C
Justification
COBIT 5 distinguishes between governance and management processes with the latter
concerned more with performance matters. Answer at Option C is the correct one.
561. How does the RACI (Responsible, Accountable, Consulted, Informed) model help
in an organization ?
A. Helps clarify roles and responsibilities
B. Facilitates documentation of processes
C. Basis for development of organization chart
D. Accelerates decision-making process
KEY A
Justification
The RACI model helps clarify roles and responsibilities and is particularly of value in
cross departmental projects and processes. Answer at Option A is the correct one.
562. In Governance of Enterprise IT, the IT Strategy Committee should include
_____________
A. Board members alone, considering the strategic content
B. Non-Board members alone, considering the need for implementation support
C. Both Board as well as non-Board members
D. Board members and IT managers alone
KEY C
Justification
The IT Strategy Committee should have representation from Board as well as non-
Board members, with representation from all divisions. Answer at Option C is the
correct one.
563. Which of the following has primary responsibility for implementation of
Governance of Enterprise IT ?
A. The Managing Director or CEO of the Organization
B. The CIO of the organization
C. The IT Strategy Committee
D. The IT Steering Committee
KEY C
Justification
It is the IT Strategy Committee whose primary responsibility it is to implement GEIT,
while the accountability is of the Board of Directors itself. Answer at Option C is the
correct one.
564. Which of the 7 enablers of COBIT 5 is considered the most important ?
A. Organization structure
B. Principles, policies & framework
C. Processes
D. Information
KEY D
Justification
Information is considered the most important of the enablers of COBIT 5. Answer at
Option D is the correct one.
565. What is most important in developing a performance management system ?
A. Deciding on incentive schemes
B. Identifying enterprise goals & their linkage to operating environment
C. Developing clear organization structure
D. Benchmarking with industry
KEY B
Justification
The most important aspect of performance management development is ensuring that
organizational goals, vision and mission are cascaded downwards to all, establishing a
clear linkage. Without this, the entire exercise would be fruitless since the performance
could be directed at goals other than those established through the vision / mission of
the organization. Answer at Option B is the correct one.
566. A good performance management system assesses performance against goals
through Key Goal Indicators. Simultaneously, it monitors performance of process
through _________
A. Work flow indicators
B. Moving average indicators
C. Key Process Indicators
D. Industry benchmarks
KEY C
Justification
Monitoring of performance of process is through the Key Process Indicator. Hence, the
answer at Option C is the correct one.
567. The approach of using lead indicators for performance measurement is called
__________
A. Reactive approach
B. Retroactive approach
C. Proactive approach
D. Retrospective approach
KEY C
Justification
The approach of using lead indicators for performance measurement is called Proactive
approach. Hence, the answer at Option C is the correct one.
568. The approach of using lag indicators for performance measurement is called ?
A. Proactive approach
B. Reactive approach
C. Retroactive approach
D. Retrospective approach
KEY B
Justification
The approach of using lag indicators for performance measurement is called Reactive
approach. Hence, the answer at Option B is the correct one.
569. Where is the Capability Maturity framework of Performance Management Systems
generally used?
A. Hardware Development Company
B. Research & Development institution
C. Software Development Company
D. Educational institutions
KEY C
Justification
The Capability Maturity framework of Performance Management Systems is generally
used in software development companies. Hence, the answer at Option C is the
correct one.
570. Mr Johnson has just taken charge as Head of a fledgling educational institution
which has not had a good track record. He feels that he has his task cut out for
him: he needs to focus more on the lead parameters rather than lag indicators so
that he can create sustainable results. Which of the following would be an
example of lead indicators ?
A. Number of passes by students in the Matriculation examination
B. Number of all-India rank holders from the school in the Matriculation examination
C. Number of failures in the Matriculation examination
D. Number of hours of refresher courses attended by teachers
KEY D
Justification
The correct answer would obviously be the number of hours of refresher courses.
Hence, the answer at Option D is the correct one.
571. In Governance, value creation happens through Benefits Realisation, Risk
optimization & Resource Optimization decisions taking into account _________
A. All Stakeholders’ needs
B. All Shareholders’ needs
C. Organizational goals
D. Organizational vision, mission
KEY A
Justification
In Governance, all stakeholders’ needs should be taken into account while taking
decisions related to benefits realization, risk optimization & resource Optimization.
Hence, the answer at Option A is the correct one.
572. Which framework specifically enables users to relate their enterprise’s current
business & IT environment to specific objectives & relevant processes ?
A. Quality management system
B. Six Sigma approach
C. COBIT 5 framework
D. Blue Ocean framework
KEY C
Justification
While many frameworks may address such linkages generically, the advantage of
COBIT 5 is that it specifically enables users to relate their enterprise’s current business
and IT environment to specific objectives and relevant processes. Hence, the answer at
Option C is the correct one.
573. The Balanced Score Card is an invaluable management tool that helps translate
strategy into action and also for ________________
A. Balancing shareholders’ needs with employee needs
B. Bringing non-financial indicators into better focus
C. Balancing needs of multiple functions within an organization
D. Balancing lead and lag indicators
KEY B
Justification
As brought out in Option B above, one of the major advantages of the Balanced score
card mechanism is its ability to focus on non-financial indicators too, thus bringing in a
balance between financial & non-financial parameters. The answers in other Options
are incorrect.
574. The Balanced Score Card is designed to ensure that performance metrics and
strategic themes are balanced with financial & non-financial, operational &
financial, lead & lag indicators. Financial, Customer & Internal Business process
perspectives are three of the four perspectives of BSC. The fourth perspective is
_________________.
A. Learning & Growth
B. Shareholders versus Employees
C. Short term versus Long term
D. Lead and lag indicators
KEY A
Justification
As brought out in Option A above, the fourth perspective of BSC is Learning & Growth.
The answers in Options B to D are incorrect.
575. The Balanced Score Card ____________
A. Is meant for the use of only the senior level executives
B. Cannot be linked to the IT goals & objectives
C. Cannot be the basis for performance incentives
D. Can be cascaded down to all levels of the organization
KEY D
Justification
As brought out in Option D above, the BSC can, indeed, be cascaded down to all the
levels of organization. The answers in other options are incorrect.
576. What is the most important aspect of the CIMA Strategic Score Card approach ?
A. Focuses exclusively on strategy matters
B. Focuses exclusively on IT governance & strategy aspects
C. Addresses conformance as well as performance, focussing on strategic issues
D. Unlike the Balanced Score card, it focuses on lead indicators alone
KEY C
Justification
The CIMA Strategic Score Card approach addresses both conformance as well as
performance, focussing on strategic issues. The answers in other options are incorrect.
577. Strategic position, Strategic options and Strategic implementation are three of the
four basic elements of the CIMA Strategic Score card. What is the fourth
element ?
A. Strategic Risks
B. Strategic Conformance
C. Strategic Performance
D. Strategic IT
KEY A
Justification
The fourth element of the CIMA Strategic Score Card approach is Strategic Risks. The
answers in Options B to D are incorrect.
578. What is fundamental to the Capability Maturity Model Integration (CMMI) ?
A. Used universally, except in the I.T. industry
B. Is superior to COBIT 5 which does not have process capability
C. It is a process improvement approach
D. Focuses on internal process alone
KEY C
Justification
The CMMI model is a process improvement approach & is a preferred model for the IT
industry. COBIT 5, too, has process capability built in. CMMI addresses all processes.
Hence, answer at Option C above alone is correct.
579. What is the essence of Total Quality Management strategy ?
A. Focus exclusively on products & services rather than processes
B. Producing best quality products
C. Focus exclusively on processes as a means to an end
D. Achieving long term success through customer satisfaction
KEY D
Justification
TQM strategy aims at achieving long term success through customer satisfaction. It
aims to do this through quality management at all levels, improving products, services,
processes as also culture. Hence, answer at Option D above alone is correct.
580. State True or False. The guidelines for specific processes and procedures in
COBIT 5 have been designed robustly with the latest best practices incorporated.
While implementing the framework, these processes / procedures need to be kept
intact and not tweaked or tinkered with.
A. FALSE
B. TRUE
KEY A
Justification
The design of processes and procedures suggested in COBIT 5 need to be tailored
appropriately to suit the needs of the enterprise’s culture, management style & IT
environment. The recommended best practices, too, should be adapted to suit the
particular enterprise where it is being implemented. Hence, the statement in the Stem is
incorrect and the answer at Option A is correct.
581. One of the primary reasons for implementing Governance of Enterprise IT (GEIT)
is to alleviate pain points in the organization. Another major reason is
______________
A. Ensure up-to-date technology
B. Trigger events like merger/acquisition, new regulations, etc.
C. Achieve stake holder satisfaction
D. Higher vulnerability of IT compared to other functions
KEY B
Justification
The other major reasons for implementing GEIT are trigger events which create
changes in the environment. Answers in Options A and C may also be factually true but
are not necessarily major reasons for implementing GEIT. Answer in Option D is not
correct. Hence, the answer at Option B is correct.
582. Which one of the following could be a Critical Success factor in GEIT
implementation ?
A. The project is handled exclusively & in isolation to day-to-day business
B. Execution authority & responsibility is retained at the highest levels
C. Top management provides direction and mandate
D. Trigger events like merger/acquisition, new regulations, etc.
KEY C
Justification
One of the critical success factors is the need for top management to provide direction
and mandate for the project, as indicated in Option C. Integration of the project with
day-to-day business is essential for its success, contrary to what is stated in Option A.
Similarly, authority & responsibility have to be cascaded down to the level at which
project implementation happens, ideally to an anchor person, contrary to what is stated
in Option B. Trigger events may precipitate the implementation of GEIT but cannot be
critical success factors. Hence, the answer at Option C is correct.
583. Which one of the following could be a Critical Success factor in GEIT
implementation ?
A. Trigger events like merger/acquisition, new regulations, etc.
B. The project is handled exclusively & in isolation to day-to-day business
C. Focus on quick wins to demonstrate benefit & build confidence
D. Execution authority & responsibility is retained at the highest levels
KEY C
Justification
Early successes help instil confidence in the initiative & stimulate co-operation, as
indicated in Option C. Trigger events may precipitate the implementation of GEIT but
cannot be critical success factors. Integration of the project with day-to-day business is
essential for its success, contrary to what is stated in Option B. Similarly, authority &
responsibility have to be cascaded down to the level at which project implementation
happens, ideally to an anchor person, contrary to what is stated in Option D.
Hence, the answer at Option C is correct.
584. What should be the first phase of GEIT implementation ?
A. Forming an implementation team
B. Communicating the desired vision
C. Enable operation & use
D. Establish desire to change, stressing pain points, trigger events
KEY D
Justification
The first phase of GEIT implementation is preparing the ground for the project to take
off and targeting the mind sets of the people concerned. This can be done by identifying
the pain points / trigger events as also the consequences of inaction for the
organization as well as the individual. The answers in other options can be successive
steps in the project implementation and not the initial one.
Hence, the answer at Option D is correct.
585. What should be the final phase of GEIT implementation ?
A. Establish desire to change, stressing pain points, trigger events
B. Communicating the desired vision
C. Sustain changes through conscious reinforcement
D. Enable operation & use
KEY C
Justification
Any initiative, however good it may be, will not yield the desired results unless
mechanisms are built in for sustaining the momentum which has been gained in the
initial launch. This can be done, as pointed out in Option C above, through conscious
reinforcement & continuous top management commitment. The answers in the other
options are intermediate phases in the GEIT implementation process and, hence, are
not correct.
586. In line with ISO/IEC 38500, Governance processes under COBIT 5 are based upon
the principles of ______________
A. Evaluate, Direct, Monitor
B. Align, Plan & Organize
C. Monitor, Evaluate & Assess
D. Build, Acquire and Implement
KEY A
Justification
Governance processes under COBIT 5 are based upon the principles of Evaluating
strategic options, Directing IT & Monitoring the outcome. Hence, the answer in Option A
above is correct and the other answers are wrong.
587. The most critical factor in implementing GEIT is ______________
A. Taking a bottom-up perspective
B. Identifying implementation scope & objectives, prioritization of processes
C. Availability of trained individuals to spearhead the project
D. Organization chart combined with Delegation of Authority
KEY B
Justification
The most critical factor in implementing GEIT is identifying implementation scope and
objectives as also prioritization of processes, as shown in Option B. Answers in other
options are not correct. Hence, answer in Option B above is correct.
588. How is alignment of strategic IT Plans with business done?
A. Holding regular meetings with IT department participation
B. Having an IT department nominee in non-IT meetings
C. Clearly communicating the objectives & accountabilities
D. Taking a bottom-up perspective
KEY C
Justification
Alignment of strategic IT Plans with business is done by clearly communicating the
objectives & accountabilities so that they are understood by all & IT strategic options
are integrated with the business plans as required. Hence, Option C is the correct
answer.
589. Which one of the following is a KEY management practice for aligning IT strategy
with enterprise strategy ?
A. Identify gaps between current & target environments
B. Taking a bottom-up perspective
C. Holding regular meetings with IT department participation
D. Having an IT department nominee in non-IT meetings
KEY A
Justification
Identifying gaps between the current & target environments is one of the KEY
management practices for aligning IT strategy with enterprise strategy. Hence, Option A
is the correct answer.
590. How is Value Optimization of IT achieved ?
A. Going in for low cost IT equipment
B. Replacing full time IT employees with outsourced personnel
C. Taking a bottom-up perspective
D. Value Optimization of business processes, IT services & assets
KEY D
Justification
Value Optimization of IT is achieved through value optimization of business processes,
IT services & IT assets. Hence, Option D is the correct answer.
591. Which of the following metrics could be used for evaluation of value
optimization ?
A. Number of low cost IT equipment procured during a financial year
B. Replacing full time IT employees with outsourced personnel
C. Percentage of IT enabled investments where claimed benefits were met or
exceeded
D. Wage cost reduction through non-filling of some vacant IT positions
KEY C
Justification
One metric which could be used for evaluation of value optimization could be the
percentage of IT enabled investments where claimed benefits were met or exceeded.
Answers in other options, however, will not meet the requirement. Hence, Option C is
the correct answer.
592. COBIT 5 has a resource governance process to ensure that resources needs of
the enterprise are met in an optimal manner. Which one of the following is KEY
governance process to be followed ?
A. Evaluate, Direct and Monitor resource management
B. Build, Acquire and Implement
C. Align, Plan & Organize
D. Monitor, Evaluate & Assess
KEY A
Justification
The KEY governance process to be followed in this case is Evaluate, Direct and Monitor
resource management as brought out in Option A. The answers in the other options B
to D are incorrect and not applicable to the instant case.
593. Which one of the following is an important tool used for managing & monitoring
service providers ?
A. Regular meetings
B. Third party inspection arrangements
C. Service Level Agreements (SLAs)
D. Cost comparison through industry benchmarking
KEY C
Justification
While all the answers in the options above may be true to some extent, the most
important tool for managing & monitoring service providers is the Service Level
Agreement. An SLA not only makes commitments enforceable but also captures clearly the
responsibilities of both parties as well as other aspects like delivery expectations,
escalation clauses, penalties, etc. Hence, the answer in Option C above is correct and
the rest can be deemed to be wrong.
594. The success of capacity management would depend most upon which one of the
following factors ?
A. Historical trend of capacity expansions
B. Availability of precise and timely business forecasts
C. Cost comparison through industry benchmarking
D. Availability of adequate funds for procurement
KEY B
Justification
Capacity Management success would depend to a great extent upon the availability of
precise and timely business forecast, as indicated in the answer in Option B. The
answers in other options are incorrect.
595. With reference to Capex & Opex, how can valuation of any business be
improved ?
A. Increasing Capex & proportionately reducing Opex
B. Reduction in Opex irrespective of impact on day-to-day operations
C. With Capex constant, reduction in Opex without hurting day-to-day operations
D. Increasing both Capex & Opex with the objective of increased profits
KEY C
Justification
In general, industry prefers to restrict Capex & also optimize Opex to get the best
results for stakeholders. Capex is considered less desirable because it is capitalized
and recovered only through depreciation over a number of years, whereas Opex is allowed
as a business cost in the year in which it is incurred. However, a reduction in Opex can
hurt operations too, leading to reduced profits. Hence, the ideal situation would be,
while Capex is kept constant, to reduce Opex without hurting day-to-day operations, as
indicated in Option C above. The answers in the other options are incorrect.
596. What is Information ?
A. It is a collection of data which need not necessarily have meaning for its user
B. It is restricted to data in the form of numbers
C. It is data which is not necessarily specific & organized
D. It is all data processed in a meaningful context
KEY D
Justification
Information is data processed in a meaningful context. It is specific & organized and has
value to the user. It includes all forms of information like numbers, text, images, sound,
codes, etc. Hence, the answer at Option D is correct & the other options incorrect.
597. State TRUE or FALSE. When the Information System Auditor delegates work to
others, he will continue to be responsible for forming and expressing his opinion
on auditee environment as per the scope and objectives of the audit.
A. TRUE
B. FALSE
KEY A
Justification
The responsibility for forming and expressing opinion on auditee environment rests with
the IS Auditor even in respect of work he delegates to others. Hence, answer at Option
A above is correct.
598. Are Audit professionals considered to be the most appropriate professionals to
audit Information Systems (rather than IT professionals) ?
A. No; since they do not have adequate expertise in Information Technology
B. Yes; since it involves the evaluation of internal controls in computerized business
processes
C. No; since Information systems have built-in safeguards and an audit would be
superfluous
D. Yes; but only to the extent of regulatory matters about which they are proficient
KEY B
Justification
Audit professionals are, indeed, considered to be the most appropriate professionals to
audit Information Systems since knowledge of business processes is extremely critical
for such audit, more than technical knowledge of Information Technology. What is
required is an audit professional who has supplemented his audit/financial/regulatory
background with knowledge of the basics of Information Technology. Hence, the answer at
Option B above is correct. No Information System can build in safeguards to meet all
contingencies, so an audit is never superfluous. The other answers are, therefore,
incorrect.
599. Risk in Information Technology ____________
A. Can be depicted as hierarchically dependent upon other risk categories
B. Does not impact on long term strategy
C. Can also be defined as Threat exploiting Vulnerabilities
D. Is not considered operational in financial industry as per Basel II framework
KEY C
Justification
Since Information Systems impinge on each and every part of an organization’s business
today, any risk in IT automatically extends to all aspects of the business, including
long term strategy. IT risk is, in fact, treated as an operational risk in the financial
industry as per the Basel II framework. Further, since it is relevant to every aspect of
an organization, it is not to be depicted as hierarchically dependent upon other risk
categories. Hence, the answers in Options A, B and D are incorrect. The definition given
in Option C is correct: IT risk is, in a way, a threat exploiting vulnerabilities. Hence,
the answer at Option C above is correct.
600. What is the Risk Universe ?
A. Is restricted to selected components of the business
B. Is restricted to the enterprise & excludes suppliers, service providers, clients
C. It needs to be defined & frozen for a reasonable period of time of about 5 years
D. It defines the overall environment & provides a structure for managing the IT risk
KEY D
Justification
The Risk Universe extends to the overall environment, covering all stake holders
including suppliers, service providers & clients. It aims at providing a structure for
managing IT risk. It crosses functional silos and is intended to cover end-to-end
business perspective. It needs to be dynamic & updated regularly to be aligned with
changes in the environment. Hence, answer at Option D alone is correct.
601. During 2009, the Satyam Computers scandal broke out. The Company’s Chairman
admitted to falsification of accounts to the tune of U.S. $ 1.47 billion. The auditors
for this company were mainly exposed to what type of risk ?
A. Audit Risk
B. Financial Risk
C. Procedural Risk
D. IT Risk
KEY A
Justification
Audit risk refers to the risk that an auditor may issue unqualified report due to the
auditor’s failure to detect material misstatement either due to error or fraud. The cited
example clearly refers to such a situation and, hence, answer at Option A above is the
correct answer.
602. Audit risk is _______________
A. A product of control risk & detection risk
B. A product of inherent risk, control risk & detection risk
C. Sum of inherent risk, control risk & detection risk
D. A product of inherent risk and detection risk
KEY B
Justification
Audit risk refers to the risk that an auditor may issue unqualified report due to the
auditor’s failure to detect material misstatement either due to error or fraud. It is a
product of inherent risk, control risk & detection risk. Hence, answer at Option B alone
is correct.
603. In the case of IS Audit, materiality is _____________
A. Based upon value and volume of transactions
B. Based on impact of non compliance
C. Consequence of risk in terms of potential loss
D. A product of inherent risk and detection risk
KEY C
Justification
Materiality in IS Audit is a consequence of risk in terms of potential loss. Hence, answer
at Option C is correct while the other answers are incorrect.
604. In the case of Financial audit, materiality is ______________
A. Based upon value and volume of transactions
B. Based on impact of non compliance
C. Consequence of risk in terms of potential loss
D. A product of inherent risk and detection risk
KEY A
Justification
Materiality in Financial Audit is based upon value and volume of transactions and the
relevant error or discrepancy or control weakness detected. Hence, answer at Option A
is correct while the other answers are incorrect.
605. In the case of Regulatory audit, materiality is _________________
A. Based upon value and volume of transactions
B. Consequence of risk in terms of potential loss
C. Based on impact of non- compliance
D. A product of inherent risk and detection risk
KEY C
Justification
Materiality in Regulatory Audit is based upon the impact of non-compliance with
regulations. Hence, answer at Option C is correct while the other answers are incorrect.
606. Internal Controls _______________
A. Are restricted to tools for prevention of risks alone
B. Focus exclusively on financial rather than non-financial risks
C. Are driven exclusively by automated computerised systems
D. Facilitate achievement of business objectives & management of risks
KEY D
Justification
Internal controls are designed to assure the management that the organization’s
business objectives will be achieved and risk events prevented or detected and
corrected. They target prevention as well as detection & correction and are aimed at
both financial as well as non-financial risks. They can be driven either by automated
computerised systems or even manual systems. Hence, answer at Option D alone is
correct.
607. Internal Controls ________________
A. Target risk management rather than achievement of business objectives
B. Comprise Preventive, Detective & Corrective controls
C. Are driven exclusively by automated computerised systems
D. Focus exclusively on financial rather than non-financial risks
KEY B
Justification
Internal controls are designed to assure the management that the organization’s
business objectives will be achieved and risk events prevented or detected and
corrected. They target prevention as well as detection & correction and are aimed at
both financial as well as non-financial risks. They can be driven either by automated
computerised systems or even manual systems. Hence, answer at Option B alone is
correct.
608. Internal Controls _______________
A. Are the sum total of IT General controls and IT Application Controls
B. Focus exclusively on prevention of errors or irregularities
C. Are driven exclusively by automated computerised systems
D. Focus exclusively on financial rather than non-financial risks
KEY A
Justification
Internal controls are designed to assure the management that the organization’s
business objectives will be achieved and risk events prevented or detected and
corrected. They target prevention as well as detection & correction and are aimed at
both financial as well as non-financial risks. They can be driven either by automated
computerised systems or even manual systems. They include General controls which
encompass all administrative areas and Application controls which are related to
specific application software. Hence, answer at Option A alone is correct.
609. The authority, scope and responsibility of the Information System Audit function
is ________________
A. Defined by the I.T. Head of the organization, as the expert in the matter
B. Defined by the various functional divisions, depending upon criticality
C. Defined by the audit charter approved by the senior management/Board
D. Generated by the Audit division of the organization
KEY C
Justification
The authority, scope and responsibility of the Information System Audit function are
invariably defined by the audit charter, which is approved by the senior management and,
most often, by the Board of Directors. It is not left to the Audit division, the IT Head
or the functional heads to decide on this. Hence, the answer at Option C alone is correct.
610. Audit objectives, in general _____________
A. Are not concerned with substantiation of internal controls
B. Refer to the specific goals that must be met by audit
C. Are not concerned with how internal controls function
D. Are derived & stated at the end of the audit process
KEY B
Justification
Audit objectives refer to the specific goals that must be met by audit. This is in contrast
to a control objective which refers to how an internal control functions. They often focus
on substantiating the existence of internal controls & the appropriateness of functioning.
They are invariably set down at the beginning of the audit process. Hence answer at
Option B alone is correct.
611. The major purpose of Information Systems Audit is whether _____________
A. Internal control system design is robust & operated effectively
B. Financials are properly reflected in the books of the organization
C. All the hardware in the organization have appropriate warranties
D. All the software in the organization have valid licences
KEY A
Justification
A major purpose of Information Systems audit is whether the internal control system
design is robust and is operated effectively. It is not directly related to ensuring financial
correctness or to validate warranties/licences for hardware/software. Hence, answer at
Option A alone is correct.
612. A Request for Proposal (RFP) _______________
A. Is sent by prospective supplier to buyer, seeking information
B. Will help identify the lowest-priced bidder as the successful bidder
C. Is used for acquiring services &, sometimes, goods
D. Is used exclusively for buying goods and not services
KEY C
Justification
A RFP is used primarily for acquiring services and, on occasion, goods. It comprises a
complete description of the buyer’s requirements of the service/product. The successful
bidder in this process need not necessarily be the lowest-priced; non-financial aspects
like credibility, technical superiority, etc. will also be taken into account to arrive at the
optimal supplier. Hence, answer at Option C alone is correct.
613. You are advising your client on the selection & appointment of an IT service
provider. You suggest that the client should go through a Request for Proposal
(RFP) process for best results. Your client is happy with your suggestion but
requests that not all aspects of the selection process be publicised up-front, since
the client had faced situations in the past wherein openness in such matters had
led to disputes with suppliers who were rejected in the selection process. The
client’s argument is that, in any case, the selection will be on a fair and equitable
basis & the idea is just to avoid giving too much information to the bidders and
creating the potential for nuisance attacks by mischievous, unsuccessful bidders. As a
Chartered Accountant, would your suggestion be to clearly spell out the selection
criteria or leave them ambiguous ?
A. Clearly spell out the selection criteria
B. Leave the selection criteria ambiguous
KEY A
Justification
It would be best to clearly spell out all the selection criteria. Doing so gives
potential bidders confidence in the credibility of the buyer and avoids the build-up of
unnecessary cushions in bids to take care of unknown contingencies. Also, ambiguities cut
both ways & may provide loopholes for unscrupulous bidders to wriggle out of commitments
or raise disputes. Contractually & legally, too, such an RFP will strengthen the
organization’s hands in the event of any default or failure on the part of the chosen
supplier. Hence, the answer at Option A alone is correct.
614. What are the elements common to both the Audit Charter and Audit Engagement
Letter ?
A. Responsibility, Authority & Professional Fees payable
B. Responsibility, Authority & Travel expenses budget for auditors
C. Responsibility, Authority & Accountability
KEY C
Justification
The elements common to both the Audit Charter & Audit Engagement Letter are
Responsibility, Authority & Accountability. Aspects like the Professional fees payable,
travel expenses budget for auditors, etc. are generally dealt with in the Engagement
Letter and not in the Charter. Hence, answer at Option C alone is correct.
615. Based upon scope, objectives, etc. drawn up in consultation with the senior
management of an organization, an experienced audit team which has sound
knowledge of I.T. has completed & filed its preliminary audit report of the I.T.
department of the organization. On receiving the draft report, the officials in the
I.T. department react negatively to the report. They argue that the bulk of the
conclusions drawn in the report, the information reported, etc. are erroneous.
They question the validity of the findings. In your view, which one of the following
could be the likely major cause for this situation ?
A. Lack of adequate technical IT knowledge of the auditing team
B. Poor quality of audit by the team
C. Mala fide intentions of the auditee team
D. Ineffective communication with the auditee & lack of buy-in
KEY D
Justification
It is clear that the auditing team is a competent one with sound knowledge of I.T. It is
unlikely that the auditee team deliberately sought to scuttle the auditing team’s report,
for, given that the audit has top management’s approval, the I.T. department cannot hope
to gain anything by throwing mud on the auditing team. If the auditee still questions
the validity of the team’s report, the single major cause which can be inferred from the
question stem is that communication with the auditee has not been carried out in an
effective manner & adequate steps have not been taken to secure auditee buy-in for the
process. Hence, the answer at Option D appears to be the most appropriate.
616. You have just taken on the Audit of a large, established multinational company
with operations spread geographically across continents. You need to draw up
detailed scope of the proposed audit of the organization in consultation with its
top management. Your approach would be to focus upon _____________
A. Areas identified to be high risk &/or high significance to the organization
B. Sample audit of each and every geographical unit of the organization
C. Sample audit of each and every function in the organization
D. Areas related to I.T. software and hardware alone
KEY A
Justification
Given the fact that any audit team would have limitations in terms of auditing resources
as well as budget, it would have to get maximum mileage for the auditee with the limited
resources at its disposal. Hence, rather than spreading itself too thin by trying to audit
as many areas as possible, the ideal strategy would be to arrive at a consensus
regarding a few areas of high risk as also high significance for the organization.
Auditing these areas alone initially would help maximise the value of the auditing
exercise. Hence, answer at Option A is the most appropriate one.
617. You have just taken on the Audit of a large, established company with diverse
businesses involving manufacturing as well as trading. You are now at the
planning stage & need to draw up your draft audit plan for clearance by the top
management. What is the most important planning activity involved at this stage
of the exercise ?
A. Historical financials of the organization
B. Cost of carrying out the audit
C. Thorough understanding of the nature of each of the businesses & nuances
D. Number of people required for carrying out the auditing exercise
KEY C
Justification
Considering the diverse nature of the organization’s businesses as also its existence
both in trading as well as manufacturing, the fundamental drivers of these areas of
business are likely to be totally different. The most important part of the planning
exercise would hence be the thorough understanding of each of the organization’s
businesses & its nuances. This alone will help the auditor to appreciate the areas of
significance & high risk so that focus can be shifted to these areas for maximum results.
Hence, answer at Option C above is the most appropriate.
618. Which are the three major categories of IS Controls ?
A. Fiduciary, Quality & Security
B. Financial, Quality & Security
C. Audit, Quality & Security
D. Economic, Financial & Quality
KEY A
Justification
The major categories of IS Controls are Fiduciary, Quality & Security. Hence, answer at
Option A above is the correct one.
619. The basic principles of Fiduciary Controls in Information Systems are
____________
A. Efficiency & Effectiveness of process, service or activity
B. Reliability of information & Compliance with laws, regulations, etc.
C. Confidentiality & Integrity of information
D. Confidentiality, Integrity & Availability of information
KEY B
Justification
The basic principle of Fiduciary Controls in IS are reliability of information & compliance
with laws, regulations, etc.. Hence, the correct answer is as per Option B. The other
answers are incorrect.
620. The basic principles of Quality Controls in Information Systems are ____________
A. Reliability of information & Compliance with laws, regulations, etc.
B. Confidentiality & Integrity of information
C. Efficiency & Effectiveness of process, service or activity
D. Confidentiality, Integrity & Availability of information
KEY C
Justification
The basic principle of Quality Controls in IS are efficiency & effectiveness of processes,
services or activities. Hence, the correct answer is as per Option C. The other answers
are incorrect.
621. The basic principles of Security Controls in Information Systems are
____________
A. Confidentiality, Integrity & Availability of information
B. Reliability of information & Compliance with laws, regulations, etc.
C. Efficiency & Effectiveness of process, service or activity
D. Confidentiality & Integrity of information
KEY A
Justification
The basic principle of Security Controls in IS are Confidentiality, Integrity & Availability
of information. Hence, the correct answer is as per Option A. The other answers are
incorrect.
622. Which of the following is one of the four KEY Areas which have to be understood
by Information System Auditors prior to commencement of audit ?
A. Thorough understanding of the business of the entity
B. Efficiency & Effectiveness of process, service or activity
C. Sales turnover & employee strength of the entity
D. Status of entity whether government or private
KEY A
Justification
One of the KEY Areas which have to be understood by Information System Auditors is
thorough understanding of the business of the entity. Hence, the correct answer is as
per Option A. The other answers are incorrect.
623. Which of the following is one of the four KEY Areas which have to be understood
by Information System Auditors prior to commencement of audit ?
A. Status of entity whether government or private
B. Efficiency & Effectiveness of process, service or activity
C. Organization structure, roles, responsibilities, policy framework, etc.
D. Sales turnover & employee strength of the entity
KEY C
Justification
One of the KEY Areas which have to be understood by Information System Auditors is
the organization structure, roles, responsibilities, policy framework. Hence, the correct
answer is as per Option C The other answers are incorrect.
624. Which of the following is one of the four KEY Areas which have to be understood
by Information System Auditors prior to commencement of audit ?
A. Status of entity whether government or private
B. Efficiency & Effectiveness of process, service or activity
C. Sales turnover & employee strength of the entity
D. IT infrastructure including capacities, age of software/hardware, etc.
KEY D
Justification
One of the KEY Areas which have to be understood by Information System Auditors is
the IT infrastructure in terms of capacities, age of software/hardware, etc. Hence, the
correct answer is as per Option D. The other answers are incorrect.
625. Which of the following is one of the four KEY Areas which have to be understood
by Information System Auditors prior to commencement of audit ?
A. Statutory regulations, standards, frameworks
B. Status of entity whether government or private
C. Efficiency & Effectiveness of process, service or activity
D. Sales turnover & employee strength of the entity
KEY A
Justification
One of the KEY Areas which have to be understood by Information System Auditors
includes statutory regulations, standards & frameworks. Hence, the correct answer is as
per Option A. The other answers are incorrect.
626. Section 7A of the Information Technology Act 2000 (as amended in 2008)
addresses which of the following issues ?
A. Damage liability to a corporate negligent handling of personal data
B. Identity theft by corporate or individual
C. Extension of audit coverage to documents, etc. in electronic form
D. Publishing or transmission of obscene material
KEY C
Justification
Section 7A relates to extension of audit coverage to documents, records or information
stored in electronic form. Hence, the correct answer is as per Option C. The other
answers are incorrect.
627. Recently, there were reports of some criminal hacking of Facebook accounts and
theft of passwords and other personal information. You, as a Facebook account
holder, apprehend personal loss/damage and would like to proceed legally
against the Facebook organization. You would like to issue a notice to them, to
start with. Which Indian Act and which section of the Indian Act would you cite in
your notice alleging violations ?
Governance and Management of Enterprise Information Technology, Risk …
A. Information Technology Act, 2000, Section 7A
B. Right to Information Act, 2006, Section 43A
C. Information Technology Act, 2000, Section 43 A
D. Right to Information Act, 2006, Section 7A
KEY C
Justification
A Corporate’s liability to damages on negligent handling of personal information is
covered by Section 43A of the IT Act, 2000. Hence answer in Option C is correct and
the other options are wrong.
628. A famous cinema actor has learnt that his password and personal information on
a social networking website have been compromised owing to suspected breach
of the security of the relevant networking website. The actor is furious and feels
that the potential for damage to his image and reputation is great. The actor is
convinced that there has been negligence involved & is particular that the website
needs to be taught a lesson and made to understand that such breaches in
security leading to violation of privacy are not acceptable. He proceeds, therefore,
to sue the website and seeks damages of the seemingly steep amount of Rs. 1000
crores. Is there any Indian Act which would cover this situation ? If so, which Act
and which clause of the Act, do you think, the actor would be able to cite for
claiming such a large quantum of damages ?
A. Information Technology Act, 2000, Section 7A, damages limited to proven loss
suffered
B. Information Technology Act, 2000, Section 43 A
C. Right to Information Security Act, 2006, Section 43A
D. No Indian Act covers this situation &, hence, the actor’s claim may not be
enforceable
KEY B
Justification
A Corporate’s liability to damages on negligent handling of personal information is
covered by Section 43A of the IT Act, 2000. There is no upper limit specified for
compensation under the Act &, hence, even a Rs. 1000 crore claim for damages would
be tenable. Hence answer in Option B is correct and the other options are wrong.
629. An employee of an organization is caught using his official computer for sending
offensive messages to one of his colleagues in the organization. Which Indian Act
and which clause of the Act would cover this violation of the law ?
A. Sarbanes Oxley Act, 2002, Sections 401 to 403
B. Information Technology Act 2000, Sections 7A, B and C
C. Information Technology Act 2000, Sections 66 to 66F and 67
D. Right to Information Security Act, 2006, Section 7A
KEY C
Justification
The offences of sending offensive messages through a communication service or computer resource, and of publishing or transmitting obscene material in electronic form, are covered under Sections 66 to 66F and 67 of the Information Technology Act 2000. Hence answer in Option C is correct and the other options are wrong. Note that Section 66A, the specific offensive-messages provision, was struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union of India (2015); the remaining provisions of Sections 66 to 66F and 67 continue in force.
630. A small scale industry has developed an effective, organic mosquito repellent
which shows great promise. Since they had limitations in terms of resources,
capability to scale up operations & marketing, they decided to join hands with a
large marketing company. They signed off on a contract for marketing of their
product, working capital funding and long term product development in the larger
company’s R& D laboratories. They also built in protective clauses on non-
disclosure of manufacturing formula, secret ingredients, etc. which were provided
to them as encrypted soft copies. After a few months, the small scale industry
learns that the larger company has begun marketing a me-too product abroad,
manufactured by another unit, utilising the knowledge obtained while
manufacturing the small scale industry’s unique product. Since informal
discussions on the subject failed to make progress, the small scale industry has
decided to proceed legally against the larger company.
Which Indian Act and which clause of the Act would support the small scale
industry in their legal battle ?
A. Sarbanes Oxley Act, 2002, Sections 401 to 403
B. Information Technology Act 2000, Sections 43A
C. Right to Information Security Act, 2006, Section 7A
D. Information Technology Act 2000, Section 72A
KEY D
Justification
Intentional disclosure of information, without the consent of the person concerned and
in breach of lawful contract, is covered under Section 72A of the Information
Technology Act 2000. Hence answer in Option D is correct and the other options are
wrong.
631. A small scale industry has developed an effective, organic mosquito repellent
which shows great promise. Since they had limitations in terms of resources,
capability to scale up operations & marketing, they decided to join hands with a
large marketing company. They signed off on a contract for marketing of their
product, working capital funding and long term product development in the larger
company’s R& D laboratories. They also built in protective clauses on non-
disclosure of manufacturing formula, secret ingredients, etc which were provided
to them as encrypted soft copies. After a few months, the small scale industry
learns that the larger company has begun marketing a me-too product abroad,
manufactured by another unit, utilising the knowledge obtained while
manufacturing the small scale industry’s unique product.
Under the Information Technology Act 2000, what is the potential punishment &
penalty for such intentional disclosure of information, without the consent of the
person concerned and in breach of lawful contract ?
A. Fine of Rs. 3 lacs alone, no imprisonment
B. Imprisonment up to 3 years and fine up to Rs. 5 lacs
C. Imprisonment up to 5 years and fine up to Rs. 10 lacs
D. Fine of Rs. 5 lacs alone, no imprisonment
KEY B
Justification
Under Section 72A of the Information Technology Act 2000, such intentional disclosure of information, without the consent of the person concerned and in breach of lawful contract, is punishable with imprisonment for a term which may extend to 3 years, or with fine which may extend to Rs. 5 lacs, or with both. Hence answer in Option B is correct and the other options are wrong.
632. In addition to giving opinion on the fair presentation of the organization’s
accounts, an independent auditor of an organization is expected to opine on the
effectiveness of internal control over financial reporting as per a particular Act.
This is mandatory as per which Act and which section of the Act ?
A. Information Technology Act 2000, Section 43A
B. Information Technology Act 2000, Section 7A
C. Sarbanes Oxley Act 2002, Section 404
D. Gramm Leach Bliley Act or the Financial Services Modernisation Act 1999,
Section 14A
KEY C
Justification
This is mandatory in the U.S. as per Section 404 of the Sarbanes Oxley Act 2002.
Hence answer in Option C is correct and the other options are wrong.
633. What does Auditing Standard 5 of the Public Company Accounting Oversight
Board (PCAOB) relate to ?
A. Independence & performance of statutory auditors
B. Appointment, removal & terms of the Chief Internal Auditor
C. Audit of Internal control over financial reporting integrated with audit of financial
statements
D. Implementation of enterprise risk management system in the organization
KEY C
Justification
The PCAOB was set up as a non-profit body as per the provisions of the Sarbanes
Oxley Act with the objective of setting up standards of auditing. Auditing Standard 5 of
the PCAOB relates to audit of internal control over financial reporting integrated with
audit of financial statements. Hence answer in Option C is correct and the other options
are wrong.
634. Corporate governance, including internal controls, enterprise risk management,
etc. are covered under the provisions of ______________
A. Clause 49 of the Listing agreement of SEBI
B. Section 43A of the Information Technology Act 2000
C. Section 126A of the Sarbanes Oxley Act 2002
D. Section 14A of the Gramm Leach Bliley Act or the Financial Services
Modernisation Act 1999
KEY A
Justification
Corporate governance, including internal controls, enterprise risk management, etc. are
covered under the provisions of Clause 49 of the Listing agreement of SEBI. Hence
answer in Option A is correct and the other options are wrong.
635. ISO/IEC 27000 is basically a/an ______________
A. Information security standard
B. Auditing related standard
C. Standard for quality in auditing
D. Generic standard for quality in accounting
KEY A
Justification
ISO/IEC 27000 is basically an information security standard, published by the International Organization for Standardization (ISO) jointly with the International Electrotechnical Commission (IEC). It provides the overview and vocabulary for the ISO/IEC 27000 family of information security management system (ISMS) standards; the requirements specification for an ISMS itself is ISO/IEC 27001. Hence answer in Option A is correct and the other options are wrong.
636. Which is the international standard which has laid down the requirements for an information security management system (ISMS)?
A. ISO 21000
B. GAAP 2014
C. ISO/IEC 27001
D. ISO/IEC 24007
KEY C
Justification
ISO/IEC 27001 is the international standard, published by the International Organization for Standardization (ISO) jointly with the International Electrotechnical Commission (IEC), that specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system. Hence answer in Option C is correct and the other options are wrong.
637. Information Technology Assurance Framework (ITAF) ___________
A. Is a good-practice-setting reference standard for audit & assurance
B. Standards are divided into two categories
C. Standards are divided into four categories
D. Is not recognized by ISACA
KEY A
Justification
ITAF has been designed and created by ISACA. It is a good-practice-setting reference
standard for audit and assurance. It is divided into three categories. Hence answer in
Option A is correct and the other options are wrong.
638. Information Technology Assurance Framework (ITAF) standards comprise three
categories, viz. ______________
A. General, IT and non IT standards
B. General, industry specific and non-financial standards
C. General, performance and reporting standards
D. Macro, micro and non-financial standards
KEY C
Justification
The three categories of ITAF are General, Performance and Reporting standards.
Hence answer in Option C is correct and the other options are wrong.
639. General standards under Information Technology Assurance Framework (ITAF)
__________________
A. Fall under the 1100 series of ITAF standards
B. Are the guiding principles under which IS assurance profession operates
C. Relate to the non-financial aspects of audit & assurance
D. Are yet to be validated & approved by ISACA
KEY B
Justification
ITAF has been designed and created by ISACA. The General standards, falling under
the 1000 series, are the guiding principles under which the IS assurance profession
operates. Hence, the answer in Option B is correct and the other options are wrong.
640. Performance standards under Information Technology Assurance Framework
(ITAF) _______________
A. Deal with the minimum performance standards expected of installed software
B. Deal with conduct of the assignment & exercising of professional judgement &
due care
C. Relate to the minimum level of quality of audit to be carried out by IS auditors
D. Fall under the 1400 series of ITAF
KEY B
Justification
ITAF has been designed and created by ISACA. The Performance standards, falling
under the 1200 series, deal with conduct of the assignment & the exercising of
professional judgement & due care. Hence, the answer in Option B is correct and the
other options are wrong.
641. Reporting standards under Information Technology Assurance Framework (ITAF)
_______________
A. Deal with report types, communication means & communicated information
B. Deal with the minimum performance standards expected of installed software
C. Relate to the minimum level of quality of audit to be carried out by IS auditors
D. Fall under the 1200 series of ITAF
KEY A
Justification
ITAF has been designed and created by ISACA. The Reporting standards, falling under
the 1400 series, deal with report types, communication means & communicated
information. Hence, the answer in Option A is correct and the other options are wrong.
642. COBIT 5 _____________
A. Is a framework for governance & management of enterprise IT, excluding risk
aspects
B. Operates through 7 principles
C. Is a framework for governance & management of enterprise IT
D. Can be useful only for large organizations with ERP systems
KEY C
Justification
COBIT is a framework for governance & management of enterprise IT. It helps
organizations manage risk & ensure compliance, continuity, security & privacy. It has 5
KEY principles and can be used in any type of organization, irrespective of size or
nature of business. Hence, the answer in Option C is correct and the other options are
wrong.
643. COBIT 5’s KEY principles _____________
A. Are 3 in number & focus on shareholders’ needs
B. Are 7 in number and applies multiple frameworks to cover the whole organization
C. Are 5 in number & Include meeting stakeholders’ needs
D. Marries the management & governance, creating shared goals & objectives
KEY C
Justification
COBIT5 is a framework for governance & management of enterprise IT. It helps
organizations manage risk & ensure compliance, continuity, security & privacy. It has 5
KEY principles and can be used in any type of organization, irrespective of size or
nature of business. It applies a single integrated framework to address the entire
organization. It deliberately separates governance & management. Hence, the answer
in Option C is correct and the other options are wrong.
644. COBIT 5’s KEY principle of meeting stakeholders’ needs creates value by
_____________
A. Maximizing dividend payout to shareholders
B. Balancing benefits and the optimization of risk & use of resources
C. Reducing costs to the minimum
D. Eliminating risks & avoiding wasteful expenditure
KEY B
Justification
COBIT5 is a framework for governance & management of enterprise IT. It helps
organizations manage risk & ensure compliance, continuity, security & privacy. One of
its 5 KEY principles is meeting stakeholders’ needs. This principle creates value by
balancing the benefits against the optimization of risk & the use of resources. Hence,
the answer in Option B is correct and the other options are wrong.
Module 4
Protection of Information Assets
645. In order to protect its critical data from virus attacks an organisation decides to
limit internet access to its employees. What type of risk response has the
organisation exercised?
A. Mitigate
B. Avoid
C. Accept
D. Transfer
KEY A
A. “Mitigate” is the correct answer. Risk Mitigation primarily focuses on designing
and implementing controls to prevent incidents due to risk materialisation.
B “Avoid” is not correct as the organisation is not avoiding the use of technology to
avoid risks
C “Accept” is not correct as the organisation has not chosen to accept the risk
D “transfer” is not correct as the organisation is not passing on the risk to another
entity
646. A production company decides to insure against production loss due to natural
calamities. What type of response is this classified as?
A. Mitigate
B. Accept
C. Transfer
D. Avoid
KEY C
C “Transfer” is correct as the organisation passes on the risk to the insurance
company.
A: “Mitigate” is not correct as the organisation is not implementing any controls
within itself to reduce the likelihood or impact of the risk
B: “Accept” is not correct as the organisation has not accepted the risk
D “Avoid” is not correct as the organisation has not decided to avoid technology to
minimise risk
647. Implementation of Information system control in an organisation ensures that:
A. Risk is transferred to another entity
B. Desired Outcome from business process is not affected
C. Losses are avoided
D. Incidents due to risk materialisation are avoided
KEY B
B is correct – Information Control includes implementation of policies, procedures and
practices which ensure that the desired outcome from business is not affected
A is not correct – this is a type of risk response
C & D are not correct – They are not a direct result of implementation of controls
648. Which of the following leads to destruction of information Assets such as
hardware, software and critical data?
A. Data error during data entry
B. Non maintenance of privacy with respect to sensitive data
C. Unauthorised access to computer systems
D. Using systems that do not meet user requirements
KEY C
C is correct - Unauthorised access to computer systems, computer viruses,
unauthorised physical access to computer facilities and unauthorised copies of sensitive
data can lead to destruction of assets
A is not correct – data error causes damage to the business process only
B is not correct – non maintenance of privacy does not cause damage to Information
Assets, it infringes on the privacy of the customer
D is not correct – this is a system efficiency objective
649. Maintenance of privacy in relation to data collected by an organisation is very
important because:
A. Errors committed during entry would cause great damage
B. It has an impact on the infrastructure and business competitiveness
C. It can be easily accessed by third parties
D. It contains critical and sensitive information pertaining to a customer
KEY D
D is correct - Today data collected in a business process contains details about an
individual on medical, educational, employment, residence etc.
A B and C are incorrect as these are not related to privacy of data
650. The role of an internal auditor in Information Systems auditing includes:
A. Safeguarding data integrity
B. Attesting management objectives
C. Attesting System effectiveness and system efficiency objectives
D. Implementing control procedures
KEY C
C is correct - management objectives of the internal auditor includes not only attest
objectives but also effectiveness and efficiency objectives.
A & B are incorrect – these are the responsibilities of an external auditor
D is incorrect – this is the responsibility of the organisation
651. What does an external Information Systems auditor focus on?
A. Attesting objectives that focus on asset safeguarding and data integrity
B. Attesting system effectiveness
C. Attesting system efficiency
D. Implementing control procedures
KEY A
A is correct - Information systems auditing is the process of attesting objectives (those
of the external auditor) that focus on asset safeguarding and data integrity
B & C are incorrect – attesting system effectiveness and system efficiency objectives
are the responsibilities of an internal auditor
D is incorrect. This is the responsibility of the organisation
652. By auditing the characteristics of the system to meet substantial user
requirements, which control objective does an IS Auditor attest?
A. Data integrity objectives
B. System Effectiveness Objectives
C. Asset safeguarding objectives
D. System efficiency objectives
KEY B
B is correct - Effectiveness of a system is evaluated by auditing the characteristics and
objective of the system to meet substantial user requirements.
A is incorrect – the auditor checks the extent of access to information and the value of
data to business
C is incorrect – the auditor assesses the internal controls to protect software and
hardware
D is incorrect – the auditor assesses the optimal usage of system resources
653. A statement of purpose achieved by implementing control procedures in a
particular IT process is defined as:
A. IS Control framework
B. Internal Controls
C. Control Objective
D. Preventive Controls
KEY C
C is correct - Control objective is defined as “A statement of the desired result or
purpose to be achieved by implementing control procedures in a particular IT process or
activity”
B is incorrect – it is the basic outline of the policies of the organisation towards IS
control
A & D are incorrect – these are the steps taken by the organisation to protect
information and system assets
654. Which of the following is an example of technical implementation of Internal
Control?
A. Outlining policies that safeguard information assets
B. Installing a security guard in the premises to restrict entry of unauthorised
persons
C. Locking the room containing sensitive documents
D. Investing in tools and software to restrict unauthorised access to information
KEY D
D is correct - investing in tools and software that restrict unauthorised access is an
example of technical implementation
A is incorrect – outlining policies is an example of administrative implementation
B & C are incorrect – security guards and locked rooms are examples of physical
implementation
655. What are preventive controls?
A. those mechanisms which refer unlawful activities to the appropriate person/group
B. those controls which attempt to predict potential problems before they occur
C. those mechanisms which modify the processing system to minimise error
occurrences
D. those controls which correct the error arising from a problem
KEY B
B is correct - Preventive controls attempts to predict problems before they occur and
make necessary adjustments. They are designed to protect the organisation from
unauthorised activities
A is incorrect – this is a characteristic of detective control
C & D are incorrect – these are characteristics of corrective control
656. What are detective controls?
A. Provision for control of probable threats from materializing
B. Those controls that are designed to detect errors, omissions or malicious acts
C. Those controls which assess probable threats
D. Those controls which minimise the impact of threat
KEY B
B is correct - These controls are designed to detect errors, omissions or malicious acts
that have occurred and to report the occurrence.
A & C are incorrect – this is a characteristic of preventive control
D is incorrect – this is a characteristic of corrective control
657. What are corrective controls?
A. Those controls that correct an error once it has been detected
B. Those mechanisms which provide a clear understanding of the vulnerabilities of
an asset
C. Surprise checks by an administrator
D. Those mechanisms by which the management gets regular reports of spend to
date against a profiled spend
KEY A
A is correct - These controls are designed to reduce the impact or correct an error once
it has been detected.
B is incorrect – this is a characteristic of preventive control
C is incorrect – this is a characteristic of detective control
D is incorrect – this is an example of detective control
658. An organisation decides to control the access to a software application by
segregating entry level and updation level duties. What type of internal control
does this amount to?
A. Preventive Control
B. Detective Control
C. Corrective Control
D. physical implementation of a control
KEY A
A is correct - Examples of preventive controls include – employing qualified personnel,
segregation of duties, access control, documentation etc.
B and C are incorrect – detective and corrective controls are not designed to predict
potential problems
D is incorrect – physical implementation of a control includes only physical aspects like
security guards and locked rooms
659. Under which type of control mechanism does taking a back up of everyday
activity classify as?
A. Detective Control
B. Preventive control
C. Corrective control
D. Administrative Implementation of Control
KEY C
C is correct – Examples of Corrective Controls are - contingency planning, backup and
restoration procedure, rerun procedure, procedure for treating error, etc.
A & B are incorrect – Detective and Preventive controls are not designed to reduce the
impact or correct an error once it has been detected.
D is incorrect – Administrative implications of controls are items such as policies and
processes
660. As an IS auditor, how would you rate a computerised detective control which is
moderately efficient and with corresponding corrective action?
A. High
B. Low
C. Moderate
D. Blank
KEY A
A is correct - Computerised control which is most effective, generally controls that are
computerized and applied before processing can take place; moderately efficient, with
corresponding corrective action are rated as “High”
B, C and D are incorrect –
Moderate- Controls implemented over a cause of exposure/error type and is moderately
effective.
Low-Controls implemented over a cause of exposure/error type but have low
effectiveness.
Blank- Controls not implemented or does not exist to that cause or exposure or error
type.
661. As an IS auditor, how would you rate a least effective and inefficient manual
detective control without corrective action?
A. High
B. Low
C. Blank
D. Moderate
KEY C
C is correct - A manual control which is least effective and inefficient, generally a
manual control applied at the front-end of processing with no corresponding corrective
action, is rated as “Blank”
A, B & D are incorrect –
High- Controls implemented over a cause of exposure/error type and should be highly
effective.
Moderate- Controls implemented over a cause of exposure/error type and is moderately
effective.
Low-Controls implemented over a cause of exposure/error type but have low
effectiveness.
662. Which of the following describes the role of a risk owner?
A. Ensuring that all control objectives that focus on asset safeguarding and data
integrity are attested
B. Ensuring that the risk response is effective enough and is translated into actions
that will prevent and/or detect the risk.
C. Ensuring that all system effectiveness and system efficiency objectives are
attested
D. Ensuring that risk associated with a certain activity is mitigated either by reducing
likelihood or reducing impact
KEY B
B is correct - Generally owner is a person or position within the organization that has
close interest about the processes affected due to risk. The person responsible needs
to ensure that the risk response is translated into actual day-to-day actions that will
prevent and/or detect the risk.
A, C and D are incorrect – These are the roles of IS auditors
663. The process of Information Security does not end with implementation of risk
responses. The next step is to:
A. Facilitate to conduct risk assessment workshops
B. Ensure that KEY business risks are being managed appropriately
C. Plan the audit cycle according to the perceived risk
D. Ensure that the identified risk stays within an acceptable threshold
KEY D
D is correct - After implementation of the risk responses and management techniques,
the managers need to monitor the actual activities to ensure that the identified risk stays
within an acceptable threshold.
A, B and C are incorrect – these are the roles that an auditor has to perform in view of
control assessment
664. What process must an organisation follow to ensure that the identified risk stays
within the acceptable limits?
A. Evaluate the efficiency of the objectives of controls
B. Designing an effective internal control framework
C. Periodic review of the risk assessment exercise and proactive review of possible
risks
D. Optimise the use of various information resources
KEY C
C is correct - To ensure that risks are reviewed and updated organizations must have a
process that will ensure the review of risks. Periodic review: the risk assessment
exercise may be conducted after predefined period say annual. Change management
processes proactively review the possible risks and ensure they are part of
organization’s risk register.
A B and D are incorrect – these are steps to be taken towards identifying, assessing
risks and implementing internal controls
665. How does an IS auditor prioritise the controls that needs to be tested?
A. By reviewing the control catalogue (which is a collective record of all controls
implemented)
B. By reviewing control procedure documents
C. By facilitating risk assessment workshops
D. Planning the audit cycle according to the risks perceived
KEY A
A is correct - The first step in control’s assessment is to review the control catalogue
(which is a collective record of all controls implemented) and ensure that associated risk
is mitigated either by reducing likelihood or reducing impact or both.
B is incorrect – the control procedure documents are reviewed only after the control
catalogue has been reviewed
C and D are incorrect – These are the roles of an auditor with respect to Information
risk management
666. In case of control self assessment, who does the actual testing of controls?
A. The owner of the identified risk for which the control has been implemented
B. Internal auditor, during the audit cycle as planned
C. Staff whose day-to-day role is within the area of the organisation
D. External auditor, while reviewing the management of KEY risks
KEY C
C is correct - In case organization has implemented control self-assessment, the actual
testing of the controls is performed by staff whose day-to-day role is within the area of
the organisation that is being examined as they have the greatest knowledge of how the
processes operate.
A is incorrect – though he/she is the risk owner, it is appropriate that the person who is
actually involved in the activity does the self- assessment
B and D are incorrect – they are external to the specified activity and are not eligible to
do the self- assessment.
667. Of the below mentioned roles, which one should an auditor refrain from
performing?
A. Giving assurance that the risks are being evaluated correctly
B. Implementing risk response on management’s behalf.
C. Evaluating the risk management process
D. Reviewing the management of KEY risks
KEY B
B is correct - This is the job of the management, an auditor only needs to review the risk
response
A, C and D are incorrect – these are the roles of an IS auditor
668. Of the below mentioned roles, which one of the following should be performed by
an IS auditor?
A. Set the risk appetite
B. Impose risk management process
C. Evaluate Risk Management process
D. Take decision on risk responses
KEY C
C is correct - Evaluating the risk management process is the KEY role of an IS auditor
A, B and D are incorrect – these are the roles of the management and the risk owner.
669. A data centre housing about 200 employees is involved in handling businesses
processes of multinational companies. For security reasons, it decides to shift its
network server and mail server to a secluded room with restricted entry. What
kind of internal control is this?
A. Manual Preventive Control
B. Manual Detective Control
C. Computerised Preventive Control
D. Computerised Corrective Control
KEY A
A is correct - This is a preventive control which is designed to protect the data and mail
servers from unauthorised access. Moreover, it is a manual control as the servers are
physically moved to a secluded room.
B, C and D are incorrect – The action does not fall under any of these categories, for
the reasons mentioned above.
670. A company depends on an MIS given to it by an outsourced vendor to identify
payment defaulters and fine them. On further investigation into the correctness
of the data supplied, the IS auditor finds that, although a lot of mistakes are prone
to happen at the entry level, there are computerised controls at the vendor's end and
also at the company's end at the processing level to minimise these. As an IS auditor,
how would you rate the efficiency of these controls?
A. Blank
B. Low
C. Moderate
D. High
KEY D
D is correct – Computerised corrective controls are applied before processing and
hence the efficiency of the controls is high
A, B and C are incorrect – The company is not relying on unchecked information. The
information is checked not by a manual corrective control but by a computerised
corrective control. Hence the efficiency cannot be rated as blank, low or moderate.
671. The HR department of a company pays its employees' medical claims subject to a
maximum limit per employee per year. For this, it relies on data pertaining to a full
year downloaded through the appropriate software. However, it does not have a
proper backup or restoration procedure in place. How will an IS auditor rate this?
A. High control
B. Low Control
C. Blank Control
D. Moderate Control
KEY B
B is correct - Here there is no corrective control in case of loss of data, and there is no
way the department can ascertain how much it has paid an employee in a year.
A, C and D are incorrect – for the reason mentioned above
672. A data centre handling outsourced operations decides to set up a parallel facility
for its critical activities at a place other than its present place of operations.
This is done with the intention of facilitating the return of business to normal levels
in case of natural disasters or unforeseen events. Under what security
policy is this categorised?
A. Business Continuity Management Policy
B. Acceptable use of Information Assets policy
C. Physical Access and Security Policy
D. Asset Management Policy
KEY A
A is correct - This policy defines the requirements to ensure continuity of business
critical operations. It is designed to minimize the impact of an unforeseen event (or
disaster) and to facilitate return of business to normal levels.
B is incorrect - An acceptable use policy (AUP), also known as an Acceptable Usage
policy or Fair Use policy, is a set of rules applied by the owner or manager of a network,
website or large computer system that restrict the ways in which the network, website or
system may be used.
C is incorrect - Physical security describes security measures that are designed to
restrict unauthorized access to facilities, equipment and resources, and to protect
personnel and property from damage or harm (such as espionage, theft, or terrorist
attacks).
D is incorrect – This policy defines the requirements for Information Asset protection.
It includes assets like servers, desktops, handhelds, software, network devices etc.
Besides, it covers all assets used by an organization, owned or leased.
673. What are the three key objectives of Information Security Management (CIA
Triad)?
A. Compliance, Integrity and Availability
B. Confidentiality, Information Security and Availability
C. Confidentiality, Integrity and Availability
D. Confidentiality, Integrity and Asset Management
KEY C
C is correct - Protection of information assets includes the key components that ensure
confidentiality, integrity and availability (CIA) of information assets. The three key
objectives of Information Security Management, viz. Confidentiality, Integrity and
Availability, are also called the CIA Triad.
A, B and D are incorrect – Though important for Information Security, these are not the
key components.
674. What does “Integrity” mean with respect to Information Security Management?
A. No data/information or programs shall be allowed to be modified by anyone
without proper authority.
B. No data or information is made available to any person within or outside the
organization, other than the persons who are authorized to use that data.
C. All Information Systems, including hardware, communication networks, software
applications and the data they hold, are available to authorized users to carry out
business activities.
D. Executive management endorsement of intrinsic security requirements to ensure
that security expectations are met at all levels of the enterprise
KEY A
A is correct – This is the correct definition as per paragraph 2.1 of the chapter
B and C are incorrect – these are definitions of “Confidentiality” and “Availability”
D is incorrect – this clause pertains to Senior Management Commitment and support
675. What provides the basis for ensuring that information security expectations are
met at all levels of an enterprise?
A. Adopting an internationally recognized reference framework to establish an
Information Security framework
B. Successful establishment and endorsement of intrinsic security measures by the
senior management
C. Prioritising expenditures to mitigate risks and avoid spending more resources in
assessing risks
D. Ensuring that the framework followed to implement, maintain, monitor and
improve Information Security is consistent with the organisational culture.
KEY B
B is correct - Commitment and support from senior management are important for
successful establishment and continuance of an information security management
program.
A, C and D are incorrect – These are some of the other critical success factors for
Information Security Management.
676. How does an enterprise ensure that the information present in any of its business
processes is protected and secure?
A. By ensuring that the framework followed to implement, maintain, monitor and
improve Information Security is consistent with the organisational culture.
B. By adopting an internationally recognized reference framework to establish an
Information Security framework
C. By spending resources widely and transparently
D. By establishing and enforcing an Information Security Program
KEY D
D is correct - Information Security program focuses on protecting information present in
business processes. Establish a program to improve Information Security management
enterprise-wide and enforce it.
A, B and C are incorrect – These are other critical success factors for Information
Security Management.
677. How does an enterprise demonstrate to staff, customers and trading partners that
their data is safe?
A. By establishing and enforcing an Information Security Program
B. By ensuring that the framework followed to implement, maintain, monitor and
improve Information Security is consistent with the organisational culture.
C. Adopting an information security standard
D. By spending resources widely and transparently
KEY C
C is correct - Adopting an information security standard serves to demonstrate to staff,
customers and trading partners that their data is safe, and that there is independent
verification of this fact.
A, B and D are incorrect – These are other critical success factors for Information
Security Management.
678. The IS policy of an enterprise that talks about protecting non-public personal
information from unauthorised use, corruption, disclosure and distribution is:
A. Acceptable usage policy or Fair Use policy
B. Data classification and Privacy Policy
C. Physical Access and Security policy
D. Asset Management Policy
KEY B
B is correct - The policy of the organization to protect against the unauthorized access,
use, corruption, disclosure and distribution of non-public personal information in its
possession, and to comply with all applicable laws and regulations regarding such
information, is termed the Data Classification and Privacy Policy
A is incorrect – An acceptable use policy is a set of rules applied by the owner or
manager of a network, website or large computer system
C is incorrect – Physical security describes security measures that are designed to
restrict unauthorized access to facilities, equipment and resources
D is incorrect - This policy defines the requirements for Information Asset’s protection
679. The policy which restricts the ways in which the network, website or system may
be used by a user of an enterprise is termed as:
A. Acceptable usage policy or Fair Use policy
B. Physical Access and Security policy
C. Asset Management Policy
D. Business Continuity Management Policy
KEY A
A is correct - An acceptable use policy (AUP), also known as an Acceptable Usage
policy or Fair Use policy, is a set of rules applied by the owner or manager of a network,
website or large computer system that restrict the ways in which the network, website or
system may be used.
B is incorrect – Physical security describes security measures that are designed to
restrict unauthorized access to facilities, equipment and resources
C is incorrect - This policy defines the requirements for Information Asset’s protection
D is incorrect - This policy defines the requirements to ensure continuity of business
critical operations.
680. The IS policy which talks about protecting personnel and physical property from
damage or harm is termed as:
A. Asset Management policy
B. Business Continuity Management policy
C. Physical access and security policy
D. Password policy
KEY C
C is correct - Physical security describes security measures that are designed to restrict
unauthorized access to facilities, equipment and resources, and to protect personnel
and property from damage or harm (such as espionage, theft, or terrorist attacks).
A is incorrect - This policy defines the requirements for Information Asset’s protection
B is incorrect - This policy defines the requirements to ensure continuity of business
critical operations.
D is incorrect - This policy defines high-level configuration of password to be used
within organization to access the information assets.
681. What is the IS policy that defines the requirements for Information Assets
protection?
A. Business Continuity Management Policy
B. Asset Management Policy
C. Network Security Policy
D. Password policy
KEY B
B is correct - This policy defines the requirements for Information Asset protection. It
includes assets like servers, desktops, handhelds, software, network devices etc.
Besides, it covers all assets used by an organization, owned or leased.
A is incorrect - This policy defines the requirements to ensure continuity of business
critical operations.
C is incorrect - A network security policy defines the overall rules for the organisation's
network access
D is incorrect - This policy defines high-level configuration of password to be used
within organization to access the information assets.
682. The characteristics of a strong password that protects information assets should
be:
A. Maximum 8 characters, case specific
B. Minimum 8 characters, only alpha numeric
C. Minimum 8 characters, only alphabets and easy to remember
D. Minimum 8 characters, case specific and containing special characters
KEY D
D is correct - The password policy defines high-level configuration of password to be
used within organization to access the information assets. For example:
• Password length must be more than 8 characters
• Password must be complex containing upper case, lower case, numeric and
special characters
• Password must be changed regularly
• Password should not be used again for minimum period
• Password should not be changed in consecutive sequence
A, B and C are incorrect – These are not the characteristics of a strong password
683. What should be done to ensure that security policies are in tune with the
management’s intent?
A. Change passwords regularly
B. Restrict unauthorised access to facilities
C. Review the security policies periodically
D. Hold non public personal information in strict confidence
KEY C
C is correct - Information security policies need to be maintained and updated regularly.
Changes in the business may require revisiting the security requirements and, hence, the
policies. It is therefore necessary to review the security policies periodically to ensure
that they are in line with the management's intent.
A, B and D are incorrect – These are parts of an information security policy
684. Policies are generic and sometimes cannot be enforced in specific situations. Can
there be a relaxation of adherence to policy in such cases?
A. Yes. But, it is necessary to ensure that there are suitable compensating controls
B. Yes. Policies can be relaxed in case of such situations unconditionally
C. No. Under no circumstances can an Information Security policy be relaxed
D. Yes. Adherence to the policy can be relaxed for an indefinite period for the
specific activity only.
KEY A
A is correct - In such situations it is necessary to ensure there are suitable
compensating controls so that the risks mitigated by enforcement of policy are within
acceptable limits.
B, C and D are incorrect – Policies can be relaxed for a specific period provided the
exceptions are appropriately approved, and these exceptions must be reviewed
periodically.
685. Standards, Guidelines and Procedures are the three elements of policy
implementation. In what order should they be followed for proper
implementation?
A. Guidelines, Procedures and Standards
B. Procedures, Standards and Guidelines
C. Standards, Guidelines and Procedures
D. Guidelines, Standards and Procedures
KEY C
C is correct - The next level down from policies is the three elements of policy
implementation given here:
• Standards: Specify the uniform way for the use of specific technologies in an
organization.
• Guidelines: Similar to standards; they refer to the methodologies of securing
systems, but they are only recommended actions and are not compulsory.
• Procedures: Contain the detailed steps that are followed to perform a specific task.
Procedures are the detailed actions that must be followed.
A, B and D are incorrect – These do not specify the correct levels of implementation.
Unless standards are set, guidelines cannot be recommended. Unless guidelines are
recommended, procedures cannot be outlined for implementing policies.
686. With respect to Information Security, what does ‘Segregation of Duties’ mean?
A. No individual, of whatever seniority in the organization, should have the ability to
carry out every step of a sensitive business transaction.
B. The responsibility of powerful and key access to the system should not be
carried out by one person alone.
C. No person should be kept in one particular post for too long
D. Organisations should avoid situations where an individual becomes indispensable
to the business
KEY A
A is correct - No individual, of whatever seniority in the organization, should have the
ability to carry out every step of a sensitive business transaction. Access to too many
functions enables staff to carry out a fraudulent transaction and hide their tracks.
B is incorrect – This pertains to the ‘Four Eyes’ or ‘Two Person’ principle
C is incorrect – This pertains to rotation of duties
D is incorrect – This pertains to 'Key Man' policies
687. In a bank, the chest in which cash is kept has to be opened with two keys, one
which is in the control of the manager and the other which is in the control of the
accountant/sub manager. Under what security rule does this aspect classify?
A. Segregation of Duties
B. The ‘Four Eyes’ or ‘Two Person’ principle
C. Rotation of Duties
D. 'Key Man' policies
KEY B
B is correct - To reduce the opportunities for any person to breach security, those
responsibilities and duties which would afford particularly powerful access to the
system, or which act at key control points, should not be carried out by one person
alone.
A, C and D are incorrect – These are other security rules designed for implementation
of IS policies
688. An organisation which is IS compliant requires its employees to take two weeks'
consecutive mandatory leave. Under which security rule does this feature fall?
A. Rotation of duties
B. 'Key Man' policies
C. Two person principle
D. Segregation of duties
KEY A
A is correct - No one person should be kept in one particular post for too long,
especially if that appointment involves any particular security responsibilities or
opportunities for dishonesty. A similar rule should insist that staff take at least two
consecutive weeks' holiday in any year, as experience has shown that many frauds
need continual masking by the perpetrator and may surface when the individual is
away.
B, C and D are incorrect – These are other security rules designed for implementation
of IS policies
689. Every corporate asset, building, item of equipment, bank account and item of
information should have a clearly defined ‘owner’. What are the responsibilities of
the owner of such assets?
A. Adding and deleting user identifiers from the system
B. Defining security responsibilities for every person in the organization
C. Ensuring that the asset is well maintained, accurate and up to date
D. Establishing and Implementing an effective IS program
KEY C
C is correct - The owner should have a defined set of responsibilities.
• Ensuring that computer rooms are kept clean and tidy
• Ensuring that equipment is well maintained and kept operational
• Ensuring that an item of data used by the organization is accurate and up to date.
A, B and D are incorrect – These are steps to ensure that Information Security is
implemented in an organisation.
690. When an owner is not able to manage a particular asset on a day to day basis, the
responsibility is passed on to a custodian. Which of the following is an example
of a custodian?
A. a vendor responsible for an outsourced activity
B. data center controlling access to production data
C. a subordinate doing the function of an owner during his absence
D. an auditor auditing the effectiveness of an asset
KEY B
B is correct - The owner should clearly state the requirements, the responsibilities and
associated levels of authority of the custodian and final management responsibility will
always reside with the owner. Examples of custodian include a data center operations
function controlling access to production data, and a computer bureau running an
application for a client.
A, C and D are incorrect – these are not examples of a custodian. They pertain to the roles
of other players in Information Security Management.
691. The actual security mechanism has its application in certain key tasks of security
systems. What are these tasks called?
A. Organisational control
B. Backup data
C. Control points
D. Operating System
KEY C
C is correct - In all security systems there are key tasks which can be called control
points. It is at these control points that the actual security mechanism has its
application.
A is incorrect – this is the control that an organisation places to secure its information
assets
B is incorrect – this is a procedure that is adopted for safeguarding critical data
D is incorrect – An operating system is software that manages computer hardware and
software resources
692. Name the participant which ensures that all stakeholders impacted by security
considerations are involved in the Information Security Management process.
A. Steering committee
B. Information Owner
C. Information Custodian
D. System Owner
KEY A
A is correct - It serves as an effective communications channel and provides an ongoing
basis for ensuring the alignment of the security program with business objectives. It can
also be instrumental in achieving modification of behavior toward a culture more
conducive to good security.
B is incorrect - Information Owner (also called Data Owners) is responsible for a
company information asset.
C is incorrect – Information custodian is assigned the task of implementing the
prescribed protection defined by the security procedure
D is incorrect – The system owner is responsible for one or more systems, each of
which may process and store data owned by different information owners.
693. Name the participant who ensures that security controls have been implemented
in accordance with the information classification.
A. Information Custodian
B. Information Owner
C. System Owner
D. Process Owner
KEY B
B is correct - Information Owner (also called Data Owners) is responsible for a
company information asset. The responsibilities are generally assigned to
person/position that owns business process.
A is incorrect - Information custodian is assigned the task of implementing the
prescribed protection defined by the security procedure
C is incorrect – The system owner is responsible for one or more systems, each of
which may process and store data owned by different information owners.
D is incorrect – This person is responsible for the implementation, management and
continuous improvement of a process that has been defined to meet a business
requirement.
694. Name the participant who ensures safe keeping of information on behalf of the
information owner.
A. System Owner
B. Process Owner
C. Information Custodian
D. System Administrator
KEY C
C is correct - The information custodian is assigned the task of implementing the prescribed
protection defined by the security procedure and top level/senior management
decisions. Among other activities, the information custodian also performs the following
activities:
• Ensuring safe keeping of information on behalf of information owner
• Providing access to users that are approved by owners
• Running regular backups and routinely testing from backup data
• Performing data restoration activity from the backups when necessary
A is incorrect – The system owner is responsible for one or more systems, each of
which may process and store data owned by different information owners.
B is incorrect – This person is responsible for the implementation, management and
continuous improvement of a process that has been defined to meet a business
requirement.
D is incorrect - System Administrator is the one with administrative / root level privileges
of the Operating systems like Windows, Unix etc.
695. Whose responsibility is it to ensure that adequate security is built once the
applications and systems have been acquired and are ready for use in the
production department?
A. System Owner
B. Process Owner
C. System Administrator
D. User Manager
KEY A
A is correct - A system owner is responsible for:
• Integrating security considerations into application and system purchasing
process and decisions.
• Ensuring that adequate security is built or defined once the applications and
systems have been acquired and are ready for use in production environment.
• Ensuring that the systems are properly assessed for vulnerabilities and report
any to the incident response team and information owner.
B is incorrect – This person is responsible for the implementation, management and
continuous improvement of a process that has been defined to meet a business
requirement.
C is incorrect - System Administrator is the one with administrative / root level privileges
of the operating systems like Windows, Unix etc.
D is incorrect - User manager is the immediate manager or reporting manager of an
employee.
696. Who is the person responsible for creating new system user accounts and
changing permissions of existing user accounts?
A. User Manager
B. System Administrator
C. Super User
D. Security Manager
KEY B
B is correct - A system administrator is responsible for:
• Creating new system user accounts,
• Changing permissions of existing user accounts,
• Implementing new security software,
• Testing security patches and updates, and
• Resetting user passwords.
A is incorrect - User manager is the immediate manager or reporting manager of an
employee.
C is incorrect – Super User is the person with the highest level of authorization access,
who can make any transaction and master setup activity immediately and sets the
conditions for transaction approvals, financial daily limits of each transaction type, and
classifies and authorizes other Users.
D is incorrect - Security manager is responsible for defining security strategy and
policies for the organization.
697. Who holds the ultimate responsibility for all user IDs and information assets
owned by the company's employees?
A. Super User
B. Security Manager
C. Steering Committee
D. User Manager
KEY D
D is correct - User manager is the immediate manager or reporting manager of an
employee. They have ultimate responsibility for all user IDs and information assets
owned by company employees.
A is incorrect – Super User is the person with the highest level of authorization access,
who can make any transaction and master setup activity immediately and sets the
conditions for transaction approvals, financial daily limits of each transaction type, and
classifies and authorizes other Users.
B is incorrect - Security manager is responsible for defining security strategy and
policies for the organization.
C is incorrect - A steering committee comprises senior representatives of affected
groups. This facilitates achieving consensus on priorities and trade-offs. It also serves
as an effective communications channel and provides an ongoing basis for ensuring the
alignment of the security program with business objectives.
698. Who is responsible for defining security strategy and policies for an
organisation?
A. Steering Committee
B. Information Owner
C. Security Manager
D. Information Custodian
KEY C
C is correct - Security manager is responsible for defining security strategy and policies
for the organization. The manager also ensures defining roles and responsibilities.
A is incorrect - A steering committee comprises senior representatives of affected
groups. This facilitates achieving consensus on priorities and trade-offs. It also serves
as an effective communications channel and provides an ongoing basis for ensuring the
alignment of the security program with business objectives.
B is incorrect - Information Owner (also called Data Owners) is responsible for a
company information asset. The responsibilities are generally assigned to
person/position that owns business process.
D is incorrect - Information custodian is assigned the task of implementing the
prescribed protection defined by the security procedure
699. What is the role of Human Resources Security when the employment of a person
is terminated?
A. Ensure that access to sensitive data is revoked immediately
B. Define appropriate access to sensitive information for another person
C. Send regular updates in an effort to safeguard the data which was in their
possession
D. Educate the terminated employee to prevent data disclosure to 3rd parties
KEY A
A is correct - To prevent unauthorized access to sensitive information, access must be
revoked immediately upon termination/separation of an employee, and of 3rd parties with
access to such information. This also includes the return of any assets of the
organization that were held by the employee.
B is incorrect – Before granting access to a replacement, the access of the leaving
employee should be revoked
C and D are incorrect – these are wrong steps; a terminated employee should not have
access to sensitive data
700. What is 'Acknowledge Policy' with regard to a Security Awareness training
program?
A. All employees are required to undergo security awareness training
B. All employees and third parties having access to sensitive information have to
complete training at least once a year
C. All employees are required to acknowledge that they have read and understood
the organization's information security / acceptable use policy.
D. All employees have to go through a formal induction process designed to
introduce the organisations security policies
KEY C
C is correct - Acknowledge Policy ensures that all employees are required to
acknowledge that they have read and understood the organization's information security
/ acceptable use policy.
A, B, and D are incorrect – These are other important considerations for a security
awareness training program
701. What is the primary goal of configuration management?
A. Ensuring that changes to the system do not unintentionally diminish security
B. Mitigate the impact that a change might have on the security of other systems
C. Configuring systems to meet the security requirement of the organisation
D. Updating the software with the latest versions of all applications
KEY A
A is correct - The primary security goal of configuration management is to ensure that
changes to the system do not unintentionally diminish security.
B is incorrect – This is also a goal of configuration management, though not primary
C and D are incorrect – These are not goals, they form part of configuration
management
702. What is the objective of a non-disclosure agreement?
A. Identify functional and physical characteristics of each configuration setting
B. Impose limitations on like organisations that operate in the same competitive
space
C. Creates a confidential relationship between parties to protect any type of
confidential information
D. Follow a checklist to address whether any of the security holes remain unplugged
KEY C
C is correct - A non-disclosure agreement (NDA), also known as a confidentiality
agreement (CA), is a legal contract between at least two parties that outlines
confidential material, knowledge, or information that the parties wish to share with one
another for certain purposes, but wish to restrict access to or by third parties.
A, B and D are incorrect – these are some of the issues and challenges of IS
Management
703. What is the primary cause for lack of integration in system and security design?
A. inadequacy of checklists as a means to address security concerns
B. limitations imposed on like organizations that operate in its competitive space
C. the challenge of finding the right balance between protecting the organization’s
core assets and processes and enabling them to do their job
D. systems and security design are undertaken in parallel rather than in an
integrated manner
KEY D
D is correct - Development duality is a phenomenon where systems and security design
are undertaken in parallel rather than in an integrated manner.
A, B and C are incorrect – These are other issues and challenges of IS management
704. What is a Denial-of-Service attack?
A. An attempt to make a machine or network unavailable to its intended users.
B. Unauthorized access to an organisation’s internal network.
C. Illegal copying of software.
D. Creation of Internet Protocol (IP) packets with a forged source IP address
KEY A
A is correct - A Denial-of-Service attack (DoS) is an attempt to make a machine or
network unavailable to its intended users. This causes legitimate users to not be able to
get on the network and may even cause the network to crash.
B is incorrect - unauthorized access to an organisation’s internal network is referred to
as Network Intrusion
C is incorrect – Illegal copying of software is referred to as Software Piracy
D is incorrect – creation of Internet Protocol (IP) packets with a forged source IP
address, with the purpose of concealing the identity of the sender or impersonating
another computing system is termed as ‘spoofing IP addresses’.

283
DISA Review Questions, Answers Manual

705. What is ‘Phishing’?
A. Unauthorized real-time interception of a private communication
B. Attempting to obtain otherwise secure data by conning an individual into
revealing secure information
C. Trying to obtain information like user ID and password for bank accounts, credit
card pin etc. using electronic communication means
D. Exploiting vulnerabilities of a system to gain unauthorized access to system or
resources
KEY C
C is correct - Phishing is the act of trying to obtain information like user ID and
password for bank accounts, credit card pin etc. using electronic communication means
like emails, fake websites etc.
A is incorrect - unauthorized real-time interception of a private communication is called
eavesdropping
B is incorrect - attempting to obtain otherwise secure data by conning an individual into
revealing secure information is called Social Engineering
D is incorrect – exploiting vulnerabilities of a system to gain unauthorized access to
system or resources like a website, bank accounts etc. is called hacking
706. What are ‘botnets’?
A. underground network established by hackers by sending malware
B. targeted attack that continues for a sustained period for about a year or more
C. attacks that are specifically targeted to selected organization
D. changing of data before or during entry into the computer system
KEY A
A is correct - Botnets: Acronym for robotic network. An underground network
established by hackers by sending malware. This malware goes undetected since it is
part of targeted attack.
B is incorrect - A type of targeted attack that continues for a sustained period for about
a year or more is called Advanced Persistent Threat (APT)
C is incorrect - attacks that are specifically targeted to selected organization are called
‘targeted attacks’.
D is incorrect - changing of data before or during entry into the computer system is
called ‘data diddling’.
707. What should be done to minimise damage from security incidents and to
recover from them?
A. Report an incident to an appropriate authority to know what action should be
taken
B. Handle the incident independently and follow it up if required
C. Establish a formal incident response capability and centralise it with the key
roles and responsibilities
D. Plan and prepare a response system proactively in case of the occurrence of an
incident
KEY C
C is correct - Establishing a formal incident response capability and coordinating it
within the organisation to include all key roles and responsibilities is the proper way to
minimise damage from security incidents
A and B are incorrect – These are some of the actions to be taken while addressing a
security incident
D is incorrect – This is the first phase of an incident response capability
708. Generating a higher level of compliance by creating realistic workable policies is
one way of increasing compliance to security policies. Which guideline of
implementation does this fall under?
A. Simplify enforcement
B. Increase Awareness
C. Communicate Effectively
D. Integrate Security with corporate culture
KEY A
A is correct – Simplifying enforcement means convincing employees to comply with
every policy. Generating a higher level of compliance by creating realistic, workable
policies shall help.
B, C and D are incorrect – these are other guidelines to improve employee compliance
of security policies
709. As part of auditing Information Security of a multinational bank, an auditor wants
to assess the security of information in ATM facilities. Under which privacy policy
should he look for details pertaining to security guards and CCTV surveillance of
ATMs?
A. Acceptable use of Information Assets Policy
B. Physical Access and Security Policy
C. Asset Management Policy
D. Business Continuity Management Policy
KEY B
B is correct - Physical security describes security measures that are designed to restrict
unauthorized access to facilities, equipment and resources, and to protect personnel
and property from damage or harm (such as espionage, theft, or terrorist attacks).
Physical security involves the use of multiple layers of interdependent systems which
include CCTV surveillance, security guards, biometric access, RFID cards, access
cards, protective barriers, locks, access control protocols, and many other techniques.
A is incorrect - An acceptable use policy (AUP), also known as an Acceptable Usage
policy or Fair Use policy, is a set of rules applied by the owner or manager of a network,
website or large computer system that restrict the ways in which the network, website or
system may be used.
C is incorrect – This policy defines the requirements for Information Asset’s protection.
It includes assets like servers, desktops, handhelds, software, network devices etc.
Besides, it covers all assets used by an organization- owned or leased.
D is incorrect – This policy defines the requirements to ensure continuity of business
critical operations. It is designed to minimize the impact of an unforeseen event (or
disaster) and to facilitate return of business to normal levels.
710. You work in a company which has strict Information Security Procedures. One of
the requirements which you have to adhere to is setting a strong login password.
Which of the following is an example of a strong password?
A. Abcde
B. Rosy98
C. 31567
D. qqbRqs$W
KEY D
D is correct - According to the password policy, the password length must be more than 8
characters and the password must be complex, containing upper case, lower case, numeric
and special characters.
A, B, and C are incorrect – For the same reasons as mentioned above
711. The customer data for the loyalty card issued by a retail store is picked from a
form filled by the customer. The data from the form is entered into software by
data entry operators who report to a manager. In order to protect customer data,
segregation of duties is built into the software in such a way that the operators
have permission only to enter data. Any editing or modification can be done only
by the manager. It so happens that the manager quits his employment and the
store elevates the position of one of the operators to that of a manager. Who do
you think is responsible for removing the permission of the exiting manager and
changing that of the new manager?
A. Information Owner
B. New Manager
C. System Administrator
D. Information Owner
KEY A
A is correct - System Administrator is the one with administrative / root level privileges
of the Operating systems like Windows, Unix etc. This means that they can add and
remove permissions and set security configurations. A system administrator is
responsible for:
• Creating new system user accounts,
• Changing permissions of existing user accounts,
• Implementing new security software,
• Testing security patches and updates, and
• Resetting user passwords.
B, C and D are incorrect – for reasons mentioned above
712. The retail store (mentioned in question 3) has branches in locations across India
and the same process for collecting customer data for loyalty programs is
followed in all the branches. This data is then consolidated into one database and
is accessible across all branches. The persons who are assigned responsibilities
with respect to this database are as follows:
• Management as Information Owners
• General Manager – Marketing: As custodian for the data
• General Manager – Operations: as owner of the process
• System Administrator
• Branch Manager
• Data Entry Operator
Who, do you think, is responsible for processing the information that is received
from the branches, checking it and circulating it?
A. Management
B. General Manager, Marketing
C. General Manager, Operations
D. Branch Manager
KEY C
C is correct - The system owner is responsible for one or more systems, each of which
may process and store data owned by different information owners. Here a system
refers to group of assets required for hosting one or more applications that support a
business function.
A is incorrect –The management as information custodian is assigned the task of
implementing the prescribed protection defined by the security procedure and top
level/Senior management decisions.
B is incorrect –The General Manager, Marketing as Information Owner (also called Data
Owners) is responsible for a company information asset.
D is incorrect – Branch manager as the user manager is the immediate manager or
reporting manager of an employee.
713. In the same case as mentioned in Questions 3 and 4, who, do you think is
responsible for ensuring that the customer data is secure and running regular
back ups?
A. General Manager, Marketing
B. General Manager, Operations
C. Data Entry Operator
D. System Administrator
KEY A
A is correct –General Manager, Marketing, as Information custodian is assigned the
task of implementing the prescribed protection defined by the security procedure and
top level/Senior management decisions. He is usually an information technology or
operations person, and is the system administrator for the Information Owner.
Among other activities, information custodian also performs following activities:
• Ensuring safe keeping of information on behalf of information owner
• Providing access to users that are approved by owners
• Running regular backups and routinely testing from backup data
• Performing data restoration activity from the backups when necessary
B, C and D are incorrect – for reasons stated above
714. You are an Information Systems Security Awareness Training Manager employed
in a Multinational Bank. You have been part of a team that has created a security
training program including classroom, online and web based trainings which is
mandatory for all employees and third parties who have access to the bank’s
sensitive information. How would you ensure that employees and third parties are
continually updated on latest issues?
A. By introducing them to the bank’s expectations with respect to Information
Security
B. By making Security Awareness training mandatory for the management
C. By getting a written acknowledgement from employees that they have read and
understood the policy
D. By giving security awareness training to employees and third parties at least once
a year
KEY D
D is correct - Training at Least Annually: Ensure that all employees and third parties
(having access to company information and information systems) are given security
awareness training at least once per year. This keeps all updated about the latest
developments and issues in this area.
A, B, and C are incorrect – These are the important considerations for a Security
training program to ensure that all employees and third parties have attended the
training and understood the policies.
715. A bank has outsourced certain processes related to its personal loans unit to a
third party vendor. As an IS auditor of the bank, what would you look for to assure
yourself that non-public business information accessed by the third party vendor is
protected and not misused?
A. A non-disclosure agreement signed by the vendor
B. Check if all employees of the vendor are given enough training
C. Verify if there are instances of data being misused earlier
D. Check for a written acknowledgement from the vendor that they have read and
understood the company’s policy
KEY A
A is correct - A non-disclosure agreement (NDA), also known as a confidentiality
agreement (CA), is a legal contract between at least two parties that outlines
confidential material, knowledge, or information that the parties wish to share with one
another for certain purposes, but wish to restrict access to or by third parties. It's a
contract through which the parties agree not to disclose information covered by the
agreement. An NDA creates a confidential relationship between the parties to protect
any type of confidential and proprietary information or trade secrets. As such, an NDA
protects non-public business information.
B, C and D are incorrect – for reasons as mentioned above
716. Organisations have to identify the information that needs various levels of
protection and put them in the appropriate ‘bucket’. Why can’t the entire
information within an organisation be protected uniformly?
A. There is a great dependence on information by organizations
B. It provides a systematic approach to protecting information consistently
C. Maintaining security in a network environment is complex
D. It will be a massive task to protect all information uniformly
KEY B
B is correct - Information classification can provide organizations with a systematic
approach to protecting information consistently across all parts of organization and for
all versions of information (original, copies, discarded, outdated etc.)
A, C and D are incorrect – though these are also reasons for classification, the primary
reason is that the appropriate bucket can be protected as per the nature of information
it contains
717. How must an organisation ensure that its information is adequately protected,
i.e., neither over protected nor under protected?
A. By training its employees who are using the information
B. By ensuring that its information is not shared in any network
C. By classifying its information and placing it in the appropriate bucket
D. By not sharing information with third parties
KEY C
C is correct - Information classification can help in determining the risk associated in
case of loss and thus prevent ‘over-protecting’ and/or ‘under-protecting’, ensuring that
information is adequately protected (e.g. against unauthorized disclosure, theft and
information leakage)
A, B and D are incorrect – An organization may want information to be: 1. published;
2. shared with select entities and business partners; 3. made available to internal users
and stakeholders; 4. known only to a select few. Uniform protection may introduce
unnecessary delay and sometimes create challenges for operations. The solution
organizations adopt is to identify the information that needs various levels of
protection and put it in the appropriate “bucket”. The bucket can then be protected as
per the nature of the information it contains.
718. Information classification ensures that security controls are only applied to
information that requires such protection. What is the benefit of such an
exercise?
A. Reduces operational costs of protecting information
B. Helps the management access sensitive information
C. Ensures that such information is not shared with third parties
D. Ensures that such information is not accessible to employees
KEY A
A is correct - Information classification helps to ensure that security controls are only
applied to information that requires such protection. This can help reduce the demand
on resources and staff and ultimately reduce the cost of protecting information.
B, C and D are incorrect – Classification of information labels information in such a way
that it is shared only with the appropriate person
719. How does an organisation ensure that appropriate users gain access to
appropriate files?
A. By classifying users to groups
B. By classifying and labeling information
C. By not sharing information in the general network
D. By having a supervisor for groups who controls access
KEY B
B is correct - Information classification can help enforce access control policies by using
the classification label to determine if an individual can gain access to a piece of
information (e.g. information labeled as Secret can only be accessed by individuals that
have been granted a security clearance of Secret)
A, C and D are incorrect – these options cannot effectively ensure that the appropriate
information is used by the appropriate user.
720. What are the factors to be considered for determining the level of confidentiality
of information?
A. Relevancy to a business transaction
B. Meeting particular compliance requirements
C. Changes to the content and external conditions of information
D. Appropriate User groups
KEY C
C is correct - Factors that should be considered when determining the level of
confidentiality of information are:
• Changes to the content of information
• Changes to external conditions over time
• Aggregation of individual pieces of information.
A, B and D are incorrect – these are the advantages of classifying information
721. An Information classification policy determines the accountability of Information
Owners, custodians and users. Who is responsible for assigning classifications
to information assets?
A. System Owner
B. Information Owner
C. System administrator
D. Process Owner
KEY B
B is correct - Information Owner (also called Data Owners) is responsible for a
company information asset. The responsibilities are generally assigned to
person/position that owns business process. Primary responsibilities are:
• Assign appropriate information classification and periodically review the
classification to ensure it still meets the business requirements.
• Ensure security controls have been implemented in accordance with the
information classification.
• Review and ensure currency of the access rights associated with the information
assets they own.
A, C and D are incorrect – These are some of the key roles in Information Security
Management – the system owner is responsible for the systems which hold the
information, a system administrator can set security configurations and a process owner
is responsible for the implementation and management of a process.
722. Under what information category does widely distributed product brochures fall?
A. Sensitive Information
B. Client Confidential Information
C. Unclassified/Public Information
D. Company Confidential Information
KEY C
C is correct - Information is not confidential and can be made public without any
implications for Company.
A is incorrect –Does not require special precautions to ensure the integrity and
confidentiality of the data by protecting it from unauthorized modification or deletion. It
does not require higher than normal assurance of accuracy and completeness.
B is incorrect – Is not Information received from clients in any form for processing in
production by Company.
D is incorrect – Is not information collected and used by Company in the conduct of its
business to employ people, to log and fulfill client orders, and to manage all aspects of
corporate finance.
723. Under what category does Company developed software codes fall?
A. Sensitive Information
B. Client Confidential Information
C. Company Confidential Information
D. Unclassified/Public Information
KEY A
A is correct - It requires special precautions to ensure the integrity and confidentiality of
the data by protecting it from unauthorized modification or deletion. It also requires
higher than normal assurance of accuracy and completeness.
B is incorrect – Is not Information received from clients in any form for processing in
production by Company.
C is incorrect – Is not information collected and used by Company in the conduct of its
business to employ people, to log and fulfill client orders, and to manage all aspects of
corporate finance.
D is incorrect – Information is confidential and cannot be made public without any
implications for Company.
724. Under what category does information received from clients fall?
A. Client Confidential Information
B. Company Confidential information
C. Unclassified/Public Information
D. Sensitive Information
KEY A
A is correct - Information received from clients in any form for processing in production
by Company. The original copy of such information must not be changed in any way
without written permission from the client. The highest possible levels of integrity,
confidentiality, and restricted availability are vital.
B is incorrect – Is not information collected and used by Company in the conduct of its
business to employ people, to log and fulfill client orders, and to manage all aspects of
corporate finance.
C is incorrect – Information is confidential and cannot be made public without any
implications for Company.
D is incorrect – It does not require special precautions to ensure the integrity and
confidentiality of the data by protecting it from unauthorized modification or deletion. It
does not require higher than normal assurance of accuracy and completeness.
725. What is Personally Identifiable Information (PII)?
A. Personal Information of any person who needs to provide this to the organisation
B. Information held by an organisation which can identify a stakeholder
C. Personal Information pertaining to the employees of an organisation
D. Personal Information pertaining to the third parties associated with the
organisation
KEY A
A is correct - PI generally refers to personal information. This personal information can
be related to any person or stakeholder who needs to provide this information to the
organization. For example, banks may have to collect identification proofs, PAN card
details, addresses and telephone numbers from customers, and they generate information like
credit card details and bank account numbers for customers.
B, C and D are incorrect – These do not classify under personally identifiable
information.
726. What is the standard that must be complied with by all those who deal with
credit/debit cards?
A. PCIDSS
B. Electronic Communications Privacy Act
C. Information Technology Act 2000
D. Regulations mandated by Reserve Bank
KEY A
A is correct - Payment Card Industry Data Security Standard: de-facto standard for card
related information. It must be complied with by all those who deal with credit or debit
cards, including banks, merchants and intermediaries. Although there may not be
regulatory or legal requirements as of now for compliance with PCIDSS, it has been
accepted by industry.
B is incorrect – Electronic Communications Privacy Act extends government
restrictions on wire taps to include transmissions of electronic data.
C is incorrect - Information Technology Act 2000 (Amendment 2008): Provides that any
organization collecting PII shall be liable if the absence of reasonable security for
such information results in identity theft.
D is incorrect – These regulations have mandated processes for collecting, storing,
securing data and information including PII.
727. What is the Act which mandates how financial institutions must deal with the
private information of individuals?
A. Information technology Act 2000
B. Video Privacy Protection Act
C. Gramm-Leach-Bliley Act
D. Electronic Communications Privacy Act
KEY C
C is correct - Gramm-Leach-Bliley Act: Mandates how financial institutions must deal
with the private information of individuals.
B is incorrect - Video Privacy Protection Act: Prevents wrongful disclosure of an
individual's personally identifiable information stemming from their rental or purchase of
audio-visual material.
A is incorrect - Information Technology Act 2000 (Amendment 2008): Provides that any
organization collecting PII shall be liable if the absence of reasonable security for
such information results in identity theft.
D is incorrect –Electronic Communications Privacy Act (ECPA): Extends government
restrictions on wire taps to include transmissions of electronic data.
728. Which of the following does not classify under Personally identifiable
Information?
A. Company advertisement information
B. Medical information of patients
C. Location information of clients
D. Information collected by websites
KEY A
A is correct - This is public/unclassified information which is not sensitive and does not
require any security
B, C and D are incorrect – these are PII
729. How is information classification applied for information contained in a critical
database?
A. at the file or data level
B. to the entire database
C. to each individual document
D. at column level at the discretion of the information owner
KEY D
D is correct - For critical databases, classification may apply to column level, at the
discretion of the information owner
A is incorrect - For server-based systems, classification will be done at the file or data
level;
B is incorrect - For information in a database, the classification will normally apply to the
entire database;
C is incorrect – For paper documents, including output from systems, classification will
apply to each individual document
730. How can critical data be protected during transmission, processing and storing?
A. By keeping the information physically secured
B. By encrypting
C. By controlling access
D. By taking a backup
KEY B
B is correct - By encrypting critical information, we ensure that such information is
accessible only to the appropriate person
A, C and D are incorrect – these do not apply to information that is being transmitted,
stored and processed.
731. What are the solutions referred to under DLP (Data Leak Prevention)?
A. Protecting data based on the rule set and classification
B. Expecting creator of data file to choose who shall access data
C. Authenticating users out of the organisation
D. Working at data base level and managing the access rights
KEY A
A is correct - The solutions generally referred to under the popular acronym DLP (Data leak
prevention / Data loss prevention / Data leak protection) provide a few capabilities that can
be implemented independently, e.g. there are solutions that focus on protecting data
passing through networks based on the rule-set and classification.
B and C are incorrect – these describe solutions referred to by the acronym DRM (Digital
Rights Management) that can be applied to data files. These solutions expect the creator of
a data file to decide who shall access the data and to add them to a central user list.
Sometimes this becomes impractical when such files are meant for users outside the
organization, who need to be authenticated by the DRM server.
D is incorrect - this describes DAM (Digital access management), which works at the
database level and manages access rights while providing data to applications, based on
rules and classification.
732. What is the pre requisite for successful implementation of data protection tools
like DLP, DRM and DAM?
A. Identifying information resources
B. Creating an information risk profile
C. Creating appropriate rule set and classification based on impact of risks
D. Establishing a process for data classification
KEY C
C is correct - A prerequisite for successful implementation of these tools is appropriate
rule set and data classification based on impact of risks associated with data leak.
A, B and D are incorrect – These are steps that have to be followed to create
appropriate rule set and classification
733. Which of the following is a risk associated with Portable Devices?
A. Users can access Company’s internal information from anywhere
B. It is prone to physical security problems because of availability within the
workplace
C. Unauthorised users may access hard copy of electronic data
D. Its overall security is dependent on the physical security of the work stations
KEY A
A is correct - Portable devices: Can be an organization’s security nightmare. Although
issuing laptops and PDAs to employees facilitates flexibility and productivity in an
organization, it poses several serious risks with regard to physical security. Besides,
more and more organizations are adopting Bring Your Own Device (BYOD) policy which
further makes the portable device and the corporate network vulnerable. With users
accessing the company’s internal information systems from anywhere, a breach in
physical security on one of these devices could undermine an organization’s information
security. Extreme care must be taken with this class.
B is incorrect - Workstations: Usually located in more open or accessible areas of a
facility. Because of their availability within the workplace, workstations can be prone to
physical security problems if used carelessly.
C is incorrect - Printers: Although data is stored electronically, reports, letters,
communications etc. have to be printed, so organizations deploy printers. In order to
optimize printer use, most organizations deploy network-based printers shared among a
group of users.
D is incorrect – Servers: Servers are the most physically secure class of systems. This
is due to the common practice of placing them in a location that has better access and
environmental control. Although this class may be the most physically secure, their
overall security is dependent on the physical security of the workstations and portable
devices that access them.
734. What are network devices?
A. Device in which all data in a network is placed
B. Devices deployed for establishing communication
C. Devices installed by telecom companies to facilitate mobile communication
D. Devices that facilitate accessing data from anywhere
KEY B
B is correct - Network devices: devices deployed for establishing communication which
includes routers, switches, firewalls, cables, wireless devices and other network
monitoring tools.
A is incorrect – Devices in which all the data in a network is placed is a server
C is incorrect – Devices installed by telecom companies to facilitate mobile
communication are towers
D is incorrect – Devices that facilitate accessing data from anywhere are portable
devices
735. In order to ensure the privacy of personal information of an individual, a company
has to:
A. Write policies and procedures
B. Define roles and responsibilities
C. Implement an effective privacy program
D. Define incident response plans
KEY C
C is correct - It is important that the organization implements an effective privacy
program in order to ensure the privacy of the personal information of an individual
A, B and D are incorrect – These are the steps to be taken to implement a successful
privacy program
736. An auditor need not be involved in one of the following while evaluating an
organisation’s privacy framework. Which is it?
A. Liaise with in-house legal counsel to understand legal implications
B. Design Incident response plans
C. Liaise with information technology specialists to understand security implications
D. Understand internal policies and guidelines
KEY B
B is correct - This is done by the organisation’s governing body
A, C and D are incorrect – These are the roles of an internal auditor
737. An insurance company is in the process of classifying its information according
to its sensitivity. If you formed a part of the team responsible for this
classification, how would you classify personal information pertaining to
insurance holders?
A. Unclassified/Public Information
B. Sensitive Information
C. Client Confidential data
D. Company Confidential data
KEY C
C is correct - Information received from clients in any form for processing in production
by Company. The original copy of such information must not be changed in any way
without written permission from the client. The highest possible levels of integrity,
confidentiality, and restricted availability are vital.
A, B and D are incorrect – Sensitive information received from clients cannot be placed
under these categories.
738. You head a data processing center which handles an outsourced activity of
employee medical reimbursements of a multinational. You have employed
professionals who have developed the required software for the activity and who
maintain the same. Under which of the following would you classify the software
codes?
A. Client Confidential Data
B. Company Confidential Data
C. Sensitive Information
D. Unclassified data
KEY C
C is correct - All company developed software codes whether used internally or sold to
clients and know how used to process client information should be classified as
Sensitive Information
A, B and D are incorrect – for the reason mentioned above
739. The personal loans department of a bank maintains a database of personal
information of its customers who have availed loans. This database is used for
various purposes by the bank. As an IS auditor you find that there are security
breaches related to this information. Under what Act would the company be
liable?
A. PCIDSS
B. Information Technology Act 2000
C. Gramm Leach Bliley Act
D. Video Privacy Protection Act
KEY B
B is correct - Information Technology Act 2000 (Amendment 2008): Provides that
any organization collecting PII shall be liable if the absence of reasonable security
for such information results in identity theft.
A is incorrect – PCIDSS: Payment Card Industry Data Security Standard: De-facto
standard for card-related information. Must be complied with by all those who deal with
credit or debit cards, including banks, merchants and intermediaries. Although there may
not be regulatory or legal requirements as of now for compliance with PCIDSS, it has
been accepted by the industry.
C is incorrect – Gramm-Leach-Bliley Act: Mandates how financial institutions must
deal with the private information of individuals.
D is incorrect - Video Privacy Protection Act: Prevents wrongful disclosure of an
individual's personally identifiable information stemming from their rental or purchase of
audio-visual material.
740. As an employee of the HR department of a multinational company, you are
required to send through email, sensitive data pertaining to the employees of
your organisation to a data centre for processing. Though there is approval from
the management that the data centre can have access to this data, there is a
precautionary measure that you should take while transmitting this data. Which of
the following is it?
A. Encrypting the data before sending
B. Taking a back up before sending
C. Sending information only on a need to know basis
D. Setting strong access controls at the vendor's site
KEY A
A is correct - Encryption of information during transmission ensures that it is not
misused by any third party
B, C and D are incorrect – though these are important security considerations, they are
not mandatory for this case
741. Which of the following is not a part of Physical Access Control?
A. Preventing unauthorised physical access to resources
B. Protection of information in stored, transit and processing stages
C. Control entry during and after normal business hours
D. Identification checks
KEY B
B is correct - This is a part of Logical Access Control
A, C and D are incorrect – Physical access controls encompass securing physical
access to computing equipment as well as facilities housing the IS computing
equipment and supplies. The choice of safeguard should be such that they prevent
unauthorized physical access but at the same time cause the least inconvenience to
authorized users. All the three options form a part of Physical Access Control.
742. Which of the following is an information asset that need not be included in
physical access control?
A. Information in transit through mail
B. Primary computer facilities
C. Micro computers
D. Printers
KEY A
A is correct - Information in transit through mail cannot be restricted physically.
B, C and D are incorrect – These are assets that should be included under Physical
Access Control
743. Which of the following is not a physical access control?
A. Manual doors or cipher key locks
B. Protecting data with passwords
C. Controlling the reception area
D. Logging in visitors
KEY B
B is correct - Protecting data with passwords is part of logical access control
A, C and D are incorrect – Physical access controls may include manual door or
cipher key locks, photo IDs and security guards, entry logs, perimeter intrusion locks,
etc. Physical controls should also include pre-planned appointments, identification
checks, controlling the reception area, logging in visitors, escorting visitors while in
sensitive areas, etc.
744. Threats to Information Assets like computing equipment, media and people are
known as:
A. Cyber threats
B. Environmental Threats
C. Physical Threats
D. Logical Access Threats
KEY C
C is correct - Physical threats to information system assets comprise threats to
computing equipment, facilities which house the equipment, media and people.
A is incorrect - Cyber threats are threats due to exposure of information on the World
Wide Web.
B is incorrect – Environmental threats are undesired (unintentional or intentional)
alterations in the environment in which computing resources function, which can result
in threats to the availability of information systems and the integrity of information.
D is incorrect – Logical access threats arise where unauthorized persons try to obtain
information useful for breaking into the organization's systems.
745. “Preventing modification of data by unauthorised personnel” falls under which
core principle of Information Safety?
A. Integrity
B. Confidentiality
C. Availability
D. Security
KEY A
A is correct - Confidentiality, Integrity and Availability (CIA Triad) are the core principles
of information safety. Integrity: Prevent modification of data by unauthorized personnel.
B and C are incorrect – Confidentiality: Preventing disclosure of information to
unauthorized individuals or systems, Availability: Information must be available when it
is needed.
D is incorrect – This is not a part of the CIA Triad
746. Under what category of Physical Security threat does poor handling and cabling
of electronic equipment fall?
A. Electrical
B. Environmental
C. Maintenance
D. Hardware
KEY C
C is correct - Maintenance: These threats are due to poor handling of electronic
components, which cause ESD (electrostatic discharge), the lack of spare parts, poor
cabling, poor device labelling, etc.
A is incorrect - Electrical vulnerabilities are seen in things such as spikes in voltage to
different devices and hardware systems, or brownouts due to an insufficient voltage
supply. Electrical threats also come from the noise of unconditioned power and, in some
extreme circumstances, total power loss.
B is incorrect – Natural disasters such as fires, hurricanes, tornados and flooding fall
under the realm of environmental threats.
D is incorrect - Hardware threats cover physical damage to corporate hardware or its theft.
747. Which of the following is not a source of Physical Security threat?
A. Uncontrolled/Unconditioned Power, Low voltage
B. Physical Access to IS resources by unauthorised personnel
C. Discontented or disgruntled employees
D. Interested or Informed outsiders
KEY A
A is correct - This is not a source of physical security threat; it is a source of
environmental threat
B, C and D are incorrect – These are sources of physical security threats
748. In an organisation there are instances of employees using the internet for
personal purposes. Under what threat is this classified?
A. Logical access threat
B. Environment threat
C. Improper physical access threat
D. Electrical threat
KEY C
C is correct - Threats from improper physical access usually are human-induced. Some
examples are:
• Unauthorized persons gaining access to restricted areas. Examples are
prospective suppliers gaining access to the computer terminal of the purchases
department, thereby viewing the list of authorized suppliers and rates being
displayed on the screen during data entry.
• Employees gaining access to areas not authorized, e.g. sales executives gaining
access to server room.
• Damage, vandalism or theft of equipment or other IS resources.
• Abuse of data processing resources, e.g. employees using internet for personal
purposes.
• Damage due to civil disturbances and war.
• Embezzlement of computer supplies, e.g. floppies, cartridges, printer
consumables.
• Public disclosure of sensitive information, e.g. Information regarding location of
servers, confidential or embarrassing information.
A, B and D are incorrect – This is not a logical access, environmental or electrical
threat
749. Viewing or copying of sensitive information by visitors who have gained
unauthorised access to the same is:
A. An Improper Physical Access Exposure
B. An Unintentional or Accidental Exposure
C. A Deliberate Exposure
D. An Environmental Exposure
KEY A
A is correct - Improper physical access to IS resources may result in losses to
organization which can result in compromising one or any of the following:
• Confidentiality of organizational information or knowledge of protected
organizational resources. Example: unauthorized access to systems containing
sensitive information may be viewed or copied by visitors accidentally gaining
access to such systems.
• Integrity of information by improper manipulation of information or data
contained on systems or media. Example: Unauthorized access to record rooms
or databases may result in modification or deletion of file content.
• Availability of information. Improper access to IS resources may be used to
adversely impact availability of IS resources, ultimately preventing or delaying
access to organizational information and business applications. Example: A
disgruntled bank employee may switch off power to information servers thus
sabotaging operations.
B is incorrect - Authorized or unauthorized personnel unintentionally gaining
physical access to IS resources may accidentally or inadvertently cause loss or
damage to the organization.
C is incorrect - Unauthorized personnel may deliberately gain access or authorized
personnel may deliberately gain access to IS resources, for which they are not
permitted or possess rights of access. This may result in the perpetrator achieving his
objective of causing loss or damage to the organization or gain personal monetary
benefits or otherwise.
D is incorrect – Environmental exposures are not human-induced; they are caused by nature
750. If windows exist in a data centre, they must be translucent and shatterproof.
Why?
A. To avoid data leakage through electromagnetic radiation
B. To prevent anyone from peeping and viewing data
C. To avoid environmental threats to physical systems
D. To avoid theft of physical assets
KEY A
A is correct - Windows are normally not acceptable in a data centre to avoid data
leakage through electromagnetic radiation emitted by monitors. If they do exist,
however, they must be translucent (semi-transparent, i.e. allowing light without being
able to view things clearly) and shatterproof or monitors should not be facing them.
B, C and D are incorrect – There is a negligible chance of these threats due to the
presence of windows
751. Why are audit trails and access control logs important for security management?
A. To know where access attempts occurred and who attempted them
B. To reduce unauthorised access to sensitive information
C. To prevent modification or deletion of file content
D. To prevent unintentional physical access
KEY A
A is correct - With respect to physical security, audit trails and access control logs are
vital because management needs to know where access attempts occurred and who
attempted them. The audit trails or access logs must record the following:
• The date and time of the access attempt
• Whether the attempt was successful or not
• Where the access was granted (which door, for example)
• Who attempted the access
• Who modified the access privileges at the supervisor level
B, C and D are incorrect – These have no relevance to maintenance of audit logs
752. What is the first step once an unauthorised event is detected?
A. Process owner should investigate and take action
B. The incident should be reported to the appropriate authority
C. Security administrator should effect modifications to the security policy
D. Should be effectively handled to mitigate losses
KEY B
B is correct - Once an unauthorised incident is detected, the first step is to report the
same.
Appropriate procedures should be in place to enable reporting of such incidents
A, C and D are incorrect – These are subsequent steps
753. Which of the following is not a Human Resource Control?
A. Providing identity cards
B. Providing training in Physical Security
C. Locking system screens when not in seat
D. Monitoring behavior
KEY C
C is correct - Locking screens forms part of logical access control
A, B and D are incorrect – These are examples of human resources control
754. The most important human resource control is:
A. Providing access cards to employees
B. Assigning responsibilities to employees
C. Provide training to employees
D. Escort terminated or resigned/retired employees
KEY A
A is correct - One of the most important controls is the process of providing access cards to
employees, vendor personnel working onsite and visitors. The process should aim in
preventing generation of false cards, modifying contents of cards, accounting for lost
cards and reconciliation of cards to detect missing/lost cards. In addition a process to
grant, change and revoke access must be in place.
B, C and D are incorrect – These controls are other human resource controls
755. Which of the following is a perimeter security?
A. Screen savers
B. Passwords
C. Access cards
D. Guards
KEY D
D is correct - Guards are commonly deployed in perimeter control, depending on cost
and sensitivity of resource to be secured. While guards are capable of applying
subjective intelligence, they are also subject to the risks of social engineering. They are
useful whenever immediate, discriminating judgment is required.
A is incorrect – Screen savers are used to lock screens when not in use
B is incorrect – Passwords are used to prevent unauthorised access to sensitive data
C is incorrect – Access cards are used as a physical security measure
756. Which of the following is not a perimeter security?
A. Compound walls and Fencing
B. Lighting exteriors
C. Encrypting data in transit
D. Bolting door locks
KEY C
C is correct - Encrypting data in transit is a logical access security
A, B and D are incorrect – these are examples of perimeter security
757. What perimeter security is used to reduce the risk of piggy backing?
A. Dead man doors
B. Bolting door locks
C. Combination or Cipher locks
D. Compound walls
KEY A
A is correct - Also called mantrap systems. These are typically used to secure
entrance to sensitive computing facilities or storage areas. This technique involves a
pair of doors and the space between the doors is enough to accommodate just one
person. Such doors reduce the risk of piggybacking, in which an unauthorized person
could enter the secured facility by closely following an authorized person which may or
may not be monitored by a guard.
B is incorrect - This is the most commonly used means to secure against unauthorized
access to rooms, cabins, closets. These use metal locks and keys and access can be
gained by any person having physical possession of the key. This is cheap yet a
reasonably effective technique, however control over physical custody and inventory of
keys is required.
C is incorrect - To gain entry, a person presses a four digit number in a particular pre-
determined sequence which disengages the levers for a pre-set interval of time.
D is incorrect – A common method of securing against unauthorized boundary access to
the facility. It helps in deterring casual intruders but is ineffective against a determined
intruder.
758. The advantages of Electronic door locks do not include:
A. Distinguishing between various categories of users
B. Most secure locks since they enable access based on individual features such as
finger prints
C. Restricting individual access through the special internal code
D. Deactivation of card entry from a central electronic control mechanism
KEY B
B is correct - The feature pertains to Biometric door locks
A, C and D are incorrect – These are the advantages of Electronic Door locks
759. Which of the following is a disadvantage of a Biometric Door lock?
A. Easy duplication
B. Is not as sophisticated as electronic door locks
C. High cost of acquisition, implementation and maintenance
D. They are not very secure
KEY C
C is correct - While these devices are considered highly secure, they suffer from the
following disadvantages:
• Relatively high cost of acquisition, implementation and maintenance, hence they
are used mainly to secure sensitive installations.
• Time consuming process of user registration.
• Privacy issues relating to use of devices like retina and fingerprint scanners.
• High error rates compared to other devices since they may result in a false
rejection or more critically a false acceptance.
A, B and D are incorrect – Biometric locks are sophisticated and highly secure.
Duplication of biometrics is not possible.
760. A device which creates a grid of visible white light or invisible infra red light,
which when broken activates an alarm is:
A. Photo electric sensors
B. Dry contact switches
C. Video cameras
D. Identification badges
KEY A
A is correct - Photoelectric sensors receive a beam of light from a light-emitting device,
creating a grid of either visible white light, or invisible infrared light, which when broken
activates an alarm.
B is incorrect - Dry contact switches and tape are probably the most common types of
perimeter detection. This can consist of metallic foil tape on windows or metal contact
switches on doorframes to detect when a door or window has been opened.
C is incorrect – Cameras provide preventive and detective control. Closed-Circuit
Television (CCTV) cameras have to be supplemented by security monitoring and
guards for taking corrective action.
D is incorrect - Special identification badges such as employee cards, privileged access
pass, visitor passes etc. enable tracking movement of personnel. These can also be
cards with signature and/or photo identity.
761. The process requiring all visitors to sign a visitors log at the time of entry/exit is
known as
A. Electronic logging
B. Manual logging
C. Controlled visitor access
D. Controlled single point access
KEY B
B is correct - Manual Logging: All visitors to the premises are prompted to sign a
visitor’s log recording the date and time of entry/exit, name of entrant, organization,
purpose etc. The visitor may also be required to authenticate his identity by means of a
business card, photo identification card, driver’s license etc.
A is incorrect - Electronic Logging: Electronic card readers may be used to record the
date and time of entry/exit of the card holder by requiring the person to swipe the card
at both the time of entry and exit. This is a faster and more reliable method for restricting
access to employees and pre-authorized personnel only. These devices may use
electronic/biometric security mechanisms.
C is incorrect - Controlled single point access: Physical access to the facility is
granted through a single guarded entry point. Multiple entry points may dilute
administration of effective security.
D is incorrect – Controlled Visitor access: A pre-designated responsible employee or
security staff escorts all visitors such as maintenance personnel, contract workers,
vendors, consultants for a specified time period
762. A card reader that senses the card in possession of a user in the general area and
enables faster access is:
A. Wireless proximity readers
B. Motion detectors
C. Cable locks
D. Identification Badges
KEY A
A is correct - A proximity reader does not require physical contact between the access
card and the reader. The card reader senses the card in possession of a user in the
general area (proximity) and enables faster access.
B is incorrect - Alarm Systems/Motion detectors. Alarm systems provide detective
controls and highlight security breaches to prohibited areas, access to areas beyond
restricted hours, violation of direction of movement e.g. where entry only/exit only doors
are used. Motion detectors are used to sense unusual movement within a predefined
interior security area and thus detect physical breaches of perimeter security, and may
sound an alarm.
C is incorrect - A cable lock consists of a plastic-covered steel cable that chains a PC,
laptop or peripherals to the desk or other immovable objects.
D is incorrect – Special identification badges such as employee cards, privileged access
pass, visitor passes etc. enable tracking movement of personnel.
763. Lockable switches that prevent a keyboard from being used are:
A. Switch controls
B. Biometric Mouse
C. Laptop security
D. Peripheral switch controls
KEY D
D is correct - Peripheral switch controls: These types of controls are lockable
switches that prevent a keyboard from being used.
A is incorrect - A switch control is a cover for the on/off switch, which prevents a user
from switching off the file server's power.
B is incorrect - Biometric Mouse: The input to the system uses a specially designed
mouse, which is usable only by pre-determined/pre-registered person based on the
fingerprint of the user.
C is incorrect – Cable locks, biometric mice/fingerprint/iris recognition and encryption of
the file system are some of the means available to protect laptops and their data.
764. A smart card used for access control is also called a security access card. Which
of the following is not a type of smart card?
A. Identification cards
B. Photo Image Cards
C. Digital coded cards
D. Wireless proximity readers
KEY A
A is correct - Special identification badges such as employee cards, privileged access
pass, visitor passes etc. enable tracking movement of personnel.
B is incorrect - Photo-image cards are simple identification cards with the photo of the
bearer for identification.
C is incorrect - Digitally encoded cards contain chips or magnetically encoded strips
(possibly in addition to a photo of the bearer).
D is incorrect – A proximity reader does not require the user to physically insert the
access card.
765. Which of the following is not a biometric characteristic?
A. Finger prints
B. Retina scans
C. Passport photo
D. Palm scans
KEY C
C is correct - Passport photo does not have a biometric characteristic
A, B and D are incorrect – All these are typical biometric characteristics used to
uniquely identify or authenticate an individual
766. Name the performance measure in biometrics which is the percentage of invalid
subjects that are falsely accepted.
A. False Rejection Rate (FRR)
B. False Acceptance Rate (FAR)
C. Crossover Error Rate (CER)
D. Throughput rate
KEY B
B is correct - False acceptance rate (FAR), or Type II error: The percentage of invalid
subjects that are falsely accepted. FAR is more critical than FRR.
A is incorrect - False rejection rate (FRR), or Type I error: The percentage of valid
subjects that are falsely rejected
C is incorrect - Crossover error rate (CER): The percent at which the FRR equals the
FAR. In most cases, the sensitivity of the biometric detection system can be increased
or decreased. If the system’s sensitivity is increased, such as in an airport metal
detector, the system becomes increasingly selective and has a higher FRR. Conversely,
if the sensitivity is decreased, the FAR will increase.
D is incorrect – There is no such measure as throughput rate in biometrics
767. With respect to biometrics evaluation, how is the time taken to register with a
system referred as?
A. Enrolment time
B. Throughput rate
C. Acceptability
D. Registration time
KEY A
A is correct - Enrolment time is the time it takes to initially register with a system by
providing samples of the biometric characteristic to be evaluated.
B is incorrect - The throughput rate is the rate at which individuals, once enrolled, can
be processed and identified or authenticated by a system.
C is incorrect - Acceptability refers to considerations of privacy, invasiveness, and
psychological and physical comfort when using the system.
D is incorrect – there is no such evaluation as registration time with respect to
biometrics
768. With respect to audit of physical access controls, what does controls assessment
mean?
A. Ensuring that the risk assessment procedure adequately covers periodic and
timely assessment of all assets
B. Evaluating whether physical access controls are in place
C. Examining relevant documentation such as the security policy and procedures,
premises plans, building plans, etc
D. Reviewing physical access controls for their effectiveness.
KEY B
B is correct - Controls Assessment: The auditor based on the risk profile evaluates
whether physical access controls are in place and adequate to protect the IS assets
against the risks.
A is incorrect – This procedure is risk assessment
C is incorrect – This procedure is review of documentation
D is incorrect – This procedure is testing of controls
769. The review of physical access controls by an auditor need not include:
A. Observing safeguards and Physical access procedures
B. Interviewing personnel to get information of procedures
C. Authorising special access
D. Touring organisational facilities
KEY C
C is correct - This is the role of the manager/management, not of an auditor
A,B and D are incorrect – These are the roles of an auditor
770. What should an auditor check for in case of employee termination?
A. The employees tenure and his conduct during the same
B. Withdrawal and deactivation of access rights
C. Whether appropriate rights have been granted to the replacement
D. Whether there is any due from the employee to the organisation
KEY B
B is correct - Employee termination procedures should provide withdrawal of rights such
as retrieval of physical devices such as smart cards, access tokens, deactivation of
access rights and its appropriate communication to relevant constituents in the
organization.
A, C and D are incorrect – these are not the concerns of an auditor
771. What is the review procedure that should be adopted by an auditor to ensure that
there is adequate security at entrance and exits?
A. Review physical layout diagrams, risk analysis, procedure for removal and return
of storage media, knowledge and awareness of emergency procedures by
employees
B. Inspect guard procedures and practices, and facility surveillance system apart
from assessing vehicle and pedestrian traffic around high risk facility
C. Review whether security policies and procedures at enterprise level and system level
are aligned with the business's stated objectives
D. Review employee and visitor entry logs, entry/exit procedures used by
management, documentation of logs
KEY D
D is correct
A is incorrect – these procedures are to review that physical safeguards are
commensurate with the risks of physical damage or access
B is incorrect – These procedures are to review the perimeter security
C is incorrect – These procedures are to review whether security control policies and
procedures are properly documented
772. From the perspective of environmental exposures and controls, how are
computer rooms, server rooms and printer rooms categorised?
A. Information System supporting infrastructure or facilities
B. Hardware and Media
C. Documentation
D. Supplies
KEY A
A is correct - Information Systems Supporting Infrastructure or Facilities: This
typically includes the following:
• Physical Premises, like Computer Rooms, Cabins, Server Rooms/Farms, Data
Centre premises, Printer Rooms, Remote facilities and Storage Areas
• Communication Closets
• Cabling ducts
• Power Source
• Heating, Ventilation and Air Conditioning (HVAC)
B is incorrect - Hardware and Media: Includes Computing Equipment, Communication
equipment, and Storage Media
C is incorrect - Documentation: Physical and geographical documentation of
computing facilities with emergency evacuation plans and incident planning procedures.
D is incorrect – Supplies: The third party maintenance procedures for, say, air-
conditioning, fire safety, and civil contractors whose entry and access with respect to
their scope of work assigned are to be monitored and logged.
773. Which of the following is a natural environmental threat?
A. War action and Bomb threats
B. Air conditioning failure
C. Earthquakes
D. Undesired activities in computer facilities such as smoking
KEY C
C is correct - Earthquake is a natural environmental threat
A, B and D are incorrect – These are man-made environmental threats
774. Which of the following is a man-made environmental threat?
A. Extreme variations in temperature
B. Static Electricity
C. Humidity, vapors, smoke and suspended particles
D. Fire due to negligence and human action
KEY D
D is correct - This is a man-made threat
A, B and C are incorrect – These are natural threats
775. Given below are some examples of exposures. Which of these do not pertain to
violation of environmental controls?
A. The possibility of a fire destroying valuable computer equipment due to use of
inflammable material for construction of server cabin
B. The possibility of Unauthorised access to sensitive data through hacking
C. The possibility of a fire due to poor cabling
D. The possibility of damage of keyboards and other devices due to accidental
dropping of beverages
KEY B
B is correct - This is an example of exposure due to violation of physical access
A, C and D are incorrect – these are examples of exposure due to violation of
environmental controls
776. What is a sudden rise in voltage in the power supply known as?
A. Surge
B. Blackout
C. Sag/dip
D. Transient
KEY A
A is correct - Surge is a sudden rise in voltage in the power supply. A strong power
surge can easily harm unprotected computers and other microprocessor circuits. It also
puts a stress on anything else powered by the electric supply, from air conditioning
motors to light bulbs.
B is incorrect – Blackout is a complete loss of commercial power
C is incorrect – Sag or dip is a short period of low voltage
D is incorrect – Transient is line noise or disturbance superimposed on the supply
circuit and can cause fluctuations in electrical power.
777. Which of the following need not be considered while choosing a safe site?
A. Probability of natural disasters
B. Transportation
C. Proximity to other like companies
D. External services like police, fire, hospital etc
KEY C
C is correct - This is not a factor to be considered while choosing a safe site
A, B, and D are incorrect – These are some of the factors to be considered while
choosing a safe site
778. While designing a site, it is important that the location of media libraries is:
A. Fungi Resistant and heat resistant
B. Easily accessible
C. Not easily accessible
D. Outside the work area
KEY A
A is correct - Media Protection: Location of media libraries, fire proof cabinets, kind of
media used (fungi resistant, heat resistant).
B, C and D are incorrect – These are not important considerations for storing media
779. The organisation should consider newer environmental threats like generator
installation by a neighbor or sudden changes in climate as part of:
A. Facilities planning
B. Choosing a site
C. Designing a site
D. Documentation
KEY A
A is correct - The risk profile of the organization should take into consideration newer
environmental threats. A few examples of threats to be considered are given below:
• Installation of a generator by a neighbor.
• Sudden changes in climate leading to extreme changes in humidity levels.
• Building construction in the vicinity of IPF leading to increase in suspended dust
particles in the environment.
• Raising of foundation and flooring by a neighbor causing change in the flow of
rainwater.
• Installation of high power consumption equipment adversely affecting the quality
of power.
B, C and D are incorrect – The aspect need not be considered at these levels
780. New employee induction programs should be conducted as part of:
A. Documentation
B. Facilities planning
C. People Responsibility and training
D. Emergency plan
KEY C
C is correct - Responsibility and accountability for environmental controls planning and
management should be fixed and should be expressly communicated as part of job
description. New employee induction programs should include informing and educating
employees on environmental control procedures, prohibited activities (eating, smoking,
drinking inside IPF), and maintaining secrecy and confidentiality.
A, B and D are incorrect – Induction programs are not part of any of these.
781. An effective emergency plan of an organisation should include:
A. Detailed analysis of third party and outsourced vendors/suppliers
B. Evaluation of effectiveness and efficiency of environmental facilities
C. Preventive maintenance plans
D. Control Action, Evacuation plan and paths
KEY D
D is correct - Disasters result in increased environmental threats e.g. smoke from a fire
in the neighborhood or in some other facility of the organization would require
appropriate control action, evacuation plan should be in place and evacuation paths
should be prominently displayed at strategic places in the organization.
A, B and C are incorrect. These are parts of Vendors/Suppliers security and
Maintenance plans
782. How can an organisation reduce Mean Time to Repair/recover/respond/restore
(MTTR)?
A. By stocking spare parts on site
B. By planning for environmental controls
C. By identifying, parameterizing and documenting risks of utility failure
D. By evaluating alternatives with low MTBF
KEY A
A is correct - Stocking spare parts on site and training maintenance personnel can
reduce MTTR.
B, C and D are incorrect – Failure modes of each utility, risks of utility failure, should be
identified, parameterized and documented. This includes estimating the MTBF (Mean
Time between Failures) and MTTR (Mean-Time to Repair/recover/respond/ restore).
Planning for Environmental controls would need to evaluate alternatives with low MTBF
or installing redundant units.
783. Listed below are some of the controls to ensure uninterrupted supply of clean
power. Out of these which is the equipment which cleanses the incoming power
supply of problems such as spikes, sags, etc.?
A. Generators
B. Electrical surge protectors/line conditioners
C. Uninterruptible power supply (UPS)
D. Power leads from two substations
KEY B
B is correct - Power supply from external sources such as the grid and generators is
subject to many quality problems such as spikes, surges, sag and brown outs, noise,
etc. Surge protectors, spike busters and line conditioners are equipment which cleanse
the incoming power supply of such quality problems and deliver clean power to the
equipment.
A, C and D are incorrect – UPS generally is a good solution for applications, enabling
proper closure of processing and systems. In respect of continuous process equipment,
UPS may fail to meet the purpose if regular power supply is not available for a
prolonged period of time. Diesel or kerosene generators could also be used, but they
require some time to be switched on and the power from generators has to be cleansed
before delivery to computer systems.
D is incorrect - To protect against such exposures, redundant power lines from a
different grid supply should be provided for. Interruption of one power supply should
result in the system immediately switching over to the stand-by line.
784. How does a smoke/fire detector function?
A. Activate audible alarms on sensing a particular degree of smoke or fire
B. Activate audible alarms and are linked to monitoring stations within and outside
the organisation
C. Activate an audible alarm on detecting water
D. Switches off power in case of emergency situations like fire etc.
KEY A
A is correct - Smoke and fire detectors activate audible alarms or fire suppression
systems on sensing a particular degree of smoke or fire. Such detectors should be
placed at appropriate places, above and below the false ceiling, in ventilation and
cabling ducts.
B is incorrect - By manual operation of switch or levers, these devices activate an
audible alarm and may be linked to monitoring stations both within and/or outside the
organization.
C is incorrect - When necessity of immediate power shutdown arises during situations
such as computer facility fire or emergency evacuation, emergency power-off switches
should be provided.
D is incorrect – Risks to IPF equipment from flooding and water logging can be
controlled by use of water detectors placed under false flooring or near drain hole.
Water detectors should be placed on all unattended or unmanned facilities. Water
detectors on detecting water activate an audible alarm.
785. How are fires caused by flammable liquids and gases suppressed?
A. Water or soda acid
B. Dry powder
C. Carbon dioxide, soda acid or FM200
D. Gas based systems
KEY C
C is correct - Fires caused by flammable liquids and gases are classed as Class B and
are suppressed by Carbon Dioxide (CO2), soda acid, or FM200.
A is incorrect - Fires caused by common combustibles (like wood, cloth, paper, rubber,
most plastics) are classed as Class A and are suppressed by water or soda acid (or
sodium bicarbonate).
B is incorrect - Electrical fires are classified as Class C fires and are suppressed by
Carbon Dioxide (CO2), or FM200. Fire caused by flammable chemicals and metals (such
as magnesium and sodium) are classed as Class D and are suppressed by Dry Powder
(a special smothering and coating agent).
D is incorrect – This is a classification of suppression systems
786. Which of the following is a gas based fire suppression system?
A. Wet pipe sprinklers
B. FM 200
C. Dry pipe sprinklers
D. Pre action
KEY B
B is correct - FM200 is an inert gas, does not damage equipment as water systems do
and does not leave any liquid or solid residues, however it is not safe for humans as it
reduces the levels of oxygen.
A, C and D are incorrect – These are water based fire suppression systems
787. How does an auditor ensure that there are safeguards against the risks of
heating, ventilation and air-conditioning systems?
A. Review heating, ventilation and air-conditioning design
B. Review any shielding strategies
C. Verify critical systems and emergency power supplies
D. Interview officials and review planning documents
KEY A
A is correct - The auditor has to review the heating, ventilation and air-conditioning design
to verify proper functioning within an organization in order to ensure safeguards against
risks of heating, ventilation and air-conditioning systems.
B is incorrect – This is done to check control of radio emissions effect on computer
systems
C is incorrect – This is done to establish adequate interior security based on risk
D is incorrect – This is done to adequately protect against emerging threats
788. How does an auditor ensure that adequate environmental controls have been
implemented?
A. Interview security personnel to ensure their awareness and responsibilities
B. Verify critical systems and emergency power supplies
C. Interview staff, determine humidity, temperature and voltage are within
acceptable levels
D. Interview officials and review planning documents and review training records
and documentation
KEY C
C is correct - To ensure adequate environmental controls have been implemented, an
auditor has to: Interview managers and scrutinize that operations staff are aware of the
locations of fire alarms, extinguishers, shut-off power switches, air-ventilation
apparatus and other emergency devices.
Determine that humidity, temperature and voltage are controlled within the accepted
levels.
Check cabling, plumbing, room ceiling smoke detectors, water detectors on the floor are
installed and in proper working order.
A is incorrect – This is done to ensure that staff have been trained to react to
emergencies
B is incorrect – This is done to establish adequate interior security based on risk
D is incorrect – This is done to adequately protect against emerging threats
789. Which of the following is not a component in the information systems
infrastructure between the user and the Data Base?
A. Network operating systems
B. Application software
C. Physical documents
D. Data Base Management System
KEY C
C is correct - Physical documents do not form a component in the information systems
infrastructure between the user and the database
A, B and D are incorrect – These are components in the information systems
infrastructure which have to be subjected to appropriate means of security
790. What is the task of an auditor when evaluating the risks associated with hardware
components?
A. Consider vulnerabilities of different communication channels and devices like
workstations, peripherals etc.
B. Ensure that logical access to system software are controlled to detect changes in
system configuration
C. Evaluate the access security enforced by the DBMS
D. Focus on the effectiveness of boundary controls and I/O controls
KEY A
A is correct - Hardware includes computer workstations, terminal devices,
communication devices, peripherals etc., constituting the physical interface with the
users. Here the auditor should consider vulnerabilities of different communication
channels and devices specifically (e.g. modems, network interface cards) connected to
computers. Software
B, C and D are incorrect – These are the auditor's tasks when auditing systems
software, Database Management System and Application software respectively.
791. What are the tasks of an auditor while evaluating the vulnerabilities of a Data
Base Management System (DBMS)?
A. Evaluate access permissions configured in software
B. Evaluating the access security enforced by the DBMS
C. Ensure that logical access to system software are controlled to detect changes in
system configuration
D. Focus on the effectiveness of boundary controls and I/O controls
KEY B
B is correct - In environments involving voluminous data handling, a Database
Management System (DBMS) manages the organisation of data in the databases. The
auditor is required to evaluate the access security enforced by the DBMS, which could
include schema definitions, access to data dictionary, directory services and scripts to
restrict access implemented by the DBMS.
A, C and D are incorrect – These are the auditor's tasks when auditing application
software, systems software and access control software respectively
792. What is Masquerading?
A. Disguising or Impersonation
B. Using an unattended terminal
C. Tapping a communication cable
D. Flooding Memory buffers and communication ports
KEY A
A is correct - Masquerading means disguising or impersonation. The attacker pretends
to be an authorized user of a system in order to gain access to or to gain greater
privileges than they are authorized for. A masquerade may be attempted through the
use of stolen logon IDs and passwords, through finding security gaps in programs, or
through bypassing the authentication mechanism.
B is incorrect - Unauthorized access to information by using a terminal that is already
logged on with an authorized ID (identification) and left unattended is called
piggybacking
C is incorrect - Tapping a communication cable to collect information being transmitted
is called wire tapping
D is incorrect – In Denial of Service the perpetrator attempts to flood memory buffers
and communication ports to prevent delivery of normal services.
793. What is Phishing?
A. Requesting personal details over phone posing as an originator
B. Sending a mail posing as an originator (ex. bank) requesting to provide
information by clicking a link
C. Installing software that captures user information like login id and password
D. Specially design programs that captures and transmits information
KEY B
B is correct - Phishing: User receives a mail requesting to provide authentication
information by clicking on the link provided. The mail and link appear to come from the
actual originator, e.g. a Bank. Unaware users click on the link and provide confidential
information.
The most popular attacks on banking systems in the recent times, they target gullible
victims, using a combination of social engineering, e-mail and fake websites to con the
victim to click on a link embedded in an apparent authentic mail from a reputed bank.
The link takes the victim (generally a customer of the bank) to a look-alike Bank website
that gets the personal details of the victim including details such as PIN and internet
banking password, which is then exploited by the hacker.
A is incorrect – The above technique used over phone is called Impersonating
C is incorrect – This technique is key logging: Perpetrator installs software that
captures the key sequence used by the user, including login information. Key loggers can
be sent through mail or an infected pen drive, like a virus or other malware. There are
hardware key loggers available that are connected to the system where the keyboard is
attached.
D is incorrect – These programs are called Malware.
794. What is malicious code that attaches to a host program and propagates when
an infected program is executed?
A. Worms
B. Trojan Horses
C. Viruses
D. Logic Bombs
KEY C
C is correct - Viruses are malicious code that attaches to a host program and
propagates when an infected program is executed. The perpetrator’s objective is to
multiply and spread the code. However they are dependent on another program or
human action to replicate or to activate their payload. They are not capable of self-
actuating.
A is incorrect – Worms are malicious programs that attack a network by moving from
device to device and create undesirable traffic.
B is incorrect – These are malicious code which hides inside a host program that does
something useful. Once these programs are executed, the hidden malicious code is
released to attack the workstation, server, or network or to allow unauthorized access to
those devices.
D is incorrect – These are legitimate programs, to which malicious code has been
added. Their destructive action is programmed to “blow up” on occurrence of a logical
event such as a particular time, or a condition such as number of users, memory/disk
space usage, etc.
795. What is a macro virus?
A. A virus that infects Microsoft Word or similar applications
B. A virus that hides itself from anti virus software
C. A virus which encrypts itself and is very hard to detect
D. Software that tracks the internet activities of the user
KEY A
A is correct - A macro virus is a computer virus that "infects" a Microsoft Word or similar
application and causes a sequence of actions to be performed automatically when the
application is started or an event trigger. If a user accesses a document containing a
viral macro and unwittingly executes this macro virus, it can then copy itself into that
application's start-up files.
B is incorrect - Polymorphic viruses are difficult to detect because they hide themselves
from antivirus software by altering their appearance after each infection. Some
polymorphic viruses can assume over two billion different identities.
C is incorrect - Stealth viruses attempt to hide their presence from both the operating
system and the antivirus software by encrypting themselves. They are similar to
polymorphic viruses and are very hard to detect.
D is incorrect – These are Adware and Spyware that often come with some commercial
software, both packaged as well as shareware software. There is often a reference to
the Adware and Spyware software in the license agreement.
796. Which of the following is not a characteristic of Logic Bombs?
A. This blows up on the occurrence of a logical event
B. These are programmed to open specific ports to allow access for exploitation
C. This checks whether a particular condition has been met to execute the logic
code
D. These are very difficult to detect as its destructive information set is known only
after it is executed
KEY B
B is correct - This is the characteristic of a Trojan Horse
A, C and D are incorrect – These are the characteristics of Logic Bombs.
797. Which of the following is not a characteristic of a Macro Virus?
A. When executed unwittingly by a user, it copies itself to the applications start up
files
B. Its infection spreads to other machines on a network
C. These are relatively harmless
D. This can assume over two billion different identities
KEY D
D is correct - This is the characteristic of a polymorphic virus
A, B and C are incorrect – These are the characteristics of macro Viruses
798. User Registration is generally approved by:
A. User himself
B. IS Auditor
C. User Manager
D. System Administrator
KEY C
C is correct - User Registration is generally done based on the job responsibilities and
confirmed by User manager. This must be approved by information owner. User
registration process must answer:
• Why the user is granted the access?
• Has the data owner approved the access?
• Has the user accepted the responsibility?
A, B, and D are incorrect – These people are not authorised to approve User
Registration.
799. On what basis are access privileges assigned to a user?
A. Seniority level
B. Expertise and qualification
C. Job requirements and responsibilities
D. There is no basis. It is randomly assigned
KEY C
C is correct - Access privileges are to be aligned with job requirements and
responsibilities. These are defined and approved by the information asset owner.
A, B and D are incorrect – Access privileges cannot be assigned based on these criteria
800. In password management, how can misuse of passwords by system
administrators be prevented?
A. Force change on first login by the user
B. Secure communication of password to user
C. By generating hash while storing
D. By taking an undertaking from the system administrator
KEY A
A is correct - Force change on first login by the user so as to prevent possible misuse
by system administrators
B and C are incorrect – These are a few of the other password management functions
D is incorrect – Taking an undertaking is not an appropriate method
801. Which of the following is not mandatory for good password management?
A. All passwords should be authenticated
B. Password expiry must be managed as per policy
C. Every user’s password should be known to the user manager
D. Users have to be educated and made responsible for their password
KEY C
C is correct - It is not necessary for the user manager to know the passwords of all the
users
A, B and D are incorrect – these are some of the functions of password management
802. How is it possible to detect excess rights due to changes in responsibilities,
emergencies etc.?
A. By assigning access privileges
B. By getting the password of the user
C. By a person who has administrative privileges
D. By Periodic review of user’s access rights
KEY D
D is correct - Periodic review of users' access rights is an essential process to detect
possible excess rights due to changes in responsibilities, emergencies, and other
changes. These reviews must be conducted by the information owner, and administrators
facilitate them by providing the accesses recorded in the system.
A, B and C are incorrect – excess rights due to changes in responsibilities cannot be
detected by these methods
803. What must an IS auditor ensure while reviewing access controls related to user id
and passwords of default users with administrative privileges?
A. They can remain but it should be known to the organisation
B. These user ids should be disabled and passwords changed
C. Default users cannot have a user id or password
D. Default users should be educated about their responsibility
KEY B
B is correct - Applications, operating systems and databases purchased from a vendor
have provision for default users with administrative privileges required for
implementation and/or maintenance of the application, OS or database. The user IDs and
passwords for these users are published by the vendor, since they are required for
implementation. It is expected that these passwords are changed immediately as soon
as the system is implemented. While reviewing these access controls the IS auditor must
ensure that these user IDs are either disabled, or their passwords have been changed and
suitably controlled by the organization.
A, C and D are incorrect – None of these options will ensure protection to information
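The password management and access review controls in questions 800 to 803 above can be seen working together in the following added example. It is not part of the DISA manual; it was written for this edition, and the role matrix, the 90-day expiry, the account names and the vendor default credential are all constructed assumptions. It stores only salted PBKDF2 hashes (800 C), forces a change of the administrator-set initial password at first login (800 A), enforces expiry per policy (801 B), and runs the periodic review that detects excess rights (802 D) and vendor default accounts still enabled with their published password (803 B).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy values (assumptions for this example, not from the manual).
PASSWORD_MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 100_000

# Constructed role-to-entitlement matrix, as approved by the information owner.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"ap.invoice.read", "ap.invoice.create"},
    "ap_supervisor": {"ap.invoice.read", "ap.invoice.create", "ap.invoice.approve"},
    "dba": {"db.admin"},
}
# Constructed vendor-published default credential for a built-in administrative user.
VENDOR_DEFAULTS = {"sa": "admin"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Only a salted one-way hash is stored; the clear-text password is never kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    role: str
    grants: set
    salt: bytes
    pw_hash: bytes
    pw_set_on: datetime
    must_change: bool = True   # initial password must be replaced at first login
    enabled: bool = True


def create_account(username, role, initial_password, now):
    """Registration: grants come from the approved role; the administrator knows the
    initial password, so the user is forced to replace it before doing any work."""
    salt = os.urandom(16)
    return Account(username, role, set(ROLE_ENTITLEMENTS[role]), salt,
                   hash_password(initial_password, salt), now, must_change=True)


def login(acct, password, now):
    """Returns why a login was refused, or "ok"."""
    if not acct.enabled:
        return "disabled"
    if not hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
        return "invalid"
    if acct.must_change:
        return "change_required"
    if now - acct.pw_set_on > PASSWORD_MAX_AGE:
        return "expired"
    return "ok"


def change_password(acct, new_password, now):
    acct.salt = os.urandom(16)
    acct.pw_hash = hash_password(new_password, acct.salt)
    acct.pw_set_on = now
    acct.must_change = False


def review_access(accounts, now):
    """Periodic review: compares what the system grants with what the role approves,
    and flags vendor default accounts still enabled with their published password."""
    findings = {"excess_rights": {}, "default_accounts_open": [], "password_overdue": []}
    for a in accounts:
        extra = a.grants - ROLE_ENTITLEMENTS.get(a.role, set())
        if extra:
            findings["excess_rights"][a.username] = extra
        default_pw = VENDOR_DEFAULTS.get(a.username)
        if (default_pw is not None and a.enabled
                and hmac.compare_digest(a.pw_hash, hash_password(default_pw, a.salt))):
            findings["default_accounts_open"].append(a.username)
        if a.enabled and now - a.pw_set_on > PASSWORD_MAX_AGE:
            findings["password_overdue"].append(a.username)
    return findings


def demo():
    """Walk-through on constructed accounts; returns the outcomes the text describes."""
    t0 = datetime(2024, 1, 1)
    asha = create_account("asha", "ap_clerk", "Temp#1234", t0)
    first = login(asha, "Temp#1234", t0)                           # "change_required"
    change_password(asha, "Her0wnSecret!", t0)
    later = login(asha, "Her0wnSecret!", t0 + timedelta(days=10))  # "ok"
    asha.grants.add("ap.invoice.approve")   # emergency grant that was never revoked
    sa = create_account("sa", "dba", "admin", t0)
    sa.must_change = False                  # vendor default never rotated after go-live
    findings = review_access([asha, sa], t0 + timedelta(days=100))
    expired = login(asha, "Her0wnSecret!", t0 + timedelta(days=100))  # "expired"
    return first, later, expired, findings
```

Calling demo() walks the sequence in order: the first login is refused until the initial password is changed, the review 100 days later lists ap.invoice.approve as an excess right for asha and the sa account as still open with its vendor default, and both accounts are overdue for a password change.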
804. What is segregation of networks with respect to network access control?
A. Isolation of network from internet usage service availability
B. Aligning internet service requirements with the business need policy
C. Restriction of traffic between networks
D. Specifying the exact path or route connecting the network
KEY A
A is correct - Based on the sensitivity of the information handled (say, a VPN
connection between a branch office and the head office), such a network is to be
isolated from the internet access service available to employees.
B is incorrect - An enterprise-wide internet service requirements policy, aligned with
business needs for using internet services, is the first step for network access control.
Selection of appropriate services and approval to access them will be part of this
policy. The policy also specifies the permitted use of internet and internet-based
services while accessing the internet using the organization’s devices.
C is incorrect – This is another feature of network access control – network connection
and routing control - The traffic between networks should be restricted, based on
identification of source and authentication access policies implemented across the
enterprise network facility. The techniques of authentication and authorization as per
access policy have been implemented across the organization’s network.
D is incorrect – Enforced path - Based on risk assessment, it is necessary to specify the
exact path or route connecting the networks; for example, internet access by employees
will be routed through a firewall. The enforced path also maintains hierarchical access
levels for both internal and external user log-ins. An Internet connection exposes an
organization to the entire world. This brings up the issue of the benefits the organization
should derive along with the precautions against harmful elements.
805. Name the control which helps in auditing and tracking of transactions along with
date and time?
A. Segregation of Networks
B. Network connection and routing control
C. Clock synchronisation
D. Enforced path
KEY C
C is correct - Clock synchronization is useful control to ensure that event and audit logs
maintained across an enterprise are in synch and can be correlated. This helps in
auditing and tracking of transactions along with date and time that is uniform across
organization. In modern networks this function is centralized and automated.
A is incorrect – Segregation of Networks - Based on the sensitivity of the information
handled (say, a VPN connection between a branch office and the head office), such a
network is to be isolated from the internet access service available to employees.
B is incorrect - This is another feature of network access control – network connection
and routing control - The traffic between networks should be restricted, based on
identification of source and authentication access policies implemented across the
enterprise network facility. The techniques of authentication and authorization as per
access policy have been implemented across the organization’s network.
D is incorrect – Enforced path - Based on risk assessment, it is necessary to specify the
exact path or route connecting the networks; for example, internet access by employees
will be routed through a firewall. The enforced path also maintains hierarchical access
levels for both internal and external user log-ins. An Internet connection exposes an
organization to the entire world. This brings up the issue of the benefits the organization
should derive along with the precautions against harmful elements.
806. A user is allowed to access only those items he is authorised to access. How is
access to information prevented in an application?
A. By application specific menu interfaces
B. System Access is monitored
C. By Event logging
D. By monitoring system use
KEY A
A is correct - The access to information is prevented by application specific menu
interfaces, which limit access to system functions. A user is allowed to access only
those items he is authorized to access. Controls are implemented on the access rights
of users, for example read, write, delete and execute, and ensure that sensitive output
is sent only to authorized terminals and locations.
B is incorrect – This is a part of Sensitive system isolation - Based on the criticality of
a system in an enterprise, it may even be necessary to run the system in
an isolated environment. Monitoring system access and use is a detective control, to
check if preventive controls discussed so far are working. If not, this control will detect
and report any unauthorized activities.
C is incorrect - In Computer systems it is easy and viable to maintain extensive logs for
all types of events. It is necessary to review if logging is enabled and the logs are
archived properly. This is called event logging.
D is incorrect – Monitor system use - Based on the risk assessment, constant
monitoring of some critical systems is essential. The policy should define the types of
accesses, operations, events and alerts that will be monitored. The extent of detail and the
frequency of the review would be based on criticality of operation and risk factors. The
log files are to be reviewed periodically and attention should be given to any gaps in
these logs.
807. In operation system control, what is the use of system utilities?
A. Ensures that a particular session can be initiated from a particular location
B. Help manage critical functions of the operating system
C. Provides means to alert authorities if users are forced to execute instructions
D. Prevents unauthorised access by limiting time slot
KEY B
B is correct - System utilities are the programs that help to manage critical functions of
the operating system—for example, addition or deletion of users. Obviously, this utility
should not be accessible to a general user. Use and access to these utilities should be
strictly controlled and logged.
A is incorrect - Automated terminal identification helps to ensure that a particular
session could only be initiated from a particular location or computer terminal.
C is incorrect - Duress alarm to safeguard users: If users are forced to execute some
instruction under threat, the system should provide a means to alert the authorities. An
example could be forcing a person to withdraw money from the ATM. Many banks
provide a secret code to alert the bank about such transactions.
D is incorrect – Limitation of connection time: Define the available time slot. Do not
allow any transaction beyond this time period. For example, no computer access after
8.00 p.m. and before 8.00 a.m.—or on a Saturday or Sunday. This is useful in
preventing unauthorized accesses by authorized users.
808. Methods like Biometric Authentication or digital certificates are employed for
which aspect of operating system control?
A. Password Management
B. Terminal log on procedures
C. User identification and authentication
D. Automated terminal identification
KEY C
C is correct - User identification and authentication: The users must be identified and
authenticated in a fool proof manner. Depending on risk assessment, more stringent
methods like Biometric Authentication or Cryptographic means like Digital Certificates
should be employed.
A is incorrect - An operating system could enforce selection of good passwords. Internal
storage of password should use one-way encryption algorithms and the password file
should not be accessible to users.
B is incorrect - Terminal log-on procedures: The log-on procedure does not provide
unnecessary help or information, which could be misused by an intruder.
D is incorrect – Automated terminal identification: This will help to ensure that a
particular session could only be initiated from a particular location or computer terminal.
809. What are ‘Audit Trails’?
A. History of transactions
B. Record of system activities enabling examination of a transaction
C. Attempts to gain unauthorised access to system
D. Unauthorised privileges granted to users
KEY B
B is correct - Logs are also called ‘audit trail’. It is a record of system activities that
enables the reconstruction and examination of the sequence of events of a transaction,
from its inception to output of final results. Violation reports present significant, security-
oriented events that may indicate either actual or attempted policy transgressions
reflected in the audit trail. Violation reports should be frequently and regularly reviewed
by information owner to identify any unauthorized change or access.
A, C and D are incorrect – An audit associated with information system security
searches for these activities that are obtained from Audit trails.
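Questions 805, 807 and 809 above describe clock synchronisation, connection-time limits and system utility controls, and the audit trail with its violation report. The added example below was written for this edition and is not taken from the manual; it ties the three together. It merges constructed log lines from two hosts after correcting one host's known clock skew, shows that the uncorrected order of events differs, and then produces a violation report against a constructed policy (no logins outside 08:00 to 20:00 or on weekends, and system utilities only for named administrators). The host names, users, offsets, log format and policy values are all assumptions.

```python
from datetime import datetime, time, timedelta

# Constructed log lines from two hosts (not real logs). A constructed time-server
# report says app01's clock runs 5 minutes slow; db01 is in sync.
RAW_LOGS = {
    "app01": [
        "2024-03-09 20:27:10 LOGIN user=rkumar terminal=T17 result=success",
        "2024-03-09 20:28:02 EXEC user=rkumar utility=useradd",
    ],
    "db01": [
        "2024-03-09 20:32:40 LOGIN user=rkumar terminal=T17 result=success",
        "2024-03-09 20:34:05 QUERY user=rkumar table=payroll rows=1200",
        "2024-03-11 09:05:00 LOGIN user=asha terminal=T02 result=success",
    ],
}
CLOCK_OFFSET = {"app01": timedelta(minutes=5), "db01": timedelta(0)}

# Constructed policy: no access before 08:00, after 20:00, or on weekends (cf. 807 D),
# and system utilities may only be run by these administrative users (cf. 807 B).
WINDOW_START, WINDOW_END = time(8, 0), time(20, 0)
ADMINS = {"sysadm"}


def parse_line(host, line, offsets):
    """Parse one audit-trail line and correct its timestamp by the host's known skew."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S") + offsets[host]
    event, *pairs = line[20:].split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"time": ts, "host": host, "event": event, **fields}


def build_trail(raw_logs, offsets):
    """Merge the per-host logs into one sequence ordered by corrected time."""
    events = [parse_line(h, ln, offsets) for h, lines in raw_logs.items() for ln in lines]
    return sorted(events, key=lambda e: e["time"])


def event_sequence(trail):
    return [(e["host"], e["event"]) for e in trail]


def uncorrected_sequence(raw_logs):
    """The timeline as it looks if each host's clock is taken at face value."""
    return event_sequence(build_trail(raw_logs, {h: timedelta(0) for h in raw_logs}))


def in_window(ts):
    return ts.weekday() < 5 and WINDOW_START <= ts.time() < WINDOW_END


def find_violations(trail, admins=ADMINS):
    """Violation report: events in the audit trail that breach the access policy."""
    report = []
    for e in trail:
        stamp = e["time"].strftime("%Y-%m-%d %H:%M:%S")
        if e["event"] == "LOGIN" and not in_window(e["time"]):
            report.append((stamp, e["host"], f"login by {e['user']} outside permitted hours"))
        if e["event"] == "EXEC" and e["user"] not in admins:
            report.append((stamp, e["host"],
                           f"system utility {e['utility']} run by non-administrator {e['user']}"))
    return report


if __name__ == "__main__":
    trail = build_trail(RAW_LOGS, CLOCK_OFFSET)
    for e in trail:
        print(e["time"], e["host"], e["event"], e.get("user"))
    for v in find_violations(trail):
        print("VIOLATION", *v)
```

With the skew corrected, the login on db01 falls between the login on app01 and the useradd run on app01, which is the order an investigator needs; taken at face value the app01 events would appear to precede everything on db01. The weekday morning login by asha is within policy and does not appear in the report.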
810. What is authentication with regard to Access Control Mechanism?
A. Process by which user provides a claimed identity
B. Process by which a user is allowed to perform a pre determined set of actions
C. Prevention of unauthorised access by a user
D. Mechanism through which user’s claim is verified
KEY D
D is correct - Authentication is a mechanism through which the user’s claim is verified.
A is incorrect - The process by which a user provides a claimed identity to the system,
such as an account number, is called identification
B is incorrect - The authenticated user is allowed to perform a pre-determined set of
actions on eligible resources. This is called authorisation
C is incorrect – The primary function of access control is to allow authorized access and
prevent unauthorized access to information resources in an organization.
811. A physical/biometric comparison falls under which category of authentication
factor?
A. Something the user is
B. Something the user knows
C. Something the user has
D. Two factor authentication
KEY A
A is correct - Finger print, Biometric templates etc. come under this category
B is incorrect – Password, PIN entry etc. come under this category
C is incorrect – Identification Badge, Smart card, Bank card etc. come under this
category
D is incorrect – Two-factor or dual factor authentication uses two factors and the three-
factor authentication uses all the three factors.
812. Which is the authentication technique which allows the password to be based on
changing input rather than just time?
A. Passwords
B. Challenge response
C. PIN’s
D. One time passwords

334
Protection of Information Assets

KEY B
B is correct - An alternative to one-time passwords is challenge response schemes.
Instead of having the device just blindly generate a password, a user identifies himself
to the server, usually by presenting his user ID. The server then responds with a
challenge, which is usually a short phrase of letters and numbers. The user types the
challenge into the device and, based on the challenge, the device responds with an
output. The user then types that output in as his password to the server. This scheme is
slightly more complicated, but it allows the password to be based on changing input
rather than just time.
A is incorrect - Passwords are the most common authentication technique and depend on
remembered information. The user first identifies himself with his login ID and then
supplies the password. If the system finds a matching record and both fields agree, it
authenticates the user and grants access to resources according to the authorisation
matrix; if not, it returns a message such as "Invalid user or password" and access is
refused. The input is fixed, not changing.
C is incorrect - A PIN is a type of password, usually a 4-digit numeric value, used in
certain systems to gain access and authenticate. A PIN should not be guessable by a
person or a computer in a reasonable time using a guess-and-check method, i.e. guessing
a PIN, testing it against the system being attacked and repeating with a different guess
until access is obtained. PINs are commonly used to gain access to Automated Teller
Machines (ATMs).
D is incorrect – One-time passwords solve the problems of user-chosen passwords. Each
time the user logs on he is given a new password; even if an attacker intercepts it, it
cannot be reused because it is good for one session and for a limited, predetermined
period only. For example, the one-time password a bank sends to a user's registered
mobile for an online card transaction is valid for only 10 minutes. One-time passwords
typically come from a small hardware device or software that generates a new password
each time. The server runs the same software, so when the user types in his password
the server can confirm whether it is correct. Each time the user logs on he has a new
password, so it is much more secure; but because the value depends on time rather than
on a challenge from the server, it is not the technique the question describes.
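As an added illustration (not part of the original manual) of the difference between a challenge-response scheme and a time-based one-time password, the following Python code plays both sides of each exchange. The shared secret, the 8-digit truncation of the response and the 30-second window for the time-based code are assumed values chosen for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed secret, assumed to have been provisioned into both the user's
# token device and the server at enrolment.
SHARED_SECRET = b"demo-token-secret-0001"


def server_issue_challenge() -> str:
    """Server side: a fresh, unpredictable challenge for this logon attempt."""
    return secrets.token_hex(8)


def token_response(secret: bytes, challenge: str) -> str:
    """Token side: the output depends on the challenge, not on the clock.
    HMAC-SHA256 over the challenge, truncated to 8 digits for manual entry."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def server_verify(secret: bytes, challenge: str, response: str) -> bool:
    """Server recomputes the expected response for the challenge it issued."""
    expected = token_response(secret, challenge)
    return hmac.compare_digest(expected, response)


def time_based_otp(secret: bytes, now: float, step: int = 30) -> str:
    """Contrast: a time-based OTP is a function of the current time window only,
    so the same value is valid for every logon inside that window (30 s here)."""
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    return f"{(int.from_bytes(mac[:4], 'big') & 0x7FFFFFFF) % 10**6:06d}"


def replay_attempt() -> dict:
    """An attacker captures a valid (challenge, response) pair and replays the
    response at the next logon. The server issued a new challenge, so the
    replayed response no longer matches."""
    c1 = server_issue_challenge()
    r1 = token_response(SHARED_SECRET, c1)
    genuine = server_verify(SHARED_SECRET, c1, r1)
    c2 = server_issue_challenge()
    replayed = server_verify(SHARED_SECRET, c2, r1)
    return {"genuine_logon": genuine, "replay_accepted": replayed}


if __name__ == "__main__":
    print(replay_attempt())
    # Two instants in the same 30-second window give the same time-based code.
    print(time_based_otp(SHARED_SECRET, 990.0), time_based_otp(SHARED_SECRET, 1019.0))
```

The point the code makes is the one the answer explanation states: with challenge-response the server chooses the changing input, so a captured response is useless against the next challenge, whereas a time-based code remains valid until the window expires.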
813. What is the attacking technique in which the attacker uses a malicious software to
steal passwords and other information?
A. Trojan attack
B. Brute force

335
DISA Review Questions, Answers Manual

C. Dictionary attack
D. Spoofing attack
KEY A
A is correct - Trojan: malicious software which the attacker can use to steal access
control lists, passwords or other information.
B is incorrect - In this crude form of attack, the attacker tries out every possible
combination to hit on the successful match. The attacker may also use various
password cracking software that assist in this effort.
C is incorrect - Dictionary attack: On the similar lines as brute force, this type of attack
is based on the assumption that users tend to use common words as passwords, which
can be found in a dictionary, hence the name. The “dictionary” simply consists of a list
of words, including proper names (Raju, Ramesh, Ibrahim, etc.) and also that of
mythological or religious names (Krishna, Jesus, Osiris, Buddha, etc.).
D is incorrect – Spoofing attacks: In this technique, the attacker plants a Trojan
program, which masquerades as the system’s logon screen, gets the logon and
password information and returns control to the genuine access control mechanism.
Once the information is obtained, the attacker uses the information to gain access to
the system resources.
814. Automatic log out after a predetermined period of inactivity is a technique used
against which type of attack?
A. Spoofing attacks
B. Dictionary attacks
C. Piggy backing
D. Trojan attack
KEY C
C is correct - Piggybacking: As stated earlier, an unauthorised user may wait for an
authorised user to log in and leave a terminal unattended, then use the open session. The
logical techniques used against this attack are to log out the session automatically after
a pre-determined period of inactivity or to use password-protected screen savers.
A, B and D are incorrect – Other techniques are used against these attacks; an inactivity
timeout does not stop a spoofed logon screen, a dictionary attack or a Trojan.
815. Which of the following is the feature of a Smart token only?
A. Contains information such as name, identification no, photograph etc
B. Contains a magnetic strip which stores information

C. The user is required to key in remembered information
D. Contains a processor chip which enables storing dynamic information
KEY D
D is correct - Smart Tokens: In this case, the card or device contains a small processor
chip which enables storing dynamic information on the card. Besides static information
about the user, the smart tokens can store dynamic information such as bank balance,
credit limits etc., however the loss of such smart cards can have more serious
implications.
A, B and C are incorrect – These are features of memory tokens as well, not of smart tokens only
816. In which of the following tokens does the card contain a bar code which is read
when brought in proximity to the reader device?
A. Processor based proximity reader
B. Smart tokens
C. Static proximity reader
D. Memory tokens
KEY C
C is correct - In static tokens, the card contains a bar code, which has to be brought in
proximity of the reader device.
A is incorrect – In case of processor based tokens, the token device, once in the range
of the reader, senses the reader and transmits a series of codes to the reader.
B is incorrect - In this case, the card or device contains a small processor chip which
enables storing dynamic information on the card.
D is incorrect – In its most common form, the cards contain visible information such as
name, identification number, photograph and such other information about the user and
also a magnetic strip.
817. In Biometrics, what is the Crossover Error rate (CER)?
A. A very low FRR
B. The point at which FRR equals FAR
C. A very high FAR
D. The point at which FAR and FRR are zero

KEY B
B is correct - An overall metric used is the Crossover Error Rate (CER) which is the
point at which FRR equals FAR.
A, C and D are incorrect – The False Rejection Rate (FRR) is the rate at which a rightful
user is wrongly rejected, and the False Acceptance Rate (FAR) is the rate at which an
unauthorised user is wrongly authenticated as a rightful one. Ideally a system should have
both a low FRR and a low FAR. Most biometric systems have a sensitivity level that can be
tuned: the more sensitive (stricter) the system, the lower the FAR and the higher the FRR,
so FRR and FAR tend to be inversely related. The CER is the single operating point at which
they are equal; it is not "a very low FRR" or "a very high FAR" on its own, and it is not a
point at which both are zero.
818. Which of the following is not a function of the operating system?
A. Provides independent user and access privilege management mechanism
B. Supports execution of applications and enforces any security constraints defined
at that level
C. Isolates processes from each other and protects permanent data stored in its
files
D. Provides controlled access to shared resources
KEY A
A is correct - This is not the function of an operating system, this is the function of an
application
B, C and D are incorrect – These are the functions of an operating system
819. The flexibility of a Pluggable authentication module allows to:
A. Execute applications and support any security constraints
B. Use multiple authentications for a given service
C. Provide controlled access to shared resources
D. Use physiological and behavioral characteristics to identify user
KEY B
B is correct - Applications enabled to make use of PAM can be plugged in to new
technologies without modifying the existing applications. This flexibility allows
administrators to do the following:
• Select any authentication service on the system for an application
• Use multiple authentication mechanisms for a given service
• Add new authentication service modules without modifying existing applications

• Use a previously entered password for authentication with multiple modules
• Use a general authentication scheme independent of the authentication mechanism
A and C are incorrect – These are functions of an operating system
D is incorrect – This is the identification technique of biometrics
820. Most operating systems have at least three types of file permissions: read, write
and execute. The least access that have to be given to users is:
A. Write
B. Execute
C. Read
D. Read and Write
KEY C
C is correct - The users have to be given at least read access to many of the system
files.
A, B and D are incorrect – These accesses are given only to authorised users.
821. When a system receives a request, how does it determine access rights for the
particular request?
A. By authenticating the password entered by the user
B. By using the access matrix
C. By consulting a hierarchy of rules in the Access Control List
D. By a challenge response
KEY C
C is correct - Access control enables one to protect a system or part of the system
(directories, files, file types, etc.). When the system receives a request, it determines
access by consulting a hierarchy of rules in the ACL.
A is incorrect – This is an authentication technique; it establishes who the requester is,
not what the requester may do.
B is incorrect – The access matrix is the abstract model of subjects, objects and rights;
at request time the system consults an ACL, which corresponds to one column of that matrix.
D is incorrect – This is an authentication technique.
822. What does an Access Control Entry in an ACL consist of?
A. Name of the database and its path
B. Name of the user and his reporting structure

C. Name of the user and his group or role
D. Name of users and their access privileges
KEY D
D is correct - ACL has one or more access control entries (ACEs), each consisting of
the name of a user or a group of users. The user can also be a role name, such as
programmer or tester. For each of these users, groups, or roles, the access privileges
are stated in a string of bits called an access mask. Generally, the system administrator
or the object owner creates the access control list for an object.
A, B and C are incorrect – These are not the constituents of an Access Control Entry
823. The core objective of an IdM system in a corporate setting is:
A. One identity per individual
B. One user per database
C. One role per individual
D. One user one group
KEY A
A is correct - The core objective of an IdM system in a corporate setting is: one identity
per individual. And once that digital ID has been established, it has to be maintained,
modified and monitored throughout what is called the "User access lifecycle."
B, C and D are incorrect – these are not the objectives of an IdM system.
824. Which of the following does not form a part of Identity Management?
A. Controls User Access Provisioning Lifecycle
B. Maintains the identity of a user and actions they are authorised to perform
C. Determines which user can access which resource
D. Manages descriptive information about the user
KEY C
C is correct - Deciding which user may access which resource is the job of access control
policies (authorisation), not of Identity Management.
A, B and D are incorrect – These are the tasks of Identity Management
825. System administrators/Network Administrators who have the powers to create or
amend user profiles are:
A. Privileged users
B. Administrative users

C. Special users
D. Maintenance users
KEY A
A is correct - Privileged user is a user who has been allocated powers within the
computer system, which are significantly greater than those available to the majority of
users. Such persons will include, for example, the system administrator(s) and Network
administrator(s) who are responsible for keeping the system available and may need
powers to create new user profiles as well as add to or amend the powers and access
rights of existing users.
B, C and D are incorrect – There are no such user categories
826. A privileged user can use the user account that has privileged access for only:
A. Normal business use
B. Non privileged activities
C. Privileged activities
D. Logging in to a system
KEY C
C is correct - A user account that has privileged access is to be used only for privileged
activities. Privileged users should be required to create strong passwords comprising
letters, numbers and special characters, and the privileged account should have a unique
password that is different from all other accounts accessed by the user.
A, B and D are incorrect – All users who have access to privileged accounts should be
assigned their own user ID for normal business use and must use that personal user ID for
non-privileged activities. Wherever possible the user must log in to a system with the
personal user ID before invoking a privileged account.
827. What is a ‘back door’ or ‘trap door’?
A. Flaw that allows data to circumvent the encryption process
B. Bypass which is a means of access for authorised access
C. Flaw that allows an attacker to circumvent security mechanisms
D. Mechanism put in place by an attacker
KEY B
B is correct - A bypass that is purposefully put in place as a means of access for
authorized users is called a back door or a trap door.

A is incorrect - A flaw that allows data to circumvent the encryption process and escape,
unencrypted, as plaintext is a crypto bypass.
C and D are incorrect – These describe a bypass in general, or one planted by an attacker,
rather than the deliberately installed means of access defined above.
828. What are the rows of an access control matrix called?
A. Access Control lists
B. Subjects
C. Objects
D. Capability lists
KEY D
D is correct - the rows are called capability lists.
A, B and C are incorrect – A subject is an active entity that is seeking rights to a
resource or object. A subject can be a person, a program, or a process. An object is a
passive entity, such as a file or a storage resource. The columns of the access matrix
are called Access Control Lists (ACLs)
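The following Python example, added here and not drawn from the manual, builds a small access control matrix and derives from it the ACL of an object (a column) and the capability list of a subject (a row), tying together questions 821, 822 and 828. Subjects, objects, group membership and rights are constructed for the illustration; evaluating explicit deny entries before allow entries, and defaulting to no access when no entry exists, are the conventions this example adopts.

```python
from enum import IntFlag


class Perm(IntFlag):
    """Bits of an access mask."""
    NONE = 0
    READ = 1
    WRITE = 2
    EXECUTE = 4


# Constructed access control matrix: rows are subjects (users, groups or
# roles), columns are objects, cells are access masks.
MATRIX = {
    "alice":   {"payroll.db": Perm.READ | Perm.WRITE, "report.txt": Perm.READ},
    "bob":     {"report.txt": Perm.READ | Perm.WRITE, "backup.sh": Perm.EXECUTE},
    "testers": {"backup.sh": Perm.READ | Perm.EXECUTE},
}
# Group / role membership: carol has no entries of her own but is a tester.
MEMBERSHIP = {"carol": ["testers"]}
# Explicit deny entries, evaluated before any allow entry (the "hierarchy of rules").
DENY = {"carol": {"backup.sh": Perm.EXECUTE}}


def acl(matrix: dict, obj: str) -> dict:
    """One column of the matrix: the ACL of an object, one ACE per principal."""
    return {subject: row[obj] for subject, row in matrix.items() if obj in row}


def capability_list(matrix: dict, subject: str) -> dict:
    """One row of the matrix: every object the subject holds rights on."""
    return dict(matrix.get(subject, {}))


def effective_mask(subject: str, obj: str) -> Perm:
    """Union of the subject's own ACE and those of its groups/roles, minus any
    explicit deny. A missing ACE contributes nothing, so the default is NONE."""
    allowed = Perm.NONE
    denied = Perm.NONE
    for principal in [subject, *MEMBERSHIP.get(subject, [])]:
        allowed |= MATRIX.get(principal, {}).get(obj, Perm.NONE)
        denied |= DENY.get(principal, {}).get(obj, Perm.NONE)
    return Perm(int(allowed) & ~int(denied))


def is_authorised(subject: str, obj: str, requested: Perm) -> bool:
    """Grant only if every requested bit is present in the effective mask."""
    return (effective_mask(subject, obj) & requested) == requested


if __name__ == "__main__":
    print("ACL of report.txt:", acl(MATRIX, "report.txt"))
    print("Capabilities of bob:", capability_list(MATRIX, "bob"))
    print("carol may execute backup.sh:", is_authorised("carol", "backup.sh", Perm.EXECUTE))
```

Reading the same table by column gives the ACL stored with each object; reading it by row gives the capability list carried by each subject. Either view answers the same question, but the ACL view is what an operating system consults when a request arrives for a particular object.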
829. What is the major concern of using group/generic ids?
A. Fixing accountability of actions to individual
B. It needs special approval
C. It is not allowed in ERP packages
D. It is not wise to share user id with others
KEY A
A is correct - The main concern with group IDs is that actions cannot be attributed to an
individual, so accountability is lost.
B, C and D are incorrect – These are conditions that have to be met if group/generic IDs
are used at all, not the underlying concern.
830. What is the specialty of a Single Sign On session?
A. User ids and passwords are shared among select users
B. A single user id and password to log on to all required applications
C. Verifies that the users are whoever they claim to be
D. Verifies that the network components used by the users are within their
permission profile

KEY B
B is correct - In SSO, a user provides one ID and password per work session and is
automatically logged on to all the required applications.
A is incorrect - A user ID and its password are shared among select users when
generic/group IDs are used; SSO does not share credentials.
C and D are incorrect – These are the features of Kerberos
831. What is the function of Active Directory (AD) domain controller?
A. Accesses and maintains distributed directory information services over an
Internet Protocol network
B. Plays an important role in developing intranet and internet applications by
allowing the sharing of information by users
C. Authenticates and authorises all users and computers in a Windows domain type
network
D. Verifies that users are who they claim to be and the network components they
use are within their profile
KEY C
C is correct - AD is a directory service implemented by Microsoft for Windows domain
networks. It is included in most Windows Server operating systems. An AD domain
controller authenticates and authorizes all users and computers in a Windows domain
type network—assigning and enforcing security policies for all computers and installing
or updating software.
A and B are incorrect - The Lightweight Directory Access Protocol (LDAP) is an open,
vendor-neutral, industry-standard application protocol for accessing and maintaining
distributed directory information services over an Internet Protocol (IP) network.
Directory services play an important role in developing intranet and Internet applications
by allowing the sharing of information about users, systems, networks, services, and
applications throughout the network.
D is incorrect – This is the primary use of Kerberos - to verify that users are who they
claim to be and the network components they use are contained within their permission
profile.
832. Which authentication mechanism issues ‘tickets’ which have a limited life span
and are stored in the users credential cache?
A. AD
B. LDAP

C. Kerberos
D. DNS
KEY C
C is correct - The primary use of Kerberos is to verify that users are who they claim to
be and the network components they use are contained within their permission profile.
To accomplish this, a trusted Kerberos server issues “tickets” to users. These tickets
have a limited life span and are stored in the user’s credential cache.
A, B and D are incorrect – when a user logs into a computer that is part of a Windows
domain, Active Directory checks the submitted password and determines whether the
user is a system administrator or normal user. Active Directory makes use of
Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of
Kerberos, and DNS.
833. Which of following is an advantage of Single Sign On?
A. Easier administration of changing or deleting passwords
B. It can avoid a potential single point of failure issue
C. Maintaining SSO is easy as it is not prone to human errors
D. It protects network traffic
KEY A
A is correct - The advantages of SSO include the ability to use stronger passwords, easier
administration of changing or deleting passwords, and less time needed to access resources.
B is incorrect – SSO concentrates authentication in one place and so creates, rather than
avoids, a potential single point of failure.
C and D are incorrect – These are not advantages of SSO. Maintaining SSO is a tedious
process and it is prone to human errors. It does not protect network traffic.
834. In a SSO system, once a user’s identity and authentication is established, on what
basis are access criteria determined?
A. All identified users are granted access
B. Based on Roles, groups or network location
C. All authenticated users are granted access
D. It is not necessary to establish identity or authenticity
KEY B
B is correct - Once a user’s identity and authentication are established, authorization
levels determine the extent of system rights that a user can hold.

Access criteria types can be broken up into:
• Roles
• Groups
• Physical or logical (network) location
• Time of day
• Transaction type
A, C and D are incorrect – Only after identity and authenticity is established,
authorisation comes into play
835. In a Single Sign On system, all access criteria should default to:
A. No access
B. Full access
C. Granting access to all identified users
D. Granting access to all authenticated users
KEY A
A is correct - All access criteria should default to “no access” and authorizations should
be granted on need to know basis.
B, C and D are incorrect – Just because a subject has been identified and authenticated
does not automatically mean they have been authorized. It is possible for a subject to
be logged onto a network (i.e., identified and authenticated) but be blocked from
accessing a file or printing to a printer (i.e., by not being authorized to perform that
activity). Most users are authorized to perform only a limited number of activities on a
specific collection of resources. Identification and authentication are all-or-nothing
aspects of access control. Authorization has a wide range of variations between all or
nothing for each individual object within the environment. A user may be able to read a
file but not delete it, print a document but not alter the print queue, or log onto a system
but not access any resources.
836. What should an access control mechanism ensure?
A. Subjects should be identified before they are granted access
B. All subjects that are authenticated should be authorised to access objects
C. All Objects can be accessed by authorised subjects
D. Subjects gain access to objects only if they are authorised to

KEY D
D is correct - The access control mechanism should ensure that subjects gain access to
objects only if they are authorized to.
A, B and C are incorrect – Subjects in an operating system are the (active) entities that
interact with the system and use its resources, for example a user or a process. Objects
are the entities of the operating system that subjects access (request), such as files.
Identifying or authenticating a subject, or the mere existence of authorised subjects for
an object, does not by itself authorise a particular access; the mechanism must check that
this subject is authorised for this object.
837. This is a multi-level secure access control which defines a hierarchy of levels of
security.
A. Discretionary Access Control
B. Mandatory Access Control
C. Role Based Access Control
D. Database Access Control
KEY B
B is correct - Mandatory Access Control- It is a multi-level secure access control
mechanism. It defines a hierarchy of levels of security. A security policy defines rules by
which the access is controlled.
A is incorrect - In this type of access control, every object has an owner. The owner
(subject) grants access to his resources (objects) for other users and/or groups.
C is incorrect - In role based systems, users get assigned roles based on their functions
in that system.
D is incorrect – This is not a type of access control mechanism
838. Which of the following is a feature of Role Based Access Control?
A. Multilevel secure access control mechanism
B. The Matrix defines the whole state of the system
C. Systems are centrally administered and are nondiscretionary
D. Access control lists are used to store the rights with object
KEY C
C is correct - Role Based Access Control- In some environments, it is problematical to
determine who the owner of resources is. In role based systems, users get assigned
roles based on their functions in that system. These systems are centrally administered,
they are nondiscretionary. An example is a hospital.

A is incorrect – This is the feature of Mandatory Access Control
B and D are incorrect – These are the features of discretionary access control
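To make the three mechanisms in questions 837 and 838 concrete, here is a small added Python example (an illustration, not code from the manual). The levels, users, roles and objects are constructed. For MAC the example adopts, as the "security policy" that the manual says must define the rules, the classic confidentiality rules: read only at or below one's clearance and write only at or above it.

```python
# --- Mandatory Access Control: a hierarchy of levels plus a policy rule -------
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_permits(clearance: str, classification: str, op: str) -> bool:
    """Policy assumed for the example (classic confidentiality rules):
    read only if the clearance dominates the object's level ('no read up'),
    write only to the subject's own level or higher ('no write down')."""
    c, o = LEVELS[clearance], LEVELS[classification]
    if op == "read":
        return c >= o
    if op == "write":
        return c <= o
    raise ValueError(f"unknown operation {op!r}")


# --- Discretionary Access Control: every object has an owner who grants -------
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.grants = {}  # subject -> set of rights granted by the owner

    def grant(self, by: str, to: str, right: str) -> None:
        """Only the owner may hand out rights on the object."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own this object")
        self.grants.setdefault(to, set()).add(right)

    def permits(self, subject: str, right: str) -> bool:
        return subject == self.owner or right in self.grants.get(subject, set())


# --- Role Based Access Control: users -> roles -> permissions, centrally set --
# Constructed hospital example, as the manual uses a hospital for RBAC.
ROLE_PERMISSIONS = {
    "doctor": {"read_record", "write_record"},
    "nurse": {"read_record"},
    "billing": {"read_invoice", "write_invoice"},
}
USER_ROLES = {"dr_rao": {"doctor"}, "sister_m": {"nurse"}, "clerk": {"billing"}}


def rbac_permits(user: str, permission: str) -> bool:
    """No owner is consulted; the central role table decides (non-discretionary)."""
    return any(permission in ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, set()))


def assign_role(user: str, role: str) -> None:
    """Administrative change: one table edit re-provisions the user."""
    if role not in ROLE_PERMISSIONS:
        raise KeyError(role)
    USER_ROLES.setdefault(user, set()).add(role)


if __name__ == "__main__":
    print("secret reads public:", mac_permits("secret", "public", "read"))
    print("secret writes internal:", mac_permits("secret", "internal", "write"))
    doc = DacObject("alice")
    doc.grant("alice", "bob", "read")
    print("bob reads alice's file:", doc.permits("bob", "read"))
    print("nurse writes record:", rbac_permits("sister_m", "write_record"))
```

The contrast the questions draw is visible in who decides: in MAC the level hierarchy and policy decide and no user can override them; in DAC the owner decides per object; in RBAC an administrator decides once per role and users inherit the result.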
839. Access to database can be controlled through permission settings. On what basis
is this permission system designed?
A. Principle of least privileges
B. Permissible values or limits
C. Approval by data owner
D. Access levels
KEY D
D is correct - Each database has its own customisable permission system, and that system
is based on access levels.
A and B are incorrect – A relational database works on the principles of tables and
relations and allows rules of integrity and access to be specified. The principle of least
privilege for data items can be enforced with views rather than direct table reads, and
such rules can be restricted by a range of parameters such as permissible values or limits.
C is incorrect - Access to a database can be discretionary, based on approval by the data
owner (usually the business process owner who is accountable for the data stored in the
database).
840. What permissions does a user with ‘Manage’ access level have with regard to a
database?
A. View, Edit, Add and delete
B. View, add, edit and delete (only information added by them)
C. View, Edit, Add, Delete and change database design
D. Only view
KEY C
C is correct - Users can view, edit, add, and delete any information in the database and
any aspect of the database design. They can also export any information to a file, and
import information from a file. A member who has Manage access is called a Database
Manager. This is a powerful permission level, so use it carefully.
A, B and D are incorrect – Access levels are ‘Edit’, ‘Read and Add (own records only)’
and ‘Read’ respectively
841. When access to database is controlled through application software, how is
maintenance of database done?

A. Users are granted access for maintenance
B. Direct access is granted to DBA
C. Direct access is granted to system administrator
D. User managers are granted access
KEY B
B is correct - Direct access at the database level (sometimes called backend access) is
then restricted to database administrators (DBAs) for maintenance work. It is also possible
to restrict the DBA from reading the data itself.
A, C and D are incorrect – When access to the database is controlled through the
application, only DBAs have direct access.
842. What is user access to applications with respect to their job responsibilities or
logical access control called?
A. User Password Management
B. Equipment Management
C. Privilege Management
D. Network Management
KEY C
C is correct - Privilege management is the granting and review of access to applications in
line with each user's job responsibilities. It includes control of privileged users: a
privileged user is one who has been allocated powers within the computer system
significantly greater than those available to the majority of users, for example the system
administrator(s) and network administrator(s) who are responsible for keeping the system
available and may need powers to create new user profiles and to add to or amend the
powers and access rights of existing users.
A, B and D are incorrect – These are other aspects of access control
843. Which of the following operating system access control ensures a particular
session is initiated from a particular location or computer terminal?
A. Automated Terminal Identification
B. Terminal Log On Procedures
C. Password Management System
D. User identification and Authentication

KEY A
A is correct - Automated terminal identification: This will help to ensure that a
particular session could only be initiated from a particular location or computer terminal.
B is incorrect – Terminal log-on procedures: The log-on procedure does not provide
unnecessary help or information, which could be misused by an intruder.
C is incorrect – Password management system: An operating system could enforce
selection of good passwords. Passwords should be stored internally in one-way (hashed)
form only, and the password file should not be accessible to users.
D is incorrect – User identification and authentication: The users must be identified
and authenticated in a fool proof manner. Depending on risk assessment, more
stringent methods like Biometric Authentication or Cryptographic means like Digital
Certificates should be employed.
844. Which of the following is a process by which a user provides a claimed identity to
access a system?
A. User Authorisation
B. User Registration
C. User Identification
D. User logging
KEY C
C is correct - Identification: Identification is a process by which a user provides a
claimed identity to the system such as an account number.
A is incorrect – Authorization: The authenticated user is allowed to perform a pre-
determined set of actions on eligible resources.
B and D are incorrect - These are not part of the three-step process of the access control
mechanism
845. What are the three steps in the process of access control mechanism?
A. Authorisation, information and identification
B. Synchronisation, verification and authentication
C. Identification, authentication and authorisation
D. Synchronisation, identification and authentication

KEY C
C is correct - Access control mechanism is actually a three step process – identification,
authentication and authorisation
A, B and D are incorrect – these are not the steps involved in access control
mechanism
846. In _________ authentication techniques, the system authenticates the user and
enables access to resources based on the authorisation matrix.
A. Token or smart card
B. Password
C. Biometric comparison
D. Personal Identification Number (PIN)
KEY B
B is correct – In password authentication technique, once the system is able to locate
the match and is successful for both fields, the system authenticates the user and
enables access to resources based on the authorization matrix
A, C and D are incorrect – These are other types of authentication techniques
847. Which of the following is the weakness of the password logon mechanism?
A. Periodic changing of password
B. Encrypted password
C. Repeated use of the same password
D. One user one password
KEY C
C is correct - Repeated use of the same password makes it vulnerable to attacks
A, B and D are incorrect – these are techniques that protect passwords
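As an added example for the password controls in questions 843 and 847 (one-way storage of passwords, and the weakness of reusing the same password), the following Python code stores only salted PBKDF2 digests and keeps a short per-user history so a user cannot change back to a recent password. It is not code from the manual; the iteration count and history depth are assumed demonstration values, and a production policy would use a higher work factor.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 100_000   # assumed demo work factor; production policies use more
HISTORY_DEPTH = 5      # assumed: the current digest plus four previous ones


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """One-way: returns (salt, digest). The password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordStore:
    """Per user: a list of (salt, digest), newest first. Only the first entry is
    the live credential; the older ones exist solely to block reuse."""

    def __init__(self) -> None:
        self.records: Dict[str, List[Tuple[bytes, bytes]]] = {}

    def set_password(self, user: str, new_password: str) -> None:
        history = self.records.get(user, [])
        for salt, digest in history:
            if verify_password(new_password, salt, digest):
                raise ValueError("password was used recently; choose a different one")
        self.records[user] = [hash_password(new_password)] + history[: HISTORY_DEPTH - 1]

    def check(self, user: str, password: str) -> bool:
        if user not in self.records:
            # Spend the same effort for unknown users so the response time
            # does not reveal which user IDs exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, digest = self.records[user][0]
        return verify_password(password, salt, digest)


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("rekha", "Correct-Horse-7")
    print("logon ok:", store.check("rekha", "Correct-Horse-7"))
    try:
        store.set_password("rekha", "Correct-Horse-7")
    except ValueError as exc:
        print("reuse blocked:", exc)
```

Each history entry keeps its own random salt, so checking a proposed new password against the history costs one PBKDF2 computation per remembered digest; that is the price of being unable to compare stored values directly, which is exactly what one-way storage is meant to guarantee.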
848. _________________ is defined as automated mechanism, which uses
physiological and behavioral characteristics to determine or verify identities.
A. Biometrics
B. Plastic cards
C. Logon/password systems
D. Smart Cards

KEY A
A is correct - Biometrics as the name suggests is based on certain physical
characteristics or behavioral patterns identified with the individual, which are
measurable. The International Biometric Group defines biometrics as automated
mechanism which uses physiological and behavioral characteristics to determine or
verify identity and further explains that the physiological biometrics are based on
measurements and data derived from direct measurement of a part of the human body.
B, C and D are incorrect – These are other types of authentication techniques
849. What is/are the error(s) caused by biometrics due to the complexity of data?
A. False Rejection Rate (FRR)
B. False Acceptance Rate (FAR)
C. Crossover Error Rate (CER)
D. FRR and FAR
KEY D
D is correct - However due to the complexity of data, biometrics suffer from two types of
error viz. False Rejection Rate (FRR) which is wrongfully rejecting a rightful user and
False Acceptance Rate (FAR) which involves an unauthorized user being wrongfully
authenticated as a right user.
A and B incorrect – False Rejection Rate (FRR) which is wrongfully rejecting a rightful
user and False Acceptance Rate (FAR) which involves an unauthorized user being
wrongfully authenticated as a right user.
C is incorrect - An overall metric used is the Crossover Error Rate (CER) which is the
point at which FRR equals FAR.
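The following Python code, added as an illustration for questions 817 and 849 and not taken from the manual, sweeps the acceptance threshold of a biometric matcher over constructed genuine and impostor score samples, computes FAR and FRR at each threshold and locates the crossover. The score distributions are synthetic (fixed-seed Gaussians), and the convention "accept when score >= threshold" is an assumption of the example.

```python
import random
from typing import List, Tuple


def make_samples(n: int = 500, seed: int = 7) -> Tuple[List[float], List[float]]:
    """Constructed matcher scores: genuine comparisons score high, impostor
    comparisons score low, with enough overlap that neither error can be zero."""
    rng = random.Random(seed)
    genuine = [rng.gauss(0.75, 0.10) for _ in range(n)]
    impostor = [rng.gauss(0.35, 0.10) for _ in range(n)]
    return genuine, impostor


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """Accept when score >= threshold.
    FAR: fraction of impostors wrongly accepted.
    FRR: fraction of genuine users wrongly rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 2000) -> Tuple[float, float]:
    """Sweep the threshold; the CER is the error rate where FAR and FRR meet.
    Returns (threshold, cer)."""
    lo, hi = min(genuine + impostor), max(genuine + impostor)
    best_t, best_cer, best_gap = lo, 1.0, 2.0
    for i in range(steps + 1):
        t = lo + (hi - lo) * i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if gap < best_gap:
            best_t, best_cer, best_gap = t, (far + frr) / 2, gap
    return best_t, best_cer


def tune(genuine: List[float], impostor: List[float],
         threshold: float, delta: float) -> dict:
    """Raising the threshold (a stricter system) lowers FAR and raises FRR."""
    far0, frr0 = error_rates(genuine, impostor, threshold)
    far1, frr1 = error_rates(genuine, impostor, threshold + delta)
    return {"far_before": far0, "frr_before": frr0, "far_after": far1, "frr_after": frr1}


if __name__ == "__main__":
    g, i = make_samples()
    t, cer = crossover_error_rate(g, i)
    print(f"crossover at threshold {t:.3f}, CER {cer:.4f}")
    print(tune(g, i, t, 0.10))
```

The sweep shows why the CER is a single point rather than a pair of low numbers: moving the threshold in either direction trades one error rate for the other, and the crossover is simply where the two curves meet.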
850. Facial scan, iris and retina scanning are used in _______________.
A. Biometric security
B. Smart tokens
C. Bio direct security
D. Backup security
KEY A
A is correct - Some of the biometric characteristics which are used are:
• Fingerprint
• Facial Scan

• Hand Geometry
• Signature
• Voice
• Keystroke Dynamics
• Iris Scanners
• Retina Scanners
B, C and D are incorrect – these do not use physiological or behavioural characteristics
851. Which of the following provides system administrators the ability to incorporate
multiple authentication mechanisms into an existing system using pluggable
modules?
A. Personal Authentication Module
B. Password Processing Module
C. Pluggable Authentication Module
D. Login identification Module
KEY C
C is correct - The pluggable authentication module (PAM) framework provides system
administrators with the ability to incorporate multiple authentication mechanisms into an
existing system through the use of pluggable modules. Applications enabled to make
use of PAM can be plugged-in to new technologies without modifying the existing
applications.
A, B and D are incorrect – These are not authentication modules
852. Access privileges of a user for two entities, A and B for read and write are
maintained in the _____________ within an application.
A. Actual access control list
B. Access control list
C. Acquired control entry
D. Secret policy entry
KEY B
B is correct - ACL has one or more access control entries (ACEs), each consisting of
the name of a user or a group of users. The user can also be a role name, such as
programmer or tester. For each of these users, groups, or roles, the access privileges
are stated in a string of bits called an access mask.
A, C and D are incorrect
853. The characteristic of network that improves reliability and performance due to
dynamic routings between two end points is better known as:
A. Anonymity
B. Automation
C. Routing diversity
D. Opaqueness
KEY C
C is correct - Routing diversity: To maintain or improve reliability and performance,
routings between two endpoints are usually dynamic. That is, the same interaction may
follow one path through the network the first time and a very different path the second
time. In fact, a query may take a different path from the response that follows a few
seconds later.
A is incorrect - Anonymity: A network removes personal interaction i.e. most of the
clues, such as appearance, voice, or context, by which we recognize acquaintances.
B is incorrect – Automation: In some networks, one or both endpoints, as well as all
intermediate points, involved in a given communication may be machines with only
minimal human supervision.
D is incorrect - Opaqueness: Because the dimension of distance is hidden, users
cannot tell whether a remote host is in the room next door or in a different country. In
the same way, users cannot distinguish whether they are connected to a node in an
office, school, home, or warehouse, or whether the node’s computing system is large or
small, modest or powerful. In fact, users cannot tell if the current communication
involves the same machine with which they communicated the last time.
854. Network establishes communication among disperse users/machines. Which of
the following is a disadvantage of this characteristic of networks?
A. Risks like impersonation, intrusion, tapping
B. Very fast communication speed
C. Physically far end points
D. Humans cannot tell the location of the remote site
KEY A
A is correct - Though networks make it easier to establish communication among
geographically dispersed users/machines, they also introduce risks like impersonation,
intrusion and tapping.
B, C and D are incorrect – Many networks connect endpoints that are physically far
apart. Although not all network connections involve distance, the speed of
communication is fast enough that humans usually cannot tell whether a remote site is
near or far. These are not disadvantages but advantages of a network.
855. What is the program that an attacker uses which reports to him which ports
respond to messages and the vulnerabilities present in each port?
A. Social Engineering
B. Dumpster diving
C. Port Scan
D. Malware
KEY C
C is correct - Port Scan: An easy way to gather network information is to use a port
scanner, a program that, for a particular IP address, reports which ports respond to
messages and which of several known vulnerabilities seem to be present.
A, B and D are incorrect – These are other methods used by an attacker
856. What does Social Engineering involve?
A. Gathering bits of information from various sources
B. Using social skills to persuade a victim
C. Looking through items that have been discarded
D. Eavesdropping
KEY B
B is correct - Social engineering involves using social skills and personal interaction to
get someone to reveal security-relevant information and perhaps even to do something
that permits an attack.
A, C and D are incorrect – These methods of gathering information are classified under
Reconnaissance
857. ‘Dumpster Diving’ is a commonly used ________________ technique.
A. Reconnaissance
B. Social Engineering
C. Documentation
D. Application fingerprint
KEY A
A is correct - One commonly used reconnaissance technique is “dumpster diving.” It
involves looking through items that have been discarded in garbage bins or waste paper
baskets.
B, C and D are incorrect – Dumpster diving does not fall under any of these attacking
techniques
858. The process by which an attacker comes to know about the commercial server on
which an application is running, the version and operating system for the same is
known as:
A. Biometrics
B. Protocol flaws
C. Wiretapping
D. OS and Application Fingerprinting
KEY D
D is correct - Operating System and Application Fingerprinting: Here the attacker
wants to know which commercial server application is running, what version, and what
the underlying operating system and version are.
A is incorrect – This is a method of identification of system user
B is incorrect – There are flaws in many of the commonly used protocols called protocol
flaws. These flaws can be exploited by an attacker.
C is incorrect – Wiretapping is the technique of intercepting communications through some
effort.
859. How does an attacker use Malware to gather information?
A. Investigate a product that can be the target of an attack
B. Search for additional information on systems, applications or sites
C. Scavenge the system and receive information over network
D. Post latest exploits and techniques
KEY C
C is correct - Malware: Attacker may use malware like virus or worms to scavenge the
system and keep sending information to attacker over network without the knowledge of
system user.
A is incorrect – Resource kits distributed by application vendors to other developers can
also give attackers tools to use in investigating a product that can subsequently be the
target of an attack. Here, the vendors themselves distribute information that is useful to
an attacker.
B and D are incorrect – Bulletin Boards and Chats: Underground bulletin boards and
chat rooms support exchange of information among the hackers. Attackers can post
their latest exploits and techniques, read what others have done, and search for
additional information on systems, applications, or sites.
860. The process by which an attacker picks off the content of a communication
passing in an unencrypted form is known as:
A. Eavesdropping
B. Wiretapping
C. Microwave signal tapping
D. Satellite signal interception
KEY A
A is correct - An attacker can pick off the content of a communication passing in
unencrypted form. The term eavesdrop implies overhearing without expending any extra
effort. For example, an attacker (or a system administrator) is eavesdropping by
monitoring all traffic passing through a node.
B is incorrect – wiretapping means intercepting communications through some effort.
C is incorrect – Microwave signal tapping is a process by which an attacker can
intercept a microwave transmission by interfering with the line of sight between sender
and receiver.
D is incorrect – This is the process of intercepting satellite communications.
861. What is active wiretapping?
A. Listening to communications intentionally
B. Overhearing without extra effort
C. Injecting something into the communication stream
D. Placing an illegitimate antenna to intercept communication
KEY C
C is correct - Active wiretapping means injecting something into the communication
stream.
A and B are incorrect – These methods are classified under passive wiretapping or
eavesdropping
D is incorrect – This method is microwave signal tapping
862. The costs of intercepting satellite communications are very high because:
A. All traffic passing through a node has to be monitored
B. Neither the sender nor receiver should know that contents have been intercepted
C. Satellite communications are heavily multiplexed
D. Cost of placing an illegitimate antenna is more
KEY C
C is correct - In satellite communication, the potential for interception is even greater
than with microwave signals. However, because satellite communications are heavily
multiplexed, the cost of extracting a single communication is rather high.
A, B and D are incorrect – These are not reasons for the high cost of satellite
communication interception.
863. A wireless signal can be picked up easily within 60 meters. Why?
A. The signal is strong up to 60 meters
B. The signal is weak up to 60 meters
C. There is no signal up to 60 meters
D. The signal is strong after 60 meters
KEY A
A is correct - A wireless signal is strong for approximately 30 to 60 meters. A strong
signal can be picked up easily.
B, C and D are incorrect – for the same reason as mentioned above
864. It is not possible to tap an optical system without detection. Why?
A. Optical fiber carries electricity but does not emanate a magnetic field
B. Optical fiber carries light energy which does not emanate a magnetic field
C. An optical signal is not very strong and hence cannot be picked up
D. An antenna needs to be placed to intercept which is detectible
KEY B
B is correct - It is not possible to tap an optical system without detection. Further, optical
fiber carries light energy, not electricity, and light does not emanate a magnetic field as
electricity does.
A, C and D are incorrect – for the same reasons as mentioned above.
865. A term used for a virtual network of zombies used to launch attack on a system
is:
A. BOTnets
B. Spam
C. Malware
D. Spoofing
KEY A
A is correct - BOTnet (robotic network) is the term used for a virtual network of zombies.
The BOTnet operator launches malware/virus on a system that, once activated, remains on
the system and can be activated remotely. This malware lets the BOTnet operator use the
compromised system (Zombie) remotely to launch attacks or collect information. For
example, Zombies have been used extensively to send e-mail spam. This allows
spammers to avoid detection and presumably reduces their bandwidth costs, since the
owners of zombies pay for their own bandwidth.
B, C and D are incorrect – These are other methods of attack.
866. An employee who is on leave reveals his authentication details to another in order
to allow access to carry out urgent activities in his absence. It so happens that
these details are passed on without encryption. How is the employee making his
authentication information vulnerable to an impersonator?
A. The impersonator can guess the identity by using common passwords
B. The impersonator can exploit flaws and weaknesses of the operating system
C. The attacker can circumvent or disable the authentication mechanism
D. These details can be reused by an impersonator after eavesdropping or
wiretapping
KEY D
D is correct - Authentication foiled by eavesdropping or wiretapping: When the
account and authentication details are passed on the network without encryption, they
are exposed to anyone observing the communication on the network. These
authentication details can be reused by an impersonator until they are changed.
A is incorrect - Authentication foiled by guessing: Guess the identity and
authentication details of the target, by using common passwords, the words in a
dictionary, variations of the user name, default passwords, etc.
B is incorrect - Authentication Foiled by Avoidance: A flawed operating system may
be such that the buffer for typed characters in a password is of fixed size, counting all
characters typed, including backspaces for correction. If a user types more characters
than the buffer would hold, the overflow causes the operating system to by-pass
password comparison and act as if a correct authentication has been supplied. Such
flaws or weaknesses can be exploited by anyone seeking unauthorized access.
C is incorrect – Non-existent Authentication: Here the attacker circumvents or
disables the authentication mechanism at the target computer. If two computers trust
each other’s authentication, an attacker may obtain access to one system through an
authentication weakness (such as a guest password) and then transfer to another
system that accepts the authenticity of a user who comes from a system on its trusted
list. The attacker may also use a system that has some identities requiring no
authentication. For example, some systems have “guest” or “anonymous” accounts to
allow outsiders to access things the systems want to release to the public. These
accounts allow access to unauthenticated users.
867. An organisation purchases 10 new systems which are installed by the seller using
a test account without any password. However, authentications are put in place
and users access information after proper authentication. But the test account
has not been deleted. How can an impersonator foil authentication in this case?
A. Information can be accessed through session hijacking
B. Information can be hijacked by intruding between two authenticated users
C. Information becomes vulnerable through well-known test password
D. Information can be accessed through spoofing or masquerading
KEY C
C is correct - Well-Known Authentication: Most vendors often sell computers with one
system administration account installed, having a default password. Or the systems
come with a demonstration or test account, with no required password. Some
administrators fail to change the passwords or delete these accounts, creating
vulnerability.
A is incorrect - Session Hijacking: Session hijacking is intercepting and carrying on a
session begun by another entity. In this case the attacker intercepts the session of one
of the two entities that have entered into a session and carry it over in the name of that
entity. For example, in an e-commerce transaction, just before a user places his order
and gives his address, credit card number etc., the session could be hijacked by an attacker.
B is incorrect – Man-in-the-Middle Attack: A man-in-the-middle attack is similar to
session hijacking, in which one entity intrudes between two others. The difference
between man-in-the-middle and hijacking is that a man-in-the-middle usually
participates from the start of the session, whereas a session hijacking occurs after a
session has been established. The difference is largely semantic and not particularly
significant.
D is incorrect - Spoofing attacks: In this technique, the attacker plants a Trojan
program, which masquerades as the system’s logon screen, gets the logon and
password information and returns control to the genuine access control mechanism.
Once the information is obtained, the attacker uses the information to gain access to
the system resources.
868. Not only is the message itself sensitive but the fact that a message exists is also
sensitive. How can an attacker infer that sensitive messages exist between two
confidential parties?
A. Traffic flow analysis
B. Using exposures as part of attack
C. By modifying a destination address
D. Taking advantage of mis-delivery due to congestion at network elements
KEY A
A is correct - Traffic Analysis (or Traffic Flow Analysis): Sometimes not only is the
message itself sensitive but the fact that a message exists is also sensitive. For
example, if a wartime enemy sees a large amount of network traffic between
headquarters and a particular unit, the enemy may be able to infer that significant action
is being planned involving that unit. In a commercial setting, messages sent from the
president of one company to the president of a competitor could lead to speculation
about a takeover or conspiracy to fix prices.
B is incorrect - Exposure: The content of a message may be exposed in temporary
buffers, at switches, routers, gateways, and intermediate hosts throughout the network;
and in the workspaces of processes that build, format, and present the message. A
malicious attacker can use any of these exposures as part of a general or focused
attack on message confidentiality.
C and D are incorrect – Mis-delivery: Message mis-delivery happens mainly due to
congestion at network elements which causes buffers to overflow and packets dropped.
Sometimes messages are mis-delivered because of some flaw in the network hardware
or software. Most frequently, messages are lost entirely, which is an integrity or
availability issue. Occasionally, however, a destination address will be modified or some
router or protocol will malfunction, causing a message to be delivered to someone other
than the intended recipient. All of these “random” events are quite uncommon. More
frequent than network flaws are human errors, caused by mistyping an address.
869. Which of the following amounts to compromising the integrity of messages?
A. Mistyping an address so that it reaches the wrong recipient
B. Mis-delivery of messages due to some flaw in the network hardware or software
C. Exposure of messages in temporary buffers
D. Combining pieces of different messages into one false message
KEY D
A, B and C are incorrect - These amount to message confidentiality threats
D is correct – This amounts to compromising on the integrity of messages
870. It is easy for an attacker to obtain information necessary to attack the website.
How?
A. Website codes are downloaded and executed in the browser from which the
information can be obtained
B. The attacker exploits vulnerabilities in multiple machines and uses them to attack
the target simultaneously.
C. An attacker can monitor the communication between a browser and a server to
see how changing a web page entry affects what the browser sends and reacts.
D. Attackers execute scripts in the victim’s browser which can hijack user sessions
KEY A
A is correct - Web site defacement is common not only because of its visibility but also
because of the ease with which one can be done. Web sites are designed so that their
code is downloaded and executed in the client (browser). This enables an attacker to
obtain the full hypertext document and all programs and references programs
embedded in the browser. This essentially gives the attacker the information necessary
to attack the web site. Most websites have quite a few common and well known
vulnerabilities that an attacker can exploit.
B is incorrect – This is a Distributed Denial of Service Attack
C is incorrect – This pertains to threats from scripts
D is incorrect – This is a form of Cross site scripting
871. What is ‘Ping of Death’?
A. Sending more data than what a communication system can handle, thereby
preventing receipt of legitimate data
B. Crashing a large number of systems by sending a ping of certain size from a
remote machine
C. Corrupting the routing so that traffic can disappear
D. Corrupting a name server or causing it to cache spurious entries, thereby redirecting
the routing of any traffic
KEY B
B is correct - Ping of death: It is possible to crash, reboot or otherwise kill a large
number of systems by sending a ping of a certain size from a remote machine. This is a
serious problem, mainly because this can be reproduced very easily, and from a remote
machine. Ping is an ICMP protocol which requests a destination to return a reply,
intended to show that the destination system is reachable and functioning. Since ping
requires the recipient to respond to the ping request, all the attacker needs to do is
send a flood of pings to the intended victim.
A is incorrect – Connection Flooding: This is the oldest type of attack where an
attacker sends more data than what a communication system can handle, thereby
preventing the system from receiving any other legitimate data. Even if an occasional
legitimate packet reaches the system, communication will be seriously degraded.
C is incorrect - Traffic Redirection: A router is a device that forwards traffic on its way
through intermediate networks between a source host’s network and a destination’s. So
if an attacker can corrupt the routing, traffic can disappear.
D is incorrect - DNS Attacks: DNS attacks are actually a class of attacks based on the
concept of domain name server. A domain name server (DNS) is a table that converts
domain names like www.icai.org into network addresses like 202.54.74.130, a process
called resolving the domain name or name resolution. By corrupting a name server or
causing it to cache spurious entries, an attacker can redirect the routing of any traffic, or
ensure that packets intended for a particular host never reach their destination.
872. What are the multiple machines that are used by an attacker for DDoS attacks
called?
A. Cookies
B. Routers
C. Zombies
D. FTP
KEY C
C is correct - In a distributed denial of service (DDoS) attack, more than one machine is
used by the attacker to attack the target. These multiple machines are called zombies;
they act on the direction of the attacker and they don’t belong to the attacker.
A is incorrect - Cookies are data files created by the server that can be stored on the
client machine and fetched by a remote server usually containing information about the
user on the client machine. Anyone intercepting or retrieving a cookie can impersonate
the cookie’s legitimate owner.
B is incorrect – A router is a networking device, commonly specialized hardware, that
forwards data packets between computer networks.
D is incorrect - FTP is an application known to transmit communication including user id
and password in plain text.
873. A code which can cause serious damage to a system because it is not screened
for safety when it is downloaded and runs with the privileges of its invoking user
is called:
A. Hostile applet code
B. Cookies
C. Scripts
D. Active X
KEY A
A is correct - A hostile applet is downloadable code that can cause harm on the client’s
system. Because an applet is not screened for safety when it is downloaded and
because it typically runs with the privileges of its invoking user, a hostile applet can
cause serious damage.
B is incorrect - Cookies are data files created by the server that can be stored on the
client machine and fetched by a remote server usually containing information about the
user on the client machine. Anyone intercepting or retrieving a cookie can impersonate
the cookie’s legitimate owner.
C is incorrect - Clients can invoke services by executing scripts on servers. A malicious
user can monitor the communication between a browser and a server to see how
changing a web page entry affects what the browser sends and then how the server
reacts.
D is incorrect – The popular types of active code languages are Java, JavaScript,
VBScript and ActiveX controls.
874. A virus that is difficult to detect because it modifies itself and changes its identity
thus hiding itself from antivirus software:
A. MBR Virus
B. Stealth Virus
C. Polymorphic virus
D. Macro Virus
KEY C
A is incorrect - Master Boot Record (MBR) Viruses: Affects the boot sector of storage
device and further infects when the storage is accessed.
B is incorrect – Stealth viruses hide themselves by tampering with the operating system to
fool antivirus software into thinking that everything is functioning normally.
C is correct - Polymorphic Viruses: Polymorphic viruses are difficult to detect because
they can modify themselves and change their identity thus able to hide themselves from
antivirus software
D is incorrect – Macro Viruses: Macro viruses are the most prevalent computer viruses
and can easily infect many types of applications, such as Microsoft Excel and Word.
875. What is a Trojan Horse?
A. Virus that affects the boot sector of storage device
B. Virus that affects applications like Microsoft Word and Excel
C. Stand-alone viruses that are transmitted independently
D. Malicious codes hidden under a legitimate program
KEY D
A is incorrect - MBR virus
B is incorrect – Macro viruses
C is incorrect – Worms
D is correct.
876. Malicious codes added to an existing application to be executed at a later date is
known as:
A. Logic bomb
B. Trojan Horse
C. Polymorphic virus
D. Stealth virus
KEY A
A is correct - Logic bombs are malicious code added to an existing application to be
executed at a later date. These can be intentional or unintentional. For example
Year2000 problem was an unintentional logic bomb. Every time the infected application
is run, the logic bomb checks the date to see whether it is time to run the bomb. If not,
control is passed back to the main application and the logic bomb waits. If the date
condition is correct, the rest of the logic bomb’s code is executed and the result can be
anything from a harmless message to a system crash.
B, C and D are incorrect – These are different types of viruses.
877. What is the method used by most of the antivirus software to identify virus
infections in a system?
A. Monitoring traffic
B. Signature detection
C. Repair or quarantine
D. Scan processes
KEY B
A, C and D are incorrect - these are the types of controls of antivirus tools
B is correct - Most antivirus software uses a method known as signature
detection to identify potential virus infections on a system. Essentially, it maintains an
extremely large database that contains the known characteristics (signatures) of all
known viruses. Depending upon the antivirus package and configuration settings, it can scan
storage media periodically, checking for any files that contain data matching those signatures.
878. When do injection flaws occur?
A. When untrusted data is sent to an interpreter as part of a command or query
B. When application functions related to authentication and session management
are not implemented correctly
C. When an application takes untrusted data and sends it to a web browser without
proper validation
D. When a developer exposes a reference to an internal implementation object
KEY A
A is correct - Injection (SQL Injection): Injection flaws, such as SQL, OS, and LDAP
injection occur when untrusted data is sent to an interpreter as part of a command or
query. The attacker’s hostile data can trick the interpreter into executing unintended
commands or accessing data without proper authorization.
B is incorrect - Broken Authentication and Session Management: Application
functions related to authentication and session management are often not implemented
correctly, allowing attackers to compromise passwords, keys, or session tokens, or to
exploit other implementation flaws to assume other users’ identities.
C is incorrect - Cross-Site Scripting (XSS): XSS flaws occur whenever an application
takes untrusted data and sends it to a web browser without proper validation or
escaping. XSS allows attackers to execute scripts in the victim’s browser which can
hijack user sessions, deface web sites, or redirect the user to malicious sites.
D is incorrect - Insecure Direct Object References: A direct object reference occurs
when a developer exposes a reference to an internal implementation object, such as a
file, directory, or database key. Without an access control check or other protection,
attackers can manipulate these references to access unauthorized data.
879. What is a Cross Site Request Forgery Attack?
A. It forces a logged on victim’s browser to send a forged HTTP request
B. It forges request in order to access functionality without proper authorisation
C. It helps steal or modify weakly protected data
D. It facilitates serious loss or data takeover
KEY A
A is correct - Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on
victim’s browser to send a forged HTTP request, including the victim’s session cookie
and any other automatically included authentication information, to a vulnerable web
application. This allows the attacker to force the victim’s browser to generate requests
the vulnerable application thinks are legitimate requests from the victim.
B is incorrect - Missing Function Level Access Control: Most web applications verify
function level access rights before making that functionality visible in the UI. However,
applications need to perform the same access control checks on the server when each
function is accessed. If requests are not verified, attackers will be able to forge requests
in order to access functionality without proper authorization.
C is incorrect - Sensitive Data Exposure: Many web applications do not properly
protect sensitive data, such as credit cards, tax IDs, and authentication credentials.
Attackers may steal or modify such weakly protected data to conduct credit card fraud,
identity theft, or other crimes. Sensitive data deserves extra protection such as
encryption at rest or in transit, as well as special precautions when exchanged with the
browser.
D is incorrect – Using Components with Known Vulnerabilities: Components, such
as libraries, frameworks, and other software modules, almost always run with full
privileges. If a vulnerable component is exploited, such an attack can facilitate serious
data loss or server takeover. Applications using components with known vulnerabilities
may undermine application defenses and enable a range of possible attacks and
impacts.
880. In case of advanced persistent threat why is an antivirus unable to detect the
malware?
A. The attack is on an identified subject
B. Social engineering methods are used
C. Malware is specifically written for this purpose
D. The attack continues for a longer duration
KEY C
C is correct - In the case of an Advanced Persistent Threat, since the malware is specifically
written for this purpose, it cannot be detected by an antivirus.
A, B and D are incorrect – These are the other characteristics of an advanced persistent
threat.
881. In order to limit the amount of damage a single vulnerability can allow, it is
important to:
A. All servers reside on a single segment
B. There should be different segments for different servers
C. Having a single web server
D. Eliminating single points of failure
KEY B
B is correct - Segmentation / Zoning: Segmentation / Zoning can limit the potential for
harm in a network in two important ways. Segmentation reduces the number of threats,
and it limits the amount of damage a single vulnerability can allow. A web server,
authentication server, applications and database residing on a single server or
segment to facilitate electronic commerce transactions is a very insecure
configuration. A more secure design will use multiple segments. Since the web server
has to be exposed to the public, that server should not have other, more sensitive
functions on it or residing on the same segment, such as user authentication or access
to the database. Separate segments and servers reduce the potential harm should any
subsystem be compromised.
A is incorrect – for the same reason as mentioned above
C is incorrect – This is a redundancy vulnerability
D is incorrect – This does not relate to segmentation
882. Where does encryption occur when data is encrypted in link encryption?
A. Data link layer of the receiving host
B. Network layer
C. Data link layer in the OSI model
D. In transit between two computers
KEY C
C is correct - In link encryption, data are encrypted just before the system places them
on the physical communications link, that is, encryption occurs at the Data Link layer in
the OSI model.
A, B and D are incorrect – decryption occurs at the Data Link layer of the receiving host.
Link encryption protects the message in transit between two computers, but the
message is in plaintext inside the hosts (above the data link layer). Headers added by
the network layer (which includes addresses, routing information and protocol) and
above are encrypted, along with the message/data. The message is, however, exposed
at the Network layer and thus all intermediate nodes through which the message
passes can read the message. This is because all routing and addressing is done at the
Network layer. Link encryption is invisible to user and appropriate when the
transmission line is the point of greatest vulnerability. Link encryption provides
protection against traffic analysis.

Module 5: Systems Development-Acquisition, Maintenance and Implementation

883. Business application system/software is designed to support a specific
organisational service, function or process, such as inventory management,
payroll, market analysis or e-commerce. What is the goal of such a business
application?
A. To enhance the targets and goals of an organisation
B. To deal with problems relating to business processes
C. To enhance quality of services
D. To turn data into information
KEY D
D is correct - The goal of an application system is to turn data into information.
A, B and C are incorrect – These are situations under which the need for business
development or acquisition of new applications may arise
647. What is the intent of SDLC?
A. To process data of relevant business processes
B. To enhance the targets and goals of an organisation
C. To improve the quality of services
D. To examine a business situation and improve it
KEY D
D is correct - SDLC refers to the process of examining a business situation with the
intent of improving it through better procedures and methods. This is required when
there is need to change business processes due to requirements arising out of
customers/stakeholders expectations and business strategy.
A, B, and C incorrect – These are situations under which the need for business
development or acquisition of new applications may arise
884. Which of the following is the role of an IS Auditor in Phase 3 (System Analysis) of
SDLC?
A. Review cost justification/ benefits
B. Review detailed requirement definition documents
C. Verify that the management has approved the initiation and cost of the project
D. Review existing data flow diagrams and other related specifications
KEY C
C is correct - Role of IS Auditor in system analysis phase:
• Verify that management has approved the initiation of the project and the cost.
• In case of acquisition, determine that an appropriate number of vendors have
been given proposals to cover the true scope of the project and requirements of
the users.
• Determine whether the application is appropriate for the user of an embedded
audit routine and if so request may be made to incorporate the routine in
conceptual design of the system.
A is incorrect – This is the role of an IS Auditor in the feasibility phase
B and D are incorrect – These are the roles of an IS auditor in the System Analysis
phase
885. Which of the following is the role of an IS Auditor in the detailed design phase of
SDLC?
A. Analyse the justification for going in for a development or acquisition
B. Review input, processing and output controls
C. Ensure that the documentation is complete
D. Review QA report on adopting coding standards by developers.
KEY B
B is correct - Role of IS Auditor in detailed design phase:
• Review system flowcharts for adherence to the general design
• Review input, processing and output controls have been appropriately included in
the system.
• Assess adequacy of the audit trails which provide traceability and accountability.
• Verify key calculations and processes for correctness and completeness.
• Interview users to ascertain their level of understanding of the system design, input
to the system, screen formats and output reports.
• Verify that system can identify erroneous data correctly and can handle invalid
transactions.
• Review conceptual design to ensure the existence of appropriate controls.
• Review quality assurance and quality control results of the programs developed.
• Verify the design for its completeness and correctness and it meets the defined
requirements.
• Verify that functional data created during requirement phase is complete and test
plans are developed.
A is incorrect – This is the role of an IS Auditor in the feasibility phase
C and D are incorrect – These are the roles of an IS Auditor in the development phase
886. What are the characteristics of a very well coded application program?
A. Good coding standards, Accuracy and Speed
B. Reliability, Robustness, Accuracy, Efficiency, Usability, Readability
C. Flexibility, Speed, Coding Standards
D. Reliability, Flexibility and Speed
KEY B
B is correct - A very well coded application program should have the following
characteristics:
• Reliability: It refers to the consistency with which a program operates over a
period of time. However, poor setting of parameters and hard coding of some
data subsequently could result in the failure of a program after some time.
• Robustness: It refers to the applications’ strength to perform operations in
adverse situations by taking into account all possible inputs and outputs of a
program considering even the least likely situations.
• Accuracy: It refers not only to ‘what program is supposed to do’, but also the
ability to take care of ‘what it should not do’. The second part is of great interest
for quality control personnel and auditors.
• Efficiency: It refers to the performance per unit cost with respect to relevant
parameters and it should not be unduly affected with the increase in input values.
• Usability: It refers to a user-friendly interface and easy-to-understand
internal/external documentation.
• Readability: It refers to the ease of maintenance of program even in the absence
of the program developer.
A, C and D are incorrect – These are not the major characteristics of a well coded
application program
887. What is the role of an IS Auditor in the testing phase of SDLC?
A. Review the test plan for completeness and correctness
B. Ensure test plans, test data and test results are maintained for reference
C. Verify that the system has been installed according to the organisation’s change
control procedures.
D. Review programmed procedure used for scheduling and running the system
along with the system parameters are used in executing the production schedule.
KEY A
A is correct - Role of IS Auditor in testing phase:
• Review the test plan for completeness and correctness.
• Review whether relevant users have participated during testing phase.
• Review error reports for their precision in recognizing erroneous data and for
resolution of errors.
• Verify cyclical processes for correctness (example: year-end process, quarter-
end process)
• Interview end-users of the system for their understanding of new methods,
procedures and operating instructions.
• Review the system and end-user documentation to determine its completeness
and correctness.
• Review whether reconciliation of control totals and converted data has been
performed to verify the integrity of the data after conversion.
• Review all parallel testing results.
• Test the system randomly for correctness.
• Review unit test plans and system test plans to determine that tests for internal
control are addressed.
• Verify that the system security is functioning as designed by developing and
executing access tests.
• Ensure test plans and test results are maintained for reference and audit
B, C and D are incorrect – These are the roles of an IS Auditor in the UAT or final
testing phase
888. What are the security steps involved in the development phase of SDLC?
A. To identify possible attacks and design controls
B. To train developers on security coding practices.
C. To ensure security requirements are tested during testing.
D. To perform security scan of application after implementation.
KEY B
B is correct - Security steps involved during the development phase are:
To develop and implement security coding practices such as input data validation and
avoiding complex coding.
To train developers on security coding practices.
A, C and D are incorrect – These are security steps involved during the design, testing
and implementation phases.
889. Which of the following is a mitigation plan for risk associated with compromising
on quality and testing?
A. Understand organisation baseline for infrastructure and incorporate in design.
B. Ensure standard coding practices are adopted.
C. Ensure completion of documentation along with design and development.
D. Ensure documentation experts and technical writers are part of team.
KEY B
B is correct - The following are the mitigation plans for risk associated with
compromising on quality and testing:
Ensure standard coding practices are adopted.
Provide enough time for building test cases to cover all function, performance and
security requirements.
Build test cases along with design.
A is incorrect – This is a mitigation plan associated with the risk of inappropriate
selection of platform
C and D are incorrect – These are mitigation plans for risk associated with missing or
inadequate documentation
890. What is the mitigation plan for risk associated with absence of skilled resources?
A. Consider outsourcing or hiring skilled resources on contract.

B. Develop and implement standard coding practices
C. Perform scope base lining.
D. Introduce change management process to evaluate and adopt changes in
requirements
KEY A
A is correct - Mitigation plan for risk associated with absence of skilled resources is to
consider outsourcing or hiring skilled resources on contract
B, C and D are incorrect – these are mitigation plans for risks associated with poor
coding techniques and lack of proper change control
891. Who is responsible for delivery of a project within the time and budget?
A. Module/Team leader
B. System Analyst
C. Project Manager
D. Database Administrator
KEY C
C is correct - A project manager is normally responsible for more than one project and
liaises with the client or the affected functions. This is a middle management function.
The Project manager is responsible for delivery of the project within the time and
budget.
A is incorrect – A project is divided into several manageable modules and the
development responsibility for each module is assigned to module leaders.
B is incorrect - The system analyst also has a responsibility to understand existing
problem/system/data flow and new requirements. System analysts convert the user’s
requirements in the system requirements to design new system.
D is incorrect – The data in a database environment has to be maintained by a
specialist in database administration so as to support the application program. The
database administrator handles multiple projects; and ensures the integrity and security
of information stored in the database.
892. Which of the following is the role of a programmer?
A. Approve, supervise and direct IT projects
B. Convert design into programs by coding
C. Checking compliance with SDLC standards
D. Testing programs and sub programs
KEY B
B is correct - Programmers convert design into programs by coding using programming
language. They are also referred to as coders or developers
A is incorrect - This is the role of a steering committee
C is incorrect – this is the role of the quality assurance team
D is incorrect – This is the role of testers
893. The technical feasibility study for automating a business process using
information technology includes which of the following?
A. Is the cost of hardware and software for the class of applications being
considered.
B. Are the benefits derived from new application such as improved efficiency,
reduced costs, business growth, and customer and user satisfaction.
C. Is the cost of conducting a full systems development/acquisition, implementation
and operation.
D. Is system scalable and can it handle the expected business and data growth?
KEY D
D is correct - The technical feasibility includes evaluation of the following factors:
• Can the solution work on existing infrastructure or does organisation need to
acquire new hardware or software? If currently the organisation is not using an
automated solution, they may have to invest in acquiring technology and solution.
• Will the proposed system provide adequate responses to inquiries, regardless of
the number or location of users? Currently there are many organisations that
have deployed such solutions and hence we can conclude that the technical
solutions can be made available to meet the response requirements.
• Is system scalable and can it handle the expected business and data growth?
There are multiple training courses and those can be deployed using scalable
infrastructure.
• Does the technology offer adequate security? Those requirements need to be
considered while developing or acquiring solution. However since many
organisations have already implemented similar solution, the required security
can be embedded.
A, B, C are incorrect – These factors are evaluated by the study of economic feasibility.
894. The business case is a key element of the decision making process throughout
the life cycle of a project. What information does a business case provide to an
organisation?
A. Decide whether the SDLC project should be undertaken
B. Explore solutions and make a recommendation
C. Develop a new application system
D. Outline and calculate of benefits
KEY A
A is correct - A business case is normally derived from the benefit realization plan and
feasibility study. A business case provides the information required for an organisation
to decide whether the SDLC project should be undertaken and if approved, becomes
the basis for a project execution and assessment.
B is incorrect – this is the objective of a feasibility study
C and D are incorrect – these are also the objectives of a feasibility study
895. What does study of history, structure and culture of information involve?
A. Identifying stakeholder expectations
B. Types of useful systems, issues that have not been addressed and require
attention
C. Identifying how the system needs to interact with its environment
D. Study of business processes, underlying activities, and actors that perform these
activities
KEY B
B is correct - The study of the history of systems in an organisation gives an idea about
the types of systems that have been extremely useful, issues that have not been
addressed over a period and new issues that require attention. It is essential to
understand organisational structure and culture as the solutions that are not consistent
with the culture often fail.
A and C are incorrect – These are the activities that come under understanding
requirements
D is incorrect – This is an activity associated with the study of information flows
896. It is important to record requirements after they have been analysed. Under which
phase of Requirement Engineering does this fall?
A. Elicitation

B. Analysis and Negotiation
C. Documentation
D. Validation
KEY C
C is correct -
Documentation: Once the requirements have been analyzed, it is important to record
them in order to make them formal through proper specification mechanism. During this
phase, the team organizes the requirements in such a way that ascertains their clarity,
consistency, and traceability etc. This phase is extremely important because often ‘the
document produced during specification is what the rest of the development stages will
be based upon’.
A is incorrect – Elicitation: The RE process is normally considered as the process of
finding out ‘what are the real needs of the customers as well as of the system’. It also
includes activities to explore ‘how the software can meet the stakeholders’ goals’ and
‘what alternatives might exist’.
B is incorrect - Analysis and Negotiation: This phase consists of a set of activities
aimed to discover problems within the system requirements and achieve agreement on
changes to satisfy all system stakeholders. If an analyst discovers some problems with
the requirements during the analysis phase, such requirements are referred back to the
elicitation phase. This process is related to the requirements that are incomplete,
ambiguous and/or conflicting. Negotiation part is known as ‘the process of discussing
conflicts in requirements and finding some compromise which all of the stakeholders
can live with’. The principle of this process should be objective, where the judgments
and the compromise for the system requirements should be based on technical and
organisational needs. All the conflict requirements identified during the analysis process
should be negotiated and discussed individually with the stakeholders in order to
resolve the conflicts.
D is incorrect – Validation: This phase ensures that models and documentation
accurately express the stakeholders’ needs along with checking the final draft of
requirements document for conflicts, omissions and deviations from different standards.
897. Which aspect related to Project Planning does process of handing over
deliverables come under?
A. Project planning
B. Project execution
C. Project monitoring and controlling
D. Project closing
KEY D
D is correct - Project closing has processes for handing over deliverables or
terminating project.
A is incorrect – Project planning consists of processes related to developing project
execution plan, finalizing requirements, defining work breakdown structure and modules
to be developed, estimating efforts and cost, resource planning, risk management,
procurement planning and plan for communications with stakeholders.
B is incorrect - Project execution consists of processes related to direct project teams,
ensuring quality assurance and testing, managing requirements and changes in
requirements, ensuring timely procurements and manage resources.
C is incorrect - Project controlling and monitoring consists of processes related to
monitoring risks, scope creeps, quality of deliverables, costs and budgets, performance
reporting.
898. What does Work Breakdown Structure (WBS) represent?
A. The project in terms of manageable and controllable units of work
B. Detailed specifications with objectives
C. Assigned responsibilities and deadlines
D. Work documents containing the start and finish dates
KEY A
A is correct - A commonly accepted approach to define project objectives is to start with
a work breakdown structure (WBS) with each work module having its own objectives
derived from main objectives. The WBS represents the project in terms of manageable
and controllable units of work and forms the baseline for cost and resource planning.
B, C and D are incorrect – Detailed specifications regarding the WBS can be used to
develop work packages (WP). Each WP must have a distinct owner and a list of main
objectives, and may have a list of additional objectives. The WP specifications should
include dependencies on other WPs and a definition of how to evaluate performance
and goal achievement. A task list is a list of actions to be carried out to complete each work
package and includes assigned responsibilities and deadlines. The task list aids the
individual project team members in operational planning and scheduling, that when
merged together forms a project schedule. Project schedules are work documents
containing the start and finish dates, percentage completed, task dependencies, and
resource names of individuals planned to work on tasks.
899. Half way through a project development, on which phase should an IS auditor
focus in order to ensure that there is no deviation from the primary objectives of
the projects?
A. Project Planning
B. Project Controlling
C. Resource Management
D. Risk Management
KEY B
B is correct - During mid-term project review IS auditor should focus on project planning
and controlling activities to ensure that these are not deviating from primary objectives
of the project.
A and C are incorrect – These phases do not require much review during this stage.
D is incorrect – Focus on risk management process provides detailed insight on the
effectiveness of the project management
900. What is the tool used to verify that deployed resources are capable of finishing a
task within the set time limit and with the expected quality level?
A. Earned value analysis
B. Work Breakdown structure
C. Work Package
D. Qualitative Analysis of Risks
KEY A
A is correct - Earned Value Analysis consists of comparing expected budget till date,
actual cost, estimated completion date and actual completion at regular intervals during
the project.
B and C are incorrect – A commonly accepted approach to define project objectives is
to start with a work breakdown structure (WBS) with each work module having its own
objectives derived from main objectives. The WBS represents the project in terms of
manageable and controllable units of work and forms the baseline for cost and resource
planning. Detailed specifications regarding the WBS can be used to develop work
packages (WP). Each WP must have a distinct owner and a list of main objectives, and
may have a list of additional objectives. The WP specifications should include
dependencies on other WPs and a definition of how to evaluate performance and goal
achievement. A task list is a list of actions to be carried out to complete each work package
and includes assigned responsibilities and deadlines. The task list aids the individual
project team members in operational planning and scheduling, that when merged
together forms a project schedule. Project schedules are work documents containing
the start and finish dates, percentage completed, task dependencies, and resource
names of individuals planned to work on tasks.
D is incorrect – Qualitative Analysis of Risks is a part of project planning.
901. During risk management process, how is risk assessed and evaluated?
A. Creating an inventory of possible risk
B. Quantify the likelihood and impact of risk
C. Create a risk management plan
D. Discover risk that materializes
KEY B
B is correct - Assess and evaluate risk: Quantify the likelihood (expressed as a
percentage) and the impact of the risk (expressed as an amount of money). The
“insurance policy” (total impact) that needs to be in the project budget is calculated as
the likelihood multiplied by the impact.
A is incorrect – This step is to identify the risk
C is incorrect – This is a part of managing the risk after it has been assessed
D is incorrect – This forms a part of monitoring the risk process
902. Which of the following is the feature of a waterfall model?
A. The designers create an initial base model and give little or no consideration to
internal controls, but instead emphasize system characteristics such as
simplicity, flexibility, and ease of use.
B. Project is divided into sequential phases, with some overlap and splash back
acceptable between phases.
C. This is an iterative model where each iteration helps in optimizing the intended
solution.
D. This model of development helps to ease the traumatic effect of introducing
completely new system all at once
KEY B
B is correct - The characterizing features of the waterfall model have influenced the
development community in a big way. Some of the key characteristics are:
• Project is divided into sequential phases, with some overlap and splash back
acceptable between phases.

• Emphasis is on planning, time schedules, target dates, budgets and
implementation of an entire system at one time.
• Tight control is maintained over the life of the project through the use of
extensive written documentation, as well as through formal reviews and
approval/signoff by the user and information technology management occurring
at the end of most phases before beginning the next phase.
A, C and D are incorrect – These are the features of prototype model, spiral model and
the incremental model respectively.
903. In this model, a series of mini-waterfalls are performed, where all phases of the
waterfall development model are completed for a small part of the system, before
proceeding to the next increment. What SDLC model is this?
A. Waterfall model
B. Prototype model
C. Spiral model
D. Incremental model
KEY D
D is correct - A few pertinent features of incremental model are listed as follows:
A series of mini-waterfalls are performed, where all phases of the waterfall development
model are completed for a small part of the system, before proceeding to the next
increment.
• Overall requirements are defined before proceeding to evolutionary, mini –
Waterfall development of individual increments of the system.
• The initial software concept, requirement analysis, and design of architecture and
system core are defined using the Waterfall approach, followed by iterative
Prototyping, which culminates in installation of the final prototype (i.e. working
system).
A, B and C are incorrect – This is not a feature of any of these models.
904. This model is especially useful for resolving unclear objectives and requirements;
developing and validating user requirements; experimenting with or comparing
various design solutions, or investigating both performance and the human
computer interface.
A. Waterfall model
B. Prototyping model
C. Spiral Model
D. Incremental model
KEY B
B is correct - Strengths of Prototyping Model:
• It improves both user participation in system development and communication
among project stakeholders.
• It is especially useful for resolving unclear objectives and requirements;
developing and validating user requirements; experimenting with or comparing
various design solutions, or investigating both performance and the human
computer interface.
• Potential exists for exploiting knowledge gained in an early iteration as later
iterations are developed.
• It helps to easily identify confusing or difficult functions and missing functionality.
• It enables generation of specifications for a production application.
• It encourages innovation and flexible designs.
• It provides for quick implementation of an incomplete, but functional, application.
• It typically results in a better definition of these users’ needs and requirements
than does the traditional systems development approach.
• A very short time period is normally required to develop and start experimenting
with a prototype. This short time period allows system users to immediately
evaluate proposed system changes.
• Since system users experiment with each version of the prototype through an
interactive process, errors are hopefully detected and eliminated early in the
developmental process. As a result, the information system ultimately
implemented should be more reliable and less costly to develop than when the
traditional systems development approach is employed.
A, C and D are incorrect – this is not a strength of any of these models
905. Which of the following is a weakness of the spiral model?
A. It is criticized to be Inflexible, slow, costly, and cumbersome due to significant
structure and tight controls.
B. Approval process and control are not formal.
C. Sometimes there are no firm deadlines, cycles continue till requirements are
clearly identified.
D. Problems may arise pertaining to system architecture because not all
requirements are gathered up front for the entire software life cycle.
KEY C
C is correct – Weaknesses of the spiral model are:
• It is challenging to determine the exact composition of development
methodologies to use for each of the iterations around the Spiral.
• A skilled and experienced project manager is required to determine how to apply
it to any given project.
• Sometimes there are no firm deadlines, cycles continue till requirements are
clearly identified. Hence it has an inherent risk of not meeting budget or schedule.
A, B and D are incorrect – These are the weaknesses of the waterfall model, prototype
model and incremental model respectively
906. Which of the following is a key feature of Rapid Application Development?
A. Fast development and delivery of a high quality system at a relatively low
investment cost,
B. Use of small, time-boxed subprojects or iterations where each iteration forms
basis for planning next iteration.
C. Customer satisfaction by rapid delivery of useful software;
D. Welcome changing requirements, even late in development;
KEY A
A is correct - The key features of RAD are:
• Key objective is fast development and delivery of a high quality system at a
relatively low investment cost,
• Attempts to reduce inherent project risk by breaking a project into smaller
segments and providing more ease-of-change during the development process.
• Aims to produce high quality systems quickly, primarily through the use of
iterative Prototyping (at any stage of development), active user involvement, and
computerized development tools like Graphical User Interface (GUI) builders,
Computer Aided Software Engineering (CASE) tools, Database Management
Systems (DBMS), Fourth generation programming languages, Code generators
and object-oriented techniques.
• Key emphasis is on fulfilling the business need while technological or
engineering excellence is of lesser importance.
• Project control involves prioritizing development and defining delivery deadlines
or “time boxes.” If the project starts to slip, emphasis is on reducing requirements
to fit the time box, not in increasing the deadline.
• Generally includes Joint Application Development (JAD), where users are

intensely involved in system design, either through consensus building in
structured workshops, or through electronically facilitated interaction.
B, C and D are incorrect – These are the key features of Agile Software development
methodology
907. Which of the following is the weakness of the Agile Software development
methodology?
A. Fast speed and lower cost may affect adversely the system quality.
B. The project may end up with more requirements than needed (gold-plating).
C. Potential for feature creep where more and more features are added to the
system during development.
D. There is lack of emphasis on necessary designing and documentation due to time
management and generally is left out or incomplete.
KEY D
D is correct - Weaknesses of Agile methodology:
• In case of some software deliverables, especially the large ones, it is difficult to
assess the efforts required at the beginning of the System Development life
cycle.
• There is lack of emphasis on necessary designing and documentation due to time
management and generally is left out or incomplete.
• Agile increases potential threats to business continuity and knowledge transfer
due to verbal communication and weak documentation.
• Agile requires more re-work due to the lack of long-term planning and the
lightweight approach to architecture.
• The project can easily get taken off track if the customer representative is not
clear about the requirements and final outcome.
• Agile lacks the attention to outside integration.
A, B and C are incorrect – These are the weaknesses of RAD
908. This is the process of studying and analyzing an application, a software
application or a product to see how it functions and to use that information to
develop a similar system.
A. Software Reengineering
B. Reverse Engineering
C. Agile processes
D. Rapid Application Development
KEY B
B is correct - Reverse engineering is the process of studying and analyzing an
application, a software application or a product to see how it functions and to use that
information to develop a similar system.
A, C and D are incorrect – Studying an existing product to learn how it functions is not
the defining activity of any of these processes
909. How is a product classified when its software is readily available and can be
implemented without customisation?
A. Generic products without customisation
B. Commercial product with customisation
C. Outsourced development
D. Commercial product without customisation
KEY A
A is correct - Generic products without customisation: Software is available and can
be implemented without customisation. These products are also known as plug-and-
play or COTS (commercial off-the-shelf) products, for example MS Office, MS Project etc.
B is incorrect – Commercial product with customisation: Software needs to be
customised, as with ERP or core banking products, or at a lower level of customisation
as with Tally.
C is incorrect – Outsourced development: Ready-made software meeting the
requirements is not available. Hence, the organisation decides to outsource development
based on a cost-benefit analysis.
D is incorrect – There is no such classification
910. In achieving the objectives of requirement analysis, the process of understanding
the present system and its related problems comes under which of the following
steps?
A. Fact finding
B. Analysis
C. Requirements of proposed systems
D. Identifying rationale and objectives

385
DISA Review Questions, Answers Manual

KEY B
B is correct - Analysis to understand Present process: Understanding present
system and its related problems helps in confirming the requirements from new
application/software.
A is incorrect – Fact Finding: Application system focuses on two main types of
requirements. The first one is service delivery and second one is operational
requirements. These may include lower operational costs, better information for
managers, smooth operations for users or better levels of services to customers. To
assess these needs, the analysts often interact extensively with stakeholders, to
determine ‘detail requirements’. The fact-finding techniques/tools used by the system
analyst include document verification, interviews, questionnaire and observation.
C is incorrect - Requirements for Proposed Systems: After analysis of the functional
area and process, the proposed expectations can be clearly defined considering the
issues and objectives.
D is incorrect – Analysis also includes identifying the rationale and objectives, inputs
and data sources, decision points, desired outcomes from the application, and
mandatory and discretionary controls.
911. The process of allotting a weightage to each requirement and then a score to the
software that meets that requirement is called:
A. Point scoring Analysis
B. Agenda based presentations
C. Public evaluation reports
D. Benchmarking solutions
KEY A
A is correct - Point-Scoring Analysis (Functional gap analysis): Point-scoring
analysis provides an objective means of selecting software. It is performed by
allotting a weightage to each requirement and then a score to the software that
meets that requirement.
B is incorrect - The agenda-based presentations are scripted business scenarios that
are designed to show how the software will perform certain critical business functions.
Vendors are typically invited to demonstrate their product and follow the sample
business scenarios given to them to prepare.
C is incorrect – Public Evaluation Reports: Organisation may refer to independent
agencies that evaluate various software products of different vendors and publish
comparison along with rating based on various predefined parameters including survey
of current users (for example, the magic quadrant for similar software products by
Gartner, Forrester etc.). This method has been frequently and usefully employed by
several buyers in the past.
D is incorrect – Proof of Concept (PoC) or Benchmarking Solutions: Organisations
may request the vendor to provide a proof of concept (by implementing the product in a
small pilot area within the organisation) that the software meets the expected
requirements. This helps the organisation evaluate the product that best meets the
requirements. It is particularly useful for high-cost products whose implementation
requires so much effort that it may not be possible to roll back.
912. While preparing the request for proposal, what should an organisation do to
ensure vendor viability and financial stability?
A. Compare product functionalities against requirements
B. Validate vendor claims about their product performance
C. Get feedback from existing customers of the vendor on supporting documents of
the vendor
D. Evaluate what kind of support the vendor provides
KEY C
C is correct - Evaluate the vendor's viability with reference to the period for which the
vendor has been in operation, the period for which the desired product has been in use
by existing customers, and the vendor's financial stability on the basis of a market
survey, certification from customers and supporting documentation from the vendor
A is incorrect – This is part of software and system requirements
B is incorrect – This is part of customer references
D is incorrect – This is part of vendor support
913. Out of the tests performed on a program unit, what does a performance test
check?
A. whether programs do what they are supposed to do or not
B. verify the expected performance criteria of program
C. determines the stability of a given system or entity
D. examines the internal processing logic of a software system
KEY B
B is correct - Performance tests are designed to verify the expected performance
criteria of program.
A, C and D are incorrect – These are the functions of a function test, stress test and
structural test respectively
914. Which of the following is a feature of top down integration?
A. The testing will start from opening login screen and then login, then selecting
function one by one
B. It is the traditional strategy used to integrate the components of a software
system starting from smallest module/function/program.
C. It consists of unit testing, followed by sub-system testing.
D. Bottom-up testing is easy to implement as at the time of module testing, tested
subordinate modules are available.
KEY A
A is correct - Top-down Integration: This starts with the main routine, with stubs
substituted for the modules directly subordinate to the main module. Considering the
above example, the testing starts from opening the login screen, then logging in, then
selecting functions one by one. An incomplete portion of program code is replaced by a
placeholder function (called a stub) so that the calling module can be exercised. The
stub is treated as a black box and assumed to perform as expected; it is tested
subsequently. Once testing of the main module is complete, the stubs are replaced with
real modules one by one, and these modules are tested. This process continues until
the atomic (smallest) modules are reached. Since decision-making processes are likely
to occur in the higher levels of the program hierarchy, the top-down strategy
emphasises the major control decision points encountered in the earlier stages of a
process and detects errors in these processes. The difficulty with the top-down method
is that the high-level modules are tested with stubs and not with the actual modules.
B, C and D are incorrect – These are the features of bottom up integration
915. With respect to System testing, what is the objective of performance testing?
A. To assess how well the application is able to recover from crashes, hardware
failures and other similar problems
B. To determine that an Information System protects data and maintains
functionality as intended.
C. to determine the stability of a given system or entity based on the requirements
D. to assess various parameters like response time, speed of processing,
effective use of resources (RAM, CPU etc.), network, etc.
KEY D
D is correct - Performance Testing: Software performance testing is performed on
various parameters like response time, speed of processing, effective use of
resources (RAM, CPU etc.), network, etc. This testing technique compares the new
system's performance with that of similar systems using available industry benchmarks.
A,B, C are incorrect – These are the objectives of Recovery Testing, Security testing
and Stress testing respectively.
916. What does User Acceptance Testing focus on?
A. Ensuring that the system is production-ready and satisfies all accepted
(baselined) requirements
B. Conforming to the quality standards of the organisation accepted before
development
C. Documenting specifications, technology employed, use of coding standards
D. Controlling the execution of tests and the comparing of actual outcomes with
predicted outcomes
KEY A
A is correct - User Acceptance Testing (UAT): It is a user-intensive activity, and
participation of functional users is a primary requirement for UAT. The objective of UAT
is to ensure that the system is production-ready and satisfies all accepted (baselined)
requirements.
B and C are incorrect – These are the features of Quality Assurance Testing
D is incorrect – This is the feature of automated testing
917. In this strategy, implementation can be staged with conversion to the new system
taking place gradually.
A. Phased Changeover
B. Abrupt Changeover
C. Pilot Changeover
D. Parallel Changeover
KEY A
A is correct - Phased Changeover: With this strategy, implementation can be staged
with conversion to the new system taking place gradually. This is done based on
business operations. For example, converting one function (e.g. marketing) on new
system, wait for the same be stabilized and then take another function
(Finance/HR/production etc.)
B is incorrect – Cut-off or Direct Implementation / Abrupt Change-Over: This is
achieved through an abrupt takeover – an all-or-nothing approach. With this strategy,
the changeover is done in one operation, completely replacing the old system in one go.
Fig 6.1 depicts Direct Implementation, which usually takes place on a set date, often
after a break in production or a holiday period so that the time can be used to get the
hardware and software for the new system installed without causing too much
disruption.
C is incorrect – Pilot Changeover: With this strategy, the new system replaces the old
one in one operational area or on a smaller scale. Any errors are rectified and the new
system is stabilised in the pilot area; the stabilised system is then replicated across
the whole organisation. For example, conversion of banking operations to a centralised
system is done at one branch and stabilised, and the same process is then replicated
across all branches.
D is incorrect – Parallel Changeover: This is considered the most secure, but also the
most time- and resource-consuming, method of implementation. The new system is
implemented while the old system also continues to operate. The output of the new
system is regularly compared with that of the old system. If the results match over a
period of time and the issues observed with the new system are taken care of, the old
system is discontinued.
918. Which of the following is a requirement to be considered with respect to cloud
computing and sourcing options?
A. The development team needs to define backup procedures
B. Client needs to be tested for all known browsers
C. Evaluation of vendors for acquisition of tools and software
D. Developers to test their code before releasing to testing team
KEY B
B is correct - The requirements that must be considered are discussed below:
• Applications on the cloud use platform-independent, web-based technology such as
Java, .NET, XML, PHP etc. Deployment of services may happen in a phased manner,
so the project manager may consider an agile development method to develop and
deploy services.
• The client is executed in internet browsers such as Internet Explorer, Google
Chrome, Mozilla Firefox etc. and hence needs to be tested on all known browsers.
Security must be considered while developing the software: users may or may not
use the security settings in their browsers, and not all browsers offer the same
level of security settings.
• Web application security requirements need to be considered while designing
and testing the application.
• Non-functional requirements of performance and response have to be considered
while developing the software.
• Licensing issues for utilities and middleware are complex and should be
considered.
A, C and D are incorrect – These are the characteristics for virtualisation
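The second and third requirements above make a point a practitioner should act on: protection cannot be left to the user's browser settings, so the controls have to be set server-side and then tested. What follows is an added example (not from the ICAI manual) of such a test: an HTTP response's headers are checked against a baseline one would expect on every HTML page. The header names are real HTTP headers; the two sample responses are constructed for illustration.

```python
# Added example (not from the ICAI manual): a test-time check that a web
# application's HTTP responses carry server-side security controls, so that
# protection does not depend on which browser the user runs or how it is set.
# The header names/values are real HTTP headers; the sample responses are
# constructed for illustration.
from __future__ import annotations

# Baseline expected on every HTML response:
# (header name, predicate the value must satisfy, what a failure means).
BASELINE = [
    ("Strict-Transport-Security", lambda v: "max-age=" in v.lower(),
     "HSTS missing or without max-age; browsers may be downgraded to HTTP"),
    ("Content-Security-Policy",
     lambda v: "default-src" in v.lower() or "script-src" in v.lower(),
     "CSP missing or without a default-src/script-src directive"),
    ("X-Content-Type-Options", lambda v: v.strip().lower() == "nosniff",
     "MIME sniffing not disabled"),
    ("X-Frame-Options", lambda v: v.strip().lower() in ("deny", "sameorigin"),
     "clickjacking protection missing"),
]


def check_security_headers(headers: list[tuple[str, str]]) -> list[str]:
    """Return the list of findings for one response (empty list = baseline met).

    headers is a list of (name, value) pairs so repeated headers such as
    Set-Cookie are preserved. Header names are matched case-insensitively,
    as HTTP requires."""
    by_name: dict[str, list[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    findings = []
    for name, ok, why in BASELINE:
        values = by_name.get(name.lower())
        if not values:
            findings.append(f"{name}: not set ({why})")
        elif not all(ok(v) for v in values):
            findings.append(f"{name}: weak value ({why})")

    # Session cookies must not be readable by script or sent over plain HTTP,
    # regardless of what the browser would do on its own.
    for cookie in by_name.get("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"Set-Cookie {cookie_name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"Set-Cookie {cookie_name}: missing HttpOnly")
    return findings


# Constructed sample responses: the weak one is what a default framework setup
# often emits; the hardened one is what the test should require before release.
WEAK_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(response) or "OK")
```

In a test suite the same function would be run over the captured headers of every page the client renders, and a non-empty finding list fails the build; the check is deliberately independent of any browser, which is the point of the requirement.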
919. Which of the following is a risk with respect to security of big data?
A. When an employee leaves the company, data may still be present on their
employees’ device.
B. Requires data to be stored in denormalized form i.e. schema-less in distributed
environments
C. Propagation of malware resulting in data leakage, data corruption and non-
availability of required data.
D. Possibility of fraud through remote access and inability to prevent/detect it.
KEY B
B is correct - Big data requires data to be stored in denormalised, i.e. schema-less,
form in distributed environments, where data from multiple sources can be joined and
aggregated in arbitrary ways, making it challenging to establish access controls
• As big data consists of high-volume, high-variety and high-velocity data, it is
difficult to ensure data integrity
• Since it is an aggregation of data from across the organisation, it also includes
sensitive data
• Most existing data security and compliance approaches will not scale to handle
big data security.
A, C and D are incorrect – These are the disadvantages of using mobile devices in
SDLC
920. Which of the following is the role of an IS Auditor during post implementation
review?
A. suggest appropriate controls to be included in proposed solution
B. Interview project team and stakeholders to understand expectations
C. Ensure ‘what project control standards are to be complied with
D. Evaluation of system for information security and privacy controls
KEY D
D is correct - Information Security: System should also need to be evaluated for
information security and privacy controls. This aspect of system evaluation is based on
the security requirements documented during information gathering, security of
infrastructure on which the application is hosted (e.g. hardware baselining, network
security, access controls and vulnerability scanning). Evaluation may also include the
availability aspect required for continuity (e.g. in case of high availability requirements
redundant infrastructure in cluster or replication and readiness of alternate site,
updating of BCP documents etc.)
A, B and C are incorrect – These are reviews done by the auditor as a team member
and during mid-project reviews
Module 6
Business Application Software Audit

921. In an organisation, business processes and related controls are put in place
through:
A. Business Applications
B. Control Structure
C. Business Cycle
D. Business Model
KEY A
A is correct - “Business Application” may be defined as an application (meaning
computerised software) used by an organisation to run its business. The consideration is
whether the said application covers / incorporates the key business processes of the
organisation. Another important consideration is whether the control structure
available in the business application is appropriate to help the organisation achieve its
goals. Business applications are where the necessary controls needed to run the business
are put in place. The business processes and related controls are put in place through
the business applications used by an organisation.
B, C and D are incorrect –
Each business cycle used by an organisation has a defined control structure that has a
direct correlation to the business model used. Organisations have to document
business processes and identify key control points. Organisations have to ensure that
the key control points are configured in the system.
922. The ICAI has issued standards on Internal Audit in Information Technology
Environment. According to this, an auditor has to:
A. Consider subject matter guidance or direction, as afforded through legislation,
regulations, rules, directives and guidelines issued by government or industry.
B. Establish the expected degree of reliance to be placed on internal control;
C. Determine the nature, timing, and extent of the audit procedures to be performed;
and
D. Consider the extent to which the IT environment is used to record, compile,
process and analyse information
KEY D
D is correct - SIA 14, on INTERNAL AUDIT IN INFORMATION TECHNOLOGY
ENVIRONMENT, as issued by ICAI, states that; “The internal auditor should consider
the effect of an IT environment on the internal audit engagement, inter alia:
a. The extent to which the IT environment is used to record, compile, process and
analyse information; and
b. The system of internal control in existence in the organisation with regard to: the
flow of authorised, correct and complete data to the processing centre; the
processing, analysis and reporting tasks undertaken in the installation”.
A, B and C are incorrect – ISACA Standards
ISACA ITAF, 1201 “Engagement Planning”, identifies risk assessment as one of the
key aspects and states that IS audit and assurance professionals have to:
• Obtain an understanding of the activity being audited. The extent of the
knowledge required should be determined by the nature of the enterprise, its
environment, areas of risk, and the objectives of the engagement.
• Consider subject matter guidance or direction, as afforded through legislation,
regulations, rules, directives and guidelines issued by government or industry.
• Perform a risk assessment to provide reasonable assurance that all material
items will be adequately covered during the engagement. Audit strategies,
materiality levels and resource requirements can then be developed.
• Develop the engagement project plan using appropriate project management
methodologies to ensure that activities remain on track and within budget.
ICAI Standards
SA 200 “Overall Objectives of the Independent Auditor and the conduct of an audit in
accordance with standards on Auditing”, Issued by ICAI, requires an auditor to plan an
audit and get following information: “The auditor should plan his work to enable him to
conduct an effective audit in an efficient and timely manner. Plans should be based on
knowledge of the client’s business. Plans should be made to cover, among other things:
a. Acquiring knowledge of the client’s accounting system, policies and internal
control procedures;
b. Establishing the expected degree of reliance to be placed on internal control;
c. Determining and programming the nature, timing, and extent of the audit
procedures to be performed; and
d. Coordinating the work to be performed.
The first step for an IS auditor is to obtain knowledge about the business of the
organisation, perform a risk assessment and decide on the specific and additional audit
procedures needed to complete the audit.
923. What is control risk with respect to risk assessment for a business application?
A. Relates to business risks, country risks and contract risks
B. Failure of a control to prevent or detect a material error that exists in system.
C. risk arising without taking into account a planned action by management
D. failure of an audit procedure to detect an error that might be material
KEY B
B is correct - Control risk is defined as failure of a control to prevent, detect a material
error that exists in system.
A, C and D are incorrect –
1. Subject matter risk relates to business risk, country risk and contract risks. These
are important for an IS auditor to consider but are merged with inherent risk
(discussed below).
2. Audit risk is defined as the auditor reaching an incorrect conclusion after an audit.
The components of audit risk are control risk, inherent risk and detection risk.
• Control risk is defined as failure of a control to prevent or detect a material error
that exists in the system.
• Inherent risk is defined as risk arising without taking into account any planned
action by management to reduce the risk. Simply put, it relates to the nature of
the transaction / business.
• Detection risk is defined as failure of an audit procedure to detect an error that
might be material individually or in combination with other errors.
924. Business applications used by entities to manage resources optimally and to
maximize economy, efficiency and effectiveness of business operations is known
as:
A. Accounting Applications
B. Banking Applications
C. ERP Applications
D. Payroll Application
KEY C
C is correct -
ERP Applications: These have been placed in a separate category of business
application systems because of their importance to an organisation. This software,
called enterprise resource planning software, is used by entities to manage resources
optimally and to maximise E^3, i.e. economy, efficiency and effectiveness of business
operations.
A is incorrect -
Accounting Applications: Applications like TALLY, TATA EX, UDYOG, used by
business entities for purpose of accounting for day to day transactions, generation of
financial information like balance sheet, profit and loss account, cash flow statements,
are classified as accounting applications.
B is incorrect –
Banking Application: Today all public sector banks, private sector banks and even
regional rural banks have shifted to core banking business applications (referred to as
CBS). Reserve Bank of India guidelines mandating all co-operative banks also to shift
to core banking applications by December 2013 mean that 95% plus of Indian banks
use CBS. CBS used by Indian banks include FINACLE (by Infosys Technologies Ltd.),
FLEXCUBE (by Oracle Financial Services Software Limited, formerly called i-flex
Solutions Limited), TCS BaNCS (by TCS Limited), and many more.
D is incorrect –
Payroll Application: Many companies across the world are outsourcing these activities
to professionals. In India also many CA firms are doing a good job on payroll
outsourcing. TALLY has a payroll application built into it. ICAI has made a payroll
application available to its members.
925. Key business requirements for information specify ‘integrity’ as a parameter that
needs to be present in the information generated. By integrity we mean:
A. protection of sensitive information from unauthorised disclosure
B. accuracy and completeness of information as well as its validity
C. information being available when required
D. information being delivered in a timely, correct, consistent and usable manner
KEY B
B is correct - Integrity: Relates to the accuracy and completeness of information as
well as to its validity in accordance with business values and expectations
A is incorrect – Confidentiality: Concerns the protection of sensitive information from
unauthorised disclosure
C is incorrect - Availability: Relates to information being available when required by
the process now and in the future. It also concerns the safeguarding of necessary
resources and associated capabilities.
D is incorrect – Effectiveness: Deals with information being relevant and pertinent to
the process as well as being delivered in a timely, correct, consistent and usable
manner
926. COBIT defines six control objectives for application controls. Under which of the
following objectives does validating input data classify?
A. Data collection and entry
B. Completeness and Authenticity checks
C. Processing integrity and validity
D. Transaction Authentication and Integrity
KEY B
B is correct - Accuracy, Completeness and Authenticity Checks: Ensure that
transactions are accurate, complete and valid. Validate data that were input, and edit or
send back for correction as close to the point of origination as possible.
A is incorrect - Source Data Collection and Entry: Ensure that data input is performed
in a timely manner by authorised and qualified staff. Correction and resubmission of
data that were erroneously input should be performed without compromising original
transaction authorisation levels. Where appropriate for reconstruction, retain original
source documents for the appropriate amount of time.
C is incorrect - Processing Integrity and Validity: Maintain the integrity and validity of
data throughout the processing cycle. Detection of erroneous transactions does not
disrupt the processing of valid transactions.
D is incorrect – Transaction Authentication and Integrity: Before passing transaction
data between internal applications and business/operational functions (within or outside
the enterprise), check the data for proper addressing, authenticity of origin and integrity
of content. Maintain authenticity and integrity during transmission or transport
927. Neural Networks and Fuzzy Logics are classified under which category of
Artificial intelligence?
A. Cognitive Science
B. Robotics
C. Natural Sciences
D. Virtual Reality
KEY A
A is correct - Cognitive Science: This is an area based on research in disciplines such
as biology, neurology, psychology, mathematics and allied disciplines. It focuses on
how human brain works and how humans think and learn. Applications of AI in the
cognitive science are Expert Systems, Learning Systems, Neural Networks, Intelligent
Agents and Fuzzy Logic
B, C and D are incorrect –
Robotics: This technology produces robot machines with computer intelligence and
human-like physical capabilities. This area includes applications that give robots visual
perception, capabilities to feel by touch, dexterity and locomotion.
Natural Languages: Being able to 'converse' with computers in human languages is the
goal of research in this area. Interactive voice response and natural programming
languages, closer to human conversation, are some of the applications. Virtual reality is
another important application that can be classified under natural interfaces.
928. What are decision support systems (DSS)?
A. System used for getting valuable information for making management decisions
B. systems that provide interactive information support to managers with analytical
models
C. system which allows buying and selling goods on the internet and involves
information sharing, payment, fulfillment, service and support
D. system intended to capture data at the time and place of a transaction
KEY B
B is correct - DSS are information systems that provide interactive information support
to managers with analytical models. DSS are designed to be ad hoc systems for
specific decisions by individual managers. These systems answer queries that are not
answered by the transaction processing systems.
A, C and D are incorrect – A data warehousing system is used for getting valuable
information for making management decisions.
Other than buying and selling goods on the Internet, E-Commerce (Electronic
Commerce) involves information sharing, payment, fulfilment, and service and support.
A PoS system is intended to capture data at the time and place of a transaction
initiated by a business user. It is often attached to scanners to read bar codes and
magnetic cards for credit card payment and electronic sales.
929. Which of the following should an IS auditor consider while auditing data
warehousing systems?
A. Network capacity for speedy access
B. Accuracy and correctness of outputs generated
C. Validation of receivers details for correctness and completeness
D. Review of exceptional transaction logs
KEY A
A is correct - IS Auditor should consider the following while auditing data warehouse:
1. Credibility of the source data
2. Accuracy of the source data
3. Complexity of the source data structure
4. Accuracy of extraction and transformation process
5. Access control rules
6. Network capacity for speedy access
B is incorrect – IS Auditors role with respect to Decision Support System:
1. Credibility of the source data
2. Accuracy of the source data
3. Accuracy of extraction and transformation process
4. Accuracy and correctness of the output generated
5. Access control rules
C is incorrect – The IS Auditors role with respect to EFT will be with respect to:
1. Authorisation of payment.
2. Validation of receivers details, for correctness and completeness.
3. Verifying the payment made.
4. Getting acknowledgement from the receiver, or alternatively from bank about the
payment made.
5. Checking whether the obligation against which the payment was made has been
fulfilled.
D is incorrect – IS Auditors role for PoS systems:
1. In case there is batch processing, the IS auditor should evaluate the batch
controls implemented by the organization.
2. Check if they are in operation.
3. Review exceptional transaction logs.
4. Check whether the internal control system is sufficient to ensure the accuracy and
completeness of the transaction batch before updating.
5. Controls matter even more in the case of an online updating system, where the IS
auditor will have to evaluate the controls for accuracy and completeness of
individual transactions.
930. Why is IS Audit performed?
A. It safeguards assets, maintains data integrity and achieves the organisations
goals and objectives
B. To ensure that the organisations computer systems are available for the business
at all times when required
C. Business processes have been integrated into system and decisions are being
taken through this integrated system
D. To ensure that the information provided by the system is accurate, reliable and
timely
KEY C
C is correct - IS Audit is necessary in today’s business environment because business
processes have been integrated into systems and many decisions are taken through
these integrated systems.
A, B and D are incorrect – These are the agenda to be followed for an IS Audit
931. While performing an IS audit which of the following comes under risk assessment
and planning?
A. conclusions on objective(s), scope, timeline and deliverables, compliance with
applicable laws and professional auditing standards
B. provide supervision to IS audit staff for whom they have supervisory
responsibility, to accomplish audit objectives
C. use an appropriate risk assessment approach and supporting methodology to
develop the overall IS audit plan
D. obtain sufficient and appropriate evidence to achieve the audit objectives.
KEY C
C is correct - Risk Assessment in Planning: The IS audit and assurance function shall
use an appropriate risk assessment approach and supporting methodology to develop
the overall IS audit plan and determine priorities for the effective allocation of IS audit
resources. IS audit and assurance professionals shall identify and assess risk relevant
to the area under review, when planning individual engagements. IS audit and
assurance professionals shall consider subject matter risk, audit risk and related
exposure to the enterprise.
A, B and D are incorrect –
Engagement Planning: This includes conclusions on objective(s), scope, timeline and
deliverables, compliance with applicable laws and professional auditing standards, use
of a risk-based approach, where appropriate, engagement-specific issues,
documentation and reporting requirements.
Performance and Supervision: IS audit and assurance professionals shall conduct the
work in accordance with the approved IS audit plan to cover identified risk and within
the agreed-on schedule. IS audit and assurance professionals shall provide supervision
to IS audit staff for whom they have supervisory responsibility, to accomplish audit
objectives and meet applicable professional audit standards. IS audit and assurance
professionals shall accept only tasks that are within their knowledge and skills or for
which they have a reasonable expectation of either acquiring the skills during the
engagement or achieving the task under supervision. IS audit and assurance
professionals shall obtain sufficient and appropriate evidence to achieve the audit
objectives. The audit findings and conclusions shall be supported by appropriate
analysis and interpretation of this evidence. IS audit and assurance professionals shall
document the audit process, describing the audit work and the audit evidence that
supports findings and conclusions. IS audit and assurance professionals shall identify
and conclude on findings.
Evidence: IS audit and assurance professionals shall obtain sufficient and appropriate
evidence to draw reasonable conclusions on which to base the engagement results. IS
audit and assurance professionals shall evaluate the sufficiency of evidence obtained to
support conclusions and achieve engagement objectives.
932. The type of CAAT which is written for special audit purposes or targeting
specialized IT environments is known as:
A. Specialised Audit Software
B. Generalised Audit Software
C. Utility Software
D. Computer Audit Software
KEY A
A is correct - Specialised Audit software, unlike GAS, is written for special audit
purposes or targeting specialized IT environments.

401
DISA Review Questions, Answers Manual

B, C and D are incorrect – Generalised Audit Software refers to generalised computer
programs designed to perform data processing functions such as reading data,
selecting and analysing information, performing calculations, creating data files and
reporting in a format specified by the auditor.
Utility software or utilities, though not developed or sold specifically for audit, are often
extremely useful and handy for conducting audits.
Computer audit software is also known as Generalised Audit Software (GAS).
933. Which of the following pertains to an operation using GAS?
A. Testing for UNIX controls
B. Comparing an input file with a processed file
C. Production of circularisation letters
D. Random sampling plan
KEY D
D is correct - Typical operations using GAS include:
a. Sampling: Items are selected following a value-based or random sampling plan.
b. Extraction: Items that meet the selection criteria are reported individually.
c. Totaling: The total value and number of items meeting the selection criteria are
reported.
d. Ageing: Data is aged by reference to a base date.
e. Calculation: Input data is manipulated prior to applying the selection criteria.
A, B and C are incorrect – Specialised Audit software, unlike GAS, is written for special
audit purposes or targeting specialised IT environments. The objective of such
software is to achieve special audit procedures which may be specific to the type of
business, transaction or IT environment, e.g. testing for NPAs, testing for UNIX controls,
testing for overnight deals in a Forex application software, etc. Such software may be
either developed by the auditee or embedded as part of the client's mission-critical
application software. Such software may also be developed by the auditor
independently. Before using the organisation's specialised audit software, the auditor
should take care to get assurance on the integrity and security of the software
developed by the client...
Utility software or utilities, though not developed or sold specifically for audit, are often
extremely useful and handy for conducting audits. These utilities usually come as part
of office automation software, operating systems and database management systems,
or may even come separately. Utilities are useful in performing specific system
command sequences and are also useful in performing common data analysis functions
such as searching, sorting, appending, joining, analysis, etc. Utilities are extensively
used in the design, development, testing and auditing of application software, operating
system parameters, security software parameters, security testing, debugging, etc.
a. File comparison: A current version of a file, for example, is compared with the
previous year's version, or an input file is compared with a processed file.
b. Production of circularisation letters.
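The five GAS operations listed above (sampling, extraction, totaling, ageing, calculation), as an added example that is not part of the manual: a small Python script running them over a constructed open-invoice file. The CSV contents, the base date and the selection criteria are assumptions made for the example.

```python
"""Added example (not from the DISA manual): the typical GAS operations run over
a constructed open-invoice file. All data and criteria here are made up."""
import csv
import io
import random
from datetime import date

# Constructed sample input: an open-invoice extract as an auditor might receive it.
SAMPLE_CSV = """invoice,customer,invoice_date,amount
1001,ACME,2023-01-15,1200.00
1002,ACME,2023-03-02,350.50
1003,Beta,2022-11-20,9800.00
1004,Gamma,2023-02-28,75.25
1005,Delta,2022-08-05,15000.00
1006,Beta,2023-03-20,600.00
"""
BASE_DATE = date(2023, 3, 31)  # assumed period-end used as the ageing base date


def load_invoices(text):
    """Read the CSV extract into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "invoice": int(r["invoice"]),
            "customer": r["customer"],
            "invoice_date": date.fromisoformat(r["invoice_date"]),
            "amount": float(r["amount"]),
        })
    return rows


def calculate(rows, base_date):
    """Calculation: derive a new field (days outstanding) before selection."""
    for r in rows:
        r["days_outstanding"] = (base_date - r["invoice_date"]).days
    return rows


def extract(rows, criteria):
    """Extraction: report individually the items meeting the selection criteria."""
    return [r for r in rows if criteria(r)]


def total(rows):
    """Totaling: number and total value of the items passed in."""
    return len(rows), round(sum(r["amount"] for r in rows), 2)


def age(rows, base_date, edges=(30, 60, 90)):
    """Ageing: bucket invoice amounts by days outstanding from the base date."""
    labels = ([f"0-{edges[0]}"]
              + [f"{lo + 1}-{hi}" for lo, hi in zip(edges, edges[1:])]
              + [f">{edges[-1]}"])
    aged = dict.fromkeys(labels, 0.0)
    for r in rows:
        days = (base_date - r["invoice_date"]).days
        idx = sum(days > e for e in edges)  # number of edges exceeded picks the bucket
        aged[labels[idx]] = round(aged[labels[idx]] + r["amount"], 2)
    return aged


def sample(rows, n, seed=0, value_based=False):
    """Sampling: random selection, or value-weighted (monetary unit style)
    selection, of n items. The fixed seed keeps the audit sample reproducible."""
    rng = random.Random(seed)
    if value_based:
        return rng.choices(rows, weights=[r["amount"] for r in rows], k=n)
    return rng.sample(rows, n)


def gas_report(csv_text=SAMPLE_CSV, base_date=BASE_DATE):
    """Run the whole sequence the way a GAS job would: calculate, extract items
    over 90 days old and at least 1000 in value, total them, age the file, sample."""
    rows = calculate(load_invoices(csv_text), base_date)
    overdue = extract(rows, lambda r: r["days_outstanding"] > 90 and r["amount"] >= 1000)
    return {
        "overdue_invoices": [r["invoice"] for r in overdue],
        "overdue_total": total(overdue),
        "ageing": age(rows, base_date),
        "sample": [r["invoice"] for r in sample(rows, 3)],
    }


if __name__ == "__main__":
    for k, v in gas_report().items():
        print(k, v)
```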
934. What is continuous auditing?
A. Process of obtaining evidence directly on the quality of the records produced and
maintained in the system.
B. Process of reviewing the computer logs generated at various points to build an
audit trail
C. Process through which an auditor evaluates the particular system(s) and thereby
generates audit reports on real time basis.
D. Process of reviewing transactions as they are processed and select items
according to audit criteria specified in the resident code
KEY C
C is correct - Continuous auditing is a process through which an auditor evaluates the
particular system(s) and thereby generates audit reports on a real-time basis. A continuous
auditing approach may be required in various environments. Such
environments usually involve systems that are 24*7 mission-critical systems.
A is incorrect – This forms part of selecting, implementing and using CAATs.
B and D are incorrect – These are different techniques of continuous auditing.
935. Procedure of continuous auditing whereby digital pictures of procedures are
saved and stored in the memory:
A. Snapshot
B. Integrated Test facility
C. System activity file interrogation
D. Embedded audit facilities
KEY A
A is correct - Most applications follow a standard procedure whereby, after taking in the
user input, they process it to generate the corresponding output. Snapshots are digital
pictures of procedures of the console that are saved and stored in memory.
Procedures of the console refer to the application procedures that take input from the
console, i.e. from the keyboard or the mouse. These procedures serve as references for
subsequent output generation in the future. Typically, snapshots are implemented for
tracing application software and mapping it. The user provides inputs through the
console for processing the data. Snapshots are the means through which each step of data
processing (after the user gives the input through the console) is stored and recalled.
B is incorrect - Integrated Test Facility (ITF) is a system in which a test pack is pushed
through the production system affecting "dummy" entities. Hence this requires dummy
entities to be created in the production software. For example, the auditor would
introduce test transactions targeting dummy customer accounts and dummy
items created earlier for this testing purpose.
C is incorrect – Most computer operating systems provide the capability of producing a
log of every event occurring in the system, both user- and computer-initiated. This
information is usually written to a file and can be printed out periodically. As part of
audit testing of general controls, it may be useful for the auditor to review the computer
logs generated at various points to build an audit trail. Wherever possible, unauthorised
or anomalous activity would need to be identified for further investigation.
D is incorrect – Embedded audit facilities consist of program audit procedures which
are inserted into the client's application programs and executed simultaneously. The
technique helps review transactions as they are processed and select items according
to audit criteria specified in the resident code, and automatically write details of these
items to an output file for subsequent audit examination.
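The snapshot and embedded audit facility techniques described above, as an added example that is not part of the manual: a toy posting routine that takes a picture of the transaction state at each step and runs an embedded audit check alongside processing. The transactions, the tax rate and the audit criteria are constructed for the example.

```python
"""Added example (not from the DISA manual): a toy posting routine with an
embedded audit module and a snapshot trace, illustrating the techniques above.
The transactions, tax rate and audit criteria are all constructed."""
import copy
from datetime import datetime

# Audit criteria "specified in the resident code": assumed thresholds.
AUDIT_CRITERIA = {"max_amount": 10000.0, "business_hours": (9, 18)}


class EmbeddedAuditModule:
    """Evaluates each transaction while it is processed and writes the items
    that meet the audit criteria to an output record for later examination."""

    def __init__(self, criteria):
        self.criteria = criteria
        self.output = []  # stands in for the auditor's output file

    def check(self, txn):
        reasons = []
        if txn["amount"] > self.criteria["max_amount"]:
            reasons.append("amount above threshold")
        start, end = self.criteria["business_hours"]
        if not start <= txn["posted_at"].hour < end:
            reasons.append("posted outside business hours")
        if reasons:
            self.output.append({"txn_id": txn["id"], "reasons": reasons})
        return reasons


class SnapshotTrace:
    """Saves a picture of the transaction state after each processing step so
    the path from console input to output can be recalled later."""

    def __init__(self):
        self.frames = []

    def take(self, step, state):
        # deep copy so later steps cannot alter an earlier picture
        self.frames.append({"step": step, "state": copy.deepcopy(state)})


def process_transaction(txn, audit, trace, tax_rate=0.18):
    """Application procedure: input -> validate -> compute tax -> post."""
    state = dict(txn)
    trace.take("input", state)
    if state["amount"] <= 0:
        raise ValueError("amount must be positive")
    state["tax"] = round(state["amount"] * tax_rate, 2)
    state["total"] = round(state["amount"] + state["tax"], 2)
    trace.take("computed", state)
    audit.check(state)  # the embedded audit procedure runs alongside processing
    state["status"] = "posted"
    trace.take("posted", state)
    return state


SAMPLE_TXNS = [  # constructed input transactions
    {"id": "T1", "amount": 500.0, "posted_at": datetime(2024, 3, 4, 10, 15)},
    {"id": "T2", "amount": 25000.0, "posted_at": datetime(2024, 3, 4, 14, 0)},
    {"id": "T3", "amount": 800.0, "posted_at": datetime(2024, 3, 4, 22, 30)},
]


def run_batch(txns=SAMPLE_TXNS):
    """Process a batch; return posted records, audit hits and snapshot frames."""
    audit = EmbeddedAuditModule(AUDIT_CRITERIA)
    trace = SnapshotTrace()
    posted = [process_transaction(t, audit, trace) for t in txns]
    return posted, audit.output, trace.frames


if __name__ == "__main__":
    posted, hits, frames = run_batch()
    for h in hits:
        print("audit hit:", h)
    for f in frames:
        print(f["step"], f["state"]["id"], sorted(f["state"]))
```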
936. Compliance testing helps an auditor:
A. substantiate the integrity of actual processing and the outcome of compliance
testing
B. to test for monetary errors directly affecting financial statement balances
C. To obtain evidence of the validity and propriety of accounting treatment of
transactions
D. Determine that controls are applied in a manner that complies with policies and
procedures
KEY D
D is correct - Compliance tests are used to help determine the extent of substantive
testing to be performed, as stated in the Statement of Auditing Standards. Such tests are
necessary if the prescribed procedures are to be relied upon in determining the nature,
timing or extent of substantive tests of particular classes of transactions or balances.
Once the key control points are identified, the auditor seeks to develop a preliminary
understanding of the controls to ensure their existence and effectiveness.
A, B and C are incorrect – These are the features of substantive testing.

937. While reviewing authorisation procedure before creating user rights, an IS auditor
has to:
A. Evaluate how the user rights have been granted and monitored
B. Check who triggers the request for user rights creation
C. Check Whether there is a proper cross check mechanism to validate the user
rights
D. Check Whether user right alteration process is linked to the job profile of the
individual
KEY B
B is correct - Authorisation procedure before creating user rights:
The IS Auditor needs to check whether there is a formal user rights approval
form/document. The questions that need to be answered are:
a. Who triggers the request for user rights creation? Ideally this request has to be
generated through the HR department.
b. Does the form contain all relevant information for the specific user?
c. Has the form been properly filled in?
d. Does the form carry valid authorisation?
e. Are forms marked once user rights are created in the system?
A is incorrect – Who has the authority to create user rights?
The IS auditor is also concerned to know who has the authority to create users in the
system. The IS auditor needs to evaluate the rights of the persons doing this job and how these
rights have been granted and monitored.
C is incorrect - Validation of user rights created in the system:
The IS Auditor needs to evaluate the process by which user rights created at step (ii) are
validated once they have been put into the system. The IS Auditor may seek answers to the
following questions.
a. Is there a proper cross-check mechanism built into the organisation to
validate the user rights of an employee once they have been created?
b. Is there timely validation of user rights against user job profiles? For
example, this could be a cyclical process done once each year to see whether the
job profile of an individual is appropriately reflected in his/her user rights.
D is incorrect - Process of alteration of user rights:
The IS Auditor is concerned with the process of alteration of rights. The IS Auditor seeks
answers to the following questions.
a. Is the user right alteration process linked to the job profile of the individual?
b. Who triggers the request for user rights alteration?
938. The highest level of database abstraction, which is of concern to the users, is:
A. Conceptual or global view
B. Physical view
C. Internal view
D. External or user view
KEY D
D is correct - External or user view: It is at the highest level of database
abstraction. It includes only that portion of the database or application programs which is of
concern to the users. It is defined by the users or written by the programmers. It is
described by the external schema.
A is incorrect – Conceptual or global view: This is the database as viewed
by the database administrator. A single view represents the entire database. It describes all
records, relationships and constraints or boundaries, describing the data so as to render it
independent of the physical representation. It is defined by the conceptual schema.
B and C are incorrect – Physical or internal view: It is at the lowest level of database
abstraction. It is closest to the physical storage method. It indicates how data will be
stored, and describes the data structure and the access methods. It is expressed by the internal
schema.
939. What control does a ‘view’ function offer with respect to database security?
A. Segregation of duties
B. Addresses conflicts relating to simultaneous access
C. Enables data access limitations
D. Ability to create and reuse SQL code
KEY C
C is correct - Views: Views enable data access limitations. A view is a content or
context dependent subset of one or more tables.
A, B and D are incorrect –
Database Roles and Permissions:
• Segregation of duties
• Roles & Permissions allow control of the operations that a user can perform on the
database.
Concurrency Control: Addresses conflicts relating to simultaneous accesses.
Stored Procedures: Database servers offer developers the ability to create & reuse
SQL code through the use of objects called Stored Procedures (groups of SQL
statements).
940. User Creation and Access rights are done by _______________________.
A. Application Programmers
B. Specialised Users
C. Naïve Users
D. Database Administrators
KEY D
D is correct - Normally, a database administrator first uses CREATE USER to create an
account, then GRANT to define its privileges and characteristics. For example, in
Oracle the SYS and SYSTEM accounts have the database administrator (DBA) role
granted to them by default. These are predefined; all other users have to be created.
The user must be created and assigned an authentication mechanism such as a
password.
A, B and C are incorrect – These are different types of database users.
941. Compliances specified in Section 17(2AA) of Companies Act 1956 which states
that directors of the company are responsible to implement proper internal
control relates to:
A. Taxation related compliance
B. Control related compliance
C. XBRL Compliance
D. Accounting Standard related compliance
KEY B
B is correct - Control Related: Those specified in:
- Section 17(2AA) of Companies Act 1956 (old): Detailing Director’s Responsibility
Statement, which specifies that directors of the company are responsible to
implement proper internal controls.
- CARO, 2003 (As amended in 2004), has many clauses where statutory auditor
needs to comment upon the internal controls.
- SOX compliance: Financial transaction analysis, for example aging analysis for
debtors and inventory, capability to drill down un-usual financial transactions.

A, C and D are incorrect – Taxation related: TDS, TCS, Excise Duty, Service Tax,
VAT, PF, etc.
XBRL compliance: Given the growth of XBRL compliance in India and the
government's intention to slowly increase the coverage of eligible entities, XBRL
compliance shall increase in India. Many business application vendors have already
started making their software capable of generating XBRL reporting.
Accounting Standard related: Accounting standards prescribe the accounting
treatment of transactions. It is important that the business applications used are in
compliance with the applicable accounting standards.
942. What is the responsibility of management with respect to accuracy and
authenticity of reports?
A. Prime responsibility of accuracy of reports generated
B. Whether established controls ensure accuracy of reports
C. Forming opinion based on such reports
D. Respond appropriately to written representations
KEY A
A is correct - The prime responsibility for accuracy of report generated from the
business applications lies with the management.
B, C and D are incorrect – These are the responsibilities of the internal and statutory
auditor

408
Module 7
Business Continuity Management

943. It is becoming increasingly important for businesses to have business
contingency plans for their information systems. The criticality of the
contingency plan will depend mainly upon _____________
A. The extent of investment in the organization on IT
B. Likely level of impact due to failure or non-availability of IT
C. The severity of the incident
D. The extent of risk aversion of the organization
KEY B
Justification
The criticality of the contingency plan will depend upon the anticipated intensity of the
impact of failure or non-availability of IT, as pointed out in Option B. The factors
indicated in the other options would not influence the criticality as much.
944. In terms of ascending order of severity / intensity, how would the terms incident,
crisis, emergency & disaster be ordered ?
A. Incident, crisis, emergency, disaster
B. Incident, emergency, crisis, disaster
C. Emergency, incident, crisis, disaster
D. Emergency, crisis, incident, disaster
KEY A
Justification
An incident is an event that can lead to losses for an organization &, if not managed
properly, can lead to a crisis, emergency or disaster. A crisis is an event that is
expected to lead to an emergency or disaster. A disaster is like an emergency, but of
much larger scale. Hence, answer at Option A is correct.
945. An organization with extensive internet based business has its computer servers
located in an area known for power outages at times for several hours a day. How
is the organization’s exposure to this situation expressed in Business Continuity
Management terms ?
A. Risk
B. Vulnerability
C. Contingency
D. Emergency
KEY B
Justification
The degree of exposure to any risk or the consequences of risk is termed vulnerability.
The exposure is to a risk & the situation is described as vulnerability. A contingency
expresses the possibility of exposure to risk and an emergency when the risk is actually
likely to occur. Hence, answer at Option B only is correct.
946. What is Minimum Business Continuity Objective?
A. Organization objective to continue doing business despite disruptions
B. Organization objective to continue minimum level of business even during
financial crisis
C. Organization approach to reduce business operations to a minimum level during
crises
D. Minimum level of services/products acceptable during a disruption
KEY D
Justification
MBCO is the minimum level of services and/or products acceptable to the organization
during a disruption, as brought out in Option D. The answers in the other options are
factually wrong.
947. What is Maximum Acceptable Outage ?
A. Maximum loss an organization can afford to absorb on account of a disruption
B. Maximum loss of output an organization can afford on account of a disruption
C. Maximum number of persons an organization can afford to shift out during an
emergency
D. Maximum period of time an organization can tolerate disruption of a critical
business function
KEY D
Justification
MAO is the maximum period of time an organization can tolerate disruption of a critical
business function, as brought out in Option D. The answers in the other options are
factually wrong.

948. What is a Contingency Plan ?


A. An overall process of preparing for unexpected events
B. A list of contingencies that can strike an organization’s operations
C. Plan of deployment of a contingent of officials involved with security
D. Maximum number of persons an organization can afford to shift out during an
emergency
KEY A
Justification
A Contingency plan, as brought out in Option A, is an overall process of preparing for
unexpected events. The answers in the other options are factually wrong.
949. Preventive measures and corrective measures are two of the three basic
strategies that encompass a disaster recovery plan. What is the third basic
strategy ?
A. Restoration phase
B. Planning phase
C. Stabilization phase
D. Multiplication phase
KEY C
Justification
Detective measures are taken to identify the presence of unwanted events within the IT
infrastructure. They are the third basic strategy involved in disaster recovery plans.
Hence, answer in Option C is correct.
950. Distinguish between Business Continuity Plan (BCP) and Disaster Recovery plan
(DRP)?
A. BCP is to enable business to function normally in all respects whereas DRP is to
have basic functions alone operating post an event
B. BCP is to facilitate continuation of a business even after the death or disability of
the promoter whereas DRP is preparation for facing natural disasters alone
C. BCP is to ensure recovery of critical functions alone whereas DRP is to have all
operations functioning post an event
D. Both BCP and DRP are effectively the same; they are inter-changeable
terminology

KEY C
Justification
BCP is to ensure recovery of critical functions alone whereas DRP is to have all
operations functioning post an event. Thus, BCP may be the initial response to an event
or disaster when some essential functions alone are revived. DRP, however, will cover
resumption of full-fledged normal operations. The answers in other options are not
correct and answer in Option C is correct.
951. Crisis phase, Emergency response phase & Recovery phase are three of the four
phases that are typical of any disaster scenario. Which is the fourth phase ?
A. Restoration phase
B. Planning phase
C. Multiplication phase
D. Stabilization phase
KEY A
Justification
The fourth phase of Disaster is the Restoration phase. This phase involves restoration
of conditions to normal. Damages to equipment & facilities are normally repaired during
this period. The answers in Options B to D are not correct and answer in Option A is
correct.
952. What are the pre-requisites in developing a Business Continuity Plan (BCP) ?
A. Planning for all phases & making it part of business process
B. Testing of the BCP
C. Waiting for one incident to learn from, before drawing up BCP
D. Having the organization’s strategic long term plan ready
KEY A
Justification
The major pre-requisites for developing a BCP include planning for all phases & making
it a part of business process by assigning responsibility to specific business process
owners. It will not be practicable to wait for one event or disaster to happen; we would
have to depend upon the wisdom of the team members to brainstorm, identify possible
scenarios & plan corrective actions. While it would be good to have the organization's
strategic long term plan ready, it may not be an actual must. Testing of the BCP will be
a subsequent step, post finalization of the BCP.
Hence, answer at Option A is correct & the others wrong.

953. What are the key phases prior to development of a Business Continuity Plan
(BCP) ?
A. Maintenance of the BCP
B. Business Impact Analysis & Risk Assessment
C. Testing of the BCP
D. Training & awareness of employees
KEY B
Justification
The key phases prior to development of a BCP are Business Impact Analysis & Risk
Assessment. Training and awareness of the employees will happen subsequent to
completion of the drafting of the BCP. Testing and maintenance, too, would happen only
after the plan is ready.
Hence, answer at Option B is correct & the others wrong.
954. What are the key phases post development of a Business Continuity Plan (BCP) ?
A. Testing, training & awareness of employees & maintenance
B. Appointing a project team and steering committee
C. Risk assessment
D. Business Impact analysis
KEY A
Justification
Business impact analysis, risk assessment & appointment of a project team & steering
committee are steps which precede the development of a BCP. Hence, they cannot be
work relating to the post-development stage of the BCP. Testing, training & awareness of
employees and maintenance are the key phases to be implemented post development
of a BCP.
Hence, answer at Option A is correct & the others wrong.
955. A Business Impact Analysis (BIA) has the objective of estimating the financial &
intangible operational impacts for each business unit, assuming a worst case
scenario. What other objective does it have ?
A. Address initiatives for speedy recovery from contingency
B. Identify business unit processes & estimated recovery time for each
C. Develop recovery management team
D. Develop crisis management team

KEY B
Justification
The third major objective of the BIA would be to identify business unit processes &
the estimated recovery time for each of them, as indicated in Option B above. Initiatives
towards recovery, as also development of recovery/crisis management teams, are not part
of the BIA.
Hence, answer at Option B is correct & the others wrong.
956. What is Recovery Time Objective (RTO) ?
A. RTO is a measure of the user’s tolerance to downtime
B. The time period the crisis is expected to last
C. The time required for the team to stem further damage
D. The time required for the crisis management team to respond
KEY A
Justification
The RTO is a measure of the user’s tolerance to downtime. This is the amount of
downtime of the business process that the business can tolerate and still remain viable.
It is not any of the other aspects stated in Options B to D. Hence, answer at Option A is
correct
957. What is Service Delivery Objective (SDO) ?
A. Continuing to give services during a disaster
B. The service level through alternate process till normality is restored
C. Performing a service from an alternate site, owing to disaster
D. Inter-departmental services supporting product deliveries to customers
KEY B
Justification
SDO is the service level through an alternate process till normality is restored, as indicated
in Option B above. The other answers are not factually correct. Hence, answer at
Option B is correct.
958. What is Recovery Point Objective (RPO) ?
A. The extent of acceptable data loss to a business owing to node failure
B. The time by which the Crisis management team expects to achieve recovery

C. The extent of data which can be recovered after a disaster


D. The date by which lost data can be recovered by Recovery team
KEY A
Justification
RPO is the extent of acceptable data loss to a business owing to node failure, as
indicated in Option A above. The other answers are not factually correct. Hence,
answer at Option A is correct.
959. What level of Recovery Time Objective (RTO) will a critical monitoring system
have ?
A. Very high RTO
B. Close to a year
C. Very low RTO, close to zero
D. Medium level of RTO, close to 50 %
KEY C
Justification
The RTO is a measure of the user’s tolerance to downtime. This is the amount of
downtime of the business process that the business can tolerate and still remain viable.
In a critical monitoring system, it will be measured in hours or very close to zero hours.
Hence, answer at Option C only is correct.
960. A Recovery Point Objective (RPO) will be deemed critical if it is ?
A. Small
B. Large
C. Medium
D. Depends upon business requirements
KEY A
Justification
RPO is the extent of acceptable data loss to a business owing to node failure. Hence,
the lower the extent of acceptable data loss, the more critical the situation. Answer at
Option A, therefore, is correct.
961. If the Recovery Point Objective (RPO) is close to zero, how will the overall cost of
maintaining the environment for recovery be ?
A. Low

B. Medium
C. Depends upon business requirements
D. High
KEY D
Justification
RPO is the extent of acceptable data loss to a business owing to node failure. Hence,
the lower the extent of acceptable data loss, the more critical the situation & the more
expensive the cost of maintaining the environment. Answer in Option D therefore, is the
correct answer.
962. What is the Maximum Tolerable Outage (MTO)?
A. It is the maximum time an organization can support processing in alternate mode
B. It is the maximum time an organization can afford to shut down operations
C. It is the maximum loss of output an organization is able to afford
D. It is the maximum loss of potential sales an organization can afford
KEY A
Justification
MTO is the maximum time an organization can support processing in alternate mode, as
indicated in Option A. The answers in other options are not correct. Answer in Option A,
therefore, is the correct answer.
963. What happens when the Interruption Window is crossed by an organization in
crisis ?
A. A state of business continuity has been achieved
B. Business Impact analysis can no longer be done or effective
C. The progressive losses caused by the interruption become unaffordable
D. The crisis no longer exists & the organization relaxes
KEY C
Justification
The Interruption window is the time the organization can wait from the point of failure to
the point of critical services/applications restoration. Answer in Option C, therefore, is
the correct answer. The answers in the other options are incorrect.
964. A company sells small furniture items exclusively over the Internet. It works with
an Internet service provider for facilitating its online business. In house, it runs
the operations with the bare minimum of manpower. Storage of information and
recording of all transactions is carried out using the company's IT network and
very limited physical documentation is maintained.
Their business is growing fast and their far-sighted CEO has asked his managers
to carry out a risk analysis to check and ensure preparedness in the face of any
contingency. How would you rate this company's tolerance to the risk of failure of
the Internet services ?
A. Vital
B. Critical
C. Sensitive
D. Non-critical
KEY B
Justification
The company is doing business exclusively online &, hence, its dependence on the
Internet is 100 %. It is also indicated that it keeps very limited physical
documentation of its business. Staffing is also spartan. Hence, the company's
tolerance to risk is critical. Answer at Option B, therefore, is correct.
965. A large Indian multinational company has its head office located at New Delhi. It
has substantial investments made in this office, including large IT servers which
cater to its global operations which are heavily dependent upon IT (assessed risk
ranking 5). New Delhi happens to be in Seismic Zone 4 and is rated as a ‘High
damage risk zone’ (assessed risk ranking 4). However, the actual occurrence of
earthquakes has been rare (assessed risk ranking 2). What do you think could be
the earthquake risk score for this establishment going by the standard formula for
risk comparison ?
A. 3.66
B. 2.50
C. 10.00
D. 13.33
KEY A
Justification
The risk score for this establishment would be 3.66 as per the formula (Asset cost +
Likelihood + Vulnerability)/3, i.e. (5 + 2 + 4)/3. Answer at Option A, therefore, is correct.

966. The Head office of a large group of companies is located in a large metro city.
With a view to testing its readiness to face the contingency of a fire, the
organization very meticulously conducts fire drills at least once in a year at its
Head office. It hires an independent professional agency to conduct the drill.
Volunteers from within the organization also assist in the process. The drill
involves the initiation of a fire alarm, evacuation of all the offices, assembly at a
common point, etc. The process and its outcome are carefully documented &
learnings utilised for tweaking the organization’s safety processes. How would
you classify this fire drill as an element of a Business Continuity Plan ?
A. Structured walk through test
B. Parallel test
C. Unstructured walk through test
D. Simulation test
KEY D
Justification
This would be classified as a simulation test since this is a mock practice session in
response to a simulated disaster. Hence, answer at Option D is correct and the other
answers are wrong.
967. Training in Disaster Recovery Planning (DRP) has two KEY objectives. One is to
train recovery team participants who are expected to act in the event of a
disaster. The other KEY objective would be _____________
A. To understand the calculation of the risk ratio
B. To re-assess the value at risk
C. To train key employees on awareness & disaster prevention
D. To train the public at large as a public relations exercise
KEY C
Justification
The other key objective would be to train key employees on awareness & disaster
prevention as also the need for DRP. The answers in Options B to D may not be totally
irrelevant to the process but would definitely not be top of the mind for any normal
process. Hence, answer at Option C is correct and the other answers are wrong.
968. Scenario workshop & Walkthrough sessions are two of the major methods of
training for disaster recovery & business continuity in general. What is the single,
significant difference between the two?

418
Business Continuity Management

A. The workshop is preceded by a stipulated scenario & the walkthrough is based
upon this scenario
B. Scenario workshop is desktop activity whereas the walkthrough involves actual
site visit
C. Scenario workshop is for proposed businesses whereas Walkthrough sessions
are for proven, old businesses
D. Scenario workshops are for senior management whereas walkthrough sessions are
for the rest of the organization
KEY A
Justification
The key difference is that the workshop is preceded by a stipulated scenario & the
walkthrough is based upon this scenario. Both are desktop activities. Both apply to all
types of businesses & include all levels of managers. Hence, answer at Option A is
correct and the other answers are wrong.
969. As IS Auditor, you are checking out the Business Continuity Plan (BCP) process
in an organization. Apart from checking whether regular testing & updating of the
BCP takes place, the other key aspect that you will need to check is __________
A. Review the market dues of the organization & cash flows
B. Check whether a succession plan is in place for key personnel
C. Whether gaps identified in the past tests have been plugged subsequently
D. Whether the organization has got itself certified under ISO
KEY C
Justification
The key aspect that you will have to check is whether gaps identified in past tests have
been plugged subsequently. Unless gaps/drawbacks in the existing plan are corrected,
the plan will gradually become ineffective. The answers in the other options are not
factually relevant to the situation. Hence, answer in Option C is the correct one.
970. State True or False. Incident Response Planning focuses exclusively on the
Incident Response team’s preparedness and apt & timely response to incidents.
A. False
B. True
KEY A
Justification
Incident Response Planning does not focus exclusively on the Incident Response
Team’s preparedness. It also works on preventative measures which can help eliminate
or reduce the occurrence of the incident. Hence, the statement in the stem is false and
the answer in Option A above is correct.
971. Complete the following statement. The three broad categories of incidents are
definite, probable and ________________
A. Uncertain
B. Possible
C. Unfortunate
D. Indefinite
KEY B
Justification
The third broad category of incidents is a possible incident &, hence, the answer in
Option B above is correct.
972. Some possible actual IT incidents could be _____________
A. Presence of unfamiliar files
B. Presence or Execution of unknown program or processes
C. Unusual system crashes
973. Which one of the following could also be a possible actual incident?
A. Introduction of new software from accredited source
B. Increase in number of licences
C. Unusual consumption of computing resources
D. Recruitment of a new software engineer
KEY C
Justification
Of the choices given, unusual consumption of computing resources could be a possible
actual incident which can cause concern & trigger an incident response. Hence, the
answer in Option C above is correct.
974. Which one of the following could also be a definite indicator of an incident?
A. Presence of unfamiliar files
B. Presence of unknown programs
C. Unusual consumption of computing resources
D. Use of dormant accounts
KEY D
Justification
The use of dormant accounts is a definite indicator of an incident. The other choices
given above could be owing to genuine reasons. Hence, the answer in Option D above
is correct.
975. Which of the operating teams of contingency planning would conduct research on
data that could lead to a crisis and develop actions that would adequately handle
these threats?
A. Disaster Recovery team
B. Incident Response team
C. Contingency Planning team
D. Administration team
KEY C
Justification
It is the Contingency planning team which would conduct research on data that could
lead to a crisis and develop actions that would effectively handle these threats. The
incident response team as well as the disaster recovery team would enter the arena
only post the incident. Hence, the answer in Option C above is correct.
976. Which of the operating teams of contingency planning would be the first to arrive
during the outbreak of an incident?
A. Incident Response team
B. Contingency Planning team
C. Disaster Recovery team
D. Administration team
KEY A
Justification
It is the Incident Response team which would appear first on the scene when an
incident occurs. If this team is unable to make headway, the Disaster Recovery team is
called in. If the Disaster Recovery team finds the impact of the crisis as very high, they
draw in the Business Continuity Plan team in addition. Hence, the answer in Option A
above is correct.
977. State True or False. The Disaster Recovery Plan should contain details about the
Disaster Recovery Management Team and its sub-teams like Administration,
Supplies, Public Relations, etc. as also their respective responsibilities. The idea
is to decide on these well in advance and not waste precious time arriving at the
right choice of people, roles and responsibilities at the time of the actual crisis.
A. False
B. True
KEY B
Justification
The very purpose of a Disaster Recovery Plan is to minimize the losses which a
business may incur on account of a crisis. The single most important factor in such a
situation is time and prior identification of the appropriate persons to take on the
emergency roles is critical for speedy and effective disaster recovery efforts. Hence, the
answer in Option B above is correct.
978. The Business Continuity Plan Manual comprises basically the _________
A. Business Continuity Plan alone
B. Business Continuity Plan and the Disaster Recovery Plan
C. Business Continuity Plan and the Incident Response Plan
D. Business Continuity Plan and the Contingency Response Plan
KEY B
Justification
The BCP manual is expected to give reasonable reassurance to the senior
management of the business’ capability to spring back from a disaster through a
process of identifying potential crises as also plans for recovery from the crises. Hence,
the BCP Manual comprises both the BCP and the DRP as indicated in Option B. The
answers in the other Options are not factually correct.
979. Restoring from a Differential Back-up involves ________________
A. Restoring from last full back-up & then every incremental back-up
B. Restoring from full back-up alone
C. Restoring from last full back-up & then the differential back-up
D. Restoring from differential back-up alone
KEY C
Justification
Restoring from a Differential Back-up involves restoring from the last full back-up and
then the differential back-up, as indicated in Option C above. The other answers in
other options are incorrect.
980. What is one of the most popular back-up measures for wide-area data
communication networks in an emergency?
A. Dial-up in lieu of the normal leased/broad band lines
B. Circuit extension techniques
C. Micro-wave communications
D. On-demand carrier services
KEY A
Justification
Dial-up facilities are one of the most popular back-up measures for wide-area
communication networks in the event of an emergency. The other options can also
serve as back-up facilities but come with their own limitations / specialized uses. E.g.,
circuit extension techniques are normally used with high speed leased lines, involving
effective duplication of equipment/facilities. Similarly, on-demand services would
depend upon the carrier’s capability & willingness. Hence, answer in Option A is correct.
981. A leading e-commerce provider is entering into the Indian market and is keen that
the business is built on firm foundations to ensure its credibility to customers.
Appreciating the importance of ensuring 100 % back-up for its Internet
operations, it approaches a reputed vendor for advice on back-up facilities. The
vendor analyses the customer’s requirements and comes up with a solution. The
vendor offers the customer a ready-to-use back-up facility based upon
subscription & membership. Virtually every equipment / facility which the
customer has in his main facility, including air-conditioning, would be replicated
at the vendor’s back-up location and it would be ready for instantaneous use in
the case of an emergency, providing the customer the very dependable back-up
facilities they seek but at a price. What is such a facility called ?
A. Mirror site
B. Cold site
C. Hot site
D. Cryogenic site
KEY C
Justification
Such a ready-to-use facility is termed a hot site as indicated in Option C. A mirror site,
on the other hand, is a fully redundant facility maintained by an organization. A cold site
is one which is not fully equipped and would require time to bring it on par with
expectations. There is no facility called a cryogenic site in this context.
982. What is a Hybrid Online Backup?
A. Involves Local backup for recent data & Offsite backup for archived data
B. Cryogenic site
C. Back up through combination of manual as well as electronic storage
D. Remote cloud as well as physical location storage
KEY A
Justification
A Hybrid Online Backup involves a local backup which can be used for the most recent
data as also an offsite backup (perhaps on the cloud) for archived data which is not
required to be accessed frequently. It does not refer to a combination of manual &
electronic storage; nor does it relate to a remote cloud as well as physical location
storage. The term cryogenic site has no relevance in this context. Hence, answer at
Option A is the correct one.
983. What is database shadowing?
A. Maintenance of two parallel, independent databases
B. Maintenance of a parallel database with the essential information alone
C. Involves live processing of remote journaling
D. Having a mirror database on the cloud
KEY C
Justification
Database shadowing is basically live processing of remote journaling, i.e. parallel
processing of all data at a remote location. The answer in Option C, hence, is correct.
The other answers are incorrect.
984. State True or False. Apart from covering losses on account of damage or loss of
equipment, properties, additional costs incurred to meet the contingency etc., it is
possible to get insurance cover for business interruption & consequent financial
losses including customer claims, delayed cash flows, etc.
A. False
B. True
KEY B
Justification
Business interruption includes a situation involving failure of the IT system &
consequent financial losses/expense incurred by the client. Hence, the answer in
Option B is correct.
985. Which types of torts are excluded from liability insurance cover?
A. Negligent tort
B. Product liability
C. Intentional torts
D. Service liability
KEY C
Justification
Intentional torts are excluded since it is assumed that they are foreseeable and can be
avoided by the insurer. The other types of torts in Options A, B and D are insurable.
Hence, the answer in Option C is correct.
986. What is an example of Errors and Omissions (E&O) insurance?
A. Professional liability insurance
B. Marine insurance
C. Business interruption insurance
D. Motor vehicle insurance
KEY A
Justification
E&O insurance is a form of insurance protecting the insured against liability arising from
failure to meet the appropriate standard of care for a given profession. Professional liability
insurance is one form of E&O insurance. Marine, motor vehicle & business interruption
insurance are not examples of E&O insurance since they do not fall within the limits of
the definition given above. Hence, the answer in Option A is correct.
987. What is the primary goal of audit of a Business Continuity Plan (BCP)?
A. Determining effectiveness of BCP & alignment with organizational goals
B. Identify variations from laid down procedure & report to management
C. Benchmark against practices prevailing in other organizations
D. Compliance with laws & regulations
KEY A
Justification
Any good auditor would obviously be required to note & report deviations from the
stated norms. They are also expected to compare the processes involved with that of
competitors / other organizations. Lastly, the IS auditor would also have to check for
compliance with laws and regulations. While all these could be goals of an audit of a
BCP, they would not be the primary one. On the contrary, determining effectiveness of
BCP & alignment with organizational goals are critical goals which would address most
of the other aspects covered in Options B to D. Hence, answer in Option A alone is
the most appropriate one.
988. What is the first step in the BCP process?
A. Identifying the weaknesses in the organization
B. Testing the functioning of the process
C. Checking for compliance with laws & regulations
D. Identifying the mission/business-critical functions
KEY D
Justification
The aspects identified in Options A to C are, indeed, part of the BCP audit process.
However, they do not constitute the critical step. This would basically be identification of
mission / business-critical functions so that the adequacy of the BCP process for these
selected functions is verified as part of the audit process. Hence, answer in Option D
alone is the most appropriate one.
989. State True or False. While it is important to identify all critical missions and
businesses in the business continuity plan, it should be understood that
attempting to cover all the mission or business-critical functions would be a very
expensive affair & not very feasible. It makes better sense to identify the priority
areas which would impact most through their failure.
A. True
B. False
KEY A
Justification
Practically speaking, it would be best to go by the 80/20 rule, as per which a few key
issues of the journal would be available for consultation during the morning. Hence,
answer in Option A alone is the more appropriate one.
990. State True or False. While validating the resources that support critical functions,
the IS audit of the BCP process should restrict itself to computer-related matters
which alone are the division’s responsibility.
A. True
B. False
KEY B
Justification
The audit has to cover all resources, whether IT related or not, that support critical
functions. For, the failure of non-computer related resources could equally endanger the
IT aspects of the business. Hence, answer in Option B alone is the most appropriate
one.
991. State True or False. While validating the resources that support critical functions,
the IS audit of the BCP process should restrict itself to computer-related matters
which alone are the division’s responsibility.
A. False
B. True
KEY A
Justification
The audit has to cover all resources, whether IT related or not, that support critical
functions. For, the failure of non-computer related resources could equally endanger the
IT aspects of the business. Hence, answer in Option A alone is the most appropriate
one.

DISA Review Questions, Answers Manual – Module

The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi
© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in
a retrieval system, or transmitted, in any form, or by any means, electronic,
mechanical, photocopying, recording, or otherwise, without prior permission, in
writing, from the publisher.

DISCLAIMER
The views expressed in this material are those of author(s). The Institute of
Chartered Accountants of India (ICAI) may not necessarily subscribe to the views
expressed by the author(s).
The information in this material has been contributed by various authors based
on their expertise and research. While every effort has been made to keep
the information cited in this material error free, the Institute or its officers do not
take the responsibility for any typographical or clerical error which may have
crept in while compiling the information provided in this material. There are no
warranties/claims for ready use of this material as this material is for educational
purposes. The information provided in this material is subject to changes in
technology, business and regulatory environment. Hence, members are advised
to apply this using professional judgement. Please visit the CIT portal for the latest
updates. All copyrights are acknowledged. Use of specific hardware/software in
the material is not an endorsement by ICAI.

Edition : October, 2015
Committee/Department : Committee of Information Technology
E-mail : [email protected]
Website : www.icai.org/http://cit.icai.org
Price : ₹ ______/- (For Module Including DVD)
ISBN : 978-81-8441-
Published by : The Publication Department on behalf of the Institute
of Chartered Accountants of India, ICAI Bhawan, Post
Box No. 7100, Indraprastha Marg, New Delhi-110 002.
Printed by : Sahitya Bhawan Publications, Hospital Road, Agra-03
October/2015/P0000 (New)

Contents
DISA Review Questions, Answers Manual – Module    Page Nos.
1. Module – 1    1-119
2. Module – 2    120-178
3. Module – 3    179-290
4. Module – 4    291-404
5. Module – 5    405-461
6. Module – 6    462-557
7. Module – 7    558-611

DISA Review Questions, Answers Manual – Module 1

Module 1 Questions
Q1. The primary function of the CPU is to take care of
A. Input, Output and arithmetic-logic activities
B. Control and Output activities
C. Control and arithmetic-logic activities
D. Input and Control activities

Q2. Which of the following would be classified as a corrective control?
A. Business continuity planning
B. Transaction authorisation
C. Terminal security
D. Passwords

Q3. A major design consideration for local area networks that replace stand-alone
computing in an organisation includes:
A. Ensuring sophisticated and state-of-the-art recovery mechanism
B. Ensuring concurrent access control
C. Ensuring seamless integration
D. Allowing distribution processing

Q4. Which one would be a material irregularity?
A. Programmers forgot to indicate file retention periods
B. Operation personnel did not follow a procedure due to an
oversight
C. Librarian forgot to log tape movement
D. Knowingly, an IS Manager approved a payment for his uncle’s IS
software firm for a job not done by them.

Q5. With respect to AI, a heuristic refers to:
A. Rule of thumb
B. Known fact
C. Known procedure
D. Guaranteed procedure

Q6. Which of the following usually is a purpose of a modem:
A. increase line errors caused by noise
B. produce encrypted messages
C. increase the speed of data transmission
D. dynamically share a smaller number of output channels

Q7. The most appropriate concurrent audit tool whose complexity is very
high and useful when regular processing cannot be interrupted is:
A. SCARF/EAM
B. ITF
C. Snapshot
D. Audit hooks

Q8. A large organization with numerous applications running on its
mainframe system is experiencing a growing backlog of undeveloped
applications. As part of a master plan to eliminate this backlog, end-user
computing with prototyping is being introduced, sup
A. Data Control
B. Systems Analysis
C. Systems Programming
D. Application Programming

Q9. Which of the following converts digital pulses from the computer into
frequencies within the audio signals?
A. multiplexor
B. protocol converter
C. modem
D. concentrator

Q10. Introduction of computer-based information system has affected auditing.
Which of the following is NOT an effect of IS on auditing?
A. To identify a control weakness and trace its effects has become
harder
B. The evidence collection process has been rendered more difficult
C. Introduction of newer technology by the day has made their
understanding a difficult task for the auditor
D. The basic objectives of auditing have undergone change

Q11. While conducting the audit, the auditor shall allocate the audit resources to
A. Sequentially selected areas
B. Prioritised areas
C. Randomly selected areas
D. All areas subject to audit

Q12. In data processing, which of the following causes the maximum losses?
A. poor computer centre design
B. theft of machine time
C. errors and omissions
D. machine room fires

Q13. An MIS Manager has only enough resources to install either a new
payroll system or a new data security system, but not both. Which of
the following actions is most appropriate?
A. Giving priority to the security system
B. Leaving the decision to the MIS manager
C. Increasing MIS staff output in order for both systems to be
installed
D. Having the information systems steering committee set the priority

Q14. As an IS auditor, which would you consider the MOST CRITICAL
CONTROL over an employee performing a function?
A. Supervisory Control
B. Periodic rotation of duties
C. Keep them motivated
D. Continuous training

Q15. Which of the following types of subversive attacks on a communication
network is not an active attack:
A. message modification
B. denial of message services
C. traffic analysis
D. message deletion

Q16. Which of the following utilities can be used to directly examine the
quality of data in the database:
A. Pointer validation utility
B. HIPO charter
C. Terminal simulator
D. Decision-table preprocessor

Q17. Which one of the following controls would protect the production libraries
without compromising the efficiency of open access?
A. Restrict updating and read access to one position
B. Permit updating and read access for everyone in IS
C. Permit updating for everyone in IS but restrict read access to
source code to one position
D. Restrict updating to one position but permit read access to
source code for everyone in IS

Q18. An apparent error in input data describing an inventory item was
detected and the issue was referred back to the originating department
for correction. A few days later, the department complained that the
inventory in question was not correct. EDP could n
A. Input edit checks
B. missing data validity checks
C. transmittal control
D. error log

Q19. Hardware controls are important to IS auditors for they:
A. Ensure correct programming of operating system functions
B. Assure that the vendors support current versions of the software.
C. Assure the correct execution of machine instructions
D. Ensure that run-to-run totals in application systems are consistent

Q20. Use of public key infrastructure by an eCommerce site, where public
key is widely distributed and the private key is for the hosting server, is
MOST likely to provide comfort to the:
A. customer over the confidentiality of messages received from the
hosting site
B. hosting site over the confidentiality of message sent to the
customer
C. hosting site over the authenticity of the customer
D. customer over the authenticity of the hosting site

Q21. Which of the following is considered a potential benefit of Electronic Data
Interchange (EDI)?
A. improving a vendor’s response time to buyer orders
B. increasing data integrity by defining standards for retrieving paper
based information
C. enabling use of a multiplicity of formats and coding standards
D. increasing inventory by reducing order lead-time

Q22. A company has entered into a contract with a service provider to
outsource network and desktop support, and the relationship has
been quite successful. To mitigate some risks, which remain due to
connectivity issues, which of the following controls should
A. adequate reporting between the company and the service
provider
B. install secured sockets layer (SSL)
C. adequate definition in contractual relationship
D. network defence program

Q23. A system has an adequate set of preventive controls. The installation of
detective controls:
A. Since they address the same exposures, it is redundant
B. It is necessary to provide information on the effectiveness of the
preventive controls
C. To provide an audit trail
D. Would be needed in a manual system.

Q24. Which of the following statistical selection techniques is least desirable
for use by the IS auditor?
A. Systematic sampling selection technique
B. Stratified sampling selection technique
C. Cluster sampling selection technique
D. Sequential sampling selection technique

Q25. In an organisation, Integrated Test Facility (ITF) is not used in:
A. Maintenance
B. Automatic testing
C. Quantity control
D. Quality control

Q26. Which one of the following is not a substantive test?
A. Determining program changes are approved
B. Performing aging analysis
C. Performing system activity analysis
D. Performing job activity analysis

Q27. The audit trails are useful to
A. Auditors
B. Management
C. Users
D. All of the above

Q28. ___________ is an estimate of the degree of certainty that the
population average will be within the precision level selected
A. Standard deviation
B. Confidence level
C. Precision
D. Range

Q29. Which of the following functions SHOULD NOT BE combined with
Systems Analyst?
A. Control Group
B. DBA
C. Data Entry
D. Application programmer

Q30. Of the following, the most critical component in a LAN is likely to be the:
A. LAN cables
B. parallel port
C. file server
D. user workstations

Q31. Possible errors related to a security issue during application
development can be identified by reviewing:
A. System logs
B. Security policies
C. Code reviews
D. System configuration files

Q32. The IS Control Group is NOT responsible for performing
A. Logging of data input
B. Review and scrutiny of error listing.
C. Rectification of errors
D. Managing distribution of outputs.

Q33. The auditor plans to select a sample of transactions to assess the
extent that purchase cash discounts may have been lost by the
company. After assessing the risks associated with lost purchase
discounts, the auditor was most likely to select a sample fro
A. Open purchase orders
B. Paid EDI invoices
C. Paid non-EDI invoices
D. Paid EDI and non-EDI invoices

Q34. The following message service provides the strongest protection about
the occurrence of a specific action:
A. delivery proof
B. submission proof
C. authentication messages origin
D. non-repudiation

Q35. The primary consideration for a System Auditor, regarding internal
control policies, procedures, and standards available in the IS
department, is whether they are:
A. Approved
B. Documented
C. Implemented
D. Distributed

Q36. The success of Control Self Assessment (CSA) depends on culture of the
organisation, project leader and the skills of the people involved in CSA.
While implementing, the pitfall to be avoided is
A. Generalisation of the planning process
B. Implementation on small projects
C. Management support
D. Broadening the focus of CSA’s effectiveness

Q37. Which of the following requires the creation of a dummy entity for
Concurrent Auditing Techniques?
A. Snapshot/ Extended Record
B. Continuous and Intermittent Simulation (CIS)
C. Integrated Test Facility (ITF)
D. System Control Audit Review File (SCARF)

Q38. A firewall ruleset should not block
A. Inbound traffic without Internet Control Message Protocol
B. Inbound traffic from a non-authenticated source
C. Inbound traffic without the source address of the local host
D. Inbound traffic from an authenticated source having Simple
Network Management Protocol (SNMP).

Q39. Access may be filtered by a firewall access control list based on each
of the following EXCEPT:
A. network interface card (NIC)
B. port
C. service type
D. Internet Protocol (IP) address

Q40. The media that is rarely used in present day LANs is:
A. Fibre optics cable
B. Twisted-pair (shielded) cable
C. Twisted-pair (unshielded) cable
D. Coaxial cable

Q41. While appointing an auditor to conduct the IS audit the company need
not look into ________ of the auditor?
A. Legal capability
B. Experience
C. Proficiency in different computer languages
D. Secrecy bond, if penetration test is to be done

Q42. You are planning to use monetary-unit sampling for testing the rupee
value of a large inventory population. The advantages of using
monetary-unit sampling include all of the following except
A. It is an efficient model for establishing that low error rate
population is not materially misstated
B. It does not require the normal distribution approximation required
by variable sampling
C. Since the sampling units are homogenous it can be applied to a
group of accounts
D. As errors increase, it results in a smaller sample size than that
required when using classical sampling.

Q43. Which one of the following is not a compliance test?
A. Reconciling accounts
B. Determining whether security policy is available
C. Determining whether access controls are in place
D. Determining whether system specification documents are
available

Q44. An audit technique used to select items from a population for audit
testing purposes based on the characteristics is termed as
A. Continuous Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling

Q45. The class of control used to minimise the impact of a threat is:
A. Preventive
B. Detective
C. Corrective
D. Suggestive

Q46. Which of the following is FALSE with regard to a symmetric key
cryptosystem?
A. the encryption and decryption process is fast
B. two different keys are used for the encryption and decryption
C. Data Encryption Standard (DES) is a typical type of private key
cryptosystem
D. For the decryption, the decryption key should be equivalent to the
encryption key

Q47. Which one of the following standards is relevant for a company dealing
with inspection and final testing?
A. ISO 9000
B. ISO 9001
C. ISO 9002
D. ISO 9003

Q48. A Systems Analyst’s duties and roles comprise:
A. Scheduling of computer resources.
B. Testing and evaluating programmer and optimisation tools.
C. Ascertaining user needs for application programming.
D. Corporate database definition.

Q49. An advantage of outsourcing data processing activities in a company is
obtained by:
A. Requirement of more user involvement in communicating user
needs.
B. Establishment and enforcement of processing priorities internally.
C. Best IS expertise from the outside source.
D. Exercising direct control over computer operations.

Q50. A sampling technique that estimates the amount of overstatement in an
account balance is termed as:
A. Variable Sampling
B. Monetary Unit Sampling
C. Attribute Sampling
D. Statistical Sampling

Q51. Which one of the following audit techniques would likely provide a
Systems Auditor assurance about the effectiveness and efficiency of a
system operator’s work?
A. Interviewing the system operator
B. Reading the operator’s manual
C. Observing the system operator’s work
D. Interviewing the system operator’s supervisor

Q52. An online bookseller decides to accept online payment from customers after implementing agreements with major credit card companies. Which of the following parameters will LEAST impact such online transactions?
A. firewall architecture hides the internal network
B. encryption is required
C. timed authentication is required
D. traffic is exchanged through the firewall at the application layer
only

Q53. Assuming some irregularities exist in a population, the sampling plan to identify at least one irregularity, and then to discontinue sampling when one irregularity is found is called:
A. Stop-or-go sampling
B. Variables sampling
C. Discovery sampling
D. Attributes sampling

Q54. At what stage should the risk assessment be included in the security program in the event of new system additions or modification of the old system?
A. When the new system is added or old system is modified
B. At the end of the year along with all other additions or
modifications during the year
C. Need not be done
D. After a defined period say every 3 months

Q55. In a situation where a public key cryptosystem is in use, the message sent by the sender is signed by the:
A. sender’s private key
B. receiver’s public key
C. sender’s public key
D. receiver’s private key

Q56. Penetration testers in an attempt to penetrate into the system or the network use different techniques to break in. Which of the following techniques do they employ to obtain critical information from the company’s employees?
A. Password cracking
B. Social engineering
C. Physical security
D. Logical security

Q57. Which of the following is not a characteristic of audit evidence?
A. Relevance
B. Reliability
C. Sufficiency
D. Consistency

Q58. A LAN policy should define which of the following persons should be made responsible for reporting maintenance problems or disk errors?
A. Network administrator
B. Users
C. Security officer
D. Systems administrator

Q59. A well written and concise job description is IRRELEVANT to
A. Providing a little indication of segregation of duties.
B. Assisting in defining the relationship between various job
functions.
C. Often being used as tool in evaluation of performance.
D. An important means of discouraging illegal acts.

Q60. While conducting the audit of security in an organisation, the procedure of LEAST concern to the IS auditor is:
A. Validation of environmental, logical and physical access policies
for each of the job profiles.
B. Conduct sample tests to ensure that access to assets is
adequate.
C. Evaluation of procedures for safeguarding and prevention of
unauthorised access to assets.
D. Reviewing the effectiveness in utilisation of the assets.

Q61. In its truest sense, which of the following applications is a real time application?
A. Missile launching system
B. Railway Reservation System
C. Banking application
D. Financial Accounting system

Q62. SQL is an example of
A. 1GL
B. 2GL
C. 3GL
D. 4GL

Q63. Which of the following is NOT an element of a LAN environment?
A. Packet switching technology
B. Baseband
C. Ring or short bus topology
D. Public circuit switching technology

Q64. Which of the following is not a substantive test:
A. Confirmation of data with outside sources
B. A test to assess the quality of data.
C. A test to compare data with an output source
D. A test to evaluate the validation controls in an input program.

Q65. Which of the following is NOT an advantage of the continuous auditing approach?
A. Cumulative effects for the year are tested
B. Findings are generally more material to the organisation
C. Audit resources are more effectively directed.
D. Current decisions can be based on audited information.

Q66. Which of the following is NOT TRUE about a database management system application environment?
A. Multiple users use data concurrently
B. Data are shared by passing files between programs or systems
C. The physical structure of the data is independent of user needs
D. Each request for data made by an application program must be
analysed by DBMS.

Q67. If a program is written using mnemonics and op-codes then the program is in
A. Machine language
B. Assembly Level Language
C. Procedural Language
D. Non-procedural language

Q68. An agreement between two computer systems related to methods of data transmission that is packed and interpreted is called
A. Communications channel
B. Communications protocol
C. Synchronous mode of transmission
D. Asynchronous mode of transmission

Q69. A service provided to businesses by telecommunication companies or long distance carriers that provides a permanent direct connection between two geographically separate local area networks is called a:
A. Point-to-point link
B. Message switching
C. Distributed network
D. Packet switching

Q70. A transmission technique in which a complete message is sent to a concentration point for storage and routing to the destination point when a communication path is available is called:
A. Circuit Switching
B. Message Switching
C. Packet Switching
D. Junction Switching

Q71. In Internet architecture, a domain name service (DNS) is MOST important because it provides the:
A. Address of the domain server.
B. Address of the naming client.
C. Resolution of the name to the IP address on the Internet.
D. Domain name characteristics

Q72. In an Internet URL, http://www.infosys.co, what does the .co signify?
A. Identifies the protocol being used
B. Identifies that the site is on the Internet
C. It is an additional information and is not needed
D. Identifies the purpose of the site. It stands for commercial.

Q73. Which of the following actions provides the IS Auditor with the greatest
assurance that certain weaknesses in internal control procedures have
been corrected by the management?
A. Discussing with the management the corrective procedures that
were implemented to strengthen the internal controls.
B. Obtaining a letter of representation from management stating that
the weakness has been corrected.
C. Performing compliance tests and evaluating the adequacy of
procedures that were implemented by the management to correct
the weaknesses.
D. Reviewing management’s response to the weaknesses in their
formal report to the Board of Director’s audit committee.

Q74. Which of the following devices is a random access media?
A. Magnetic Tape
B. DAT
C. CD-ROM
D. None of the above

Q75. Which of the following transmission media would NOT be affected by cross talk or interference?
A. Fiber optic systems
B. Twisted pair circuits
C. Microwave radio systems
D. Satellite radio-link systems

Q76. Which type of cable uses a BNC connector?
A. Twisted pair
B. UTP
C. STP
D. Coaxial cable

Q77. Which of the following is not provided by a public key infrastructure (PKI)?
A. Access control
B. Network Reliability
C. Authentication
D. Non-Repudiation

Q78. Which of the following is not a method of Control Self Assessment (CSA)?
A. Delphi technique
B. Interview technique
C. Interactive workshop
D. Control guide

Q79. Which of the following is NOT included in the digital certificate:
A. The private key of the sender
B. Name of the TTP/CA
C. Public key of the sender
D. Time period for which the key is valid

Q80. Which of the following is not the objective of the establishment of security management structure?
A. Organisation management structure is identified
B. Security management has the required independence
C. There exists an optimal coordination and communication between
the IT and the security structure
D. Security management has the overall responsibility of security

Q81. While evaluating the IT control environment for obtaining an understanding of the management’
A. The functions of the IT steering committee
B. The Security policy
C. The IT strategy of the management
D. The user’s perception of IT

Q82. While reviewing the outsourcing agreement with an external agency, the IS auditor would be LEAST interested in verifying the clause containing:
A. Continuity of service by the agency in case of a happening of a
disaster.
B. Statement of due care and confidentiality.
C. Detailed specifications of the vendor’s hardware.
D. The ownership rights for the programs and files.

Q83. Project management is considered a separate division on the basis of:
A. Interdependencies among departments
B. Sharing of resources
C. Size of the project
D. All the above

Q84. An Invitation to Tender (ITT) does not address which of the following?
A. Availability of service personnel
B. Application portfolio and transaction volumes
C. Budget for the project
D. Compatibility of the new systems with the existing ones

Q85. The process of database tuning is carried out by
A. Data Administrator
B. Database Administrator
C. Application Programmer
D. Systems Programmer

Q86. Middleware is implemented by:
A. Server Monitor
B. Transaction Processing Monitor
C. CPU utilisation monitor
D. Network connectivity monitor

Q87. An organization is about to implement a computer network in a new office building. The company has 200 users located in the same physical area. No external network connections will be required. Which of the following network configurations would be the MO
A. Bus
B. Ring
C. Star
D. Mesh

Q88. Which of the following can a local area network (LAN) administrator use to protect against exposure to illegal or unlicensed software usage by the network user?
A. Software metering
B. Virus detection software
C. Software encryption
D. Software decryption

Q89. Machine maintenance engineers pose some difficult control problems because:
A. they possess very high level of computing skills
B. they are prone to changing jobs frequently. This may lead to the
loss of experience about a particular machine
C. they have available special hardware/software tools that enable
them to breach data integrity
D. for them to carry out their work, normally the application system
controls have to be relaxed

Q90. Which of the following provides complete information about a database?
A. Database model
B. The internal schema of the database
C. Data Dictionary
D. Database Views

Q91. Which of the following is NOT considered as a method for data representation in a DBMS?
A. Hierarchical model
B. Indexed Sequential model
C. Network model
D. Relational model

Q92. Which of the following translates e-mail formats from one network to another so that the message can travel through all the networks?
A. Gateway
B. Protocol converter
C. Front-end communication processor
D. Concentrator/multiplexer

Q93. An IS auditor who intends to use penetration testing during an audit of Internet connections would:
A. Evaluate configurations.
B. Examine security settings.
C. Ensure virus-scanning software is in use.
D. Use tools and techniques that are available to a hacker

Q94. Which activity is taken up during the post-test phase of penetration testing?
A. Cleaning up
B. Vulnerability detection
C. Preparation of legal documents
D. Penetration attempt

Q95. Preventive controls are usually preferred to detective controls because:
A. Easier to design and operate
B. Requires elaborate performance measurement systems
C. Are intended to stop losses before they occur
D. No performance standard

Q96. Which of the following is deemed as good system design practice?
A. High cohesion of modules, low coupling of modules, and high
modularity of programs
B. Low cohesion of modules, high coupling of modules, and high
modularity of programs
C. High cohesion of modules, high coupling of modules, and high
modularity of programs
D. Low cohesion of modules, low coupling of modules, and low
modularity of programs

Q97. Which of the following is not a database model:
A. Hierarchical structure
B. Batched sequential structure
C. Network structure
D. Relational structure

Q98. The network of the company must be protected from remote access that
may damage the company’
A. All employees
B. Vendors
C. Contractors
D. All the above

Q99. Which of the following is FALSE with respect to Systems Software?
A. Provides facilities for debugging systems
B. Provides facilities to optimally use the resources of the system
C. Provides software for cryptographic purpose
D. Provides facilities to manage users connected to the system

Q100. Which network typically demands more knowledgeable users?
A. Server-based network
B. Peer-to-peer network
C. Local area network
D. Wide area network

Q101. Which of the following functions cannot be performed using a communications network control terminal?
A. Resetting queue lengths
B. Starting and terminating line processes
C. Generating a control total for a point of sale device
D. Correcting a hardware error in a modem

Q102. Which of the following would typically be considered the fastest to restore?
A. Normal backup
B. Incremental backup
C. Differential backup
D. Copy backup

Q103. All of the following are significant Internet exposures EXCEPT:
A. Loss of integrity
B. Denial of Service attacks.
C. Insufficient resources to improve and maintain integrity
D. Unauthorized access

Q104. When a store uses a point of sale device to record the sale of an item,
which of the following sequences of activities best describes the input
process:
A. data preparation, data capture, data input
B. data capture, data preparation, data input
C. data preparation, data input
D. data capture, data preparation, data capture, data input

Q105. Which of the following controls may not be associated with point-of-sale
equipment?
A. edit
B. data validation
C. batch
D. access

Q106. As an IS auditor, what precautionary method would you suggest to the company when old computers that held confidential data are being disposed of:
A. Dispose of it to reliable people
B. Format the hard disk
C. Delete all files in the hard disk
D. Demagnetize the hard disk

Q107. A session can be defined as
A. A link between two network nodes
B. Series of transmission without any disconnection
C. A specific place in a system
D. Bi-directional data flow between two network nodes.

Q108. All of the following are true relating to the use of fiber optics EXCEPT:
A. Data is transmitted rapidly
B. Fiber optic cable is small and flexible
C. They are unaffected by electrical interference
D. They provide the highest level of signal attenuation

Q109. When an organization’s network is connected with an external network in an Internet client-server model not under that organization’s control, security becomes a concern. In providing adequate security in this environment, which of the following assurance
A. Server and client authentication
B. Data integrity
C. Data recovery
D. Data confidentiality

Q110. Penetration testing helps in identifying the vulnerabilities in network security. Which of the following is not a reason for conducting the test?
A. Make the top management aware of the security issues
B. Test intrusion detection and response capabilities
C. Help in decision making process
D. Identifying the systems to be tested

Q111. Which of the following is a substantive audit test?
A. Verifying that a management check has been regularly performed
B. Observing that user Ids and passwords are required to sign on
to the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable

Q112. Which of the following is NOT a proper responsibility of functional users?
A. Establishing data ownership guidelines
B. Establishing data custodianship outlines
C. Establishing data usage guidelines
D. Establishing data disclosure guidelines

Q113. Which of the following statements about automated operations facility parameters is not true?
A. operating system will identify an inaccuracy
B. they need to be maintained in a secure file
C. standards should be prepared to guide their maintenance
D. an offsite back copy should be maintained

Q114. Which of the following is NOT addressed in data and capacity management?
A. Rapid growth of volumes of data
B. Rapid growth in the number of computer systems in the
organisation
C. Effective data backup schemes
D. Ensuring 24 X 7 availability

Q115. Which of the following is the best option with regard to an Information Processing Facility (IPF)?
A. High MTBF and Low MTTR
B. Low MTBF and High MTTR
C. Low MTBF and Low MTTR
D. High MTBF and High MTTR

Q116. A hub is a device that connects:
A. Two LANs using different protocols.
B. A LAN with a WAN.
C. A LAN with a MAN.
D. Two segments of a single LAN.

Q117. It is essential to monitor telecommunication processes and ensure that data transmission is complete and accurate. Which of the following automated processes / reports measure this?
A. Turnaround time reports
B. Help Desk response monitoring reports
C. Breakdowns/downtime reports
D. Online monitoring tools

Q118. All of the following are considered characteristics of N-Tier computing architecture EXCEPT:
A. Distributed computing
B. Open Industry standards
C. Thin Client interfaces
D. Monolithic architecture

Q119. In which of the following, tags are placed within text to accomplish document formatting, visual features such as font size, italics and bold, and the creation of links:
A. FTP
B. HTTP
C. Telnet
D. ActiveX

Q120. One main reason for using Redundant Array of Inexpensive Disks (RAID) is:
A. all data can still be reconstructed even if one drive fails
B. all data are split evenly across pairs of drives
C. snap shots of all transactions are taken
D. write time is minimised to avoid concurrency conflicts

Q121. Output controls ensure that output is accurate, complete and produced
when required. The auditor during the course of his audit of output
controls does not look into which of the following:
A. All pages of the report are numbered consecutively
B. Comparison between the actual data totals and totals of record
counts is done at regular interval
C. Proper procedure for classification of output exists
D. Output of test runs and procedure runs are kept separately

Q122. Which of the following tools would be used when program coding has to be done?
A. Compiler
B. Editor
C. Loader
D. Linker

Q123. Which of the following statements about a DBMS is INCORRECT?
A. Data redundancy is minimised
B. Applications share data
C. Provides the logic to solve a problem in an application
D. Provides facilities to access & store data which is accessed by
users

Q124. The database administrator is NOT responsible for which one of the following functions?
A. Physical design of a database
B. Security of a database
C. Coordinate and resolve conflicting needs and desires of users in their diverse application areas
D. Logical design of a database

Q125. Which of the following OSI layers communicates with the user
programs?
A. Physical
B. Application
C. Presentation
D. Session

Q126. Measuring utilization of all important network resources so that individual or group uses on the network can be regulated appropriately is called:
A. Performance management
B. Security management
C. Accounting management
D. Configuration management

Q127. Which of the following controls would be MOST comprehensive in a remote access network with multiple and diverse sub-systems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration

Q128. A reasonably controlled practice in the distributed executable programs that execute in background of a web browser client, like Java applets and Active X controls, is:
A. Installation of a firewall
B. Usage of a secure web connection
C. Acceptance of executable only from the established and trusted source
D. Hosting the website as part of your organization

Q129. Which of the following is FALSE with regard to a public key cryptosystem?
A. the encryption key can be known to all communication users
B. the processing time required in private key cryptosystem is faster
than that of public key cryptosystem
C. the decryption key should be kept a secret
D. the decryption key is the same as the encryption key

Q130. Which of the following is not true with regard to the establishment of a
security management structure?
A. Security management should have authority in accordance with
the responsibility
B. Security management should have the overall responsibility of
security
C. Security management structure should be approved by all the
employees
D. Security management should have the required independence

Q131. When the computer is switched on, the system performs some tasks before loading the operating system. Such ROM chips can be classified as:
A. Hardware
B. Software
C. Firmware
D. None of the above

Q132. Which of the following media would be MOST secure in a telecommunication network?
A. Dedicated lines
B. Base band network
C. Dial up
D. Broadband network digital transmission

Q133. Which of the following transmission media is MOST resistant to a sniffing attack?
A. Optical fiber
B. Satellite microwave
C. Twisted-pair wire
D. Infrared

Q134. An electronic device that combines data from several low speed communication lines into a single high speed line is called
A. Modem
B. Multiplexer
C. Channel
D. Link Editor

Q135. Monetary-unit sampling is most useful when:
A. in testing the accounts receivable balance
B. Cannot cumulatively arrange the population items
C. Expects to find several material errors in the sample
D. One is concerned with over-statements

Q136. When an accounting application is processed by computer, an auditor cannot verify the reliable operation of programmed controls by
A. Manually comparing detail transaction files used by an edit
program with the programs generated error listings to determine
that errors were properly identified by the edit program
B. Constructing a processing system for accounting applications and
processing actual data from throughout the period through both
the clients program and the auditors program
C. Manually reperforming, as of a moment in time, the processing
of input data and comparing the simulated results with the actual
results
D. Periodically submitting auditor prepared test data to the same
computer process and evaluating the results

Q137. Which of the following actions should be undertaken when plastic debit/
credit cards are issued:
A. mail the cards in an envelope that identifies the name of the
issuing institution
B. make the same groups responsible for the mailing of cards and
the investigation of returned cards
C. communicate the PIN to the cardholder over phone
D. mail the card and PIN mailer separately in registered envelopes

Q138. Which one of the following is the most essential activity for effective computer capacity planning?
A. Doing the process of liaison with the management and hardware suppliers
B. Talking to security administrator for incorporating security procedures
C. To perform the process of Disaster Recovery Planning and Business Continuity Planning
D. Determining the workload of applications

Q139. Which of the following is NOT a key concept of object-oriented technology?
A. Encapsulation
B. Cohesion and Coupling
C. Polymorphism
D. Inheritance

Q140. Which of the following would typically be considered a LAN?
A. 10 computers in your office connected together and hooked up
to a printer
B. A connection of one computer in Mumbai to another in Delhi
C. The city-wide connection between ATMs
D. The 3 stand-alone PCs in your home

Q141. Which of the following allow users on the Internet to communicate with each other by typing text mode in real time:
A. IM
B. RFC
C. FYI
D. FAQ

Q142. Secure socket layer (SSL) protocol addresses the confidentiality of a message through:
A. Symmetric encryption
B. Message authentication code
C. Hash function
D. Digital signature certificates

Q143. A manufacturer has been purchasing materials and supplies for its business through an e-commerce application. Which of the following should this manufacturer rely on to prove that the transactions were actually made?
A. Reputation
B. Authentication
C. Encryption
D. Non-Repudiation

Q144. In Wide Area Networks (WANs):
A. Data flow must be half duplex
B. Communication lines must be dedicated.
C. Circuit structure can be operated only over a fixed distance.
D. The selection of communication lines will affect reliability.

Q145. An IS auditor performing a telecommunication access control review would focus his / her attention MOST on the:
A. Maintenance of usage logs of various system resources
B. Authorization and authentication of the user prior to granting access to system resources
C. Adequate protection of stored data on servers by encryption or other means.
D. Accountability system and the ability to properly identify any terminal accessing system resources.

Q146. Which among the following components is of PRIMARY concern for evolving a recovery plan after a communication failure?
A. Software
B. Documentation
C. Telecommunication
D. Hard disk free space

Q147. Which of the following does a company not need to prepare or decide upon after appointing an IS auditor?
A. Documents related to processes or procedures
B. Area of surprise audit
C. Letter forgoing legal course of action related to penetration testing
D. Number of days the audit should be carried out

Q148. Which of the following best describes a feature of statistical sampling?
A. It allows the auditors to have the same degree of confidence as
with judgement sampling
B. It allows the auditor to substitute sampling technique for his
judgement.
C. It provides a means for measuring the actual misstatement
statement in assertions
D. It provides a means for assessing the risk that the sample results
will not accurately represent the population characteristics.

Q149. Which of the following steps forms part of an approach to IT audit?
A. Review of systems
B. User controls
C. Compliance testing
D. All of the above

Q150. ___________ is not a component of the network security policy
A. Encryption policy
B. HR policy
C. Authentication policy
D. Access control policy

Q151. Which of the following persons is not a member of the IT steering committee?
A. Senior managers
B. User departments
C. The control group
D. The information system department

Q152. The auditor of an IS can exercise control over
A. Desired audit risk
B. Inherent risk
C. Control risk
D. Detection risk

Q153. Data in a PC is represented by
A. ASCII Code
B. EBCDIC Code
C. Gray Code
D. Excess - 3 Code

Q154. One feature provided by the OS is to store all the data and program in the auxiliary memory and bring only selective and needed portions into the main memory for processing. This feature is termed as:
A. Spooling
B. Multiplexing
C. Caching
D. Paging

Q155. DBMS is a software package used to create, access and maintain a database. The sub-language of a DBMS that defines a database is:
A. Data Description Language
B. Data Manipulation Language
C. Data Control Language
D. Data Access Language

Q156. DSS addresses which of the following?
A. Structured problems
B. Semi-Structured problems
C. Un-Structured problems
D. Problems that focus on exceptional reporting

Q157. With regard to a DSS, which of the following statements are TRUE: i) It deals with semi-structured problems ii) It tackles problems dealing with uncertainty iii) Permits ‘What-if’ analysis
A. i & ii
B. ii & iii
C. i & iii
D. i & ii & iii

Q158. The device primarily used to extend the network that must have the ability to act as a storage and forwarding device is a:
A. Router
B. Bridge
C. Repeater
D. Gateway

Q159. All the following are phases in the establishment of a Switched Virtual Circuit EXCEPT
A. Circuit termination
B. Data transfer
C. Circuit expansion
D. Circuit establishment

Q160. A sequence of bits appended to a digital document that is used to authenticate an e-mail sent through the Internet is called a:
A. Digest signature
B. Encrypted message
C. Digital signature
D. Hash signature

Q161. Software that translates a program in 2GL to 1GL is:
A. Compiler
B. Interpreter
C. Assembler
D. Editor

Q162. An organisation decides to migrate from conventional file system to a DBMS. Which of the following will increase on account of such migration?
A. Programming errors
B. Data Entry Errors
C. Improper file access
D. Loss of parity

Q163. The advantage of a Ring topology is that
A. It is easy to install
B. It is easy to add or replace computers to the network
C. It minimizes network traffic congestion
D. It uses a number of high speed hubs and switches

Q164. A major problem in networking is the slow rate of data transfer. Which of the following would help counter this problem?
A. Data formatting
B. Allocating adequate bandwidth
C. Centralized control
D. All of the above

Q165. Which of the following is NOT a function of the kernel of the OS?
A. To determine which processes are to be executed
B. To prepare the access matrix for accessing resources.
C. To allocate quantum of main memory for each and every user.
D. To overcome the problem of deadlock

Q166. Which of the following is not a job scheduling algorithm?
A. Round Robin
B. Demand Paging
C. Shortest Setup time
D. Jobs with a Red Tag

Q167. An organization is considering installing a local area network (LAN) in a site under construction. If system availability is the main concern, which of the following topologies is MOST appropriate?
A. Ring
B. Line
C. Star
D. Bus

Q168. Which of the following devices connects two or more dissimilar computer systems by interpreting and translating the different protocols that are used?
A. Router
B. Repeater
C. Gateway
D. Firewall

Q169. A firewall access control list may filter access based on each of the following parameters EXCEPT:
A. Port
B. Service type
C. Network interface card (NIC)
D. Internet protocol (IP) address

Q170. Electromagnetic emissions from a terminal represent an exposure because they:
A. Affect noise pollution.
B. disrupt processor functions.
C. Produce dangerous levels of electric current.
D. Can be detected and displayed

Q171. Which of the following would an IS auditor consider a MAJOR risk of using single sign-on in a networked environment?
A. It enables access to multiple applications
B. It represents a single point of failure
C. It causes an administrative bottleneck
D. It leads to a lockout of valid users

Q172. Which of the following activities is NOT within the scope of a DBA?
A. Defining the conceptual schema
B. Performing the task of database tuning
C. Determining the storage capacity for applications
D. Granting and revoking rights of users

Q173. In a TCP/IP based network, an IP address specifies a:
A. Network connection.
B. Router/gateway.
C. Computer in the network.
D. Device on the network such as a gateway/router, host, server etc.

Q174. Which of the following is most often used for collecting statistical and configuration information about network devices such as computers, hubs, switches, routers, etc.?
A. Simple Network Management Protocol
B. Online reports
C. Downtime reports
D. Help desk reports

Q175. Which of the following provides the GREATEST assurance in achieving message integrity and non-repudiation?
A. The recipient uses the sender's public key, verified with a certificate authority, to decrypt the message digest
B. The recipient uses his private key to decrypt the secret key
C. The encrypted message digest and the message are encrypted using a secret key
D. The encrypted message digest is derived mathematically from the message to be sent

Q176. Networks are growing day-by-day. Which one of the following components of such growth is most difficult to predict?
A. Modifications to physical and facilities
B. Network utilization by the existing users
C. Increased business activity and revenue
D. Extension of the network to new users

Q177. A normally expected outcome of a business process re-engineering is that:
A. Information technologies will remain unaltered.
B. It improves the product, service and profitability.
C. Information from clients and customers will not be required.
D. Business priorities will not be modified.

Q178. The IS activity that is IRRELEVANT to information processing is:
A. Systems Programming
B. Librarian functions
C. Computer Operations
D. System analysis.

Q179. Which sampling plan will be used to find evidence of at least one
improper transaction in the population?
A. Discovery sampling
B. Acceptance sampling
C. Dollar unit sampling
D. Attribute sampling

Q180. Audit risk is a negative representation of an audit
A. Process
B. Analysis
C. Objective
D. Software

Q181. Network performance monitoring tools will MOST affect which of the
following?
A. accuracy
B. completeness
C. secrecy
D. availability

Q182. An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
A. whether access logs are maintained of use of various system
resources
B. whether data stored on servers are adequately protected by
means of encryption or any other means
C. accountability system and the ability to properly identify any
terminal accessing system resources
D. whether users are authorised and authenticated prior to granting
access to system resources

Q183. In the System Development Life Cycle (SDLC), the functional specifications are translated into the logical and physical design during the ___________ stage
A. Functional specification
B. Program specification
C. Detailed design specification
D. Business requirement specification

Q184. The auditor during the course of audit takes into consideration the
materiality of the transaction. Which of the following would not be
considered by the auditor to assess the materiality in case of non-
financial transaction
A. Cost of system or operations
B. Cost of errors
C. Activities supported by system or operations
D. Cost of providing physical access controls to the system

Q185. The difference between SCARF and Continuous and Intermittent Simulation (CIS) is:
A. CIS cannot collect data for performance monitoring purposes
B. CIS requires modification of the database management system used by the application
C. Only targeted transactions can be examined using CIS.
D. CIS cannot write exceptions identified to a log file

Q186. The first step the IS Internal Audit manager should take, when preparing the annual audit plan, is to:
A. Meet the audit committee members to discuss the IS audit plan
B. Ensure that the audit staff is competent in the areas to be audited and, wherever required, provide for appropriate training.
C. Prioritise the audit areas by performing risk analysis.
D. Begin with the previous year's IS audit plan and carry over any IS audit that had not been accomplished.

Q187. Due to important work, the senior computer operator has gone on leave for ten days. In his place, the security officer has been asked to officiate. In this scenario, as an IS auditor, which of the following would be the most appropriate?
A. Inform the top management of the complexities and risks in doing
so.
B. Develop a small program that will give a picture of what is
happening during the absence of the operator

C. Examine the accounting data recorded in the system for any irregularities
D. Appoint a qualified computer operator on a temporary basis.

Q188. Internal controls are not designed to provide reasonable assurance that:
A. Irregularities will be eliminated
B. Logical access is permitted only in accordance with authorization
C. Segregation of duties is maintained
D. IS operations are performed in accordance with appropriate
authorizations

Q189. A System Auditor primarily uses the information provided by a detailed understanding of the Information System controls and risk assessment to determine the nature, timing, and extent of the:
A. Substantive tests
B. Attribute sample tests
C. Variable sample tests
D. Compliance tests

Q190. The class of control used to overcome problems before they acquire gigantic proportions is:
A. Preventive
B. Detective
C. Corrective
D. Suggestive

Q191. A general guideline of a security policy does not
A. Identify and determine what is to be protected
B. Identify acceptable activities
C. Update the policy
D. Keep the policy a secret

Q192. To conduct a System audit the IS auditor should:
A. Be technically at par with the client's technical staff
B. Be able to understand the system that is being audited
C. Possess knowledge in the area of current technical words.
D. Only possess a knowledge of auditing

Q193. Which of the following activities is undertaken during data preparation:
A. errors identified during the input validation phase are corrected
B. captured data are converted into machine readable form
C. economic events that are relevant to the ongoing operations of
an organisation are identified and recorded
D. data are recorded on source documents so it can be keyed to
some type of magnetic medium

Q194. Which of the following applet intrusion issues poses the GREATEST risk
of disruption to an organisation?
A. applets damaging machines on the network by opening
connections from the client machine
B. a program that deposits a virus on a client
C. applets recording keystrokes made by the client and, therefore
passwords
D. downloaded codes reading files on the client’s hard disk

Q195. Which of the following is true with regard to a computerised environment?
A. Separation of duties is not possible
B. A clear line of authority and responsibility exists
C. Highly skilled persons are not required to develop, modify and
operate the system
D. Audit trails are not available by default on all software

Q196. The class of control used to monitor inputs and operation is:
A. Preventive
B. Detective
C. Corrective
D. Suggestive

Q197. Which of the following steps provides the highest assurance in achieving confidentiality, message integrity and non-repudiation by either sender or recipient?
A. the recipient uses his/her private key to decrypt the secret key.
B. the recipient uses the sender's public key, verified with a certificate authority, to decrypt the pre-hash code
C. the encrypted pre-hash code and the message are encrypted
using a secret key
D. the encrypted pre-hash code is derived mathematically from the
message to be sent

Q198. Several risks are inherent in the evaluation of evidence that has been obtained through the use of statistical sampling. A beta or type II error related to sampling risk is the failure to:
A. Properly define the population
B. Draw a random sample from the population.
C. Reject the statistical hypothesis that value is not misstated when the true value is materially misstated.
D. Accept the statistical hypothesis that value is not materially misstated when the true value is not materially misstated.

Q199. The following statement about controls over computer operators is true:
A. segregation of operator duties is not a very effective control
B. If operators are given access to the system documentation, they
may help in tracing the cause of a potential error

C. a malicious operator can undermine a disaster recovery operation by corrupting backup files progressively over time
D. operators do not need to rely on documentation during a disaster
recovery operation

Q200. Corporate guidelines to download anti-virus software from the official site help to
A. Detect virus
B. Prevent virus
C. Correct virus
D. Contain virus

Q201. The installation of a database management system (DBMS) does not have any direct impact on:
A. Data redundancy within files
B. Sharing of common data
C. The internal control of data accuracy and access and
inconsistencies within common data fields
D. The logic needed to solve a problem in an application program

Q202. The risk that the conclusion based on a sample might be different from
the conclusion based on examination of the entire population is called
A. Confidence risk
B. Sampling risk
C. Statistical sampling
D. Tolerable rate and the expected deviation rate.

Q203. The LAN policy is framed by
A. The IT steering committee
B. The Top management
C. A business analyst
D. A project manager

Q204. Which of the following represents a typical prototype of an interactive application?
A. Screens and process programs
B. Screens, interactive edits, and sample reports
C. Interactive edits, process programs and sample reports
D. Screens, interactive edits, process programs and sample reports

Q205. A function NOT possible of being accomplished using CAATs is:
A. Calculating the age-wise outstandings of Receivables and
Payables.
B. Checking and reconciling of postings done in the General Ledger.
C. Calculation of Foot Totals
D. Selection of testing sample data

Q206. A sampling technique used to estimate the average or total value of a population based on a sample is termed as:
A. Variable Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling

Q207. In selecting the applications to be audited, which criterion is LEAST likely to be used:
A. Technological complexity
B. Inherent Risk
C. Sensitivity of transactions
D. Legal requirements

Q208. Which one of the following is ideally suited for multimedia applications?
A. Integrated services digital network (ISDN) and broadband ISDN
B. Broadband ISDN, fiber optics, and ATM

C. Narrowband ISDN, central office switches, Voice Mail system
D. ISDN LAN Bridges, fiber optics, and asynchronous transfer mode (ATM)

Q209. During an audit of the tape management system at a data center, an IS auditor discovered that some parameters are set to bypass or ignore the labels written on tape header records. However, the IS auditor did not e that there were effective staging and jo
A. tape header should be manually logged and checked by the operators
B. staging and job set-up procedures are not appropriate compensating controls
C. staging and job set-up procedures compensate for the tape label
control weakness
D. tape management system is putting processing at risk and that
the parameters must be set correctly.

Q210. For electronic-Commerce deals through web-based transactions involving acceptance of payment through credit cards, installation of firewall with strict parameters is required, having impact on the transaction itself. State the parameter having the LEAST i
A. Encryption of all transactions
B. Authentication of all transaction in time
C. Architecture of the firewall hiding the internal network
D. Exchange of traffic through the firewall at the application layer
only

Q211. In which phase of the Waterfall life cycle development model is Rapid prototyping used?
A. Requirements
B. Design
C. Coding
D. Testing

Q212. The following estimates the probability of a computer system being destroyed in a natural disaster and the corresponding overall business loss. Which system has the greatest exposure to loss?
A. System A - Likelihood 10%, Losses in ($) 6 million
B. System B - Likelihood 15%, Losses in ($) 5 million
C. System C - Likelihood 20%, Losses in ($) 2.5 million
D. System D - Likelihood 25%, Losses in ($) 4 million

Q213. When implementing local area networks, the major implementation choices involve decisions about all of the following except:
A. Repeaters
B. File servers
C. Routers
D. Terminal controllers

Q214. Which of the following functions SHOULD NOT BE combined with Control Group?
A. Systems Analyst
B. DBA
C. Security Administration
D. QA

Q215. Which of the following are considered while determining the sensitivity of information?
A. Availability and integrity
B. Integrity and Confidentiality
C. Availability and Confidentiality
D. Availability, Integrity and Confidentiality

Q216. A control is NOT designed and implemented to:
A. reduce the enormity of the loss when a threat materializes
B. reduce the probability of the threat materializing
C. reduce the expected loss from a threat
D. control the normality of the distribution curve of the loss from the
threat

Q217. An example for a concurrent audit tool whose complexity is low is:
A. SCARF/EAM
B. ITF
C. Snapshot
D. Audit hooks

Q218. The initial validation control for a credit card transaction capture application would MOST likely be to:
A. check that the transaction is not invalid for that card type
B. ensure that the transaction amount entered is within the cardholder's credit limit
C. verify the format of the number entered and then locate it on the
database
D. confirm that the card is not listed as hot

Q219. Which of the following utilities can be used to directly examine the ability
of the program to maintain data integrity?
A. Data dictionary
B. Macro
C. Output analyser
D. Code optimiser

Q220. Due diligence of third party service providers need not cover
A. Evaluation of testimonials
B. Evaluation of infrastructure
C. Evaluation of experience
D. Evaluation of ownership

Q221. _________ tests individual programs.
A. Unit testing
B. System testing
C. Acceptance testing
D. Parallel testing

Q222. Which of the computer assisted audit techniques and tools help the auditor to identify the impact of delays and rescheduling audit plans?
A. Planning and scheduling
B. Project management and audit tracking
C. Inventory of the audit universe
D. Risk analysis

Q223. Which of the following is NOT TRUE with regard to network reliability
enhancement:
A. Redundant switching equipment
B. Parallel physical circuits
C. Licensed software
D. Standby power supplies

Q224. A LAN administrator is forbidden from:
A. Having programming responsibilities.
B. Reporting to the end user manager.

C. Being responsible for LAN security administration.
D. Having end user responsibilities.

Q225. Custom Software Agreement should include a pre-acceptance performance standard to measure the software’
A. Unit Testing
B. Regression Testing
C. Load Testing
D. Acceptance testing

Q226. A procedure to have an overall environmental review which is NOT performed by an IS auditor during pre audit planning is
A. Understanding of business risks by interviewing management’s
key personnel.
B. Determining adherence of regulatory requirements by conducting
compliance tests.
C. Reviewing audit reports of the previous years.
D. Touring key activities of the organisation.

Q227. Which of the following would be an appropriate compensating control when an IS auditor notices that after normal office hours, changes are made with a shorter number of steps than complying with the normal set standard procedures?
A. Using the regular account of the user with access to make changes to the database.
B. Using the DBA’s account to make changes, logging of changes,
and the following day reviewing the before and after image.
C. Using the normal user account to make changes, logging of
change, and the following day reviewing the before and after
image.
D. Using the account of the DBA and make the changes.

Q228. An acceptable situation when IS product selection and purchase are done internally is when:
A. A thorough cost benefit analysis is done by the managers before
ensuring what is to be purchased.
B. The purchases are done in line with the company’s long and
short term technology plans.
C. The exchange data is done on casual basis in the local offices
which are independent.
D. The company uses a similar database management system
throughout.

Q229. While conducting an audit, the auditor should
A. Insist that a security policy exists
B. Not insist for a security policy
C. Insist that a security policy exists, and accept the existing policy
D. Insist that a security policy exists. However he may not accept
the existing policy

Q230. Which of the following would NOT be a reason for IS Audit involvement
in information systems contractual negotiations?
A. Often hardware does not interface in an acceptable manner
B. Many information systems projects incur additional costs over the
contract cost
C. Vendors may go out of business and discontinue service support
on their products
D. Only the IS Auditor can determine whether the controls in the
system are adequate

Q231. Compliance auditing is used to:
A. Complete audit under accepted auditing standards
B. Eliminate the need for substantive auditing

C. Verify specific balance-sheet and Profit and loss account values
D. Determine the degree to which substantive auditing may be limited

Q232. Each of the following is a general control concern EXCEPT:
A. Security policy
B. Environmental control within the IS department.
C. Daily control totals.
D. Physicals and logical access controls.

Q233. To measure variability the most useful sampling technique is the:
A. Median
B. Range
C. Standard deviation
D. Mean

Q234. To examine the existence of the entities described by the data, which of the functional capabilities in the generalised audit software would be used:
A. File access capabilities
B. Analytical review capability
C. Stratification and frequency analysis capability
D. Statistical sampling capabilities

Q235. Which of the following is a responsibility of computer operations department?
A. analysing system degradation
B. analysing user specifications
C. reviewing software quality
D. troubleshooting electrical connections failure

Q236. Which of the following need not be emphasised while choosing technology insurance policy?
A. Evaluation of the company
B. Reading the terms and conditions of the policy carefully
C. Not making any assumptions and obtaining clarifications where
required
D. Focussing on purchasing a general insurance policy

Q237. A detailed policy on firewalls should not
A. Include log reports
B. Include guidelines for assessment of logs
C. Ensure that it is physically secured
D. Ensure that it is logically secured

Q238. The feasibility study is conducted after _____________ phase
A. Business requirement
B. Need/ user request
C. Design specification
D. Program specification

Q239. Which of the following is not a component of audit risk?
A. Inherent risk
B. Control risk
C. Detection risk
D. Restrictive risk

Q240. The HR policy of a company should state that
A. Employees should take leave
B. If the employee has not taken leave, he should be given an
incentive

C. Employees should be forced to go on leave for a few days
D. Employees should take leave only when they have some important personal work

Q241. The primary advantage of a derived Personal Identification Number (PIN) is that:
A. it is easy to remember
B. new account numbers must be issued to customers if their PINs
are lost or compromised
C. it does not have to be stored. Hence preserving privacy is easier
D. changing the cryptographic key has no implications for existing
PINs

Q242. In which phase of a system development life cycle would you perform
Mutation analysis?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q243. Accuracy of data is important most likely to a
A. Decision Support System (DSS)
B. Strategic Planning System
C. Expert system
D. Management control system

Q244. The complete information about all data in a database is found in:
A. Database schema
B. Data dictionary
C. Data encryptor
D. Decision table

Q245. The auditor should ensure that the policy has been formulated and
communicated by
A. Asks employees for related documents that they have in hand
B. Identifies areas where relevant information has not been
communicated
C. Assesses the commitment of the management
D. Identifies its misuse

Q246. To ensure the operating system integrity the web server configuration
should be monitored. Which of the following is not necessary to achieve
this objective?
A. Baseline for the configuration
B. Periodical review of the web configuration and where needed a
secondary review of the same
C. Internal web sites are inside the company
D. All internal communication must be digitally signed

Q247. Which of the following does NOT need to be considered in determining statistical sample sizes?
A. Desired precision
B. Size of the population
C. Nature of the population
D. Standard deviation of the population

Q248. Which of the following statements is FALSE for equipment mean-time-between-failure (MTBF)?
A. It is the average length of time the hardware is functional
B. Low MTBF values imply good reliability
C. It is the total functioning life of an item divided by the total
number of failures during the measurement interval
D. High MTBF values imply good reliability

Q249. User controls are designed to ensure that data collected and entered
into the system is
A. Authorised
B. Accurate
C. Complete
D. All of the above

Q250. Which of the following techniques ensures an e-mail message's authenticity, confidentiality, integrity and non-repudiation?
A. encrypt the message with the sender's public key, and sign the message with the receiver's private key
B. encrypt the message with the sender's private key and sign the message with the receiver's public key
C. encrypt the message with the receiver's public key and sign the message with the sender's private key
D. encrypt the message with the receiver's private key and sign the message with the sender's public key

Q251. Echo Check belongs to hardware controls, which usually are those built
into the equipment. Echo Check is best described as:
A. a component that signals the control unit that an operation has
been performed
B. two units that provide read-after-write and dual-read capabilities
C. double wiring of the CPU and peripheral equipment to prevent
malfunctioning
D. validation logic applied to fields and records based on their interrelationships with controls established for the batch.

Q252. Incompatible functions may be performed by the same individual either in the Information System department or in the User department. One compensating control for this situation is the use of:
A. A log
B. Check digit

C. Batch control totals
D. Range check

Q253. The International Standards Organisation (ISO) has defined risk as “the potential that a given threat will exploit vulnerability of an asset or group of assets to cause loss or damage to the assets”. This means risk has all of the following elements EXCEPT:
A. Vulnerabilities of assets
B. Probabilities of occurrence of threats
C. Exposure based on threats and vulnerabilities
D. Controls to contain the threat.

Q254. An auditor performing a statistical sampling of the financial transactions in a financial MIS would BEST use:
A. Generalised Audit Software
B. Regression Testing
C. Spreadsheets
D. Parallel simulation

Q255. You as an IS Auditor observed that technical support personnel have unlimited access to all data and program files in the computer. Such access authority is:
A. appropriate, but all access should be logged
B. appropriate, because technical support personnel need to access
all data and program files
C. inappropriate, since access should be limited to a need-to-know
basis, regardless of position
D. inappropriate, because technical support personnel are capable
of running the system

Q256. An Information System Auditor observed that technical support personnel have unlimited access to all data and program files in the computer. Such access authority is:
A. appropriate, but all access should be logged
B. appropriate, because technical support personnel need to access
all data and program files
C. inappropriate, since access should be limited to a need-to-know
basis, regardless of position
D. inappropriate, because technical support personnel are capable
of running the system

Q257. In a data processing environment, which one of the following is not a Compliance review?
A. Security policies are available
B. Performing analysis of system storage media
C. Review of system logs
D. Review of System errors

Q258. In order to prevent the loss of data during the processing cycle, what is the first point at which control totals should be implemented?
A. in transit to the computer
B. during the return of the data to the user department
C. during the data preparation
D. between related computer runs

Q259. In the System Development Life Cycle (SDLC) the user should be
involved in (1) design (2) development (3) implementation of new
system and changes to the existing system. Which of the following is
true?
A. 1, 2
B. 2, 3

C. 1, 3
D. 1, 2, 3

Q260. If fraud or errors are suspected in the population, the auditor would use:
A. Attribute sampling
B. Discovery sampling
C. Dollar-unit sampling
D. Ratio and difference estimation.

Q261. The functions of operations management relating to the microcomputers in organisations where microcomputers are used extensively should be:
A. formulated by the person who develops the application system for the microcomputers
B. performed by the operations manager responsible for the mainframe computer
C. determined by the individuals who use the microcomputers
D. formulated by the operations manager and promulgated as a standard throughout the organisation

Q262. The primary objective in testing the integrity of information is to ensure that:
A. Confidential information is protected
B. Data are complete, accurate and valid
C. Information for making decisions
D. Data are used for achieving business objectives.

Q263. Which of the following is a common security practice in a LAN?
A. Matching user ID and name with password
B. Principle of highest privilege should be implemented to perform
the file backup function

C. Limiting access to local drives and directories
D. Controlling file-transfer rights

Q264. The auditor during the course of his audit of IT steering committee
interviews the members of the committee. This process helps the
auditor to ascertain
A. Members of the committee are the persons who have more
number of years of experience in the company
B. Members are appointed by the IS project sponsor
C. Committee is in charge of allocation of resources and prioritising
the projects
D. The organisation culture is in no way influencing the committee
and its management practices

Q265. To obtain competent evidential matter about control risk, an Information Systems Auditor uses a variety of techniques, including:
A. Re-performance
B. Statistical Analysis
C. Code Comparisons
D. Expert system

Q266. In the LAN environment, _____________ officer is responsible for prevention and detection of virus
A. Web administrator
B. Security officer
C. Network administrator
D. A project manager

Q267. When the Auditor uses generalised audit software to access data maintained by a database management system, which file structure is most likely to be difficult to access:
A. A tree structure
B. A sequential file structure
C. A random structure
D. An index sequential structure

Q268. Which is the primary reason for replacing cheques with Electronic Funds
Transfer (EFT) systems in the accounts payable area?
A. to ensure compliance with international EFT standard
B. to decrease the number of paper-based forms
C. to increase the efficiency of the payment process
D. to eliminate the risk that unauthorised changes may be made to
the payment transactions

Q269. Which of the following statements is true about a mandatory access control policy?
A. it is not possible for users to change their classification level,
though they can change their clearance levels
B. it must be enforced by a more complex access control
mechanism compared with a discretionary access control policy
C. it is less likely to be used in a business systems environment
than a discretionary access control policy
D. an audit trail is not required with a mandatory access control
policy

Q270. An Integrated Test Facility (ITF) is BEST described as:
A. Tagging and extending master records.
B. Programming options permitting printout of specific transactions.
C. Technique enabling to enter test data into a live computer for
processing verification.
D. Utilisation details of hardware and software for reviewing
functioning of the system.

Q271. An IS auditor came across an instance of a security administrator working occasionally as a senior computer operator. The BEST follow-up action to be taken by the IS auditor is to:
A. Continue to work along with the Security Officer on such
occasions as a precautionary preventive control.
B. Inform and advise the Senior Management of the high risks
involved in it.
C. Develop CAATs in detecting such instances.
D. Review system logs on such occasions to identify irregularities
encountered if any.

Q272. Insecure information, which could threaten the existence of an organisation is classified under:
A. Low sensitivity
B. Average sensitivity
C. Medium sensitivity
D. High sensitivity

Q273. Which one of the following poses a major threat in using remote
workstations?
A. Standard software packages
B. Response time
C. Data transfer speed
D. Security

Q274. The main objective of separation of duties is to ensure that:
A. The workload in the organisation is shared
B. Controls exist over efficient usage of hardware
C. a single person does not have complete control over a transaction from start to finish
D. none of the above


Q275. The objective of compliance testing is to find:
A. Whether statutory regulations are complied with
B. Whether assets are properly valued.
C. Whether appropriate controls have been incorporated.
D. Whether the time and cost parameters for software projects are within schedule and comply with the estimated ones.

Q276. The snapshot technique involves:
A. Selecting transactions that must pass through the input program
B. Capturing the working of an application at a point in time.
C. Taking the afterimages of all data items changed for accuracy and completeness.
D. Taking a picture of a transaction as it flows through a system

Q277. A network security policy need not include:
A. A security matrix table
B. Penetration testing
C. Risk analysis
D. Network assets

Q278. An insurance company is planning to implement new standard software in all its local offices. The new software has a fast response time, is very user friendly, and was developed with extensive user involvement. The new software captures, consolidates, edi
A. Increased workloads
B. Lengthy retraining
C. More accountability
D. Less computer equipment


Q279. The best method to detect and correct errors is before the data are entered into an application system, but this is not always possible. In that case, what is the best alternative approach for ensuring data integrity?
A. Test data generator
B. Having monitoring modules
C. Use of generalised audit software
D. Expert systems

Q280. Which of the following is:
A. The auditor should take into consideration the subsequent events
B. The auditor should issue the report to all interested parties
C. The report need not touch upon standards and the internal control
of the organisation
D. The auditor should state in his report that all his
recommendations should be implemented

Q281. An IPF (Information Processing Facility) is typically a large computer centre. Which of the following is the primary consideration in selecting its site?
A. minimise the distance that data control personnel must travel to
deliver data and reports
B. provide security
C. be easily accessible by a majority of company personnel
D. be on the top floor

Q282. In determining the sample size for a test of control using attribute sampling, a System Auditor would be least concerned with the:
A. Expected rate of occurrence
B. Precision limit
C. Result of substantive audit procedure
D. Assessing control risk too high


Q283. The basic purpose of an IS audit is:
A. To identify control objectives
B. To suggest the best possible hardware for the company
C. To help the top management in assessing the capabilities of
personnel.
D. To ensure that no statutory regulations are violated using
networks.

Q284. The IT auditor considers the controls that are present for the evaluation of the internal controls. Which of the following controls cuts across the hierarchical line and follows the data as it flows in the organisation?
A. Corrective controls
B. Management controls
C. Application controls
D. Detective controls

Q285. There are various techniques for telecommunication controls. Confidentiality of data is BEST maintained by:
A. parallel simulation technique
B. data encryption technique
C. password encryption technique
D. maintaining a test deck

Q286. A decision table is used for testing with test data. The purpose of the results stub in the decision table is that it:
A. Exhibits the expected and actual results
B. Documents the conditions that lead to a particular action.
C. Exhibits the rules for different conditional values
D. Indicates the action to be taken when a rule is satisfied


Q287. A good email policy should state that:
A. All mails sent and received should be monitored
B. All messages should be encrypted
C. Emails should be used only for official purpose
D. All personal mail should be labelled

Q288. The risk in auditing an information system is dependent on various other risks. Which of the following results in a decrease of the achieved audit risk?
A. A decrease in desired audit risk
B. A decrease in detection risk
C. An increase in inherent risk
D. An increase in control risk

Q289. The weakness that the IS auditor would be LEAST concerned with while conducting an access control review in an organisation is:
A. The application programmers have the access rights to the live
data environment.
B. There is no provision for enabling the audit trails in the package.
C. Initiating transactions and changing the related parameters could
be done by a single user.
D. Group login access is being used for accessing critical functions.

Q290. The work schedule of a clerk in a Control Group consists of:
A. Authorising all the transactions.
B. Carrying out corrections in the master file.
C. Maintaining the error log.
D. Custody and control over the non IS assets.


Q291. In order to enforce the email policy, management need not:
A. Educate employees
B. Educate third parties
C. Take prompt action in case of misuse or complaints
D. Prohibit subscription to e-newspapers and e-groups

Q292. To ensure proper separation of duties, the function NOT to be performed by the Scheduling and Operations personnel is:
A. Code Correction
B. Job submission
C. Resource management
D. Output distribution

Q293. When an organisation outsources its activities, it also provides data to the service provider. In such cases, the ownership of data:
A. Is transferred to the service provider
B. Is with the client/organisation that outsources services
C. Is shared by both parties
D. Is not transferred

Q294. When a company acquires custom-made software, it enters into a custom software agreement with the vendor. What should the company not consider before entering into such an agreement?
A. Present and future demands of the company
B. Contingency plan of the vendor
C. Frequency at which the vendor updates the software
D. Number of users of the software


Q295. Which among the following statements about information systems personnel is NOT true?
A. IS personnel have always lacked ethics
B. There has been a dearth of IS personnel from the initial days
C. Generally, the tasks performed by IS personnel are more complex
than those in manual systems
D. IS personnel do not enjoy as much power and clout in organizations as manual systems personnel, such as HR personnel, do

Q296. Which of the following is a TRUE statement concerning Test Data Techniques?
A. Requires the usage of a Test Data Generator.
B. Tests only pre-conceived situations
C. Requires the minimum computer usage and manual personnel.
D. High Level of IS expertise is essential.

Q297. Which of the comments about Business Process Re-engineering (BPR) is NOT false?
A. Lesser accountability and Weaker Organisational structures are the outcome of a BPR.
B. Information protection carries a high risk and always deviates with BPR.
C. Decrease in complexity and volatility in IT leads to considerable
decrease in costs.
D. Increased number of people using the technology causes a
serious concern for BPR projects.

Q298. Which of the following would an IS auditor NOT do while conducting a review of an organisation’s IS strategies?
A. Interviewing concerned Corporate Management personnel.
B. Consideration of the external environment likely to benefit / affect the organisation.
C. Assessing the required Security procedures for the IS environment.
D. Review of Short and Long term IS strategies.

Q299. Which of the following functions, if combined, would provide the GREATEST risk to an organisation?
A. Systems analyst and Database administrator.
B. Quality assurance and computer operator.
C. Computer Operator and Tape Librarian.
D. Application Programmer and Data entry clerk

Q300. Which of the following is not true (with regard to passwords)?
A. It should be communicated to the top management
B. It should not be written anywhere
C. It should not be written in plain text
D. Users should not be allowed to use the previous password

Q301. Which of the following statements about controls is FALSE?
A. A threat materializing can be prevented by implementing more
than one control
B. Controls are focussed primarily at unlawful events or threats
C. Controls can be implemented to prevent all unlawful events
D. Controls are subsystems in an IS consisting of interacting
components

Q302. An IS auditor came across instances where the users failed to review
the invoices prior to submitting them for processing since discounts
from vendors could be availed only within three business days of the
invoicing. Which of the following should the IS
A. Confirm that copies of invoices are compared with edit reports
with detail of invoice value and discount prior to releasing the
payment.

B. Confirm that copies of invoices are compared with edit reports with detail of invoice value and discount.
C. Confirm copies of invoices are reviewed on submission to
Accounts payable department.
D. Confirm that invoices are reviewed by accounts payable
department.

Q303. An organisation’s strategic plan would normally comprise the organisation’s goal of:
A. Implementing a new project planning system during the forthcoming year.
B. Testing of control in the new accounting package to be
implemented.
C. Growing to become the unanimous supplier of choice among the
buyers in a given period of time for the product / service to be
offered by the organisation.
D. Performing an evaluation of information technology needs of the
organisation.

Q304. As compared with other Information Systems, Executive Information Systems do NOT have the characteristic of:
A. Ease of use compared with other systems
B. User friendly features built in.
C. Focusing on broad problems to a specific view.
D. Including other features of word processing, spreadsheets and
e-mails.

Q305. Can an IS auditor of a company outsourcing its operations insist on reviewing the vendor’s Business Continuity Plan document?
A. No, since the BCP is a personal document of the vendor.
B. Yes, because it helps the IS auditor to evaluate the vendor’s financial stability and capacity to abide by the contract.
C. Yes, since the vendor’s plan could be adequately evaluated for preparing a complementary plan for the outsourcing company.
D. No, since this backup provision is adequately provided for in the agreement.

Q306. Control of employee activities in a computerized environment is, vis-à-vis manual systems,
A. more difficult as the IS personnel resent being supervised at
every step
B. more difficult because employees access the system remotely
and perform duties electronically
C. less difficult because audit trails can be looked upon for tracing
out unauthorized activities
D. less difficult because monitoring the employee activities
electronically is feasible

Q307. “Due Professional Care” requires an IS auditor to possess which of the following qualities?
A. Good amount of programming skills in the required software.
B. Arriving at a correct conclusion based on the facts and figures available.
C. Evaluating methodology of the audit test results.
D. Skills and judgement that are commonly possessed by IS
practitioners of that speciality.

Q308. During the audit of automated Information systems, responsibility and reporting lines CANNOT be established since:
A. In sharing of resources, ownership is difficult to be established.
B. In the rapid development of technology, the duties change very
frequently.
C. The staff change the jobs with high frequency.
D. Ownership is irrelevant on account of diversified control.


Q309. Employees are compulsorily asked to proceed on a week-long vacation in many organisations to:
A. Remove possible disruption caused when going on leave for a
day at a time.
B. Cross train with another employee of another department.
C. Diminish chances of committing improper / illegal acts by the
employee.
D. Ensure a standard quality of life is led by the employee, which could enhance productivity.

Q310. Evaluation of which of the following functional areas CANNOT be carried out by risk assessment techniques?
A. Time and cost involved and resources utilised in conducting an
audit.
B. Audit programs and audit procedures.
C. Recommendations and conclusions based on the findings from
the audit.
D. Functional business areas under audit.

Q311. Information that must be provided in the register is part of the _________ guideline of the server security policy
A. Ownership and responsibility
B. Monitoring
C. General configuration
D. Compliance

Q312. For a company carrying on the business of leasing of computers, the GREATEST threat would be:
A. The issues concerning licensing of software running on the leased out machines.
B. The accounting control of peripherals being shared.
C. The leased out machines becoming obsolete prior to termination of the lease contract.
D. The re-assignment of the hardware quite frequently.

Q313. For an effective implementation of a continuous monitoring system, which of the following is identified as the FIRST and FOREMOST step by an IS auditor?
A. The input and output process of data entry and reports
generated.
B. The higher the Return on Investment by the application.
C. The Organisation’s critical and high risk business areas
D. Availability of adequate manpower for the effective implementation
of the system.

Q314. In considering the outsourcing of computer operations, which of the following factors would LEAST indicate the need for it?
A. There is a delay of more than 36 months in application
development.
B. System maintenance constitutes about 65% of the programming
costs.
C. Concurrent / parallel existence of Duplicate Information system
functions.
D. Development time of a high priority system is more than 12
months.

Q315. For eliminating data loss in processing, control totals are to be INITIALLY introduced:
A. During the return of data to the user department.
B. In transit to the computer.
C. During data preparation.
D. Between related computer runs.


Q316. Generalised Audit Software (GAS) is NOT used for:
A. Selecting unusual data as per the auditor’s choice.
B. Performing intricate and complex calculations
C. Preparation of multiple reports and output files.
D. Calculation verifications.

Q317. Implementation and maintenance of new and existing systems with the
aid of programmers and analysts is the responsibility of the:
A. Database administrator.
B. Systems development manager.
C. Operations Manager.
D. Quality assurance manager.

Q318. Improper segregation of duties amongst programmers and computer operators may lead to the threat of:
A. Unauthorised program changes.
B. Loss of data while executing a program.
C. Oversight omissions of data
D. Inadequate volume testing.

Q319. In a network security policy, a statement on methods of data communication will be listed under
A. Identification and authentication
B. Accountability and audit
C. Data exchange
D. Access control

Q320. In an audit of the outsourcing process, the IS auditor would LAST perform the task of:
A. Control Risk assessment.
B. Contract reviews with the legal counsel.
C. Assumptions and analysis of costs and benefits.
D. Assessing the organisation’s business needs.

Q321. In determining good preventive and detective security measures practised by an employee, the IS auditor places the HIGHEST reliance on:
A. Compliance Testing
B. Risk Assessment
C. Observation
D. Detailed Testing

Q322. In evaluating and reviewing the effectiveness of the management’s communication of IS policies to concerned personnel, the IS auditor would be LEAST interested in reviewing / conducting:
A. Systems and procedure manuals of the user department.
B. Interviews with the IS personnel and the end users.
C. Working Notes of the IS audit staff of the minutes of the IS
Steering committee meetings.
D. Information processing facilities operations and procedures
manuals.

Q323. In evaluation of an organisation’s IS strategy, which of the following would an IS auditor consider to be the MOST important criterion?
A. Adequately supporting the business objectives of the organisation.
B. Consistent with the IS department’s preliminary budget
C. Procurement procedures are complied with.
D. Improvement done by the line management.

Q324. In the absence of full segregation of duties in an on-line system, the distinct activity not to be combined with the other IS activities is:
A. Authorising
B. Originating
C. Correcting
D. Recording

Q325. In resolving legal complications, e-mail systems act as an important medium of evidence since:
A. Classification of data is frequently used to control the information to be communicated through e-mails.
B. The evidence is clear since there are defined policies for using e-mail within the enterprise.
C. Excessive cycles of backup files remain due to poor housekeeping.
D. Accountability of the activities on the e-mail system is well
established due to strong access controls.

Q326. In segregation of duties, the organisation will be exposed to a very HIGH risk if the duties of:
A. Computer Operator and Quality Assurance are combined.
B. The work of a Data entry clerk is also done by a Tape Librarian.
C. A tape librarian are carried out by an application programmer.
D. Systems analyst and database administrator are done by the
same person.

Q327. In the case of Business Process Re-engineering, which of the following is NOT true?
A. Development of a project plan and defining the key areas to be reviewed is a key factor for the success of a BPR.
B. Implementation and monitoring of the new process is the management’s responsibility.
C. The success of a BPR is reached when the business and the risk suit the re-engineering process.
D. The IS auditor is not concerned with the key controls that once
existed but with the one which exists in the new business
process.


Q328. ISO stands for:
A. International Statement of Organisation
B. International Organisation for Standardisation
C. International Standards Organisation
D. International Organisation for Stability

Q329. Intrusion can BEST be detected by:
A. Monitoring of all unsuccessful logon attempts by the security
administrator.
B. If on reaching the specified number of unsuccessful logon
attempts, the system is automatically logged off.
C. Authorised procedures are followed for user creation and user
privileges.
D. Automatic logoff if workstation is inactive for a specific period of
time.

Q330. IS activities can be outsourced to a third party. To evaluate the performance of the service provider, the auditor should:
A. Benchmark the services
B. Identify the risk associated with outsourced activity
C. Determine the duration of the contract with the service provider
D. Determine the frequency at which the payment will be made for
services

Q331. ISO 9000:2000 standards are based on eight quality management principles. One of the principles follows the systems approach to management, which has various advantages. Which of the following comes within the purview of this approach?
A. Defining different activities and their working within the system
B. Segregation of duties
C. Continuous monitoring
D. All of the above


Q332. IT operational efficiency is measured in terms of:
A. Technological value added to the organisation.
B. Its impact on other business processes and business units.
C. Decreased costs and increased revenue.
D. All the above

Q333. Maintenance of adequate security measures over IS assets and accountability for the same rests with the:
A. Database administrator
B. Data and System owners
C. Data entry operators
D. Data Librarian

Q334. Many organisations are outsourcing specific activities to Service Providers (SPs). Which is the least probable reason for such a move?
A. High security
B. Low cost
C. Reduced operational risk
D. Better service

Q335. Reconciliation of transactions in an application system is generally carried out by the:
A. Application programmers
B. Systems design personnel
C. Employee in Computer operations.
D. End users in the respective business units

Q336. Segregation of duties is the procedure of dividing the critical functions among different individuals so that no two critical aspects of a function are performed by the same individual. Which of the following is not a benefit of segregation of duties:
A. It reduces the possibility of frauds and misconducts
B. It increases the opportunity for someone to perpetuate misdeeds
and conceal errors
C. It makes the individual accountable for any unauthorised access
D. It reduces the dependency on one individual

Q337. Which of the following statements about segregation of duties is TRUE?
A. Improvement of an organisation’s efficiency and communication can be achieved through a restrictive separation of duties.
B. Policies on segregation of duties in IS must highlight the variations between the logical and physical access to assets.
C. While evaluating an organisation’s policy of segregation of duty, the competency of the employees is of no relevance.
D. An organisation chart provides a precise definition of the
segregation of duties among the employees.

Q338. Service level agreements ensure that effective and efficient computer
services are provided to users. Which of the following is correct with
respect to service level agreements:
A. They are limited to certain IT resources
B. They are static agreements
C. They are arrangements between users and computer operation
facilities
D. It is the responsibility of the user department to provide a framework for each service level agreement

Q339. Shareware software acquired by a company can be used
A. Only by the company
B. By its employees for their personal purpose also
C. By all third parties associated with the company
D. By Everyone with whom the company chooses to share it

Q340. Testing of the accuracy of the interest collected on lending by a financial institution is a/an
A. test of controls
B. analytical review
C. substantive test
D. understanding of internal controls

Q341. Substantive Testing and Compliance Testing can be best differentiated as:
A. The latter tests details while the former tests procedures.
B. The former tests procedures while the latter tests plans.
C. Substantive testing tests validation while compliance testing tests
for regulatory requirements.
D. The latter tests for controls while the former tests for details

Q342. The activity of a detective control in detecting viruses relates to
A. Daily scanning of the entire file server and moving to a safer area all the doubtful files
B. Linking to external systems through a firewall
C. Pre-usage scan of all secondary storage media brought from outside.
D. Updating of anti-virus configuration settings on logging in by the user.

Q343. The activity which is NOT a control function of a database administrator (DBA) is:
A. Review of access logs at a supervisory level.
B. Approval of DBA activities by the management.
C. Database structure maintenance.
D. Separation of duties.

Q344. The advantage of an ISO 9001 quality system implementation is:
A. All business problems are assured of quality solutions.
B. Worries over cost effectiveness are well addressed.
C. Software Life Cycle activities are improved.
D. Maturity of the implemented quality system is irrelevant.

Q345. The advantage of tagging live transactions in an Integrated Test Facility (ITF) as against designing new test data is that:
A. Special audit routines do not have to be embedded
B. It limits the conditions to be tested in the system
C. Source documents do not have to be redesigned.
D. Test transactions are representative of normal application system
processing.

Q346. The application run manual would normally comprise:
A. Change records for the application source code.
B. Program Logic flow charts and file definition.
C. Data base structures and the source codes.
D. Recovery actions for the error codes.

Q347. The basic character / purpose of an audit charter is best described by which of the following?
A. Outlines the overall authority, scope and responsibilities of the audit function.
B. States the audit’s objective for the delegation of authority for maintenance and review of internal controls.
C. Documents the procedures designed to achieve the planned audit objectives.
D. Is dynamic and often changes with the technology and profession.


Q348. The BEST and most reliable form of evidence that assists the IS auditor to develop audit conclusions is:
A. Control Self Assessment assurance received on the working of
the application from a line management personnel.
B. A Letter of confirmation received from an outsider regarding the
account balance.
C. An analytical review of the ratios by the IS auditor from the
information received from the internal line management.
D. Internet trend analysis of the industry’s performance.

Q349. The BEST and the most reliable form of evidence that an IS auditor
would look for in audit of an IS environment is
A. The IS auditor’s test results
B. The auditee’s oral explanation / statement of the evidence
C. A confirmation letter received by the IS auditor directly from an
outside source
D. A report generated by the accountant from internal evidence

Q350. The BEST method of detecting the copying of illegal software onto a network is by:
A. Periodically checking all the hard disks.
B. Using diskless workstations.
C. Framing policies for immediate termination of service of the employee if he violates them.
D. Always using an updated version of an anti-virus software
package.

Q351. The BEST set of attributes of Functionality in evaluating the quality of the software product during its lifecycle is:
A. Relationship between the amount of resources used and the level of performance of the software.
B. Ability of the software in maintaining its quality of performance under various conditions.
C. Availability of a set of functions and its relevant properties.
D. Possibility of the software to be migrated from one environment.

Q352. The comment which is NOT true regarding ISO 9000 is
A. Documentation of activities is the main focus of the standard.
B. Quality compliance requirement sets are defined in ISO 9000.
C. Aspects affecting the customer satisfaction in an organisation are dealt with in the ISO 9000 standard.
D. Both the Internal and External business processes are covered under the standard.

Q353. The definition of expected loss from a threat is:
A. the anticipated loss from the failure of the system to meet its
functional, efficiency and effectiveness objectives
B. the loss likely to occur in the ordinary course of business
C. the loss likely to occur if the threat materializes multiplied by the
probability of the threat
D. the loss likely to occur if the threat materializes

Q354. The DISADVANTAGE in cross training employees is that:
A. Succession planning is not provided for.
B. Increases the dependence on a single employee.
C. Allow individuals to understand all parts of a system.
D. Does not provide backup in the event of absence.

Q355. The duties and role of an IS Steering Committee are:
A. Performance review of the system department.
B. Preparation and monitoring of System implementation plans.
C. Initiating computer applications.
D. Ensuring data processing resources are efficiently used.


Q356. The duties of Computer Operations do NOT comprise:
A. Trouble shooting teleprocessing problems.
B. Analysis of degradation of the system.
C. Review and analysis of user specifications.
D. Analysing system schedules

Q357. The duties of a Data Security Officer do NOT comprise:
A. Monitoring whether security of data is adequate and effective.
B. Suggesting and enforcing security measures (e.g. changes in password)
C. Ensuring completeness and correctness of the data
D. Preparation of data classification methodology.

Q358. The duties of a Database Administrator do NOT comprise:
A. Monitoring database usage
B. Altering physical data definitions for improving performance.
C. Designing database applications
D. Specifying physical data definition

Q359. The duty and responsibility of the security administrator without affecting
the interests of the organisation CAN be combined with that of the:
A. Computer operator
B. Systems Analyst
C. Systems programmer
D. Quality assurance

Q360. The duty of the Quality Assurance Group is
A. Ensuring completeness of the output on processing.
B. Adherence of established standards by programs, program changes and documentation.
C. Developing and designing standards and procedures to protect data in case of accidental disclosure, modification or destruction.
D. Reviewing execution of computer processing tasks.

Q361. The FIRST and preliminary step in the process of information security program establishment is:
A. Acquisition of a software for the purpose of controlling the
security access.
B. Framing and adherence of a Corporate IS policy statement
C. Developing and implementing an IS security standards manual
D. The IS auditor conducting a comprehensive security control study.

Q362. The FIRST step an IS auditor conducting a software licensing audit should take on noticing that unauthorised software is used on most of the machines is:
A. Inform the auditee of the same and follow up to confirm deletion of the software.
B. Physically delete all copies of the unauthorised software on the machines.
C. Do not initiate any action, as it is a common practice and only the operations management is liable for observing the use of such unauthorised software.
D. Report to auditee management that unauthorised software is being used and the requirement to prevent such future occurrences.

Q363. The FIRST step in the review of an IT strategic plan is the review of
the:
A. Business plan of the organisation.
B. Information technology environment available at present.
C. Recent trends in the technology.
D. IT budget approved in the latest meeting of the Management.


Q364. The IMPORTANT benefit of the risk assessment approach compared to the baseline approach to IS security management is that:
A. Irrespective of the asset value, a basic level of protection is
applied.
B. Adequate levels of protection are applied to information assets.
C. Equal resources are devoted to protect all information assets.
D. There is excess protection of the information assets.

Q365. The independence of an IS auditor who was involved in the development of an application system shall be impaired when he:
A. Actively involves himself while designing and implementing the application system.
B. Performs a post-implementation evaluation of the application independently.
C. Suggests control and system enhancements to the management.
D. Conducts a review of the application developed.

Q366. The inherent risk in an application system is NOT likely to be influenced by
A. the criticality of the application
B. the reliability of the controls in the system as perceived by the
auditor
C. the implementation of advanced technology in the application
D. the strategic nature of the system

Q367. The job responsibilities and rights of an application programmer do NOT include
A. Access to system program libraries.
B. Defining backup procedures.
C. Maintaining the systems in production.
D. Moving test versions into the production environment.

Q368. The LAN policy describes the job of persons who work on the network.
The duties of a network administrator are
A. Monitoring security violations
B. Password administration
C. Configuring and optimising storage systems
D. Monitoring network environmental conditions

Q369. The main difference between manual and computerized systems in so far as separation of duties is concerned is:
A. separation of duties is essential in manual systems whereas in-
built checks and balances take care in computerized systems
B. separate persons are responsible for initiation and authorization
in manual systems whereas execution and maintenance of
programs are entrusted to different persons in computerized
environment
C. separation of duties is easy to achieve in manual systems and
impossible in computerized systems
D. separation of duties does not totally eliminate frauds in manual
systems whereas computerized systems do not allow frauds to
be perpetrated.

Q370. The main difference in terms of control between a manual system and
a computer system is:
A. there is a difference in the internal control principles
B. the methodology for implementing the controls is not the same in
both
C. there is a perceptible difference in the basic control objectives
D. the control objectives pose more problems for implementing

Q371. The MAIN purpose of having Compensating Controls is to
A. Report the errors and omissions noticed.
B. Solve the problems encountered by the detective controls.
C. Foresee important problems prior to their occurring.
D. Reduce risks of existing or anticipated control weaknesses.

Q372. The MOST critical situation that an IS auditor should report when he
observes a computer operator also performing the duties of a backup
tape librarian and security administrator is:
A. It is not necessary to report these situations to the senior
management.
B. Computer operators acting as a tape librarian and security
administrator.
C. Computer operators acting as security administrators.
D. Computer operators acting as tape librarians.

Q373. The MOST ideal documentation for an Enterprise Product Re-engineering software installation is that
A. All phases of the installation must be documented.
B. Business requirement only needs to be documented.
C. Only specific developments are to be documented.
D. There is no need to develop a specific documentation for the
customer.

Q374. The MOST likely characteristic of an information systems OPERATIONAL plan is:
A. assessing the strengths and limitations of the hardware to be
installed and software platform to be used
B. focusing on the strategy for the next three years for the IS
division
C. documenting the major milestones to be achieved in the system
development process
D. narrate the competitive advantages of the proposed development

Q375. The objective of using a System Control Audit Review File (SCARF) within the application is to collect the following information except:
A. Statistical sampling
B. Policy and procedural variations
C. Application system errors
D. Lack of internal program documentation

Q376. The purpose of establishing an Information System Security Evaluation Team is to
A. Guide the management and help them in protecting information
assets
B. Help in recruitment of the staff
C. Assist in appointing auditors
D. Frame the security and other policies of the company

Q377. The quality that should be determined by the IS auditor while reviewing
the functions of a Database administrator is
A. The database administrator has strong systems programming
capabilities.
B. The IS auditor’s audit software has the efficiency in accessing the
database.
C. The job responsibilities of the function are clearly defined.
D. The function reports to the data processing operations.

Q378. The quantification of the sample size depends on which of the following criteria?
A. The sample size decreases as the precision amount decreases.
B. The expected population error rate does not affect the sample
size.
C. The sample size decreases with a decrease in the standard
deviation.
D. The confidence level increases as the sample size decreases.

Q379. The reason for the IS auditor NOT preparing a formal audit program is:
A. To structure the IS auditor’s own planning.
B. Guiding the assistants in performing planned procedures.
C. Overall risk assessment of operations in the organisation.
D. Providing audit documentation for review and reference.

Q380. Which of the following is an application level firewall?
A. Packet filtering routers
B. Proxy systems
C. Stateful inspection
D. Circuit layer gateways

Q381. Which of the following is not a hash function?
A. MD Algorithm
B. Secure Hash Algorithm
C. Quantum Cryptography
D. HAVAL

Q382. Which one of the following is not a private IP address?
A. 10.5.09.210
B. 59.12.90.111
C. 172.16.99.100
D. 192.168.32.11

Q383. Which one of the following purposes is not served by Digital Certificates?
A. Authentication
B. Validity of certificate
C. Non-Repudiation
D. Selection

Q384. Which is the component not found in a data dictionary?
A. Table definition
B. ER model of data
C. Actual data
D. Data element definition

Q385. In a Public Key Infrastructure, confidentiality is ensured by the:
A. Hash Code
B. Private Key
C. Public Key
D. Symmetric Key

Q386. System software that informs the computer how to use a particular
peripheral device is known as
A. Loader
B. Linker
C. Device Driver
D. Compiler

Q387. Which of the following is not a data structure?
A. Hierarchical
B. Network
C. Relational
D. Traditional

Q388. Which of the following IP address class has maximum hosts in its
network?
A. Class A
B. Class B
C. Class C
D. Class D

Q389. A topology in which every node is physically connected to every other node is _____.
A. Tree
B. Star
C. Mesh
D. Bus

Q390. Which of the following is not an operating system?
A. Mainframe Systems
B. Multiprocessor Systems
C. Distributed Systems
D. Peer-to-peer systems

Q391. ARP stands for:
A. Address Reverse Protocol
B. Address Rapid Protocol
C. Address Resolution Protocol
D. Address Reserve Protocol

Q392. The voice data is transformed from analog to digital mode or vice-versa
by:
A. Internet Service Provider
B. Internet Service Provider
C. VoIP Service Provider
D. PSTN Station

Q393. What is the similarity between a multiplexer and a hub?
A. Both of them use TDM
B. Both use FDM and STDM
C. Both are hardware
D. Both route multiple connections

Q394. A Data Dictionary contains:
A. Data about data.
B. Programs.
C. Programs and data.
D. None of above.

Q395. A compiler is an example of:
A. System software
B. Programming software
C. Application software
D. Utility software

Q396. The IP address 205.189.256.71 is a
A. Class A address
B. Class B address
C. Class C address
D. None of above

Q397. IETF stands for:
A. The Internet Engineering Task Force
B. The Internet Engineering Travel Force
C. The International Engineering Task Force
D. The International Engineering Travel Force

Q398. A specialized network device that determines the next network point to
which a data packet is forwarded toward its destination is called:
A. Gateway
B. Router
C. Firewall
D. Hub

Q399. Which one of the following is also known as a Proxy Server?
A. Dual Level Gateway
B. Application- Level Gateway
C. Circuit-Level Gateway
D. Packet Level Gateway

Q400. Switch is a:
A. Physical Layer device
B. Data Link Layer device
C. Network Layer device
D. Transport Layer device

Q401. EBCDIC stands for
A. Expandable Binary-Coded Decimal Interchange Code
B. Extended Binary-Coded Decimal Interchange Code
C. Extended Bit-Coded Decimal Interchange Code
D. None of the above

Q402. Embedded Systems make use of software called:
A. Middleware
B. Shareware
C. Firmware
D. None of the above

Q403. Which of the following is not a protocol in the Application Layer of TCP/
IP suite?
A. SMTP
B. DNS
C. UDP
D. TELNET

Q404. Hash functions are also called:
A. One-way Encryption
B. Public Key Encryption
C. Symmetric Key Encryption
D. Asymmetric Key Encryption

Q405. Which of the following is not an OSI Layer?
A. Application Layer
B. Data Link Layer
C. Message Layer
D. Transport Layer

Q406. NAT stands for:
A. Network Address Translator
B. Network Address Translation
C. Network address Testing
D. None of these

Q407. Which one of the following is not true about DDR2 RAM?
A. It runs twice as fast as DDR
B. It is known as Dynamic Data Rate Two RAM
C. It is known as Double Data Rate Two RAM
D. It is volatile

Q408. The primary difference of a buffer from a cache is in terms of ___________
A. Memory space
B. Temporary storage
C. Process speed
D. Operational level

Q409. Property that does not permit any person who signed any document to
deny it later is called:
A. Integrity
B. Validation
C. Maintenance
D. Non-Repudiation

Q410. Which of the following is not a level of abstraction?
A. Conceptual Level
B. Chemical Level
C. User Level
D. Physical Level

Q411. Access to the firewall should be limited to:
A. Firewall administrators
B. Top management
C. Security administrators
D. IT personnel

Q412. Which one of the following databases supports programming languages?
A. Hierarchical model
B. Network model
C. Relational model
D. Object-oriented models

Q413. MAU is:
A. Miscellaneous Access Unit
B. Multi Access Unicode
C. Multi - station Access Unit
D. Miscellaneous Access Unicode

Q414. SMTP uses port:
A.
B.
C.
D.

Q415. Which one of the following is not an essential feature of a LAN?
A. Range
B. Transmission Technology
C. Topology
D. Routing

Q416. A Packet Filter Firewall Ruleset ideally should:
A. Forward any packet with a source address of the local network
to the external network
B. Allow all access from the external network to the firewall system
itself
C. Expressly allow everything unless specifically prohibited
D. Expressly prohibit everything unless specifically allowed

Q417. The following device is used to connect one type of IEEE 802.x LAN to another:
A. Router
B. Repeater
C. Bridge
D. No device is necessary as they are all compatible and are hence
grouped under 802 series

Q418. The operating system is not responsible for which of the following activities in connection with process management?
A. Creating and deleting both user and system processes.
B. Suspending and resuming processes.
C. Storage allocation.
D. Providing mechanism for deadlock handling

Q419. 127.0.0.1 is
A. Broadcast address
B. Loopback address
C. Default routing address
D. None of above

Q420. Which of the following is a feature of ActiveX controls that can both be
used as well as misused?
A. ActiveX controls can be reused
B. ActiveX controls can access system resources
C. Many pre-developed controls for performing many tasks are
available
D. Execution of ActiveX controls can be controlled using Internet
Explorer security settings

Q421. Client server architecture is:
A. System software architecture.
B. Application software architecture.
C. Hardware architecture.
D. All of above.

Q422. When data is accessed through both sequential and direct access
methods the process is called:
A. Sequential storage and retrieval
B. Direct access and retrieval
C. Indexed sequential storage and retrieval
D. None of the above

Q423. A computer that is extremely fast and used for specialized applications
requiring immense mathematical calculations is:
A. Mainframe computer
B. Mini Computer
C. Super Computer
D. Hand held Device

Q424. Which one of the following is not a key issue in data and capacity management?
A. How to effectively manage rapidly growing volume of data?
B. How to leverage data and storage technology to support business
needs?
C. What is the best data and storage management framework for an
enterprising business environment?
D. How to maintain the performance of a system?

Q425. Which of the following is not true about the Open System Interconnection (OSI) model:
A. is a reference model
B. describes how information from a software application in one
computer moves through a network medium to a software
application in another computer
C. is a seven layered model
D. is a communication protocol.

Q426. The sequence of steps followed in a connection-oriented service is:
A. Connection Release, Data Transfer, and Connection
Establishment
B. Connection Establishment, Data Transfer, and Connection
Release
C. Connection Release, Connection Establishment, and Data
Transfer
D. Data Transfer, Connection Establishment, and Connection
Release

Q427. Which one of the following pairs performs a similar function?
A. Assembler and compiler
B. The Web server and the Web browser
C. Port protection device (PPD) and packet assembly and
disassembly (PAD) device
D. Routers and gateways

Q428. Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
A. Physical layer
B. Data Link layer
C. Presentation layer
D. Application layer

Q429. Which of the following is not true about firewalls?
A. They cannot be circumvented by the use of modems.
B. They are responsible for filtering of network traffic between public and private networks.
C. More than one type of firewall can be used in a network.
D. Firewalls may be hardware devices or computers running firewall
software.

Q430. In an Internet URL, "http://www.icai.org", what is the use of .org?
A. Identifies the protocol being used
B. Identifies that the site is on the Internet
C. It is an additional information and is not needed
D. Identifies the domain and the purpose of the site

Q431. Hardware monitoring procedures that help in the hardware maintenance program do not utilise:
A. Hardware Error Reports
B. Availability Reports
C. Utilization Reports
D. Preventive Maintenance Reports

Q432. The _______ is a mechanism used by hosts and routers to send notification of datagram problems back to the sender.
A. ICMP
B. TCP
C. SMTP
D. TFTP

Q433. DMZ stands for:
A. De-military Zone
B. Demilitarized Zone
C. De-military Zone
D. None of these

Q434. Network-based Intrusion Detection Systems cannot do which of the following:
A. Filter and analyse packets over a network
B. Operate in Real-Time
C. Match against database of known “attack signatures”
D. Recognise new types of attacks

Q435. When sending a signed message under a public key infrastructure, the
message is encrypted using the:
A. receiver’s private key
B. sender’s private key
C. receiver’s public key
D. sender’s public key and receiver’s private key

Q436. The Internet protocol (IP) address is
A. Always same for any server.
B. More than 32 bits to provide high security
C. Can change even if the Domain Name remains the same
D. Not a part of the DNS

Q437. The main disadvantage of peer-to-peer networking is:
A. The networks are difficult to configure
B. The networks are expensive
C. The network is less secure than a server based network
D. It follows a Master/Slave topology

Q438. Internet Protocol v.6
A. Address is shorter than Internet Protocol v.4 address
B. Migration from Internet Protocol v.4 will require extra cost
C. Migration from Internet Protocol v.4 will increase the IP address space
D. is not being implemented in India.

Q439. Thin client fat server architecture means:
A. Client is dumb and server is intelligent.
B. Server is dumb and client is intelligent.
C. Client is less powerful than server.
D. Server is less powerful than client.

Q440. Where are the additional data and programs not used by the processor
stored?
A. Secondary storage
B. Input units
C. Output units
D. The CPU.

Q441. Hashing, used to get storage addresses, is the process of applying a formula to a:
A. Key field
B. File
C. Record
D. Character

Q442. A bus line consists of
A. Parallel data paths
B. Registers
C. Accumulators
D. Machine cycles

Q443. Pretty Good Privacy (PGP) is used in
A. Email security
B. Browser security
C. FTP security
D. None of the mentioned

Q444. Processing transactions in groups is called
A. Batch processing
B. Transaction processing
C. Offline processing
D. Data processing

Q445. A computer based system in which a telephone message is recorded in digital form and then forwarded to others is
A. Voice mail
B. Tele conferencing
C. A bulletin board
D. Tele commuting

Q446. Computer systems that use data communication equipment to connect two or more computers and their resources are a
A. Network
B. Host computer system
C. Teleprocessing system
D. Centralized processing system

Q447. The term used to describe the placement of the data entry function at
the scattered locations where the transactions occur is:
A. Distributed data entry
B. Distributed database
C. Distributed computing
D. Distributed risk management

Q448. In which way does the Combined Encryption combine symmetric and
asymmetric encryption?
A. The secret key is asymmetrically transmitted, the message itself
symmetrically.
B. First, the message is encrypted with symmetric encryption and
afterwards it is encrypted asymmetrically together with the key.
C. The secret key is symmetrically transmitted, the message itself
asymmetrically.
D. First, the message is encrypted with asymmetric encryption and
afterwards it is encrypted symmetrically together with the key.

Q449. A bus line consists of
A. Parallel data paths
B. Registers
C. Accumulators
D. Machine cycles

Q450. Hashing, used to get storage addresses, is the process of applying a formula to a:
A. Key field
B. File
C. Record
D. Character

Q451. The name for a screen's clarity is
A. Resolution
B. Pixel
C. Refresh rate
D. LCD

Q452. Where are the additional data and programs not used by the processor
stored?
A. Secondary storage
B. Input units
C. Output units
D. The CPU.

Q453. IPSec is designed to provide security at the
A. Network layer
B. Transport layer
C. Application layer
D. Session layer

Q454. A pictorial screen symbol that represents a computer activity/artifact is called a(n):
A. Icon
B. Pointer
C. Cursor
D. Touch Screen

Q455. Processing transactions in groups is called
A. Batch processing
B. Transaction processing
C. Offline processing
D. Data processing

Q456. Computer systems that use data communication equipment to connect two or more computers and their resources are a
A. Network
B. Host computer system
C. Teleprocessing system
D. Centralized processing system

Q457. A computer based system in which a telephone message is recorded in digital form and then forwarded to others is
A. Voice mail
B. Tele conferencing
C. A bulletin board
D. Tele commuting

Q458. Microwave transmission, coaxial cables, and fiber optics are examples
of
A. Communication links
B. protocols
C. Internet working
D. Frames

Q459. The technique in shared programs that avoids interspersed printout from several programs is:
A. Spooling
B. Queuing
C. Paging
D. Slicing

Q460. The term used to describe the placement of the data entry function at
the scattered locations where the transactions occur is:
A. Distributed data entry
B. Distributed database
C. Distributed computing
D. Distributed risk management

Q461. The effective size of the primary storage available for programs may
appear to be unlimited when the following concept is used:
A. Virtual storage
B. Memory caches
C. Buffering
D. Mirroring

Q462. Pretty Good Privacy (PGP) is used in
A. Email security
B. Browser security
C. FTP security
D. None of the mentioned

Q463. In which way does the Combined Encryption combine symmetric and
asymmetric encryption?
A. The secret key is asymmetrically transmitted, the message itself
symmetrically.
B. First, the message is encrypted with symmetric encryption and
afterwards it is encrypted asymmetrically together with the key.
C. The secret key is symmetrically transmitted, the message itself
asymmetrically.
D. First, the message is encrypted with asymmetric encryption and
afterwards it is encrypted symmetrically together with the key.

Q464. A pictorial screen symbol that represents a computer activity/artifact is called a(n):
A. Icon
B. Pointer
C. Cursor
D. Touch Screen

Q465. The effective size of the primary storage available for programs may
appear to be unlimited when the following concept is used:
A. Virtual storage
B. Memory caches
C. Buffering
D. Mirroring

Q466. Microwave transmission, coaxial cables, and fiber optics are examples
of
A. Communication links
B. protocols
C. Internet working
D. Frames

Q467. The technique in shared programs that avoids interspersed printout from several programs is:
A. Spooling
B. Queuing
C. Paging
D. Slicing

Q468. The name for a screen's clarity is
A. Resolution
B. Pixel
C. Refresh rate
D. LCD

Q469. IPSec is designed to provide security at the
A. Network layer
B. Transport layer
C. Application layer
D. Session layer

Answers for Module 1

Q1 Ans. c Q31 Ans. c Q61 Ans. a
Q2 Ans. a Q32 Ans. c Q62 Ans. d
Q3 Ans. c Q33 Ans. c Q63 Ans. d
Q4 Ans. d Q34 Ans. d Q64 Ans. d
Q5 Ans. a Q35 Ans. c Q65 Ans. b
Q6 Ans. c Q36 Ans. a Q66 Ans. b
Q7 Ans. a Q37 Ans. c Q67 Ans. b
Q8 Ans. b Q38 Ans. d Q68 Ans. b
Q9 Ans. c Q39 Ans. a Q69 Ans. a
Q10 Ans. d Q40 Ans. d Q70 Ans. b
Q11 Ans. b Q41 Ans. c Q71 Ans. c
Q12 Ans. c Q42 Ans. d Q72 Ans. d
Q13 Ans. d Q43 Ans. a Q73 Ans. c
Q14 Ans. b Q44 Ans. c Q74 Ans. c
Q15 Ans. c Q45 Ans. c Q75 Ans. a
Q16 Ans. a Q46 Ans. b Q76 Ans. d
Q17 Ans. d Q47 Ans. d Q77 Ans. c
Q18 Ans. d Q48 Ans. c Q78 Ans. a
Q19 Ans. c Q49 Ans. c Q79 Ans. a
Q20 Ans. d Q50 Ans. b Q80 Ans. a
Q21 Ans. a Q51 Ans. c Q81 Ans. b
Q22 Ans. c Q52 Ans. a Q82 Ans. c
Q23 Ans. b Q53 Ans. c Q83 Ans. d
Q24 Ans. c Q54 Ans. a Q84 Ans. c
Q25 Ans. c Q55 Ans. a Q85 Ans. b
Q26 Ans. a Q56 Ans. b Q86 Ans. b
Q27 Ans. d Q57 Ans. d Q87 Ans. d
Q28 Ans. b Q58 Ans. b Q88 Ans. b
Q29 Ans. a Q59 Ans. a Q89 Ans. c
Q30 Ans. c Q60 Ans. d Q90 Ans. c

Q91 Ans. b Q123 Ans. c Q155 Ans. a
Q92 Ans. a Q124 Ans. d Q156 Ans. b
Q93 Ans. d Q125 Ans. b Q157 Ans. c
Q94 Ans. a Q126 Ans. c Q158 Ans. c
Q95 Ans. c Q127 Ans. d Q159 Ans. c
Q96 Ans. a Q128 Ans. c Q160 Ans. d
Q97 Ans. b Q129 Ans. d Q161 Ans. c
Q98 Ans. d Q130 Ans. c Q162 Ans. c
Q99 Ans. c Q131 Ans. c Q163 Ans. c
Q100 Ans. b Q132 Ans. a Q164 Ans. d
Q101 Ans. d Q133 Ans. a Q165 Ans. b
Q102 Ans. a Q134 Ans. b Q166 Ans. b
Q103 Ans. b Q135 Ans. b Q167 Ans. c
Q104 Ans. a Q136 Ans. c Q168 Ans. a
Q105 Ans. d Q137 Ans. d Q169 Ans.
Q106 Ans. d Q138 Ans. d Q170 Ans. a
Q107 Ans. b Q139 Ans. b Q171 Ans. d
Q108 Ans. d Q140 Ans. a Q172 Ans. a
Q109 Ans. c Q141 Ans. a Q173 Ans. a
Q110 Ans. d Q142 Ans. b Q174 Ans. a
Q111 Ans. d Q143 Ans. c Q175 Ans. c
Q112 Ans. b Q144 Ans. d Q176 Ans. d
Q113 Ans. a Q145 Ans. b Q177 Ans. b
Q114 Ans. b Q146 Ans. c Q178 Ans. d
Q115 Ans. a Q147 Ans. d Q179 Ans. a
Q116 Ans. d Q148 Ans. d Q180 Ans. c
Q117 Ans. d Q149 Ans. d Q181 Ans. d
Q118 Ans. d Q150 Ans. b Q182 Ans. d
Q119 Ans. b Q151 Ans. c Q183 Ans. c
Q120 Ans. a Q152 Ans. d Q184 Ans. d
Q121 Ans. b Q153 Ans. a Q185 Ans. b
Q122 Ans. b Q154 Ans. d Q186 Ans. c

Q187 Ans. a Q219 Ans. d Q251 Ans. a
Q188 Ans. a Q220 Ans. d Q252 Ans. a
Q189 Ans. a Q221 Ans. a Q253 Ans. d
Q190 Ans. a Q222 Ans. b Q254 Ans. a
Q191 Ans. d Q223 Ans. c Q255 Ans. c
Q192 Ans. b Q224 Ans. a Q256 Ans. c
Q193 Ans. b Q225 Ans. c Q257 Ans. b
Q194 Ans. a Q226 Ans. b Q258 Ans. c
Q195 Ans. d Q227 Ans. b Q259 Ans. d
Q196 Ans. a Q228 Ans. b Q260 Ans. b
Q197 Ans. b Q229 Ans. d Q261 Ans. d
Q198 Ans. c Q230 Ans. d Q262 Ans. b
Q199 Ans. c Q231 Ans. d Q263 Ans. a
Q200 Ans. b Q232 Ans. c Q264 Ans. c
Q201 Ans. d Q233 Ans. c Q265 Ans. a
Q202 Ans. b Q234 Ans. d Q266 Ans. b
Q203 Ans. a Q235 Ans. a Q267 Ans. a
Q204 Ans. b Q236 Ans. d Q268 Ans. c
Q205 Ans. b Q237 Ans. d Q269 Ans. c
Q206 Ans. a Q238 Ans. b Q270 Ans. c
Q207 Ans. a Q239 Ans. d Q271 Ans. b
Q208 Ans. b Q240 Ans. c Q272 Ans. d
Q209 Ans. c Q241 Ans. c Q273 Ans. d
Q210 Ans. c Q242 Ans. c Q274 Ans. c
Q211 Ans. a Q243 Ans. d Q275 Ans. b
Q212 Ans. d Q244 Ans. b Q276 Ans. d
Q213 Ans. d Q245 Ans. c Q277 Ans. b
Q214 Ans. a Q246 Ans. d Q278 Ans. c
Q215 Ans. d Q247 Ans. d Q279 Ans. b
Q216 Ans. d Q248 Ans. b Q280 Ans. a
Q217 Ans. d Q249 Ans. d Q281 Ans. b
Q218 Ans. c Q250 Ans. c Q282 Ans. c

Q283 Ans. a Q315 Ans. c Q347 Ans. a
Q284 Ans. c Q316 Ans. b Q348 Ans. b
Q285 Ans. b Q317 Ans. b Q349 Ans. c
Q286 Ans. a Q318 Ans. a Q350 Ans. a
Q287 Ans. d Q319 Ans. c Q351 Ans. c
Q288 Ans. b Q320 Ans. a Q352 Ans. d
Q289 Ans. b Q321 Ans. c Q353 Ans. c
Q290 Ans. c Q322 Ans. c Q354 Ans. c
Q291 Ans. b Q323 Ans. a Q355 Ans. d
Q292 Ans. a Q324 Ans. a Q356 Ans. c
Q293 Ans. b Q325 Ans. c Q357 Ans. c
Q294 Ans. b Q326 Ans. c Q358 Ans. c
Q295 Ans. d Q327 Ans. d Q359 Ans. d
Q296 Ans. b Q328 Ans. b Q360 Ans. b
Q297 Ans. d Q329 Ans. a Q361 Ans. b
Q298 Ans. c Q330 Ans. a Q362 Ans. d
Q299 Ans. d Q331 Ans. d Q363 Ans. a
Q300 Ans. a Q332 Ans. d Q364 Ans. b
Q301 Ans. c Q333 Ans. b Q365 Ans. a
Q302 Ans. a Q334 Ans. a Q366 Ans. b
Q303 Ans. c Q335 Ans. d Q367 Ans. b
Q304 Ans. c Q336 Ans. b Q368 Ans. d
Q305 Ans. c Q337 Ans. b Q369 Ans. b
Q306 Ans. b Q338 Ans. c Q370 Ans. b
Q307 Ans. d Q339 Ans. a Q371 Ans. d
Q308 Ans. a Q340 Ans. c Q372 Ans. c
Q309 Ans. c Q341 Ans. d Q373 Ans. a
Q310 Ans. c Q342 Ans. a Q374 Ans. c
Q311 Ans. a Q343 Ans. c Q375 Ans. d
Q312 Ans. d Q344 Ans. c Q376 Ans. a
Q313 Ans. c Q345 Ans. d Q377 Ans. c
Q314 Ans. d Q346 Ans. d Q378 Ans. c

Q379 Ans. c Q411 Ans. A Q443 Ans. A
Q380 Ans. B Q412 Ans. D Q444 Ans. A
Q381 Ans. C Q413 Ans. C Q445 Ans. A
Q382 Ans. B Q414 Ans. B Q446 Ans. A
Q383 Ans. D Q415 Ans. D Q447 Ans. A
Q384 Ans. C Q416 Ans. D Q448 Ans. A
Q385 Ans. D Q417 Ans. C Q449 Ans. A
Q386 Ans. C Q418 Ans. C Q450 Ans. A
Q387 Ans. D Q419 Ans. B Q451 Ans. A
Q388 Ans. A Q420 Ans. B Q452 Ans. A
Q389 Ans. C Q421 Ans. B Q453 Ans. A
Q390 Ans. D Q422 Ans. C Q454 Ans. A
Q391 Ans. C Q423 Ans. C Q455 Ans. A
Q392 Ans. B Q424 Ans. D Q456 Ans. A
Q393 Ans. C Q425 Ans. D Q457 Ans. A
Q394 Ans. A Q426 Ans. B Q458 Ans. A
Q395 Ans. B Q427 Ans. A Q459 Ans. A
Q396 Ans. D Q428 Ans. C Q460 Ans. A
Q397 Ans. A Q429 Ans. A Q461 Ans. A
Q398 Ans. B Q430 Ans. D Q462 Ans. A
Q399 Ans. B Q431 Ans. D Q463 Ans. A
Q400 Ans. B Q432 Ans. A Q464 Ans. A
Q401 Ans. B Q433 Ans. B Q465 Ans. A
Q402 Ans. C Q434 Ans. D Q466 Ans. A
Q403 Ans. C Q435 Ans. B Q467 Ans. A
Q404 Ans. A Q436 Ans. C Q468 Ans. A
Q405 Ans. C Q437 Ans. C Q469 Ans. A
Q406 Ans. B Q438 Ans. C
Q407 Ans. B Q439 Ans. C
Q408 Ans. C Q440 Ans. A
Q409 Ans. D Q441 Ans. A
Q410 Ans. B Q442 Ans. A

119
DISA Review Questions, Answers Manual – Module 2

Module 2 Questions
Q470. Which one of the following requirements of Virtual reality is concerned
with synchronisation?
A. User input
B. Visual perception
C. Spatiotemporal realism
D. Sound perception

Q471. Which of the following is a Movie file format?
A. .ra
B. .au
C. .mp3
D. .mpeg

Q472. Which stage in the software lifecycle does not require any maintenance?
A. Development or pre-delivery phase
B. Early operational phase
C. Mature operational phase
D. Evolution/replacement phase

Q473. In TPC benchmarks, the performance is measured in terms of
A. Transactions per second
B. Cycles per second
C. Bytes per second
D. None of the above

Q474. Military and defence organisations are more likely to use
A. Discretionary access control.
B. Unrestricted access control.
C. Compulsory access control.
D. Mandatory access control

Q475. Which of the following should NOT be included in an Organisation's information security policy?
A. Identity of sensitive security features
B. Access philosophy
C. Access authorisation
D. Importance of security awareness

Q476. A firewall cannot
A. Protect against unauthorized logins from external networks
B. Protect the network against users connecting to the Internet by dialling to their ISP using their office telephone and a modem
C. Appear transparent to their users
D. Log traffic to and from the local network

Q477. The purpose of employee bonding is to:
A. Reduce financial impact due to improper access/misuse of
physical access
B. Prevent fraud
C. Encourage employees to report access violations
D. Improve physical security

Q478. While auditing the environmental controls the auditor should confirm that
A. LAN file server facility has dust, smoke and other particulate matters
B. Consumption of food, beverage and tobacco is allowed
C. Fire protection equipment is adequate and appropriate
D. Air conditioning and humidity control systems are maintained as desired by the users of the LAN

Q479. Which of the following is NOT an environmental control?
A. Biometric devices
B. Line conditioners
C. Air conditioners
D. Fire suppression systems

Q480. The internal view of data is also called:
A. Physical level
B. Logical level
C. View level
D. None of the above

Q481. Which of these enable a super computer’s CPU to share operations for
enhanced performance?
A. Pipelining
B. Parallelism
C. RISC
D. SMP

Q482. Which term often means a piece of code left behind in the system that
will allow the original programmer back into the system?
A. Trap Door
B. Flap Jack
C. Unicode
D. Stealth Code

Q483. Which of the following terms describes a form of dial-up access control
whereby the user dials the desired phone number, authenticates with
the server, hangs up, and then the server dials the client, establishing
the connection?
A. Dial Back
B. Redialing
C. Call Waiting
D. Call Forwarding

Q484. Which of the following gas-based fire suppression system would you
find in an unmanned computer facility?
A. Argon
B. Halon
C. Carbon-dioxide
D. Oxygen

Q485. In an ideally equipped data centre, the wall, ceiling, etc should be made
of fire resistant materials. For how long is it recommended that they
should resist a fire?
A. 2 Hours
B. 1 Hour
C. 30 Minutes
D. 3 Minutes

Q486. As it applies to security, which selection best defines the difference between the role of an Information Owner and the role of an Information Custodian?
A. The Information Custodian applies the data classification scheme and protection mechanisms after the initial assignment by the Chief Information Officer.
B. The Information Owner is a managing partner of the organization and the Information Custodian is an hourly employee.
C. The Information Custodian applies the data classification scheme and protection mechanisms after the initial assignment by the Owner.
D. The Information Owner applies the data classification scheme and protection mechanisms after the initial assignment by the Custodian.

Q487. Which of the following checks can significantly reduce transcription errors?
A. Range checks
B. Limit checks
C. Check digits
D. Size checks

Q488. Which aspect of storage management incorporates redundancy into the system to maintain performance?
A. Scalability
B. Performance
C. Reliability
D. Manageability

Q489. Which of the following lines prevents tapping?
A. An optical fibre line
B. A digital line
C. A microwave radio system
D. A satellite line

Q490. Which of the following need NOT be considered before hosting a new online privacy policy?
A. Business practices
B. Business partners
C. Proposed users
D. Nature of the site

Q491. While conducting an audit, the auditor should
A. Insist that a security policy exists.
B. Not insist on a security policy.
C. Insist that a security policy exists, and accept the existing policy.
D. Insist that a security policy exists. However, he may not accept the existing policy.

Q492. Cryptographic systems provide for:
A. Linearity of messages.
B. Integrity of messages.
C. Intelligibility of messages.
D. Availability of messages.

Q493. While evaluating the IT control environment for obtaining an understanding of the management's control over IT activities, the auditor should consider:
A. The functions of the IT steering committee
B. The IT strategy of the management
C. The security policy
D. The user's perception of IT

Q494. "Biometric authentication" is based on:
A. Design features
B. Logical features
C. Depends upon the application to be authenticated
D. Physical features

Q495. Which of the following is not a validation done on instruction input?
A. Holistic validation
B. Lexical validation
C. Semantic validation
D. Syntactic validation

Q496. Which of the following is a control problem associated with spooling software?
A. It is error-prone because the software is highly complex.
B. It can be used to obtain an unauthorized copy of a report.
C. The output could be redirected to another printer.
D. The output could be cancelled before printing.

Q497. A scanner with 36-bit depth gives the output in:
A. Less than 36-bit colour depth
B. More than 36-bit colour depth
C. Depends on the document being scanned
D. 24-bit depth only

Q498. A general guideline of a security policy does NOT:
A. Keep the policy a secret
B. Identify acceptable activities
C. Update the policy
D. Identify and determine what is to be protected

Q499. Passwords are used as a basic mechanism to identify and authenticate a system user. Which of the following password-related factors cannot be tested by an IS auditor?
A. Password length
B. Password lifetime
C. Password secrecy
D. Password storage

Q500. A message authentication code is used to protect against
A. Changes to the content of a message
B. Traffic analysis
C. Release of message contents
D. Exposures that arise when PINs are transmitted in the clear

Q501. A device to detect breaches of physical security is
A. Switch controls
B. Deadman doors
C. Motion detectors
D. Identification badges

Q502. The first step in any security administration is:
A. Implement good access control mechanisms.
B. Ensure that good backup procedures have been set up.
C. Ensure that each user has a separate login.
D. Develop a good security policy for the organisation.

Q503. A detailed policy on firewalls should NOT:
A. Ensure that the firewall is logically secured
B. Include guidelines for assessment of logs
C. Ensure that the firewall is physically secured
D. Include log reports

Q504. Which of the following types of database access control is the most
difficult to enforce?
A. Name-dependent access control
B. History-dependent access control
C. Content-dependent access control
D. Context-dependent access control

Q505. For physical and environmental security, in which of the following areas
should policies and procedures be framed?
A. Independent (third-party) assurances
B. Layout of facilities
C. System Development Life Cycle (SDLC)
D. None of the above

Q506. How many emergency power-off switches should be provided in a computer facility?
A. One
B. Two
C. Three
D. Four

Q507. If a thief steals an ATM card and tries to break the PIN by trying all combinations, what type of attack will it be classified as?
A. Keystroke logging
B. Man in the middle
C. Biometric
D. Brute force

Q508. Which of the following features may seriously affect or nullify the utility of audit trails?
A. Passwords are not recorded in the audit trail.
B. Security administrator cannot amend the details in the audit trail.
C. Audit trail records can be amended by the users.
D. Date and time stamps are recorded automatically.

Q509. The risk of piggybacking, in which an unauthorized person could enter the secured facility by closely following an authorized person, may be controlled by
A. Deadman doors
B. Bolting door locks
C. Electronic door locks
D. Cipher locks

Q510. Banking organisations make use of which form of data processing?
A. Batch processing
B. Online processing
C. Time sharing
D. Remote job entry

Q511. While valuing the assets, an information systems (IS) auditor is likely to value MOST:
A. Data files and backup
B. Programs
C. Personnel like the DBA and systems analysts
D. Hardware

Q512. Identify the correct statement with respect to guidelines for data-entry screens.
A. Both bright colours and automatic tabbing are to be avoided
B. Both bright colours and automatic tabbing should be used as
often as possible
C. Bright colours should be avoided and automatic tabbing should
be used as often as possible
D. Bright colours should be used as often as possible while
automatic tabbing should be avoided.

Q513. A check to ensure that the same data is not keyed twice is called:
A. Sequence checks
B. Limit check
C. Missing data check
D. Duplicate check

Q514. Which of the following physical controls would be most appropriate in a high security environment?
A. Combination locks
B. Identification badges
C. Electronic door locks
D. Biometric door locks

Q515. Surge, spike and sag are types of
A. Biometric systems
B. Electrical fluctuations
C. Fire suppression systems
D. Electromagnetic radiations

Q516. In the context of expert systems, moving down to the symptoms from a fault is called
A. Forward chaining
B. Forward integration
C. Backward chaining
D. Backward integration

Q517. To prevent the unauthorized use of floppy drives, which of the following controls is suitable?
A. Switch controls
B. Cable locks
C. Port controls
D. Biometric mouse

Q518. Commercial organisations are more likely to use
A. Discretionary access control.
B. Unrestricted access control.
C. Mandatory access control.
D. Compulsory access control.

Q519. When drafting an information security policy, why would it be important to require that the use of communications test equipment be controlled?
A. The equipment may damage network hardware.
B. The equipment is complicated and the user needs specific training to use it correctly.
C. The equipment can be used to view information passing through the network.
D. The equipment is expensive and needs to be protected from theft.

Q520. Which of the following provides error detection and error correction?
A. Cyclic Redundancy Check
B. Checksum
C. Parity check
D. Hamming code

Q521. Who has the authority to delegate the operational responsibility of an organisation's data?
A. Data user
B. Senior manager
C. Data custodian
D. Data owner

Q522. A requirement that information and programs are changed only in a specified and authorized manner is called:
A. Confidentiality
B. Availability
C. System integrity
D. Data integrity

Q523. Which of the following is the best example of three-factor authentication?
A. An ATM card and a PIN.
B. A thumbprint and password.
C. A smart card, password and thumbprint.
D. A RADIUS server.

Q524. A software programmer writes a program to review the payroll records each month to ensure that he is still employed. If the programmer's name is removed from the payroll, the program will activate another piece of code to destroy vital files on the organi
A. ActiveX
B. Logic bomb
C. Virus
D. Denial of service

Q525. As a quality assurance measure in the batch processing of accounts payable data, a firm sums the account numbers for all accounts processed. This procedure results in a:
A. Hash total
B. Batch number
C. Parity check
D. Checksum

Q526. The integrity of a system cannot be lost due to
A. Trojan horse
B. Packet sniffers
C. Brute force attack
D. Firewalls

Q527. Identify the correct statement.
A. There should be no water drains near a computing facility.
B. Water drains should be "negative", that is, they should flow inward, toward the building.
C. Water drains can be either "positive" or "negative".
D. Water drains should be "positive", that is, they should flow outward, away from the building.

Q528. To enforce the email policy, management need NOT:
A. Educate employees
B. Take prompt action in case of misuse or complaints
C. Educate third parties
D. Prohibit subscription to e-newspapers and e-groups

Q529. Viruses that can change their appearance are known as:
A. Polymorphic virus
B. Boot sector virus
C. Stealth virus
D. Macro virus.

Q530. If the series of data bits 11001011 is received as 11001000, then it is called a:
A. Single bit error
B. Multiple-bit error
C. Burst error
D. Parity error

Q531. Which of the following would be used to deter casual intruders?
A. Biometric locks
B. Port controls
C. Perimeter fencing
D. Wireless proximity readers

Q532. Which one of the following can be attributed as a loss as a result of poor network performance?
A. Lost revenues
B. Lost productivity
C. Intangible losses
D. All of the above

Q533. A requirement that private or confidential information should not be disclosed to unauthorized individuals is called:
A. Confidentiality
B. Availability
C. System integrity
D. Data integrity

Q534. A requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system, is called:
A. Confidentiality
B. Availability
C. System integrity
D. Data integrity

Q535. A requirement intended to assure that systems work promptly and service is not denied to authorized users is called:
A. Confidentiality
B. Availability
C. System integrity
D. Data integrity

Q536. Data entry screens should have:
A. A slow but consistent display rate.
B. A fast and consistent display rate.
C. A slow and varying display rate
D. A slow and varying display rate

Q537. Which technique is best described as a method of providing information for error detection, usually calculated by summing a set of values by both the sender of the information and the receiver of the transmission?
A. Uuencode
B. Algorithm
C. Data mining
D. Checksum

Q538. Identify the correct statement.
A. Fire suppression systems make smoke detectors redundant.
B. Smoke detectors make fire suppression systems redundant.
C. Smoke detectors should supplement fire suppression systems.
D. Neither smoke detectors nor supplementary fire suppression systems are necessary.

Q539. A principle that advocates for minimal user profile privileges on computers, based on users' job necessities, is called:
A. Principle of maximum privilege.
B. Principle of zero privilege.
C. Principle of least privilege.
D. Mandatory access control.

Q540. If the product number A5723 is coded as A5753, this is an example of a:
A. Truncation error
B. Double transposition error
C. Random error
D. Transcription error

Q541. A company's labour distribution report requires extensive corrections each month because of labour hours charged to inactive jobs. Which of the following data processing input controls appears to be missing?
A. Completeness test
B. Limit check
C. Validity test
D. Control total

Q542. Which of the following may be used to protect a laptop?
A. Wireless proximity readers
B. Switch controls
C. Port controls
D. Biometric mice

Q543. As a security precaution, visitors are escorted by a pre-designated responsible employee or security staff. Which of the following would be classified as visitors?
A. Vendors only
B. Vendors and maintenance personnel only
C. Vendors, maintenance personnel and contract workers only
D. Vendors, maintenance personnel, contract workers and auditors

Q544. The greatest risk of inadequate definition of policy relating to ownership of data and systems is:
A. All users are authorised to originate, modify and delete data.
B. Accountability cannot be established.
C. Difficulty in coordinating change within large organisations.
D. Audit recommendations may not be established.

Q545. A firewall is a system for
A. Enforcing an access control policy
B. Preventing viruses
C. Preventing intruders
D. Assisting auditors

Q546. A cookie gets data from
A. Whatever the user enters from the console on a web page
B. What the web server sends to the web browser
C. User application programs
D. The operating system and the web browser used at the client end

Q547. A "dry pipe", which is an arrangement to extinguish fires, is:
A. A sprinkler system where the water is in the pipe, but the outside of the pipe is dry
B. A Halon gas system that contains a dry pipe
C. A carbon dioxide (CO2) gas system that has a dry chemical to extinguish a fire
D. A sprinkler system where the water is not kept charged in pipes but pipes remain dry and, upon detection of heat rise by a sensor, water is pumped into the pipes

Q548. Which of the following is the most recommended water-based fire suppression system for a computer facility?
A. Dry pipe system
B. Wet pipe system
C. Drip pipe system
D. Preaction system

Q549. In which of the following access control models is it necessary for each resource to be classified and for each user to be assigned a clearance level?
A. Supervisory access control
B. Mandatory access control
C. Discretionary access control
D. Reactionary access control

Q550. Which of the following would NOT protect a system from computer viruses?
A. Write-protect all diskettes once they have been virus checked
B. Scan any new software before it is installed
C. Do not allow vendors to run demonstrations on company-owned machines
D. Boot only from diskettes that were initially checked for viruses

Q551. The purpose of a file retention date is to:
A. Enable files with the same generation number to be distinguished
B. Prevent the file from being overwritten before the expiry of the retention date
C. Indicate when the file should be recovered from production activities
D. Prevent the file from being read before expiry of the retention date

Q552. Access time is quickest with which of the following devices?
A. Bolting door locks
B. Electronic Door Locks
C. Combination door locks
D. Wireless Proximity Readers

Q553. The programming language used exclusively for artificial intelligence is ____________.
A. C++
B. Java
C. Prolog
D. VB

Q554. ____________ is a feature of cooperative architecture in distributed job scheduling.
A. Dependence on central server
B. Less scalability
C. Performance degradation
D. Fault tolerance

Q555. In distributed computing, all the jobs are processed in:
A. Serial order
B. Altered order
C. Parallel order
D. Depends upon the application to be processed

Q556. Software licences fall under which of the following categories of Information Technology assets?
A. Hardware assets
B. Software assets
C. Network assets
D. Intangible assets

Q557. The conceptual model of a database is an output of which process?
A. Prior analysis
B. Logical design
C. Physical design
D. Testing

Q558. A successful project management practice involves training a project team to achieve desired goals. Under which process does this fall?
A. Planning
B. Organising
C. Controlling
D. Leading

Q559. The resolution of a printer measures its:
A. Speed
B. Quality
C. Type
D. Memory

Q560. The primary difference between a buffer and a cache is in terms of ___________.
A. Memory space
B. Temporary storage
C. Process speed
D. Operational level

Q561. The size of registers in mainframes is generally:
A. 8 bit
B. 16 bit
C. 32 bit
D. 64 bit

Q562. Which of the following is not a preventive maintenance approach?
A. Complexity analysis
B. Functionality analysis
C. Forward engineering
D. Reverse engineering

Q563. A supercomputer created by networking many small computers is called ________.
A. ASCI white
B. Grid
C. LAN
D. Network Super

Q564. Which of the following does not fall under the category of operational
controls?
A. Personnel security
B. Logical access control
C. Physical protection
D. Environmental protection

Q565. Which form of job scheduling uses triggers?
A. Manual scheduling
B. Distributed scheduling
C. Mainframe scheduling
D. Automated scheduling

Q566. Which of the following employs client-server computing?
A. Interactive multimedia
B. Networked multimedia
C. MPEG video
D. Virtual reality

Q567. The concept of charging an end-user based on the number of times he/she has used the software is called:
A. Shareware
B. Samplers
C. Meterware
D. None of the above

Q568. Which of the following network architectures is most reliable?
A. star network
B. mesh network
C. ring network
D. multidrop line network

Q569. Licensing an email software is an example of:
A. Node-locking
B. User-based licensing
C. Site licensing
D. Network licensing

Q570. Which of the following Embedded Operating Systems has a wide set of
features for networking?
A. Windows CE
B. Windows NT embedded
C. Embedded Linux
D. Palm OS

Q571. Which of the following is not computer software?
A. operating system
B. telephone modem
C. spreadsheet
D. language translator

Q572. All video conferencing systems employ ____________.
A. ISDN lines
B. Satellite-based link
C. Point-to-point conference
D. CODEC

Q573. The application can be secured through
A. Implementing strong authentication and access controls
B. Error check controls
C. Risk assessment
D. Directory browsing

Q574. Which of the following image formats is for the Apple Macintosh range
of Computers?
A. GIF
B. JPEG
C. PICT
D. TIFF

Q575. In a mouse, there are three rollers that can rotate. How many rollers are actually responsible for the movement of the cursor?
A. One
B. Two
C. Three
D. None

Q576. A brokerage firm is moving into new office premises already equipped
with extensive telephone wiring. The firm is planning to install a PBX to
connect computers and office devices such as photocopiers, printers,
and facsimile machines. A limitation of usi
A. the firm would be dependent on others for system maintenance
B. coaxial cabling would have to be installed throughout the building
C. the system cannot easily handle large volumes of data
D. relocating devices in the office is an expensive and difficult task

Q577. A company uses a wide area network (WAN) to allow salesmen in the field to remotely log on to the office server using notebook computers and dial-in modems. Which of the following methods would provide the best data security in such a situation?
A. end to end data encryption
B. dedicated phone lines
C. call-back features
D. enforcing regular password changes

Q578. In a two-tier client server architecture, the client is called:
A. Fat client
B. Thin client
C. Very thin client
D. None of the above

Q579. The Internet protocol (IP) address is
A. Always same for any server.
B. More than 32 bits to provide high security
C. Can change even if the Domain Name remains the same
D. Not a part of the DNS

Q580. A company's management wants to implement a computerised system to facilitate communications among auditors, who are widely dispersed. The company proposes to have a central electronic repository where auditors can place messages and all other auditors ca
A. electronic bulletin board system
B. electronic data interchange
C. fax/modem software
D. private branch exchange

Q581. Which one of these Virtual Reality applications is used in developing models for architectural landscapes and buildings?
A. Simulator training
B. Augmented reality
C. Telepresence
D. Virtual prototyping

Q582. Whichever language an application program may be written in, it can be executed on a computer only if the primary memory contains
A. job scheduler
B. compiler
C. assembler
D. an operating system

Q583. While arguing the need for an IS auditor to be involved in a system development, which of the following is LEAST important?
A. the total cost of ownership
B. the importance of the system to the organisation
C. the number of lines to be written
D. the desired benefits from the system

Q584. While conducting a detailed system design, the IS auditor would be LEAST concerned with:
A. adequacy of procedures to ensure that all transactions are input
B. adequacy of backups
C. handling of rejected transactions
D. adequacy of hardware to handle the system

Q585. While implementing an automated job scheduling system in a computer center, the following concern needs to be addressed:
A. providing the majority of users with the ability to schedule their
own workload
B. implementing logical access security controls so that one user
does not violate the work plan of another
C. eliminating the need to submit proper documents to schedule
routine or ad hoc jobs
D. providing the facility to submit job control parameters directly into
jobs without assistance from computer center personnel

Q586. With respect to a hard disk, seek time is described as:
A. Time taken by the arm assembly to reach the respective track
B. Time taken by the arm assembly to find the respective sector
after the heads have reached the track
C. Total time taken to access the data
D. None of the above

Q587. Which of the following statements is true with regard to Operating Systems (OS)?
A. It may allow many users to operate simultaneously.
B. It can run on systems with different memory and storage space after minor changes.
C. It takes control of the computer as soon as the power is turned on.
D. The user can customise an RTOS (Real Time Operating System) by making changes to the interface.

Q588. Which of the following statements relating to packet switching networks is true?
A. passwords cannot be included in the packet
B. packet lengths are variable and each packet contains the same
amount of information
C. Transmission cost is not charged by packet
D. packets travel through the network depending upon channel
availability

Q589. Which of the following terms is commonly used for the agreement about
packaging and interpreting both data and control information, when two
devices in a data communications system are communicating?
A. Asynchronous communication
B. Synchronous communication
C. Communication protocol
D. Communication channel

Q590. Which of the following is almost inevitable with respect to hardware problems in computers?
A. Power faults
B. Aging Failures
C. Viruses
D. Magnetic Effects

Q591. In which of the following types of Video on Demand are simulations of functions performed to realise forward and reverse transitions in discrete time intervals?
A. Pay-per-view
B. Quasi-VoD
C. Near-VoD
D. Broad VoD

Q592. Which of the mail processing technologies given below affects message
storage at the client end?
A. POP (Post Office Protocol)
B. MAPI (Messaging Application Programming Interface)
C. IMAP (Internet Message Access Protocol)
D. SMTP (Simple Mail Transfer Protocol)

Q593. An assembler is a translator program that converts _________________ into machine level language.
A. Assembly level language
B. High level language
C. Procedure oriented language
D. Object oriented language

Q594. An efficient asset management system contributes to the smooth functioning of an organisation. Which of the following is false with respect to an asset management practice?
A. It helps in providing quick support to the end-user.
B. It helps in tracking the movement of equipment within the organisation.
C. It should be taken up at fixed time periods.
D. It helps in switching from one platform to another.

Q595. An organisation acquired a PC on lease and upgraded its memory. At the end of the lease period, the management failed to take into account the value addition it had made to the system. Which of these statements aptly sums up the scenario?
A. Hardware asset mismanagement
B. Software asset mismanagement
C. Intangible asset mismanagement
D. None of the above

Q596. Artificial Intelligence is now being used in every sphere of life. Which of
the following options justifies the statement?
A. Ability to work in hazardous places
B. Ability to think like human beings
C. Ability to work in artificial environments
D. None of the above

Q597. For dynamic storage of messages in an email system, powerful search engines are developed, based on ______________.
A. Random access
B. Non-volatility and low cost
C. Full text index and user-defined metadata
D. Record management

Q598. Given below are major types of storage devices: 1) Cache, 2) Magnetic disk, 3) Flash, 4) Main memory, 5) Tape storage, 6) Optical storage. Rank them in increasing order of their reading/writing capability.
A. 1,2,3,4,5,6
B. 5,6,2,3,4,1
C. 6,5,4,3,2,1
D. 2,5,3,1,6,4

Q599. How can hackers get access to password files or configuration information from a web server?
A. Poorly written active content such as CGI scripts
B. Poorly designed System Development Life Cycle
C. Non logging of web traffic
D. Poor physical control

Q600. Network capacity planning comprises the following three activities: 1) Predicting future utilisation, 2) Gathering data over time, 3) Establishing a baseline. Arrange the above in the order in which they are performed:
A. 1,2,3
B. 3,2,1
C. 1,3,2
D. 2,1,3

Q601. Network-based Intrusion Detection Systems cannot do which of the following?
A. Filter and analyse packets over a network
B. Operate in Real-Time
C. Match against database of known attack signatures
D. Recognise new types of attacks

Q602. Single copy of a software product installed on the server and used by
all the connected clients is an example of:
A. End user piracy
B. Industrial Piracy
C. Corporate Piracy
D. Copyright Infringement

Q603. Steganography is the art of dealing with data by:
A. Hiding it to make it necessarily invisible and not easily detectable.
B. Hiding but not necessarily invisible and not easily detectable.
C. Detecting and destroying the hidden data.
D. Only encrypting it.

Q604. The Fibre Distributed Data Interface (FDDI) is a dual ring LAN that uses
a fibre optic cable. The ring is segmented when
A. One ring fails
B. One station fails
C. Two rings fail
D. Two rings fail

Q605. The process of mapping with respect to virtual memory involves:
A. Converting real address into virtual address
B. Converting virtual address into real address
C. Sending a page from the hard disk to the main memory
D. Sending a page from the main memory to the hard disk

Q606. Voice recognition software does not / is not:
A. Convert user input of words or phrases into text
B. Convert text into voice
C. Used in automobiles to use hands free dialling.
D. Used in call centres to collect data

Q607. When planning a software audit, the management does not consider:
A. The timing of the audit
B. Persons who should conduct the audit
C. Keeping the audit objective secret
D. Providing access to the required facilities

Q608. Which is the function that the audit software does not perform?
A. Scan each machine separately
B. Decide on the sampling method to be used
C. Report the program that it does not recognise
D. Identify software that is loaded, completely or partially

Q609. Which of the following activities needs to be undertaken first to identify those components of a telecommunications system that present the greatest risk?
A. determine the business purpose of the network
B. review the open systems interconnect network model
C. identify the operating costs of the network
D. map the network software and hardware products into their
respective layers

Q610. Which of the following alerts an administrator to a threat to web server security?
A. Software controls
B. Directory browsing by a hacker
C. Intrusion detection mechanism
D. User authentication controls

Q611. Which feature of a distributed database supports multi-user access?
A. Distribution design
B. Concurrency control
C. Replication
D. None of the above

Q612. Which of the following controls protects against message modification?
A. error propagation codes
B. stream ciphers
C. message authentication codes
D. all the above

Q613. Which of the following conditions leads to an increase in white noise?
A. Faulty switching gear
B. Temperature increases
C. Thunder and lightning
D. Poor contacts

Q614. Which of the following is not a benefit provided by a distributed database?
A. Local autonomy
B. Improved performance
C. Shareability
D. Reduced costs

Q615. Embedded systems make use of software called:
A. Middleware
B. Shareware
C. Firmware
D. None of the above

Q616. In object-oriented technology, hiding the complexity of characteristics is called:
A. Abstraction
B. Encapsulation
C. Inheritance
D. Polymorphism

Q617. The smallest unit of information on a hard disk is called:
A. Track
B. Sector
C. Cluster
D. None of the above

Q618. Which of the following is not a desirable control feature in a modem?
A. attenuation amplification
B. dynamic equalisation
C. automatic dial-up capabilities
D. multiple transmission speeds

Q619. Which of the following do not come under the Workload Operational
Policy?
A. Backup and disaster recovery systems
B. Naming conventions
C. Job specification design
D. Training and support functions

Q620. Which of the following data items is most likely to appear in the
operations audit trail and not the accounting audit trail for the
communication subsystem?
A. image of message received at each node traversed in the
network
B. unique identifier of the source node
C. message transit time between nodes and at nodes
D. unique identifier of the person/process authorising dispatch of the
message

Q621. Which of the following functions of the database language SQL
contributes to maintaining the integrity of the database?
A. transactional management
B. schema definition
C. data retrieval
D. data definition

Q622. Which of the following is likely to be a benefit of electronic data
interchange (EDI)?
A. the transmission speed of actual documents increases
B. liability relating to protection of proprietary business data
decreases
C. decreased requirements for backup and contingency planning
D. improved business relationships with trading partners

Q623. Which of the following is not a true statement, with respect to the
implementation of an automated job scheduling system in the computer
center?
A. it ensures that all jobs are run
B. it ensures that jobs run in sequence
C. it prevents jobs from being delayed
D. it ensures the elimination of job definition and job set-up errors

Q624. Which of the following is not an advantage of distributed computing
vis-à-vis centralised computing?
A. Lower communication costs
B. availability of alternate processing sites, in case of a disaster
C. investment in hardware is smaller for each site than for a central
site
D. security measures are easier to provide

Q625. Which of the following is not an important control step of the input/output
control group?
A. verifying input authorisation
B. identifying questionable data
C. verifying control totals
D. establishing control over output

Q626. Which of the following is not an objective in the analysis and planning
of storage management?
A. To store and manage large amounts of data efficiently
B. To speed up data retrieval
C. To decide on software that has to be loaded on the server
D. To bring down the cost of data storage, while keeping risk under
manageable limits

Q627. Which of the following is true with regard to a good Intrusion Detection
System Software?
A. It can investigate intrusions without human intervention
B. It can compensate for exploits based on errors in network
protocols
C. It is able to resist unauthorised modifications to itself
D. It is able to analyse all of the traffic on a busy network

Q628. Which of the following is true with regard to a Hardware Inventory
Policy?
A. Automated Asset software management tools can scan all
hardware devices
B. Hardware devices that are not scanned by asset software
management tool need to be tagged manually
C. Hardware should be scanned during peak-hours when all systems
are running
D. In case an end user makes changes in hardware configuration, he
need not inform the IT department

Q629. Which of the following is true with regards to system and application
software?
A. System software uses application software to interact with
computer hardware
B. Application software uses system software to interact with
computer hardware
C. Both system and application software independently interact with
computer hardware
D. None of the above

Q630. Which of the following must be implemented for authorised users
outside the network to securely access the web server?
A. Remote access control
B. Web firewalls
C. Change controls
D. Physical security controls

Q631. Which of the following risks is not greater in an electronic funds transfer
(EFT) environment than in a manual system using paper transactions?
A. higher cost per transaction
B. unauthorised access and activity
C. duplicate transaction processing
D. inadequate backup and recovery capabilities

Q632. Which of the following statements is (are) correct regarding the Internet
as a commercially viable network?
A. companies must apply to the Internet to gain permission to create
a home page to engage in electronic commerce
B. organisations must use firewalls if they wish to maintain security
over internal data
C. companies that wish to engage in electronic commerce on the
Internet must meet required security standards established by the
coalition of Internet providers
D. all of the above

Q633. The class of control used to minimise the impact of a threat is:
A. Preventive
B. Detective
C. Corrective
D. Suggestive

Q634. In Vulnerability Assessment the tester has:
A. No knowledge of the network
B. Access to the network
C. To perform completely blind testing
D. All of above

Q635. A process by which a user provides a claimed identity to access a
system is:
A. User authorization
B. User registration
C. User identification
D. User logging

Q636. Which of the following is NOT a common method used to gain
unauthorized access to a Computer System?
A. Password sharing
B. Password guessing

C. Password capturing
D. Password spoofing

Q637. The major advantage of a checksum program is that it:
A. Adds more bytes to programs
B. Verifies integrity of files
C. Increases boot-up time
D. Misleads a program recompilation

Q638. Preventing disclosure of information to unauthorized individuals or
systems is defined as:
A. Integrity.
B. Confidentiality.
C. Availability.
D. Utility.

Q639. Buffer overflow is:
A. A feature of every operating system
B. A feature of application software
C. A vulnerability
D. All of above

Q640. Which one of the following is not a component of Application Controls:
A. Boundary controls
B. Input controls
C. Processing controls
D. Communication controls

Q641. VPN does not provide:
A. Secure communication
B. Authentication of the user
C. Data storage
D. Encrypted connection

Q642. War-Dialing is a type of
A. Firewall
B. Denial of service
C. Penetration testing
D. Wire testing

Q643. Creation of an electronic signature:
A. Encrypts the message.
B. Verifies where the message came from.
C. Cannot be compromised when using a private key.
D. Cannot be used with e-mail systems.

Q644. While classifying controls on the basis of the operations involved, input
control can be classified as -
A. Organisation control
B. General control
C. Processing control
D. Application control

Q645. Which of the following logical access exposures involves changing data
before, or as it is entered into the computer?
A. Data diddling
B. Trojan horse

C. Worm
D. Salami technique

Q646. While reviewing firewall logs, the auditor does not attempt to keep track
of:
A. Unsuccessful logins
B. Successful logins
C. Unsuccessful logins
D. Unsuccessful logouts

Q647. Deadman doors are also called:
A. Biometric door locks.
B. Mantrap systems.
C. Bolting door locks.
D. None of these

Q648. The audit trails are useful to
A. Auditors
B. Management
C. Users
D. All of the above

Q649. A decrease in amplitude as a signal propagates along a transmission
medium is known as:
A. Noise.
B. Crosstalk.
C. Attenuation.
D. Delay distortion.

Q650. Intrusion detection / prevention systems (IDS/IPS) are network vulnerability
management systems implemented at the ………………… level.
A. Application
B. Data
C. Perimeter
D. Network

Q651. During a review of system access rules, an IS Auditor noted that the
System Administrator has unlimited access to all data and program files.
Such access authority is:
A. Appropriate, but all access should be logged.
B. Appropriate, because System Administrator has to back up all
data and program files.
C. Inappropriate, since access should be limited to a need-to-know
basis, regardless of position.
D. Inappropriate, because System Administrator has the capacity to
run the system.

Q652. Which of the following steps would be performed FIRST in a security
review of a proposed system?
A. Conducting a thorough walk-through of the described area
B. Determining the risks /threats to the data center site
C. Determining whether business continuity procedures have been
established
D. Testing for evidence of physical accesses at suspected locations

Q653. Programmers frequently create entry points into a program for
debugging purposes and/or insertion of new program codes at a later
date. These entry points are called
A. Logic bombs
B. Worms

C. Trap doors
D. Trojan horses

Q654. Access to the work area is restricted through a swipe card or another
authorised process, and when visitors enter the work area they are
issued a pass and escorted in and out by the concerned employee.
These types of controls are called -
A. Organisational controls
B. Physical access controls
C. Logical access controls
D. Operational controls

Q655. Which of the following concerns associated with the World Wide Web
would be addressed by a firewall?
A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. Delay in Internet connectivity
D. Delay in downloading using file transfer protocol

Q656. In a telecommunications system, the MOST effective method for
reducing the data interception exposure is:
A. Use of callback models
B. Encryption of data
C. Use of leased lines
D. Authentication of messages  

Q657. A good email policy should state that:
A. All mails sent and received should be monitored
B. All messages should be encrypted
C. Emails should be used only for official purpose
D. None of the above

Q658. Employees are compulsorily asked to proceed on a week long vacation
in many organisations to:
A. Remove possible disruption caused when going on leave for a
day at a time.
B. Cross train with another employee of another department.
C. Diminish chances of committing improper / illegal acts by the
employee.
D. Ensure a standard quality of life is lead by the employee which
could enhance productivity.

Q659. For a high security installation the most effective physical access control
device is:
A. User ID and password
B. Magnetic Card reader
C. Bio-metric devices
D. Laser activated photo identification.

Q660. A firewall access control list may filter access based on each of the
following parameters EXCEPT:
A. Port.
B. Service type.
C. Network interface card (NIC).
D. Internet protocol (IP) address.

Q661. The auditor's checklist for controls on network security requires special
consideration of
A. Management and change controls on network devices
B. Event logging and monitoring of logical access paths
C. Only a
D. Both a and b

Q662. During a fire in a data center, an automatic fire suppression system would FIRST:
A. Cut power to data processing equipment
B. Sound an alarm and begin a timed countdown
C. Discharge the fire suppression gas
D. Disengage the uninterruptible power supply 

Q663. Authentication is a protection against fraudulent transactions. Which of
the following is NOT assured by the authentication process?
A. The validity of messages being sent
B. The validity of work stations that sent the message
C. The integrity of the message being transmitted
D. The validity of the message originator

Q664. ____ is defined as policies, procedures, practices and enterprise
structure that are designed to provide reasonable assurance that
business objectives will be achieved and undesirable events are either
prevented or detected and corrected.
A. Audit
B. Access
C. Prevention
D. Control

Q665. …………… is an attack that adds spurious entries to a table in the
server that deals with the conversion of www.icai.org into a network
address like 202.54.74.130.
A. Host Name Redirection
B. Traffic Name Server
C. Data Name Server Attacks
D. Domain Name Server Attacks

Q666. What is not true for firewall platforms:
A. Should be implemented on systems containing operating system
builds that have been stripped down and hardened for security
applications
B. Should never be placed on systems built with all possible
installation options
C. Should be based upon very wide feature sets
D. All appropriate operating system patches should be applied
before any installation of its components

Q667. Which of the following is most important when there is a lack of
adequate fire detection and control equipment in the computer areas?
A. Adequate fire insurance
B. Regular hardware maintenance
C. Offsite storage of transaction and master files
D. Fully tested backup processing facilities.

Q668. Which of the following environmental controls is appropriate to protect
computer equipment against short-term reductions in electrical power?
A. Power line conditioners
B. A surge protective device
C. An alternative power supply
D. An interruptible power supply

Q669. Naming conventions for system resources are an important prerequisite
for access control because they ensure that:
A. resource names are not ambiguous.
B. users’ access to resources is clearly and uniquely identified.
C. internationally recognized names are used to protect resources.
D. the number of rules required to adequately protect resources is
reduced.

Q670. The scope of a logical access controls review would include the
evaluation of:
A. effectiveness and efficiency of IT security and related controls.
B. confidentiality, integrity and availability of information to authorized
users.
C. access to systems software and application software to ensure
compliance with the access policy.
D. access to user authorization levels, parameters and operational
functions through application software.

Q671. Which of the following methods of suppressing a fire in a data center is
the MOST effective and environmentally friendly?
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas

Q672. Which of the following exposures could be caused by a line-grabbing
technique?
A. Unauthorized data access
B. Excessive CPU cycle usage
C. Lockout of terminal polling
D. Multiplexer control dysfunction

Q673. Which of the following techniques provides the BEST protection of
e-mail message authenticity and confidentiality?
A. Signing the message using the sender’s private key and
encrypting the message using the receiver’s public key.
B. Signing the message using the sender’s public key and
encrypting the message using the receiver’s private key.
C. Signing the message using the receiver’s private key and
encrypting the message using the sender’s public key.
D. Signing the message using the receiver’s public key and
encrypting the message using the sender’s private key.

Q674. An IS auditor is assigned to help design the data security, data integrity
and business continuity aspects of an application under development.
Which of the following provides the MOST reasonable assurance that
corporate assets are protected when the appl
A. A certification review conducted by the internal auditor.
B. A certification review conducted by the assigned IS auditor.
C. Specifications by the user on the depth and content of the
certification review.
D. An independent review conducted by another equally experienced
IS auditor.

Q675. Which of the following indicated CMM key processes is false?
A. Asset classification and control
B. Requirement management
C. Subcontract management
D. Software configuration management

Q676. Tools used to identify risks include all of the following, except
A. Audit workflow software
B. Risk analysis questionnaire
C. Flowchart of operations
D. Insurance policy checklist

Q677. A new field opportunity and career growth is
A. Computer forensic analyst
B. Network administrator
C. Business systems analyst
D. Information system auditor

Q678. Which IT audit area involves formal statements that describe a course
of action that should be implemented to restore or provide accuracy,
efficiency, or adequate control of audit subject?
A. Recommendations of an audit report
B. Conclusion of an audit report
C. Audit tests
D. Findings of the audit reports

Q679. The advantage of tying the audit universe to organization objectives is
that it
A. Links the entire audit process to business objectives
B. Improves management’s understanding of the audit process
C. Develops the communication plan for the audit
D. Improves the quality of the audit report

Q680. Compliance with laws and regulations is a key business risk because
of
A. The sheer number of laws and regulations
B. The controls outlined in COBIT
C. The impact on security of an organization
D. The automation of financial processes

Q681. A technical review process helps ensure that
A. The right solution is selected that integrates with other technology
components
B. The project has included all the costs of the technology solution
C. The current infrastructure is sufficient to support the new
technology
D. The appropriate level of senior management approvals has been
received

Q682. Risk retention (self-insurance) methods should meet all the following
criteria, except
A. Develop an internal risk management group to monitor exposures
B. Risk should be spread physically to distribute exposure across
several locations
C. Determine whether a self-insurance reserve should be established
to cover a possible loss
D. Determine the maximum exposure to loss

Q683. Which of the following is false about ISO 9001 certification
A. All organizations can establish ISO 9001 compliance
B. Accreditation is accomplished after being certified by a notified
body
C. The most important benefit from the registration is access to
markets such as the EC that require compliance
D. The NACCB approves an organization to operate an assessment
and registration of certification scheme

Q684. A special condition where an auditor must be free of any bias or
influence, and have
A. Independence
B. IT skills
C. Good writing skills
D. Professional development

Q685. In the author’s opinion, an auditor must have
A. High ethical standards
B. Limited training
C. Poor communication skills
D. Poor time management skills

Q686. Cyberlaw is
A. Law governing use of the computer and the Internet
B. State law
C. Central law
D. International law

Q687. Which IT audit area involves formal statements that describe a course
of action that should be implemented to restore or provide accuracy,
efficiency, or adequate control of audit subject?
A. Recommendations of an audit report
B. Conclusion of an audit report
C. Audit tests
D. Findings of the audit reports

Q688. The advantage of tying the audit universe to organization objectives is
that it
A. Links the entire audit process to business objectives
B. Improves management’s understanding of the audit process
C. Develops the communication plan for the audit
D. Improves the quality of the audit report

Q689. The task of examining a spreadsheet for reasonableness checks and
comparison with known output is
A. Verification of logic
B. Documentation
C. Extent of training
D. Support commitment

Q690. A new field opportunity and career growth is
A. Computer forensic analyst
B. Network administrator
C. Business systems analyst
D. Information system auditor

Q691. Measuring IT performance is dependent on
A. The strategy and objectives of the organization
B. Delivering successful projects
C. Keeping operations running
D. Reducing operating costs

Q692. Compliance with laws and regulations is a key business risk because
of
A. The sheer number of laws and regulations
B. The controls outlined in COBIT
C. The impact on security of an organization
D. The automation of financial processes

Q693. A technical review process helps ensure that
A. The right solution is selected that integrates with other technology
components
B. The project has included all the costs of the technology solution
C. The current infrastructure is sufficient to support the new
technology
D. The appropriate level of senior management approvals has been
received

Q694. Risk retention (self-insurance) methods should meet all the following
criteria, except
A. Develop an internal risk management group to monitor exposures
B. Risk should be spread physically to distribute exposure across
several locations
C. Determine whether a self-insurance reserve should be established
to cover a possible loss
D. Determine the maximum exposure to loss

Q695. Which of the following is false about ISO 9001 certification
A. All organizations can establish ISO 9001 compliance
B. Accreditation is accomplished after being certified by a notified
body
C. The most important benefit from the registration is access to
markets such as the EC that require compliance
D. The NACCB approves an organization to operate an assessment
and registration of certification scheme

Q696. Which of the following indicated CMM key processes is false?
A. Asset classification and control
B. Requirement management
C. Subcontract management
D. Software configuration management

Q697. A special condition where an auditor must be free of any bias or
influence, and have
A. Independence
B. IT skills
C. Good writing skills
D. Professional development

Q698. In the author’s opinion, an auditor must have
A. High ethical standards
B. Limited training
C. Poor communication skills
D. Poor time management skills

Q699. Measuring IT performance is dependent on
A. The strategy and objectives of the organization
B. Delivering successful projects
C. Keeping operations running
D. Reducing operating costs

Q700. Tools used to identify risks include all of the following, except
A. Audit workflow software
B. Risk analysis questionnaire
C. Flowchart of operations
D. Insurance policy checklist

Q701. The task of examining a spreadsheet for reasonableness checks and
comparison with known output is
A. Verification of logic
B. Documentation
C. Extent of training
D. Support commitment

Q702. Cyberlaw is
A. Law governing use of the computer and the Internet
B. State law
C. Central law
D. International law

Answers for Module 2
Q470 Ans. c Q498 Ans. a Q526 Ans. d
Q471 Ans. d Q499 Ans. c Q527 Ans. d
Q472 Ans. d Q500 Ans. a Q528 Ans. c
Q473 Ans. a Q501 Ans. c Q529 Ans. a
Q474 Ans. d Q502 Ans. d Q530 Ans. c
Q475 Ans. a Q503 Ans. d Q531 Ans. c
Q476 Ans. b Q504 Ans. b Q532 Ans. d
Q477 Ans. a Q505 Ans. b Q533 Ans. a
Q478 Ans. c Q506 Ans. b Q534 Ans. c
Q479 Ans. a Q507 Ans. d Q535 Ans. b
Q480 Ans. a Q508 Ans. c Q536 Ans. b
Q481 Ans. b Q509 Ans. a Q537 Ans. d
Q482 Ans. a Q510 Ans. b Q538 Ans. c
Q483 Ans. a Q511 Ans. c Q539 Ans. c
Q484 Ans. c Q512 Ans. a Q540 Ans. d
Q485 Ans. a Q513 Ans. d Q541 Ans. c
Q486 Ans. c Q514 Ans. d Q542 Ans. d
Q487 Ans. c Q515 Ans. b Q543 Ans. d
Q488 Ans. c Q516 Ans. c Q544 Ans. b
Q489 Ans. a Q517 Ans. c Q545 Ans. a
Q490 Ans. b Q518 Ans. a Q546 Ans. b
Q491 Ans. d Q519 Ans. c Q547 Ans. d
Q492 Ans. b Q520 Ans. d Q548 Ans. d
Q493 Ans. c Q521 Ans. d Q549 Ans. b
Q494 Ans. d Q522 Ans. d Q550 Ans. d
Q495 Ans. a Q523 Ans. c Q551 Ans. b
Q496 Ans. b Q524 Ans. b Q552 Ans. d
Q497 Ans. d Q525 Ans. a Q553 Ans. c
Q554 Ans. d Q584 Ans. d Q614 Ans. d
Q555 Ans. c Q585 Ans. b Q615 Ans. c
Q556 Ans. d Q586 Ans. b Q616 Ans. a
Q557 Ans. b Q587 Ans. a Q617 Ans. c
Q558 Ans. b Q588 Ans. d Q618 Ans. a
Q559 Ans. b Q589 Ans. c Q619 Ans. d
Q560 Ans. c Q590 Ans. b Q620 Ans. c
Q561 Ans. d Q591 Ans. c Q621 Ans. a
Q562 Ans. c Q592 Ans. a Q622 Ans. d
Q563 Ans. b Q593 Ans. a Q623 Ans. d
Q564 Ans. b Q594 Ans. c Q624 Ans. d
Q565 Ans. c Q595 Ans. c Q625 Ans. b
Q566 Ans. b Q596 Ans. b Q626 Ans. c
Q567 Ans. c Q597 Ans. c Q627 Ans. c
Q568 Ans. b Q598 Ans. b Q628 Ans. b
Q569 Ans. b Q599 Ans. a Q629 Ans. b
Q570 Ans. b Q600 Ans. b Q630 Ans. a
Q571 Ans. b Q601 Ans. d Q631 Ans. a
Q572 Ans. d Q602 Ans. c Q632 Ans. b
Q573 Ans. a Q603 Ans. b Q633 Ans. C
Q574 Ans. c Q604 Ans. c Q634 Ans. B
Q575 Ans. b Q605 Ans. b Q635 Ans. C
Q576 Ans. c Q606 Ans. b Q636 Ans. A
Q577 Ans. a Q607 Ans. c Q637 Ans. B
Q578 Ans. a Q608 Ans. b Q638 Ans. B
Q579 Ans. c Q609 Ans. a Q639 Ans. C
Q580 Ans. a Q610 Ans. c Q640 Ans. D
Q581 Ans. d Q611 Ans. b Q641 Ans. C
Q582 Ans. d Q612 Ans. d Q642 Ans. C
Q583 Ans. c Q613 Ans. b Q643 Ans. B
Q644 Ans. D Q674 Ans. D
Q645 Ans. A Q675 Ans. A
Q646 Ans. D Q676 Ans. A
Q647 Ans. B Q677 Ans. A
Q648 Ans. D Q678 Ans. A
Q649 Ans. C Q679 Ans. A
Q650 Ans. D Q680 Ans. A
Q651 Ans. C Q681 Ans. A
Q652 Ans. B Q682 Ans. A
Q653 Ans. C Q683 Ans. A
Q654 Ans. B Q684 Ans. A
Q655 Ans. A Q685 Ans. A
Q656 Ans. B Q686 Ans. A
Q657 Ans. C Q687 Ans. A
Q658 Ans. C Q688 Ans. A
Q659 Ans. C Q689 Ans. A
Q660 Ans. C Q690 Ans. A
Q661 Ans. D Q691 Ans. A
Q662 Ans. B Q692 Ans. A
Q663 Ans. C Q693 Ans. A
Q664 Ans. D Q694 Ans. A
Q665 Ans. D Q695 Ans. A
Q666 Ans. C Q696 Ans. A
Q667 Ans. C Q697 Ans. A
Q668 Ans. A Q698 Ans. A
Q669 Ans. D Q699 Ans. A
Q670 Ans. C Q700 Ans. A
Q671 Ans. C Q701 Ans. A
Q672 Ans. A Q702 Ans. A
Q673 Ans. A

DISA Review Questions, Answers Manual – Module 3

Module 3 Questions
Q703. Which of these options is not a feature of VPN?
A. Uses Internet
B. Uses intranet
C. Uses extranet
D. Uses common standards

Q704. Path length, bandwidth, load are:
A. Routing metrics
B. Routing algorithms
C. Routing algorithms design type
D. Routing activities

Q705. What are the categories under which X.25 devices fall?
A. DCE only
B. DTE and PSEs
C. DTE and DCE only
D. DTE, DCE and PSEs

Q706. The PKI Architecture model in which latent trust is established on a
peer-to-peer basis is called the
A. Cross Certification Model
B. Hierarchical Model
C. Hybrid Model
D. Single Root Model.

Q707. Which of the following do not lend themselves to compression easily?
A. Text files
B. Files containing Programming language codes
C. Images
D. Dictionaries

Q708. Which of the following is NOT a Top-Level Domain (TLD)?
A. .com
B. mil
C. net
D. co

Q709. Telecommuting can be effectively facilitated by which one of the
following?
A. Intelligent modems
B. Integrated services digital network (ISDN)
C. Voice-Mail System
D. PBX equipment

Q710. Which one of the following local area network devices functions as a
data regenerator?
A. Network interface card
B. Switch
C. Repeater
D. Modems

Q711. Which one of the following databases supports programming languages?
A. Hierarchical model
B. Network model

C. Relational model
D. Object-oriented models

Q712. Which one of the following is not part of a computer capacity
management function?
A. Service management
B. Performance management
C. Capacity planning
D. Chargeback system

Q713. A large number of system failures are occurring when corrections to
previously detected faults are resubmitted for acceptance testing. This
would indicate that the development team is probably not adequately
performing which of the following types of testi
A. Unit testing
B. Integration testing
C. Design walkthroughs
D. Configuration management

Q714. Unit testing is different from system testing because:
A. Unit testing is more comprehensive.
B. Programmers are not involved in system testing.
C. System testing relates to interfaces between programs.
D. System testing proves user requirements are adequate.

Q715. Which is the component not found in a data dictionary?
A. Table definition
B. ER model of data
C. Actual data
D. Data element definition

Q716. Which of the following is a primary purpose for conducting parallel
testing?
A. To determine if the system is more cost-effective.
B. To enable comprehensive unit and system testing.
C. To highlight errors in the program interfaces with files.
D. To ensure the new system meets all user requirements.

Q717. A concept in geometry, that gives you the location of a point, given its
distance from three other points is-
A. GPS
B. Trilateration
C. Pseudo random code
D. Satellite Signals

Q718. Data normalization is typically found in which of the following database
management models?
A. Hierarchy data model
B. Network data model
C. Relational data model
D. File Inversion

Q719. Expansion of a network is easiest if the topology employed is:
A. Bus
B. Ring
C. Star
D. Mesh

Q720. Software quality assurance takes care of:
A. Error prediction
B. Error prevention

C. Error detection
D. Error correction

Q721. When auditing the requirements phase of a software, an IS auditor
would:
A. Assess the adequacy of audit trails.
B. Identify and determine the criticality of the need.
C. Verify cost justifications and anticipated benefits.
D. Ensure the control specifications have been defined

Q722. The prototyping approach does not assume the existence of:
A. Reusable software
B. Formal specifications languages
C. Detail requirements document
D. Fourth-generation programming languages

Q723. Which of the following is NOT an advantage of an object-oriented
approach to data management systems?
A. A means to model complex relationships.
B. The ability to restrict the variety of data types.
C. The capacity to meet the demands of a changing environment.
D. The ability to access only the information that is needed.

Q724. Which one of the following components of the database language
structured query language (SQL) hold the actual data in the database?
A. Schemas
B. Triggers
C. Reports
D. Tables

Q725. Which of the following is not a part of digital certificates -
A. Digital signature of the issuer
B. Public key of the subject
C. Private key of the subject
D. Serial number

Q726. Which of the following concerns about the security of an electronic
message would be addressed by Digital Signatures?
A. Unauthorised reading
B. Theft
C. Unauthorised copying
D. Alteration

Q727. A decision table is used in program testing to check the branching of
distinct processes. It consists of:
A. A condition stub and result
B. A condition stub, condition entry, action stub and action entry
C. An action stub and condition entry
D. An action stub and result

Q728. A computerized information system frequently fails to meet the needs
of users because:
A. User needs are constantly changing.
B. The growth of user requirements was inaccurately forecast.
C. The hardware system limits the number of concurrent users.
D. User participation in defining the system’s requirements is
inadequate.

Q729. An organization is developing a new business system. Which of the
following will provide the MOST assurance that the system provides the
required functionality?
A. Unit testing
B. Regression testing
C. Acceptance testing
D. Integration testing

Q730. Which one of the following protocols is used by the Internet?


A. DNA
B. ISO/OSI
C. TCP/IP
D. X.12

Q731. The designer of a cryptosystem is called a:


A. cryptoanalyst
B. cryptographer
C. cryptologist
D. cryptogenist

Q732. Where are larger cell structures commonly used?


A. Densely populated areas
B. Mountainous areas
C. “Rural areas“
D. Lightly populated urban areas

Q733. Which of the following is not a desirable property of a cipher system:


A. simplicity
B. small key

185
DISA Review Questions, Answers Manual – Module 3

C. high error propagation


D. high work factor

Q734. Which one of the following methodologies requires efficient system requirement analysis?
A. Reverse engineering
B. The Delphi Design (JAD)
C. Joint application Design (JAD)
D. Traditional system development life cycle.

Q735. “_____________” is not exchanged immediately after a session between two nodes is started.
A. DLSw Version number
B. NetBIOS support
C. Search frames support
D. MAC address of devices

Q736. The arrows and letters P through W in the diagram represent:
A. Events
B. Activities
C. Successor points
D. Predecessor points

Q737. Which of the following is performed first in a system development life cycle project?
A. Developing program flow chart
B. Determining system inputs and outputs
C. Developing design documents.
D. Developing conversion plans

Q738. Which of the following estimates of time has most important relevance in PERT evaluation technique?
A. Most likely time
B. Pessimistic time
C. Actual time
D. Optimistic time

Q739. Which of the following statements is false (with regard to structured programming concepts and program modularity)?
A. Modules should perform only one principal function.
B. Interaction between modules should be minimal.
C. Modules should have only one entry and one exit point.
D. Modularity means program segmentation.

Q740. Data flow diagrams are used by IS auditors to:
A. Order data hierarchically
B. Highlight high-level data definitions
C. Graphically summarise data paths and storage
D. Portray step-by-step details of data generation

Q741. The function of an access gateway is to:
A. Connect components in the same network
B. Access information for an end user
C. Connect one network to another
D. All of the above

Q742. Which phase of SDLC uses Data Flow Diagrams?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q743. Which one of the following is not an essential feature of LAN?
A. Range
B. Transmission Technology
C. Topology
D. Routing

Q744. Electronic methods of data transfer are involved in all of the following except:
A. remote batch processing
B. stand-alone data processing
C. message switching
D. time sharing

Q745. An IS auditor who plans on testing the connection of two or more system components that pass information from one area to another would use:
A. Pilot testing.
B. Parallel testing.
C. Interface testing.
D. Regression testing.

Q746. A Bluetooth piconet can have a maximum of __________ slaves.
A. One
B. Three
C. Five
D. Seven

Q747. The DES is an example of a:
A. short key cipher system
B. 32 bit key system
C. long key cipher system
D. encryption system that can not be used more than once

Q748. Which among the following hacking techniques DOES NOT facilitate impersonation?
A. Forging the signature
B. Packet replay
C. Interception
D. Relay

Q749. The science of cryptography provides all of the following safeguards except:
A. system availability
B. data confidentiality
C. message authentication
D. message integrity

Q750. In which of the following SDLC (System Development Life Cycle) phases is the IS auditor’s participation unnecessary?
A. Feasibility study
B. User requirements
C. Programming
D. Manual specifications

Q751. In a system development project, the formal change control mechanism is begun after:
A. Completing the system planning document
B. Completing the system requirement document
C. Completing the system design document
D. Completing the program coding work

Q752. Which of the following groups/individuals assume ownership of systems development life cycle projects and the resulting system?
A. User management
B. Senior management
C. Project Steering committee
D. Systems development management

Q753. A public key cryptosystem uses:
A. two private keys
B. two public keys
C. a private key and a public key
D. a new key generated for each transaction

Q754. Which of the following is not a function of operations management:
A. performance monitoring
B. file library
C. program source code modification
D. production work flow control

Q755. In an information processing system, specific measures were introduced to improve quality. An auditor however will not be assured of the effectiveness of these measures by:
A. A perceptible reduction in problems reported by users.
B. Increased satisfaction
C. An increase in the quality assurance budget.
D. A reduction in the maintenance cost of the application

Q756. Which of the following would NOT normally be part of a feasibility study?
A. Identifying the cost savings of a new system.
B. Defining the major requirements of the new system.
C. Determining the productivity gains of implementing a new system.
D. Estimating a pay-back schedule for cost incurred in implementing the system.

Q757. The CSMA/CD Protocol is useful in
A. Correcting Collisions
B. Preventing Collisions
C. Eliminating Collisions
D. Detecting Collisions

Q758. The following is not a desirable property of a cipher system:
A. high work factor
B. low work factor
C. small key
D. low error propagation

Q759. The primary function of the steering committee is:
A. Reviewing user requirements and ensuring that all controls are considered
B. Strategic planning for computer installation.
C. Evaluating specific project plans for systems
D. Conducting a major feasibility study, when it is required.

Q760. Design prototyping is more likely to be needed when:
A. The application system to be designed is a traditional accounting system.
B. There is substantial uncertainty surrounding the system to be designed.
C. The designer believes that there is no need to develop user specification for the system to be implemented.
D. The SDLC approach to system development is adopted.

Q761. Access to the firewall should be limited to:
A. Firewall administrators
B. Top management
C. Security administrators
D. IT personnel

Q762. Which one of these features is specific to cross bar switches?
A. Direct control
B. Call supervision
C. Common control
D. Identification of path

Q763. Rapid Application Development is not appropriate when the development cycle involves
A. Reusability
B. Short time cycle
C. High technical risks
D. Small-integrated teams

Q764. The least commonly used medium for local area network (LAN) environment is:
A. Fiber optics cable
B. Twisted-pair (shielded) cable
C. Twisted-pair (unshielded) cable
D. Coaxial cable

Q765. Which of the following is not an aspect of data mining?
A. Data collection
B. Powerful multiprocessor computers
C. Data mining algorithms
D. Decision trees

Q766. After the system is developed, the auditor’s objective in conducting a general review is to
A. Determine whether a critical application system needs modification due to recent change in the status.
B. Conduct a test of controls to ensure that no necessary control is omitted in the design.
C. Make an evaluation of the whole process to quantify the substantive test required for the specialization audit of the process.
D. Conduct a substantive test of the application system.

Q767. Which of the following issues requires more attention from an Information Systems (IS) auditor participating in a system development life cycle project?
A. Technical issues
B. Organisational issues
C. Behavioural issues
D. Contractual issues

Q768. Which of the following represents a typical prototype of an interactive application?
A. Screens and process programs
B. Screens, interactive edits and sample reports
C. Interactive edits, process programs and sample reports
D. Screens, interactive edits, process programs and sample reports

Q769. Which one of the following techniques is represented by structured analysis and design?
A. Function-oriented techniques
B. Data-oriented techniques
C. Control-oriented techniques
D. Information-oriented techniques

Q770. Which of the following tasks would NOT be performed by an IS auditor when reviewing systems development controls in a specific application?
A. Attend project progress meetings.
B. Review milestone documents for appropriate sign-off.
C. Compare development budgets with actual time and amount spent.
D. Design and execute testing procedures for use during acceptance testing.

Q771. Which of the following is false with regard to expert systems?
A. Expert system knowledge is represented declaratively
B. Expert system computations are performed through symbolic reasoning
C. Expert systems knowledge is incorporated in the program control
D. Expert systems control their own actions

Q772. Use of asymmetric encryption over an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:
A. Customer over the authenticity of the hosting organization.
B. Hosting organization over the authenticity of the customer
C. Customer over the confidentiality of messages from the hosting organization
D. Hosting organization over the confidentiality of message passed to the customer.

Q773. PC-based analysis and design tools are used along with mainframe computer-based tools. Identify the CASE tool that is required in this situation.
A. Diagramming tools
B. Simulation tools
C. Export / import tools
D. Diagram checking tools

Q774. “----------” is a component of virtual office.
A. Internet access
B. Cellular communications
C. Groupware
D. All of the above

Q775. The use of coding standards is encouraged by IS auditors because they:
A. Define access control tables.
B. Detail program documentation.
C. Standardize dataflow diagram methodology.
D. Ensure compliance with field naming conventions.

Q776. The primary role of an IS auditor in the system design phase of an application development project is to:
A. Advise on specific and detailed control procedures.
B. Ensure the design accurately reflects the requirement.
C. Ensure all necessary controls are included in the initial design.
D. Advise the development manager on adherence to the schedule.

Q777. Which of the following statements is incorrect?
A. Expert systems are aimed at solving problems using an algorithmic approach
B. Expert systems are aimed at solving problems that have irregular structure
C. Expert systems are aimed at solving problems which have incomplete information
D. Expert systems are aimed at solving problems of considerable complexity

Q778. Which of the following is not a subsystem of the decision support system?
A. Language system
B. Knowledge system
C. Transaction processing system
D. Problem processing system

Q779. An auditor evaluating a software package purchase contract will NOT expect the contract to include:
A. License cost
B. Maintenance cost
C. Operational costs
D. Outage costs

Q780. Which of the following is an advantage of prototyping?
A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with prototype systems.
D. It ensures that functions or extras are not added to the intended system.

Q781. Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would improve the estimation of the resources required in system construction after the development of t
A. PERT chart
B. Recalibration
C. Cost-benefit analysis
D. Function point estimation

Q782. The critical path in a Program Evaluation Review Technique (PERT) chart is identified by:
A. The project management team after identifying the criticality of the function.
B. The path that has maximum slack time.
C. The path that has zero slack time.
D. Project development team after discussing with the users.

Q783. Objectives of risk assessment include:
A. Sensitizing business processes
B. Prioritizing business processes
C. Criticising business processes
D. Evaluating business processes

Q784. Introduction of CASE tools in a mainframe environment provides which of the following benefits?
A. Easy conversion of huge data
B. Adequate technical knowledge
C. Proper training personnel
D. Acts as supportive tools

Q785. Which of the following is a management technique that enables organizations to develop strategically important system faster while reducing development costs and maintaining quality?
A. Function point analysis
B. Critical path methodology
C. Rapid application development
D. Program evaluation review technique

Q786. SET transaction is initiated by the:
A. E-wallet
B. Merchant Server
C. Acquirer
D. Certificate Authority

Q787. Which of the following project completion paths represents the critical path?
A. PUW
B. PTVW
C. RVW
D. QSVW

Q788. A (B2C) E-commerce web site, as part of its information security program, wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could b
A. Intrusion detection systems
B. Firewalls
C. Routers
D. Asymmetric encryption

Q789. Structured programming is BEST described as a technique that:
A. Provides knowledge of program functions to other programmers via peer reviews.
B. Reduces the maintenance time of programs by the use of small-scale programs.
C. Makes the readable coding reflect as closely as possible the dynamic execution of the program.
D. Controls the coding and testing of the high-level functions of the program in the development process.

Q790. Which of the following computer aided software engineering (CASE) products is used for developing detailed designs, such as screen and report layouts?
A. Super CASE
B. Upper CASE
C. Middle CASE
D. Lower CASE

Q791. _______ ensures an undisturbed connection between two nodes during data exchange
A. Application layer
B. Data link layer
C. Session layer
D. Presentation layer

Q792. The biggest benefit of prototyping is:
A. Better version control
B. Better communication between developers and users
C. Increased productivity
D. Quicker delivery

Q793. For which of the following does the IS auditor NOT take part in the development team deliberations?
A. Ensuring adequacy of data integrity controls.
B. Ensuring adequacy of data security controls.
C. Ensuring that there are no cost and time overruns
D. Ensuring that documentation is accurate

Q794. An IS auditor involved as a team member in the detailed system design phase of a system under development would be MOST concerned with:
A. Internal control procedures.
B. User acceptance test schedules.
C. Adequacy of the user training program.
D. Clerical progress for resubmission of rejected items.

Q795. Fuzzy Logic is most effective when:
A. Used to develop decision support system
B. Combined with neural network technologies
C. Used to build hard disc controllers
D. Used to design memory caches

Q796. ____________ do not have an address table when they are first installed
A. Simple bridges
B. Multiport bridges
C. Transparent bridges
D. None of the above

Q797. Which of the following is a management technique that enables organizations to develop strategically important system faster while reducing development costs and maintaining quality?
A. Function point analysis
B. Critical path methodology
C. Rapid application development
D. Program evaluation review technique

Q798. E-cash is a form of electronic money that:
A. Can be used over any computer network.
B. Utilizes reusable e-cash coins to make payments.
C. Does not require the use of an Internet digital bank.
D. Contains unique serial numbering to track the identity of the buyer.

Q799. Removing sequences of extraneous zeros or spaces in a file is an application of:
A. Disk striping
B. Data streaming
C. Data editing
D. Data compression

Q800. Which of the following would be considered to be the MOST serious disadvantage of prototyping systems development?
A. The prototyping software is expensive.
B. Prototyping demands excessive computer usage.
C. Users may perceive that the development is complete.
D. The users’ needs may not have been correctly assessed.

Q801. An IS auditor, while conducting a post-implementation review, would look for
A. The documentation of the test objectives
B. The extent of issues pointed out in the user acceptance test and the unresolved issues.
C. The documentation of the test results.
D. The log containing the problems reported by the users.

Q802. How is the DNS implemented on the client side?
A. Through “Binding”
B. Through “Resolver” programs
C. Through Virtual hosting
D. By registering with a registrar company

Q803. Which of the following techniques/features does ATM not integrate?
A. Multiplexing
B. Switching
C. Data/voice/video transmission
D. Encryption

Q804. The most important process in an SSL session is:
A. Client authentication
B. Server authentication
C. Encryption of data
D. Symmetric key creation.

Q805. Which one of the following risks is unique to wireless communication?
A. Lack of physical security
B. Denial of service
C. Spoofing attack
D. Disabling of network.

Q806. ISDN’s Basic Rate Interface (BRI) is also known as:
A. 23B+D
B. 23D+B
C. 2B+D
D. 2D+B

Q807. An IS auditor who has participated in the development of an application system might have their independence impaired if they:
A. Perform an application development review.
B. Recommend control and other system enhancements.
C. Perform an independent evaluation of the application after its implementation
D. Are actively involved in the design and implementation of the application system

Q808. Which of the following is a characteristic of a decision support system (DSS)?
A. DSS is aimed at solving highly structured problems.
B. DSS combines the use of models with non-traditional data access and retrieval functions.
C. DSS emphasizes flexibility in the decision making approach of users.
D. DSS supports only structured decision-making tasks.

Q809. Which of the spread spectrum technologies is widely employed?
A. Frequency hopping
B. Direct Sequence
C. Time Hopping
D. Multipath Code Division Multiple Access

Q810. For ensuring adequate security of LAN, the auditor must exercise control over
A. Password
B. Policies
C. Firewall
D. Applets

Q811. An electronic device that combines data from several low speed communication lines into a single high-speed line is a:
A. modem
B. multiplexer
C. channel
D. Link editor

Q812. Which type of cipher has the highest work factor?
A. substitution cipher
B. product cipher
C. bit cipher
D. transmission cipher

Q813. A significant problem in planning and controlling a software development project is determining:
A. Project slack times.
B. A project’s critical path.
C. Time and resource requirements for individual tasks.
D. Precedent relationships which preclude the start of certain activities until others are complete.

Q814. Which of the following statements pertaining to data warehouses is FALSE?
A. A data warehouse is designed specifically for decision support.
B. The quality of the data in a data warehouse must be very high.
C. Data warehouses are made up of existing databases, files and external information.
D. A data warehouse is used by senior management only because of the sensitivity of the data.

Q815. While auditing the logical access control, the auditor need not review:
A. Authorisation of dial in access
B. Audit trail
C. Bugs in the firewall
D. Password management

Q816. In an Internet environment, a firewall acts as a
A. modem
B. brouter
C. router
D. bridge

Q817. Which of these benefits is unique to CDMA one?
A. Capacity gain
B. Improved call quality
C. Enhanced privacy
D. Soft handoffs

Q818. Internet Message Access Protocol or IMAP allows __________ mode of email access.
A. Online
B. Offline
C. Disconnected
D. None of the above

Q819. Which RAID (Redundant Array of Independent Disks) type makes use of embedded operating systems?
A. RAID-3
B. RAID-6
C. RAID-53
D. RAID-7

Q820. Which of these is not a benefit of data warehousing?
A. Data creation
B. Immediate information delivery
C. Data integration
D. Business analysis

Q821. Network masquerading is countered effectively by:
A. Dial-forward technique
B. Dial-back technique
C. Dial-back combined with data encryption
D. Data encryption alone

Q822. SONET is a standard for which of the following networks?
A. Twisted-pair cable
B. Fiber-optic cable
C. Coaxial cable
D. Ethernet

Q823. Which of the following is not a PKI Component?
A. Certificate Authority
B. Merchant Server
C. Time Server
D. Signing Server

Q824. Passwords belong to the following class of authentication information:
A. physical attributes
B. personal details
C. possessed objects
D. remembered information

Q825. What is the similarity between a multiplexer and a hub?
A. Both of them use TDM
B. Both use FDM and STDM
C. Both are hardware
D. Both route multiple connections

Q826. A class-B GPRS terminal can support _________ service at a time.
A. GSM and GPRS
B. GSM or GPRS
C. TDMA
D. TDMA and GSM

Q827. A peer-to-peer network works under ____________
A. A centralised environment
B. A decentralised environment
C. Server control
D. All of the above

Q828. A security management system should undertake _____________.
A. Local data reduction
B. Event correction
C. Low resource utilisation
D. All of the above

Q829. In WAP, the actual transfer of data is done by the ___________
A. Bearers
B. Session Layer
C. Transport Layer
D. Transaction Layer

Q830. Proxy servers act as a mediator between:
A. Two Local Area Networks (LANs)
B. Local network and Internet
C. Two networks using different protocols
D. Router and Internet

Q831. While reviewing firewall logs, the auditor does not attempt to keep track of:
A. Unsuccessful logins
B. Successful logins
C. Unsuccessful logins
D. Unsuccessful logouts

Q832. A normal Post Office Protocol (POP) session has three different stages: 1) Transaction state 2) Update state 3) Authorisation state. The correct sequence is
A. 1,2,3
B. 3,2,1
C. 3,1,2
D. 2,3,1

Q833. Which of the following features is least likely to be found in a real time application?
A. User manuals
B. Preformatted screens
C. Automatic error correction
D. Turnaround documents

Q834. The voice data is transformed from analog to digital mode or vice-versa by:
A. Internet Service Provider
B. Gateway Server
C. VoIP Service Provider
D. PSTN Station

Q835. The modifications done in an image can be determined by
A. Patch work
B. Tamper proofing
C. Feature tagging
D. Embedded captions

Q836. Security problem(s) that a PC can create in a Local Area Network are:
A. Multiplication Factor
B. Channel Factor
C. Both and
D. Division Factor

Q837. Which of the following is used to append a digital signature?
A. Public Key
B. Private key
C. Trusted Key or Third party key
D. Any digital Key

Q838. Which of the following elements is unique to a Smart Card?
A. Magnetic stripe
B. Microchip
C. Signature
D. Photograph

Q839. Which of these services offered by the GSM provides a personal security code to subscribers?
A. Short message service
B. Cell broadcasting
C. Advice of charge
D. Voice mail

Q840. Which SAN (Storage Area Network) architecture is most widely used?
A. Optical fibers
B. Fiber loop
C. Mainframes
D. Network attached storage

Q841. Under normal conditions, which of the following offers the fastest connection to the Internet?
A. Analog connections
B. ISDN
C. DSL
D. Cable

Q842. Security assessment of capability levels does not involve:
A. Firewall rule set
B. Application server configuration
C. Manual inspection
D. Eliminating the incorporation of security architecture

Q843. Which one of these options allows multicasting and broadcasting in an ATM LAN?
A. Ethernet
B. Token ring
C. LES
D. BUS

Q844. Which of the following is not a characteristic of a modem?
A. Transmission Speed
B. Data Accuracy
C. Error Detection and Correction
D. Data Compression

Q845. The size of a cell does not depend upon __________
A. The subscriber density
B. Demand in an area
C. The landscape
D. The subscriber’s conversation time

Q846. ____________ is not exchanged immediately after a session between two nodes is started.
A. DLSw (Data Link Switching) Version number
B. NetBIOS (Network Basic Input/Output System) support
C. Search frames support
D. MAC (Media Access Control) address of devices

Q847. #NAME?
A. PGP (Pretty Good Privacy)
B. S/MIME (Secure/Multipurpose Internet Mail Extension)
C. PEM (Privacy Enhanced Mail)
D. MIME Object Security Services

Q848. WAN helps in
A. Transferring data among resources in the same building
B. connecting different branches of an organisation within the city or in different cities
C. determining the number of connections in a network
D. routing the data to various networks

Q849. “Biometric authentication” is a technique for secure data transfer. This authentication is based on:
A. Design features
B. Logical features
C. Physical features
D. Depends upon the application to be authenticated

Q850. ________ are self-replicating malicious code that bring down the speed of the processor on entering a network, and are not dependent on the action of the user
A. Viruses
B. Worms
C. Trojan Horse
D. Spoofing

Q851. __________ are Wireless LAN devices that act like the “hubs” in traditional LANs and provide connectivity to the user irrespective of his location.
A. Data carriers
B. Transmitters
C. Receivers
D. Access Points

Q852. A computer can call into primary storage only that portion of a program and data needed immediately while storing the remaining portions in an auxiliary storage device. This feature is commonly known as:
A. compiling
B. multiplexor channeling
C. virtual storage
D. on-line processing

Q853. A firewall cannot do one of the following:
A. Protect against unauthorised logins from external networks
B. Protect the network against users connecting to the Internet using the office telephone and a modem
C. Appear transparent to the users
D. Log traffic to and from the local network

Q854. A major problem in networking is the slow rate of data transfer. Which of the following would help counter this problem?
A. Data formatting
B. Decentralised control
C. Allocating adequate bandwidth
D. All of the above

Q855. A major way in which modern quality systems used to support the information systems function differ from traditional quality systems is:
A. modern quality systems focus on customer satisfaction as the primary goal
B. modern quality systems focus on the production of zero-defect software as the primary goal
C. traditional quality systems fail to recognise the inherent conflict that can exist among some goals established for an information systems project
D. traditional quality systems do not take into account the need for an independent QA group and independent testing

Q856. Which of the following is an application level firewall?
A. Packet filtering routers
B. Proxy systems
C. Stateful inspection
D. Circuit layer gateways

Q857. A multitasking capability in a client/server computing environment is supported by which one of the following?
A. A “shell” program in the workstation
B. A database application program
C. An application program interface
D. A network operating system

Q858. A Packet Filter Firewall Ruleset ideally should:
A. Forward any packet with a source address of the local network to the external network
B. Allow all access from the external network to the firewall system itself
C. Expressly allow everything unless specifically prohibited
D. Expressly prohibit everything unless specifically allowed

Q859. A packet-sniffer is a software application which:
A. Identifies the packet that is required by the user.
B. Captures a packet moving across a network with help of a Network Interface Card.
C. Identifies packets which have leaked while travelling through the network.
D. Identifies packets which are not safe to travel without encryption.

Q860. A PIN, if stored for reference purposes, must be stored in:
A. plain text form in the eventuality that it has to be reissued at a later stage, if the customer forgets their PIN
B. ciphertext form produced only from a reversible encryption algorithm
C. ciphertext form produced only from an irreversible encryption algorithm
D. ciphertext form that is a function of the account number

Q861. Access to a computer system is conditional upon success of the authentication process. The best methodology of authentication means
A. identifying who the user is
B. identifying what the user possesses
C. identifying what the user knows or remembers
D. identifying what the user is and what she/he knows/remembers

Q862. Which one of the following transmission media is unsuitable for handling
intrabuilding data or voice communications?
A. Unshielded Twisted pair
B. Microwave transmission
C. Shielded Twisted pair
D. Optical fiber

Q863. Which one of the following uses a modem technology as a common


means of communicating between computers?
A. Packet-switched networks
B. Frame relay
C. Wireless Local Area Network
D. Public switched telephone network

Q864. Which one of these options is incorrect? An IPSec is an extension of IP


and
A. Requires no encryption
B. Ensures message integrity
C. Implements WAN and LAN security measures
D. Ensures data confidentiality

Q865 While down sizing a material inventory system, data center personnel
considered redundant array of inexpensive disks (RAID for the inventory
database. One reason to use RAID is to ensure that :
A. all data can still be reconstructed even if one drive fails
B. all data are split evenly across pairs of drives
C. snap shots of all transactions are taken
D. write time is minimised to avoid concurrency conflicts

Q866. While planning for the security of the organisation
A. Old policies should never be followed
B. The statements in the documentation should be abstract for quick
understanding
C. Information classification and access control should be of more
importance than password management
D. The security policy could be treated as optional to be provided to
the employees

Q867. Which of the following statements is true:
A. A Proxy server is the best option for caching heavy network
loads.
B. Network caching facilitates the storage of user data in the
network.
C. Stand alones are costly and require large scale deployments.
D. The capacity for storing content on the user’s hard disk is
decided by the local network cache

Q868. LDAP (Lightweight Directory Access Protocol) has an edge over X.500 in Directory Enabled Networks (DEN), because it supports:
A. Static routing
B. Dynamic routing
C. Both
D. None

Q869. Which of the following statements regarding security concerns for laptop computers is NOT false?
A. Decentralised controls over the selection and acquisition of
hardware and software is a major concern
B. The primary method of control usually involves general controls
C. Segregation of duties becomes increasingly important
D. With the increase in use, the degree of concern regarding
physical security decreases

Q870. Which of the following tools allots a specific amount of space to packets to handle traffic effectively?
A. Priority Queuing
B. Custom Queuing
C. Weighted Flow Queuing
D. FIFO, Basic store and forward capability

Q871. Which of the following would not be considered a characteristic of a private key cryptosystem?
A. the encryption key can be transmitted through the system over the normal communication path
B. two different keys are used for the encryption and decryption
C. Data Encryption Standard (DES) is a typical type of private key cryptosystem
D. For the decryption, the decryption key should be equivalent to the
encryption key

Q872. Which of the following would not normally be considered a typical file
structure for a database management system:
A. Hierarchical structure
B. Batched sequential structure
C. Network structure
D. Relational structure

Q873. Which of these Internet protocols are used by a Unified Messaging framework:
A. Simple Mail Transfer Protocol (SMTP)
B. Post Office Protocol (POP)
C. Internet Message Access Protocol (IMAP)
D. All of the above

Q874. Which of these statements is true?
A. There can be only one internal perimeter router in a network
B. There can be more than one internal perimeter router in a
network
C. An internal perimeter router distinguishes between a network
under control & not under control
D. An internal perimeter distinguishes between the network and the
ISP

Q875. Which of these wireless technologies deploys Radio Frequency (RF) for
a WLL (Wireless Local Loop)?
A. Analog Cellular
B. Digital Cellular
C. Personal Communication system (PCS)
D. Proprietary systems

Q876. Which one of the following client/server implementation approaches requires greater programming skills?
A. Image server configuration
B. Peer-to-peer communications
C. Applications programming interface
D. GUI-based operating system

Q877. Which one of the following computer systems is best to provide parallel
processing of documents in a business environment?
A. Network Management systems
B. Database Management systems
C. Workflow systems
D. Imaging and Mirroring systems

Q878. Which one of the following is a feature of Bluetooth security provisions?
A. Device authentication
B. Compulsory pairing and bonding between two devices
C. Constant authentication of device and user
D. Use of a single key for device authentication and link encryption

Q879. Which one of the following is not an operating control:
A. Library security and use of proper file labels
B. Halt and error controls
C. Batch controls
D. Duplicate files and backup procedures

Q880. Which one of the following is NOT an essential component of a distributed computing environment?
A. Unix platform
B. Distributed computing infrastructure
C. Systems management
D. Distributed applications or services

Q881. The IEEE 802.4 Token bus LAN
A. Has no specific topology
B. Physically and logically linear or tree-shaped
C. Physically a ring and logically a bus
D. Physically linear and logically a ring

Q882. Which one of the following is NOT false:
A. Conversion to a database system is inexpensive
B. Data redundancy can be reduced
C. Multiple occurrences of data items are useful for consistency
checking
D. Backup and recovery procedures are minimised

Q883. Which one of the following is NOT true relating to the use of fiber optics:
A. Data is transmitted rapidly
B. Fiber optic cable is small and flexible
C. They are unaffected by electrical interference
D. It has a high risk of wire tapping

Q884. Which one of the following is the most essential activity for effective
computer capacity planning:
A. Scheduling of documents
B. Planning of adequate security and controls in the computer center
C. Estimating electrical load
D. Workload forecasting

Q885. Which one of the following network architectures is designed to provide data services using physical networks that are more reliable and offer greater bandwidth?
A. Transmission Control Protocol/Internet Protocol (TCP/IP)
B. File transfer protocol
C. Permanent Virtual Circuit (PVC)
D. Integrated services digital network (ISDN)

Q886. Which one of the following network types will play an important role in
implementing E-commerce?
A. Local area network
B. Wireless Local area network
C. Value-added network
D. Internet Service Providers’ network

Q887. Which one of the following pair of items is a primary cause of signal
distortion in data communications?
A. Sudden change in weather and temperature
B. Attenuation and propagation delay
C. Phase hits and amplitude jitter
D. Number of concurrent users

Q888. Which one of the following pairs of protocols greatly conflict with
each other in the same pair of protocols? (TCP/IP is transmission
control protocol/Internet protocol, ISO/OSI is international standards
organization /open systems interconnection, SNA is
A. ISO/OSI and GOSIP
B. TCP/IP and ISO/OSI
C. ISO/OSI and SNA.
D. SNA and TCP/IP

Q889. Which one of the following statements is true with respect to VSAT?
A. Usage is restricted to geographical boundaries
B. Very high cost due to the usage of fibre optic cables
C. Though quality of data is high, it doesn’t support high bandwidth
D. It operates in two frequency bands namely Ku and C

Q890. Which one of the following statements concerning microcomputer systems is NOT true?
A. Database management systems are available for microcomputer
systems
B. Integrated packages are examples of operating systems for
microcomputers
C. An operating system program is a critical software package for
microcomputers
D. Electronic spreadsheet packages are types of application software
for microcomputers

Q891. Which feature makes an intranet similar to the Internet?
A. Corporate network
B. TCP/IP
C. LAN technology
D. Token ring

Q892. Which one of the following statements is False?
A. With a concentrator, the total bandwidth entering the device is
normally different from the bandwidth leaving it
B. Demodulation is the process of converting an analog
telecommunications signal into a digital computer signal
C. With a multiplexer, the total bandwidth entering the device is
normally different from the bandwidth leaving it
D. A communications terminal control hardware unit that controls a
number of computer terminals.

Q893. Which of the following uses RTP (Real-time Transport Protocol)?
A. Fiber Distributed Digital Interface (FDDI)
B. Ethernet
C. Mbone
D. Backbone

Q894. Which part of the Universal Mobile Telecommunication System (UMTS) network houses the ATM (Asynchronous Transfer Mode) standard?
A. Core Network
B. Radio Access
C. User Equipment
D. Mobile Station

Q895. All computers have a central processing unit (CPU) that works in conjunction with peripheral devices. The functions of the CPU are:
A. Input, Output and arithmetic-logic
B. Control and Output
C. Control and arithmetic-logic
D. Input and Control

Q896. An agreement between two computer systems on the ways in which the
data to be transmitted between them shall be packed and interpreted is
called
A. Communication channel
B. Communication protocol
C. Synchronous mode of transmission
D. Asynchronous mode of transmission

Q897. An electronic bulletin board system cannot do which one of the following?
A. Sending and receiving messages
B. Transferring files with all major protocols
C. Searching textual database
D. Real time user-to-user chat facilities

Q898. Analyzing data protection requirements for installing a local area network
(LAN) does not include:
A. Uninterruptible power source
B. Fault tolerance
C. Operating systems
D. Destruction of the logging and auditing data

Q899. Asynchronous transfer mode (ATM) is an example of a fast packet switching network. Which one of the following statements about ATM is FALSE?
A. ATM is a high bandwidth low delay switching and multiplexing
technology
B. ATM networks can carry video communications
C. ATM allows very high speed data transfer rates at up to 155
Mbits/s
D. ATM networks use long packets with varying sizes

Q900. Circuit switching technology is used for:
A. Sending data in small packets as in emails.
B. Sending data continuously in an order as in voice or video
messages.
C. Switching on and off circuits in the telecommunications network.
D. Storing messages and then transmitting them to the next node
depending on the address.

Q901. Client/server architecture has an edge over other systems in:
A. providing strong change control management procedures
B. controlling access to confidential and sensitive data
C. distributing the processing thus not tying up the mainframe
resources
D. avoiding obsolescence of components

Q902. Computer manufacturers generally install software programs permanently inside the computers as part of their main memory to provide protection against loss in case of a power supply interruption. This concept is known as:
A. File integrity
B. Read Only Memory (ROM)
C. Firmware
D. Random Access Memory (RAM)

Q903. Confidentiality and data integrity services are provided in a network in which of the following layers of the ISO/OSI model?
A. Physical layer
B. Data Link layer
C. Presentation layer
D. Application layer

Q904. Connection establishment and termination in Transmission Control Protocol (TCP) do not require:
A. connect and disconnect request
B. Confirmation of request
C. Acknowledgement of confirmation
D. Encryption of connection established message

Q905. Control over data preparation is important because:
A. it is often a major cost area taking about 50% of the data
processing budget
B. unauthorised changes to data and program can take place
C. the work is boring so high turnover always occurs
D. it can be a major bottleneck in the work flow in a data processing
installation

Q906. Which of the following is not a benefit of using the Voice-over-Internet Protocol?
A. High quality voice
B. Security
C. Use of vocoder
D. Use of TDMA

Q907. The IP address 135.0.0.2 (in decimal octet notation) belongs to which
IP addressing class?
A. Class A
B. Class B
C. Class C
D. Class E

Q908. Data is an important asset in an organisation. To prevent the interception of data, the auditor should determine
A. Whether the redundant network cabling schemes and
communication resources are being used
B. Whether access controls exist at the source and destination of
data transfers
C. Whether the audit trails and transaction monitoring exist for
sensitive applications
D. Whether the system automatically gets disconnected after
substantial inactivity

Q909. Determining what components to include in the network configuration is called a:
A. Configuration control
B. Configuration management
C. Configuration status accounting
D. Configuration identification

Q910. Different controls are required in the software whether it is purchased, customised or developed. The auditor while auditing the LAN determines that
A. There exists a license agreement for purchased software
B. All the users have contact number of the vendor
C. Users can ask the vendor to customize the software as required
by them
D. All the software used by the company is accessible by everybody
on the LAN

Q911. Digital subscriber line access multiplexer (DSLAM) is used for:
A. High-speed data transfer
B. Developing efficient digital network over network
C. Accessing remote computer
D. Synchronising protocols of different network

Q912. Dynamic Synchronous Transfer Mode (DTM) supports implementation of Virtual Private Networks (VPNs) because of
A. PDH (Plesiochronous Data Hierarchy)
B. IP (Internet Protocol) over DTM
C. SDH (Synchronous Digital Hierarchy) tunnelling
D. DTM Local Area Network (LAN) Emulation (DLE)

Q913. Environmental controls include protection from water, temperature, dust and related matters. While auditing the environmental controls in a LAN environment the auditor should confirm that
A. LAN file server facility has dust, smoke and other particulate
matters
B. Consumption of food, beverage and tobacco is allowed
C. Air conditioning, humidity control system are followed as desired
by the users of the LAN
D. Fire protection equipment is adequate and appropriate

Q914. Extensible Business Reporting Language (XBRL) is an XML based application that is used for financial processing. Which of the following statements is false?
A. Data in an XBRL document can be accessed with any office tool
such as a spreadsheet etc.
B. It is a freely available electronic language for financial reporting.
C. It is compatible with virtually any software product that manages
financial information.
D. Organisation has to disclose additional information than required
in normal accounting standards

Q915. Extensible Markup Language or XML differs from HTML in the sense
that
A. It has predefined tags and semantics
B. It allows the applications to define its own tags and semantics
C. It has a larger set of predefined tags and semantics
D. None of the above

Q916. Hardware controls usually are those built into the equipment by the
manufacturer. One such control, an echo check, is best described as:
A. a component that signals the control unit that an operation has
been performed
B. two units that provide read-after-write and dual-read capabilities
C. double wiring of the CPU and peripheral equipment to prevent
malfunctioning
D. validation logic applied to fields and records based on their interrelationships with controls established for the batch.

Q917. How can OFDM (Orthogonal Frequency Division Multiplexing) be implemented efficiently?
A. By using oscillators
B. Through Quadrature Amplitude Modulation (QAM) only
C. Through Fast Fourier Transform (FFT) only
D. Using FFT and QAM

Q918. If a web site using the Internet Information Server from Microsoft does
not run dynamic scripts, which of the following tools can harden the
Web Server?
A. IIS Lockdown
B. CGI
C. URLScan
D. Microsoft Management Console

Q919. If possible, the quality goals for specific information systems project
should be formulated by:
A. the sponsor of the project
B. the project’s quality control group
C. QA personnel
D. the project leader

Q920. Implementing a large distributed system involves a number of unique risks arising from both technical and management issues. Which one of the following risks is common to both risk categories?
A. Error detection and correction
B. System response time and system uptime
C. Distributed databases and application programs
D. Security mechanisms

Q921. In 802.5 Token Ring LAN, when a data frame is in circulation, where is
the token?
A. At the receiving station
B. At the sending station
C. With a special station called Monitor station
D. Both the sending and receiving stations have a copy of the token

Q922. In a DeMilitarized Zone (DMZ) Network
A. There are no firewalls and hence the network is called
DeMilitarized
B. A firewall before the boundary router and one firewall after it, but
before the external WebServer
C. Both the firewalls lie between the external Web Server and the
internal (local) Server
D. A firewall between the router and the WebServer and another
between this Server and the local Server

Q923. In a thin client networking model
A. Database is available on the server; application and user interface are available on the client.
B. Database is available on the client; application is available on the server
C. Database and application are available on the server and user interface on client.
D. Database, application and user interface are available on server

Q924. In an Internet URL, “http://www.themanagementor.com”, what is the use of “.com”?
A. Identifies the protocol being used
B. Identifies that the site is on the Internet
C. It is an additional information and is not needed
D. Identifies the purpose of the site. It stands for commercial.

Q925. In order to trace data through several application programs, an auditor needs to know what programs use the data, which files contain the data, and which printed records display the data. If a database system is in use, the auditor could probably find all of thes
A. Database schema
B. Data dictionary
C. Data encryptor
D. Decision table

Q926. In switching over to an Electronic Fund Transfer (EFT) environment, which of the following risks DOES NOT occur?
A. Increased access violations
B. Increased cost per transaction
C. Inadequate backup and recovery procedures
D. Duplicate transaction processing

Q927. In Telecommunication Management Network (TMN) logical model, which layer supports decision-making process at high level?
A. Network-Management Layer (NML)
B. Network-Element Layer (NEL)
C. Business-Management layer (BML)
D. Service-Management Layer (SML)

Q928. In the audit of LAN, inventory control helps the auditor in determining
the effectiveness of IS operations. Which of the following is not correct
with respect to inventory control?
A. Identify the person responsible for disposing obsolete or badly
damaged LAN equipment
B. Inventory control is maintained of all LAN software
C. Hardware components are marked with identification number
which cannot be erased or removed
D. Virus checking software is in use

Q929. In today’s business environment one can hardly find a company without a computer. But an IPF (Information Processing Facility) is typically a large expense. In planning the physical location of the computer, the primary consideration for selecting a site i
A. minimise the distance that data control personnel must travel to
deliver data and reports
B. provide security
C. be easily accessible by a majority of company personnel
D. be in the top floor

Q930. In utilizing Internet for extracting certain information, the BIGGEST hurdle is
A. Finding out the best location of the required information
B. Establishing a connection to the location of the information
C. Access privileges required at the remote computer system
D. Purchasing and establishing the required equipment

Q931. In which of the following services is Public Key Infrastructure (PKI) and digital certification not a useful feature?
A. Virtual Private Networks
B. Web Authentication
C. File Encryption
D. Circuit Switching

Q932. Integration of asset management system, network performance data, customer information, and call details results in improved help desk customer satisfaction. Which one of the following is the most important benefit that can be realized by integrating help
A. Number of errors are substantially reduced
B. The desired level of data and program security is met
C. Redundant data is not present
D. Service level agreements are met

Q933. It is essential to monitor telecommunication processes and ensure that data transmission is complete and accurate. Which of the following automated processes/reports measure this?
A. Turn around time reports
B. Help Desk response monitoring reports
C. Breakdowns/Downtime reports
D. On-line monitoring tools

Q934. LAN configuration if altered without proper controls may lead to disrupted operations. Which of the following is the control objective over configuration change control for the continuous satisfactory operation of LAN?
A. Log book is maintained for LAN downtime
B. LAN server is adequately protected
C. There exists a procedure for changing configuration
D. Access to LAN is on need basis

Q935. Logical access control consists of usage of proper access control mechanism and related security. In the audit of logical security in a LAN environment the auditor ensures that
A. Virus checking software is in use
B. LAN audit trails for login ID are maintained for a reasonable
period of time
C. The inventory reports of the hardware are maintained
D. All the control files are identified

Q936. MIME essentially acts as:
A. A transport agent for e-mail
B. An interface between the mail client and the web server
C. A compressor that packages different formats into SMTP
compatible type
D. None of the above

Q937. Most computer systems have hardware controls that are built in by the
computer manufacturer. Common hardware controls are :
A. duplicate circuitry, echo checks, tape file protection and internal
header labels
B. duplicate circuitry, echo check and internal header labels
C. tape file protection, cryptographic protection and limit checks
D. duplicate circuitry, echo checks and dual reading

Q938. Multi-layer IPsec is different from original IPsec because in ML-IPsec:
A. Data is transmitted over different layers
B. Datagrams can be divided into different zones
C. Multiple datagrams can be sent simultaneously
D. All of the above

Q939. To which of the following resource types are the most complex action privileges assigned?
A. hardware
B. software
C. commodity
D. data

Q940. Network designers must be able to predict network performance if they are to optimise a network. The probability of a lost call is referred to as:
A. Interactivity
B. Availability
C. Reliability
D. Grade of Service

Q941. Network downtime is very costly and should be kept to a minimum. Which one of the following network monitoring devices is best suited in a multivendor data center?
A. Line monitor
B. Circular routing
C. Protocol analyzer
D. Database replication

Q942. Network growth is inevitable and on the increase. Which one of the following components of such growth is most difficult to predict?
A. Modifications to physical and facilities
B. Network utilization by the existing users
C. Increased business activity and revenue
D. Extension of the network to new users

Q943. Of the following, which is NOT an advantage of distributed over centralized processing?
A. If a disaster occurs at one site, processing can be continued in another site
B. It is easier to implement security controls than in a centralized
environment
C. Investment is not huge and made one time; the system can be allowed to grow gradually
D. The cost of communication subsystem is lower than in a
centralized system

Q944. One of the basic objectives of LAN audit is to ensure that
A. Effective controls exist for the security of organisational data files and program libraries
B. Logs are maintained for recording of all security related incidents
C. Passwords are chosen carefully
D. Administrator accounts are renamed to deter intruder hacking

Q945. One of the main objectives of e-commerce is to attract as many customers as possible and reach out to them irrespective of where they are. Extensible Markup Language (XML) makes this possible by _____________________ feature.
A. Standardisation
B. Internationalisation
C. Accessibility
D. Manageability

Q946. Operations in a LAN environment are the day-to-day operations, processes, activities etc. The auditor while auditing the controls over operation in a LAN confirms that
A. There is segregation of duties
B. Operation staff can change the controls over operation as desired
by them
C. Roles are identified but the personnel performing the role define
the responsibility
D. LAN response time is not to be considered for the operation

Q947. Organizations which are unable to create and maintain their own private
networks are more likely to use
A. a wide area network
B. vendor delivered electronic mail system
C. fast-packet switching
D. public switched network

Q948. Out of the following pairs of services, which provides access control over a network of computers?
A. Identification and authentication
B. Certification and accreditation
C. Access control lists and access control privileges
D. Accreditation and assurance

Q949. Personal Computers and Laptops have both a floppy disk drive and a
hard disk drive. The major difference between the two types of storage
is that a hard disk :
A. Has much larger storage capacity than a floppy disk and can also
access information much more quickly
B. is a direct access storage medium whereas a floppy disk is a
sequential access storage medium
C. provides an automatic audit trail, whereas a floppy disk does not
D. is suitable for an online system whereas a floppy disk is not

Q950. The integrity of a system cannot be lost due to
A. Trojan Horse
B. Packet Sniffers
C. Brute force attack
D. Firewalls

Q951. Which of the following is not a key feature of distributed firewalls?
A. Dependence on network topology
B. Using IPSec
C. Using Policy language
D. Efficiency in detecting internal attacks

Q952. Remote workstations can be used effectively with client/server applications. In addition to a modem, which one of the following devices is required to operate a remote workstation?
A. Remote bridge
B. Remote controller
C. Remote router
D. Remote repeater

Q953. Replication management in a distributed system environment provides data consistency between multiple copies of data. Which one of the following replication process components would help achieve that consistency?
A. Replica currency
B. Replica definition
C. Replica scalability
D. Replication operations management

Q954. Ring topology envisages
A. connecting all communication channels to form a loop and each connection passing the communication to its neighbour to the appropriate destination
B. grouping common messages and transmitting them along one
common line
C. hierarchically organizing the communication through a central
computer
D. connecting each node to a central host computer like a hub

Q955. Satellite communications cannot be used in which of the following cases?
A. Unencrypted Confidential data is to be sent
B. Mobile Communications
C. In case of natural calamities
D. Communication in rocky areas

Q956. Short Message Service (SMS) cannot be used to provide which of the
following services?
A. Notify a user if new email comes to user’s email account
B. Inform a user about news headlines or weather
C. Provide transmission of short messages between two users
D. Display a graphic-rich web page

Q957. Simple Software has just purchased a minicomputer. The make and model selected will allow the company to attach additional units as
its needs expand. The company has taken advantage of a concept in
hardware design known as :
A. Emulation
B. Networking
C. Modularity
D. Standardisation

Q958. Staffing the QA function is often difficult because:
A. high levels of interpersonal conflict often arise among QA
personnel
B. incumbents have little opportunity to exercise high-level
information systems skills
C. QA personnel require a high level of interpersonal skills because the potential for conflict between QA personnel and information systems personnel is high
D. information systems personnel tend to prefer a development role
to a monitoring role

Q959. The auditor while reviewing the local area network (LAN) takes into
consideration the purpose and processing environment. In the pre-audit
phase the auditor
A. Considers LAN utilities which are used by the company and takes training on the same
B. Ensures whether the hardware inventory contains a unique
identification number
C. Ensures whether the procedure exists for operation staff to
manage change control
D. Reviews the problem resolution log to determine if the problems are recurring

Q960. The best control to ensure that a customer uses a debit/credit card
carefully is:
A. to make the customer liable if the careless use of a card leads to a fraud
B. blocking a card if it is not used for a period of 3 months
C. to educate the customer about the importance of card security
D. enforced periodic change of the PINs

Q961. The database administrator is not responsible for which one of the
following functions?
A. Physical design of a database
B. Security of a database
C. Coordinate and resolve conflicting needs and desires of users in
their diverse application areas
D. Logical design of a database

Q962. The following device is used to connect one type of IEEE 802.x LAN to
another
A. Router
B. Repeater
C. Bridge
D. No device is necessary as they are all compatible and are hence
grouped under 802 series

Q963. The following method of obtaining customer selected PINs does not
require the cryptographic generation of a reference number, to initially
associate the PIN with the customer’s account number?
A. entry via phone
B. PIN entry at the issuer’s premises
C. PIN entry via a secure terminal
D. PIN entry at acquirer’s premises

Q964. The following method of PIN validation seems to result in the fewest
control problems?
A. allow the customer to make a small number of PIN entry
attempts, close the account after the limit has been reached, and
retain the card
B. allow the customer to make a small number of PIN entry
attempts, do not close the account after the limit has been
reached, but retain the card
C. allow a reasonable number of PIN entry attempts, close the
account after the limit has been reached, but do not retain the
card
D. allow a reasonable number of PIN entry attempts, close the
account after the limit has been reached, and retain the card

Q965. Which of the following statements applies to a capability-based approach to authorisation?
A. a list of users who can access the resource is associated with
each resource together with each user’s action privileges with
respect to the resource
B. the mechanism associates with each user the resources they can
access together with the action privileges they have with respect
to each resource

242
DISA Review Questions, Answers Manual – Module 3

C. a user is assigned capabilities as a function of the class into


which user’s password falls
D. the users are assigned privileges only if they know the password
for each resource

Q966. The following statement is true about a mandatory access control
policy?
A. it is not possible for users to change their classification level,
though they can change their clearance levels
B. it must be enforced by a more complex access control
mechanism compared with a discretionary access control policy
C. it is less likely to be used in a business systems environment
than a discretionary access control policy
D. an audit trail is not required with a mandatory access control
policy

Q967. The internal auditor’s first job while trying to identify the components of
a telecommunication system posing the GREATEST threat, shall be
A. Identify the business objectives of the network
B. Review the network with reference to the ISO/OSI model of seven
layers
C. Identify the various layers of ISO/OSI model to which each
component belongs
D. Estimate the operating costs of the communication subsystem

Q968. The main DISADVANTAGE of using a PBX-based communication
network for establishing a local area network is
A. rewiring is to be done using coaxial cabling
B. large volumes of data cannot be handled
C. system maintenance will have to be entrusted to outsiders
D. any relocation of the devices at a later stage is almost impossible

Q969. The major reason why quality metrics need to be chosen for a specific
information systems project is:
A. to alleviate conflict between stakeholders
B. to reduce the amount of monitoring of compliance with standards
that QA personnel will have to undertake
C. to clarify the basis on which QA personnel will evaluate whether
quality goals have been met
D. to alleviate conflict between the Statutory Auditors and Information
Systems Auditors

Q970. Which feature of the Interior Gateway Routing Protocol (IGRP) prevents
large loops of routers?
A. Poison-reverse updates
B. Split-horizon updates
C. Hold down
D. Composite metric

Q971. The manager of the information systems QA function should report to
the:
A. managing director of the organisation
B. project leader
C. manager in charge of the information systems function
D. manager responsible for the internal audit function

Q972. The MOST secure access control mechanism is
B. user identification with a password of not less than 6 characters
C. plastic cards with magnetic stripe and a PIN
D. call-back telephone facility

Q973. The presence of a Quality Assurance (QA) function has an effect on
the auditors’ function. Which of the following statements about the
relationship between quality assurance and auditing is most likely to be
not true?
A. the extent of substantive testing to be carried out by the auditors
can be decreased substantially when QA function is working
reliably
B. QA personnel are likely to check information systems controls
more comprehensively than auditors
C. the inherent risk associated with an organisation decreases
considerably when an organisation has an information systems
QA function
D. It is more likely that the external auditors will focus on the
reliability of the QA function rather than undertaking direct tests
of information systems controls

Q974. The presence of an arbitrator in a digital signature system will prevent:
A. the senders from reneging on the contract by making their private
key public and claiming that the message was forged
B. the sender from forging a message using the receiver’s private
key
C. an unauthorised person from reading the message
D. the receiver forging a message using the sender’s private key

Q975. The primary advantage of the list-oriented approach to authorisation is:
A. it introduces run-time efficiency
B. it allows efficient administration of capabilities
C. access control lists are stored on a fast memory device to
facilitate easy access to the list
D. smaller protection domains are permitted

Q976. The primary purpose of Quality of Service (QoS) is to
A. Provide efficient service to all applications in the network
B. Give preference to large flows
C. Improve service to specified flows
D. Give equal preference to all resources

Q977. The principle of least privilege is an important concept in access controls
of a network. Among the four enumerated here, which does NOT
support this concept?
A. Privilege based on the time and day
B. Privilege based on an application
C. Either allow access to all resources or none
D. Privileges of the group inherited by the user

Q978. The purpose of an electronic signature is
A. to establish the authenticity of the message
B. to encrypt the message for confidentiality
C. to prevent compromises when using a private key
D. to prevent misuse of email facilities

Q979. The relationship with vendors is important from the point of view of
maintenance and servicing of the systems. In reviewing the LAN, the auditor
ensures that the software meets the demands of the company and that
A. The vendor’s reliability is not important
B. A licence agreement exists
C. Vendor support for installation and training need not exist
D. The software is purchased without approval of the senior officials

Q980. The significance of hardware controls to auditors is that they:
A. Ensure correct programming of operating system functions
B. Assure that the vendors support current versions of the software.
C. Assure the correct execution of machine instructions
D. Ensure that run-to-run totals in application systems are consistent

Q981. The use of multiple disks in a Redundant Array of Independent Disks
(RAID) results in _______
A. Increased MTBDL (Mean Time Between Data Loss)
B. Decreased Fault tolerance
C. Increased MTBF (Mean Time Between Failure)
D. Striping

Q982. The use of programming aids, data and instructions that are prepared
for one computer and can be used on another computer without
conversion or program modifications are examples of :
A. Modularity
B. Interfacing
C. Sequencing
D. Portability

Q983. To connect to an FTP site without being a registered user, one needs
to enter:
A. login name=anonymous ; password=email address
B. login name=email address ; password=anonymous
C. login name=anonymous ; password=anonymous
D. cannot log on without being a registered user

Q984. To effectively implement the principle of least privilege, it is necessary
to have:
A. a ticket oriented approach to authorisation
B. a list oriented approach to authorisation
C. small protection domains
D. an open environment

Q985. Unified Messaging is a common way of receiving all kinds of messages
like email, fax, etc. through a single interface. Fax messages are
received as:
A. Simple mail that can be viewed in the editor window
B. Attachments that can be printed out
C. Messages notifying receipt of a fax that can be collected
D. None of the above

Q986. Uninterruptible Power Supplies (UPS) are used in computer centers to
reduce the likelihood of:
A. failing to control concurrent access to data
B. losing data stored in main memory
C. dropping bits in data transmission
D. crashing disk drives read-write heads

Q987. Use of a local area network has its own restrictions when compared to
a wide area network. Which one of the following is not a restriction?
A. The number of workstations that can be connected to a network
B. The length of cable to connect a workstation to the network
C. A single link failure, a repeater failure, or a break in the cable
could disable a large part or all of the network.
D. The ability of a personal computer to act as a data terminal

Q988. Value added networks (VAN) DO NOT
A. convert transactions of a client to a standard protocol to enable
the recipient to face fewer problems connected to non-standard
protocols
B. store orders of the exporter in one country to be accessed by
importers in various countries
C. maintain a transaction log of the import orders of an organization
from its trading partner
D. eliminate the need for trading partners to establish direct
connection for EDI

Q989. What does a firewall do when a security incident occurs?
A. Sound an audible alarm
B. Block all further traffic, irrespective of whether it is authorised
access or not
C. Correlate events, as the firewall is the gatekeeper to the entire
network
D. Reroute all traffic through a back up firewall

Q990. What does NAT mean in the context of Firewalls and Security?
A. NAT (Network Attack Terminator) is a program used to hunt
and destroy malicious packets.
B. NAT, Network Administration Terminal, is an application-proxy
firewall and inspects incoming packets
C. NAT, Network Address Translation, hides the internal addressing
scheme in the network
D. NAT, Network Authentication Tool, identifies authorised users and
allows them remote access

Q991. What function does Address Resolution Protocol (ARP) perform?
A. It relates IP addresses to Ethernet addresses
B. Prevents two computers from using the same IP address
C. Enables a diskless workstation to know its IP address by
broadcasting its Ethernet address
D. Resolves a name like www.themanagementor.com to the IP
address of the computer hosting the web site

Q992. What happens when the Session Manager opts for a persistent session?
A. Session data is stored permanently in the database
B. Session data for each transaction is stored in the database
C. Session data is stored in the memory for a limited time
D. Session data is not related to a persistent session

Q993. What is a MAJOR benefit of switching over to the electronic data
interchange (EDI) system?
A. Improving of business relationship with trading partners
B. Increasing of the transmission speed of documents
C. Decreasing of contingency and backup planning efforts
D. Decreasing of the legal liabilities over proprietary data

Q994. What is the Telecommunications Management Network (TMN)?
A. A set of standards for all networks
B. A set of international standards for telecommunication network
C. A programming language
D. A type of software

Q995. What is the similarity between a GSM (Global System for Mobile
Communications) network and EDGE (Enhanced Data rates for GSM
Evolution)?
A. Both use the TDMA frame structure
B. Both deliver a data rate of 384 Kbps
C. Both use the same transceiver unit
D. Both use phase shift modulation

Q996. When three or more nodes are linked together through a single
communication medium it is termed as,
A. Ring Logical Topology
B. Point-to-Point Topology
C. Multipoint Topology
D. Bus Logical Topology

Q997. When a compliance failure occurs, QA personnel should:
A. notify external auditors because it may affect the audit plan
B. implement corrective actions as and when compliance failure
occurs
C. take action to mitigate the effects of the compliance failure on
shareholders
D. consider appropriate corrective actions so they can make
recommendations to management

Q998. When constructing the communications infrastructure for moving data
over a local area network, the major implementation choices involve
decisions about all of the following except:
A. Repeaters
B. File servers
C. Routers
D. Terminal controllers

Q999. When data is accessed through both sequential and direct access
methods the process is called:
A. Sequential storage and retrieval
B. Direct access and retrieval
C. Indexed sequential storage and retrieval
D. None of the above

Q1000. When emails are exchanged over the Internet, one server handles
incoming mails and the other outgoing. With respect to this, which of
the following options is true?
A. SMTP handles incoming mails and POP3 handles outgoing.
B. POP3 handles incoming mails and SMTP handles outgoing.
C. Microsoft Outlook handles incoming mails and Outlook Express
handles outgoing.
D. Outlook Express handles incoming mails and Microsoft Outlook
handles outgoing.

Q1001. When sending a signed message under a public key infrastructure, the
message is encrypted using the:
A. receiver’s private key
B. sender’s private key
C. receiver’s public key
D. sender’s public key and receiver’s private key

Q1002. When the exchange of information is the primary purpose for installing a
computer system, with an information repository accessible to its users,
the BEST system is:
A. Electronic Bulletin Board System
B. Electronic Mail System
C. Private Branch Exchange (PBX)
D. Fax/modem software

Q1003. Where is the service logic located in an Advanced Intelligent Network
(AIN)?
A. Service Control Point (SCP)
B. Service Switching Point (SSP)
C. Intelligent Peripheral (IP)
D. Location Routing Number (LRN)

Q1004. When users of an information system are dispersed over a wide area
and are authorized to use dial-up lines for getting access to confidential
data, the BEST form of control for data security and confidentiality is
A. forced change of password after every day
B. end-to-end encryption
C. dial-disconnect-callback features
D. dedicated telephone lines

Q1005. Where an access control mechanism is implemented in an open
environment, the users are allowed to access a resource:
A. only if authorisation information specifies users can access the
resource
B. unless authorisation information specifies users cannot access
the resource
C. have to authenticate themselves only once, and not after that
D. with full access to read, write and execute
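
Q965, Q975, Q984 and Q1005 all turn on the same two distinctions: whether the authorisation information hangs off the resource (list-oriented, an access control list) or off the user (ticket-oriented, a capability list), and whether the environment is closed (deny unless explicitly allowed) or open (allow unless explicitly denied). The following is an added example written for this page, not code from the original question bank or from any product; the resource and user names are constructed. It implements both models side by side so the administrative trade-offs the questions describe can be exercised directly.

```python
from typing import Dict, Optional, Set

READ, WRITE, EXECUTE = "read", "write", "execute"


class AclAuthorizer:
    """List-oriented authorisation: the authorisation information hangs off the
    resource. Each resource carries rules of the form user -> action -> allow/deny.

    closed_environment=True  : a user may act only if a rule explicitly allows it
    closed_environment=False : a user may act unless a rule explicitly denies it
    """

    def __init__(self, closed_environment: bool = True) -> None:
        self._acl: Dict[str, Dict[str, Dict[str, bool]]] = {}
        self._closed = closed_environment

    def set_rule(self, resource: str, user: str, action: str, allowed: bool = True) -> None:
        self._acl.setdefault(resource, {}).setdefault(user, {})[action] = allowed

    def check(self, user: str, resource: str, action: str) -> bool:
        rule: Optional[bool] = self._acl.get(resource, {}).get(user, {}).get(action)
        if rule is None:
            return not self._closed   # no authorisation information: closed denies, open allows
        return rule

    def who_can(self, resource: str, action: str) -> Set[str]:
        """Cheap in the list-oriented model: one lookup on the resource."""
        return {u for u, acts in self._acl.get(resource, {}).items() if acts.get(action)}

    def revoke_user(self, user: str) -> int:
        """Expensive in the list-oriented model: every resource's list must be scanned."""
        touched = 0
        for acts in self._acl.values():
            if user in acts:
                del acts[user]
                touched += 1
        return touched


class CapabilityAuthorizer:
    """Ticket-oriented authorisation: the authorisation information hangs off the
    user. Each user holds a capability list: resource -> permitted actions.
    That list is the user's protection domain; least privilege means keeping it
    as small as the job allows.
    """

    def __init__(self) -> None:
        self._caps: Dict[str, Dict[str, Set[str]]] = {}

    def grant(self, user: str, resource: str, *actions: str) -> None:
        self._caps.setdefault(user, {}).setdefault(resource, set()).update(actions)

    def check(self, user: str, resource: str, action: str) -> bool:
        # No ticket means no access: the ticket-oriented model is inherently closed.
        return action in self._caps.get(user, {}).get(resource, set())

    def protection_domain(self, user: str) -> Dict[str, Set[str]]:
        return {r: set(a) for r, a in self._caps.get(user, {}).items()}

    def revoke_user(self, user: str) -> int:
        """Cheap in the ticket-oriented model: drop one user's ticket list."""
        return len(self._caps.pop(user, {}))

    def who_can(self, resource: str, action: str) -> Set[str]:
        """Expensive in the ticket-oriented model: every user's list must be scanned."""
        return {u for u, caps in self._caps.items() if action in caps.get(resource, set())}


def demo() -> dict:
    """Constructed scenario: one protected file, three users, both models."""
    closed = AclAuthorizer(closed_environment=True)
    open_env = AclAuthorizer(closed_environment=False)
    for acl in (closed, open_env):
        acl.set_rule("payroll.db", "alice", READ)
        acl.set_rule("payroll.db", "alice", WRITE)
        acl.set_rule("payroll.db", "mallory", READ, allowed=False)
    caps = CapabilityAuthorizer()
    caps.grant("alice", "payroll.db", READ, WRITE)
    caps.grant("bob", "payroll.db", READ)
    return {
        "closed: alice read": closed.check("alice", "payroll.db", READ),
        "closed: bob read (no rule)": closed.check("bob", "payroll.db", READ),
        "open: bob read (no rule)": open_env.check("bob", "payroll.db", READ),
        "open: mallory read (explicit deny)": open_env.check("mallory", "payroll.db", READ),
        "caps: bob write (no ticket)": caps.check("bob", "payroll.db", WRITE),
        "caps: bob domain": caps.protection_domain("bob"),
        "acl: who can write": closed.who_can("payroll.db", WRITE),
        "caps: revoke alice": caps.revoke_user("alice"),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The two `who_can` and `revoke_user` methods make the administrative point concrete: the list-oriented model answers "who can touch this resource" in one lookup but must scan every list to remove a user, while the ticket-oriented model does the reverse. Bob's protection domain in the demo is a single read ticket, which is what a small protection domain for least privilege looks like in practice.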

Q1006. Which among the following is a distinct benefit of installing a Local Area
Network (LAN)?
A. LANs enable sharing of resources like hardware, software and
data
B. LANs prevent virus attack
C. LANs provide better change management control
D. LANs provide greater confidentiality of data than other systems

Q1007. Which area of the ISO Network management Model is responsible for
identifying problems, logging reports and notifying the users, so that the
network runs effectively?
A. Performance Management
B. Accounting Management
C. Fault Management
D. Configuration Management

Q1008. Which component of the Local Multipoint Distribution Service (LMDS) is
vendor specific?
A. Central Office (CO) equipment
B. Customer Premises Equipment (CPE)
C. Network Operations Centre (NOC)
D. Fibre -based infrastructure

Q1009. Which feature gives Time Division Multiple Access the edge over other
spread spectrum technologies?
A. Hierarchical cell structures
B. Extended TDMA
C. Elimination of interference
D. Reduced infrastructure costs

Q1010. Which feature in UMTS (Universal Mobile Telecommunications System)
security is not derived from GSM standards?
A. Subscriber identity module
B. Radio interface encryption
C. Security against false base stations through mutual authentication
D. Subscriber identity confidentiality

Q1011. Which of the following actions should be undertaken when a file
retention date expires?
A. the storage medium on which the file resides should be retired
from use
B. the file should be purged
C. the file retention date should be extended
D. the file should be retrieved from back up storage

Q1012. Which of the following activities should not be permitted when operators
use a communications network control terminal:
A. Monitoring network activity levels
B. down line loading a program
C. transmitting system warning and status messages
D. altering the audit trail to correct an error

Q1013. Which of the following activities would not be performed by control
section personnel when they collect the output of a batch application
system from the computer room:
A. checking basic control totals
B. Checking to see whether any programs terminated abnormally
C. Scanning the output for obvious errors
D. checking the transaction log

Q1014. Which of the following requires two different keys for encryption and
decryption:
A. Symmetric Cryptography
B. Asymmetric Cryptography
C. Cryptanalysis
D. Cryptology

Q1015. Which of the following AIN (Advanced Intelligent Network) components
functions as an intelligent router?
A. Intelligent peripheral
B. Service Control Point
C. Service Switching Point
D. Signalling Transfer Point

Q1016. Which of the following best describes the role of QA management with
respect to the information systems function?
A. Carrying out a post implementation audit/review of the application
systems of an information systems function
B. monitoring IS activities for compliance with IS standards
C. advising information systems development staff on the quality of
the requirements specification and design specification that they
have prepared
D. working with internal auditors to devise a program of compliance
testing and substantive testing activities for the information
systems function

Q1017. Which of the following characteristics is not associated with a public key
cryptosystem?
A. the encryption key can be known to all communication users
B. the processing time required in private key cryptosystem is faster
than that of public key cryptosystem
C. the decryption key should be kept a secret
D. the decryption key is the same as the encryption key

Q1018. Which of the following controls applies to PIN transmission?
A. the PIN must always be encrypted under the issuer’s key
B. the PIN must always be encrypted under the acquirer’s key
C. a unique cipher must be generated for each transmission of the
PIN
D. the PIN check digit should not be stripped off before the PIN is
encrypted for transmission

Q1019. Which of the following decisions most likely cannot be made on the
basis of performance monitoring statistics that are calculated:
A. whether new hardware/system software resources are needed
B. whether unauthorised use is being made of hardware/system
software resources
C. whether the system being monitored has provided users with a
strategic advantage over their competitors
D. whether there is any abnormal work load during a particular shift
which may be because of private use of resources by some staff

Q1020. Which of the following decisions most likely could not be made on the
basis of reports prepared from the maintenance log:
A. whether to move files from one storage medium to another to
reduce read/write errors
B. whether only valid and authorised transactions were processed
C. whether a storage medium should be retired
D. whether a master file should be stored on a particular storage
medium

Q1021. Which of the following does not reflect good control over use of
removable storage media?
A. Personnel at off-site locations should receive and issue backup
files only in accordance with an authorised schedule or a signed
requisition
B. project managers should maintain records of media use
associated with the application systems over which they have
responsibility
C. sensitive files and non sensitive files should be stored on the
same removable storage medium
D. backup for all media except diskettes should be kept off site and
access to them must be restricted

Q1022. Which of the following events is recorded on a public audit trail in a
digital signature system?
A. registration of public keys
B. terminal identifier
C. resources provided/denied
D. modifications to private keys

Q1023. Which of the following features is attributed to UDP?
B. Stable connection
C. Maximum protocol mechanisms
D. Uses checksum to check whether the data transferred has
reached destination without being corrupted.
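
Option D of Q1023 describes the only integrity mechanism UDP has: a 16-bit one's-complement checksum that, for IPv4, also covers a pseudo-header built from the IP addresses, protocol number and UDP length. The following is an added example written for this page, not part of the original question bank: it builds a UDP datagram with a valid checksum, verifies it the way a receiver would, and shows that both a flipped bit and delivery to the wrong destination address are caught. The IP addresses, ports and payload are constructed values.

```python
import struct

UDP_PROTOCOL = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                        # pad an odd-length buffer for the last word
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def udp_checksum(src_ip: str, dst_ip: str, datagram: bytes) -> int:
    """Checksum of a UDP datagram (header + payload) as a receiver would recompute it.

    The sum covers an IPv4 pseudo-header (addresses, protocol, UDP length) as well
    as the datagram, so a datagram that arrives at the wrong host fails the check
    even if every byte of it is intact. The checksum field is taken as zero while summing.
    """
    pseudo = (_ipv4(src_ip) + _ipv4(dst_ip) + b"\x00" + bytes([UDP_PROTOCOL])
              + struct.pack("!H", len(datagram)))
    zeroed = datagram[:6] + b"\x00\x00" + datagram[8:]
    csum = internet_checksum(pseudo + zeroed)
    return csum or 0xFFFF                      # 0 on the wire means "no checksum", so send all-ones


def build_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Sender side: header with a zero checksum field, then fill the computed value in."""
    header = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = udp_checksum(src_ip, dst_ip, header + payload)
    return header[:6] + struct.pack("!H", csum) + payload


def verify_udp(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """Receiver side: the length must match and the recomputed checksum must equal the carried one."""
    if len(datagram) < 8:
        return False
    _sport, _dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        return False
    if csum == 0:
        return True                            # IPv4 lets a sender omit the checksum; nothing to check
    return udp_checksum(src_ip, dst_ip, datagram) == csum


def corrupt(datagram: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset: stands in for a transmission error."""
    damaged = bytearray(datagram)
    damaged[offset] ^= 0x01
    return bytes(damaged)


if __name__ == "__main__":
    src, dst = "192.0.2.1", "198.51.100.7"                 # constructed documentation addresses
    dgram = build_udp(src, dst, 40000, 53, b"constructed payload")
    print("intact datagram verifies:", verify_udp(src, dst, dgram))
    print("flipped payload bit verifies:", verify_udp(src, dst, corrupt(dgram, 12)))
    print("delivered to wrong host verifies:", verify_udp(src, "198.51.100.8", dgram))
```

Note what the check does and does not give: it detects accidental corruption in transit, but an attacker who alters the payload simply recomputes the checksum, so it is not an integrity control against tampering; that is what the cryptographic mechanisms in the signature questions elsewhere on this page provide.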

Q1024. Which of the following features in Internet Information Server (IIS) 5.0
from Microsoft logs the CPU resources consumed by Web Services?
A. Application Protection feature
B. Centralised Administration
C. Kerberos
D. Process Accounting

Q1025. Which of the following features is not a part of DSL but of ADSL?
A. Use of Plain Old Telephone Service (POTS)
B. Use of copper wire as transmission medium
C. Facilitates more downstream rather than upstream transfer
D. Provides more bandwidth for voice

Q1026. Which of the following functions cannot be performed using a
communications network control terminal:
A. resetting message queue lengths
B. starting and terminating lines and processes
C. generating a control total for a point-of-sale device
D. correcting a hardware error in a modem

Q1027. Which of the following incidents can seriously damage a digital signature
system?
A. compromise of a key server’s private key
B. compromise of a receiver’s private key
C. compromise of a sender’s private key
D. use of a fake public key
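
Q974, Q978, Q1001, Q1014, Q1017 and Q1027 all rest on how an asymmetric key pair is used: the sender's private key signs, the sender's public key verifies, and confidentiality comes from encrypting under the receiver's public key. The following is an added example written for this page, not part of the original question bank. It uses textbook RSA with fixed, deliberately tiny Mersenne primes so that it runs offline and deterministically; the primes and messages are constructed, and the scheme (no padding, hash reduced modulo n) is a teaching stand-in, not something to deploy.

```python
import hashlib
from typing import Tuple

PublicKey = Tuple[int, int]    # (n, e)
PrivateKey = Tuple[int, int]   # (n, d)

# Toy parameters: fixed Mersenne primes chosen so the example is reproducible.
# They are hopelessly small for real use; real keys are 2048 bits or more, randomly generated.
ALICE_PRIMES = (2**61 - 1, 2**89 - 1)
BOB_PRIMES = (2**107 - 1, 2**127 - 1)
E = 65537


def keygen(p: int, q: int, e: int = E) -> Tuple[PublicKey, PrivateKey]:
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def digest(message: bytes, n: int) -> int:
    """Hash-then-sign: the signature covers a fixed-size digest reduced into [0, n)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, priv: PrivateKey) -> int:
    n, d = priv
    return pow(digest(message, n), d, n)        # only the holder of d can produce this


def verify(message: bytes, signature: int, pub: PublicKey) -> bool:
    n, e = pub
    return pow(signature, e, n) == digest(message, n)   # anyone with the public key can check


def encrypt_to(message: bytes, pub: PublicKey) -> int:
    """Confidentiality: encrypt under the RECEIVER's public key; only their private key decrypts."""
    n, e = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)


def decrypt(ciphertext: int, priv: PrivateKey) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> dict:
    """Constructed scenario: Alice signs a contract; Mallory later steals Alice's private key."""
    alice_pub, alice_priv = keygen(*ALICE_PRIMES)
    bob_pub, bob_priv = keygen(*BOB_PRIMES)
    contract = b"Alice agrees to pay Bob 100 units"
    sig = sign(contract, alice_priv)
    # Q1027: once the sender's private key is compromised, anyone can sign "as Alice".
    forged = b"Alice agrees to pay Mallory 900 units"
    forged_sig = sign(forged, alice_priv)
    return {
        "genuine verifies": verify(contract, sig, alice_pub),
        "tampered message fails": verify(contract + b"0", sig, alice_pub),
        "wrong public key fails": verify(contract, sig, bob_pub),
        "forgery with stolen private key verifies": verify(forged, forged_sig, alice_pub),
        "bob decrypts what was encrypted to him":
            decrypt(encrypt_to(b"secret", bob_pub), bob_priv) == b"secret",
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The last two results are the ones the questions probe. A forgery made with a stolen private key is indistinguishable from a genuine signature, which is why a compromised sender key (and a sender who deliberately leaks it and then claims forgery, the situation an arbitrator in Q974 addresses) undermines non-repudiation; and encryption for confidentiality uses the receiver's public key, a different operation from signing.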

Q1028. Which of the following information technologies or software products do
not mesh well with the information sharing concept?
A. Groupware products
B. Workgroup products
C. Stovepipe systems
D. Workflow software

Q1029. Which of the following is a component of the Internet?
A. Routers to strengthen the attenuated signals
B. Repeaters to establish physical connection between various LANs
C. Gateways to allow a network to use the resources of another
main frame
D. Bridges to optimize the transmission path of messages

Q1030. Which of the following is considered the greatest threat to the corporate
network, as far as cyber theft is concerned:
A. Business partners who have authorised access to the network
B. External parties not having authorised access to the network
C. Suppliers and customers who have authorised access to the
network
D. Employees who are connected to the corporate network

Q1031. Which of the following is false in relation to watermarking?
A. It embeds copyright information in the object
B. It is sufficient to prove the ownership of the article
C. It should be invisible
D. It identifies the user with the help of a serial number

Q1032. Which of the following is incorrect with regard to IP multicasting?
A. It distributes large amounts of data
B. It reduces the choking of bandwidth, due to high data traffic.
C. It requires additional resources for efficient delivery of data.
D. It is a group concept.

Q1033. Which of the following is least likely to be a motivation to establish a
QA role within the IS function?
A. Of all stakeholders, QA personnel are likely to be perceived
as the most independent if they assume responsibility for the
development, promulgation and maintenance of information
system standards
B. A QA role facilitates organisations successfully undertaking more
ambitious information systems projects
C. An organisation may not be able to sell some of its IS products
unless it can show its customers that it has a viable QA function
D. A QA role will substantially decrease the costs of review work and
testing work associated with the development and implementation
of an Information system

Q1034. Which of the following is least likely to be a reason for making QA
personnel responsible for identifying areas where quality improvement
can be made?
A. QA personnel should have the knowledge and experience to
make the best recommendations for improvements to information
systems standards
B. QA personnel are charged with being knowledgeable about and
remaining up-to-date with best practice in information systems
C. QA personnel should have the greatest incentives to effect
improvements to information systems standards
D. QA personnel are in the best position to decide whether quality
improvement will result in better achievement of the organisation’s
overall corporate strategy

Q1035. Which of the following is most unlikely to be a reason for having QA
personnel responsible for formulating, promulgating, and maintaining
standards for the information systems function?
A. QA personnel should have the most knowledge about the
impact of national and international quality standards on their
organisations
B. QA personnel will be best placed to recommend corrective actions
when they formulate, promulgate, and maintain standards
C. QA personnel should have most experience of information
systems development, implementation, operations, and
maintenance activities
D. QA personnel should have incentives to ensure their organisation
adopts the best set of quality assurance standards possible

Q1036. Which of the following is NOT a characteristic of optical fibre cables?
A. Transmission rates are very high
B. Transmission is free of distortion due to noise/cross talk
C. The cables are small and flexible
D. The signal gets attenuated

Q1037. Which of the following is not a function of the control section:
A. dispatching input to the computer room
B. altering source data to correct input errors
C. batches containing errors would be rejected for correction prior to
processing
D. follow-up on unpaid accounts if a transfer pricing scheme is being
used

Q1038. Which of the following is not a part of the Global System for Mobile
Communication (GSM) network?
A. European Telecommunications Standards Institute (ETSI)
B. Switching System (SS)
C. Base Station System (BSS)
D. Operation and Support System (OSS)

Q1039. Which of the following is not a problem that undermines the
establishment of quality goals for an IS project?
A. There are no widely accepted quality goals for Information
Systems
B. Quality can have different meanings for different stakeholders in
Information System
C. Top management may evaluate quality in terms of whether an
information system allows their organisation to compete better in
a market place
D. Quality goals can vary, depending on the nature of Information
System to be developed, implemented, and maintained

Q1040. Which of the following is not a responsibility of the production control
section with respect to acquisition of consumables that the information
systems function uses?
A. ensuring that consumables are stored securely
B. monitoring the price and quality of consumables used
C. performing credit control checks on vendors who provide
consumables
D. control over the use of consumables

Q1041. Which of the following is NOT a security option of Internet Information
Server 4.0?
A. All scripts and programs must be thoroughly tested for wrong
input given with malicious intent
B. Enable Secure Sockets Layer (SSL)
C. Use NT File System (NTFS) instead of using File Allocation Table
(FAT file system)
D. If multiple sites are being hosted, they have to be appropriately
segregated

Q1042. Which of the following is not an audit objective in the review of hardware
acquisition?
A. ensuring that adequate information for sound management
decision making is available prior to contracting for the purchase,
rent or lease of new equipment
B. ensuring that the vendors are provided with appropriate and
uniform data for submission of bids according to management
approved specifications and guidelines
C. Ensuring that provisions are made to minimise damage or abuse
to hardware and to maintain the hardware in good operational
condition
D. Ensure that management’s hardware acquisition plan has taken
into consideration technological obsolescence.

Q1043. Which of the following is NOT an input control objective?
A. Maintenance of accurate batch registers
B. Completeness of batch processing
C. Authorisation of file updates
D. Appropriate accounting for rejections and exceptions

Q1044. Which of the following is NOT true as a means of network reliability
enhancement:
A. Redundant switching equipment
B. Parallel physical circuits
C. Licensed software
D. Standby power supplies

Q1045. Which of the following is NOT true about a database management
system application environment?
A. Multiple users use data concurrently
B. Data are shared by passing files between programs or systems
C. The physical structure of the data is independent of user needs
D. Each request for data made by an application program must be
analysed by DBMS.

Q1046. Which of the following is not true with regard to SNMP?
A. It is a connectionless protocol
B. It guarantees data transmission
C. It can accommodate devices from different vendors
D. It reduces the resources required, and makes network
management simple

Q1047. Which of the following is true in relation to Frame Relay?
A. A physical frame relay port will have a single virtual circuit
B. It is used to send analog information such as voice and data
C. It uses two OSI protocol layers as against three used in X.25
D. Using frame relay limits the type of resources that can be
connected to a network

Q1048. Which of the following is true regarding Remote Authentication Dial-In
User Service (RADIUS):
A. It can authenticate a single client at a time through a centralised
database
B. It can authenticate multiple clients at a time through a
decentralised database
C. It can authenticate multiple clients at a time through a centralised
database
D. It can authenticate a single client at a time through a
decentralised database.

Q1049. Which of the following provides mobile user network access over an air
interface in Wireless IP?
A. Core network
B. End-user Services Network
C. Radio Access Network
D. GSM

Q1050. Which of the following is true with regard to fibre optics?
A. It consists of inner cladding and an outer core.
B. It consists of an inner core and outer cladding.
C. Even though thinner and lighter than metal wires, they are more
susceptible to interference.
D. Less susceptible to interference than metal wires but carry analog
signals that slow down data.

Q1051. Which of the following is unlikely to be a capability of an automated
library system for removable storage media?
A. recording the names of the persons who are authorised to access
each storage medium
B. recording the dates when the contents of storage media can be
deleted
C. recording and maintaining the history of difficulties experienced
with the medium (read/write errors)
D. preparing reports indicating times when the temperature and
dust levels in the room where storage media are stored reached
unacceptable levels

Q1052. Which of the following modulation schemes does Orthogonal Frequency
Division Multiplexing (OFDM) deploy?
A. Multicarrier modulation
B. Phase shift keying
C. Amplitude /Phase keying
D. Digital amplitude modulation

Q1053. Which of the following options is true (with regard to SLIP)?
A. It includes a protocol identifier.
B. It allows communication with multi protocol computers.
C. It has no addressing scheme for routing purposes.
D. It is never used in a dial up connection.

Q1054. Which of the following pairs of items perform similar functions?
A. The Web server and the Web browser
B. Assembler and compiler
C. Bypass Label Processing and Central Processing Unit
D. Routers and gateways

Q1055. Which of the following principles should guide the ways in which QA
personnel monitor compliance with information systems standards?
A. QA personnel should use automated tools to ensure compliance
with information systems standards
B. QA personnel should seek to understand the reasons for a
compliance failure so that they can advise management
C. QA personnel should alert management on a timely basis when
they suspect a compliance deviation has occurred
D. QA personnel should avoid making comments to management
about the consequences of compliance failures

Q1056. Which of the following principles should not guide the way in which QA
personnel report to management?
A. the recommendation that QA personnel make should be backed
up by concrete facts
B. stakeholders should be informed of the contents of reports before
they are released to management
C. the recipients of project based reports should be agreed upon at
the start of a project
D. QA report must degenerate into a long list of defects that have
been identified

Q1057. Which of the following security practices is supported by most remote
control program products when accessing a host workstation on a local
area network?
A. Matching user ID and name with password
B. Principle of highest privilege should be implemented to perform
the file backup function
C. Limiting access to local drives and directories
D. Controlling file-transfer rights

Q1058. Which of the following statements about computers is correct?
A. Laptops usually cost more than personal computers but less
than mainframes
B. Because of the increase in use of distributed systems, the need
for mainframes will increase in the near future
C. PCs and laptops must be programmed directly in machine
language while mainframes use higher level languages
D. The cost per transaction to process on each type of computer has
decreased in recent years

Q1059. Which of the following statements about national and international
information systems standards is true?
A. the adoption of national and international information systems
standards will increase the cost of the QA function
B. QA personnel will perform better when their organisation adopts
national and international information systems standards
C. widespread acceptance of national and international information
systems standards can undermine an organisation’s competitive
position
D. the adoption of national and international information systems
standards reduces conflict within management

Q1060. Which of the following statements about personnel training in QA
standards and procedures is false?
A. a personal development plan with respect to QA training should
exist for each employee in the information systems function
B. training in general QA standards should be provided by QA
personnel whereas training in specific QA standards should be
provided by project managers
C. the quality of QA training is an important indicator of top
management’s commitment to the attainment of quality assurance
within the information systems function
D. QA training should be an ongoing process and all new QA
employees must be inducted in the QA goals, standards and
procedures that have been adopted by the information system
function

Q1061. Requirement specification errors lead to:
A. Function-related bugs
B. System bugs
C. Design bugs
D. Data bugs

Q1062. OCR stands for:
A. Original Character Recognition
B. Optical Character Recognition
C. Optical Character Record
D. Original Character Record

Q1063. Which one of the following is not a maintenance type?
A. Corrective maintenance.
B. Adaptive maintenance.
C. Perfective maintenance.
D. Detective maintenance.

Q1064. In monitoring and controlling a system development life cycle project
what is NOT formal and documented?
A. Change management forms
B. Logs
C. Checklists
D. Face-to-face communications

Q1065. A successful project management practice involves training a project
team to achieve desired goals. Under which process does this fall?
A. Planning
B. Organising
C. Controlling
D. Leading

Q1066. Which of the following is not a software implementation strategy?
A. Parallel Implementation.
B. Preventive Implementation.
C. Phased Implementation.
D. Abrupt changeover.

Q1067. Data captured about real-life events happening day to day is
contained in:
A. Master file
B. Parameter file
C. Transaction file
D. All of these

Q1068. All of the following should be in place prior to programming except:
A. User manual
B. Coding standards
C. Detail design documents
D. Unit test cases

Q1069. Identify the one that is NOT a key concept of object-oriented technology.
A. Encapsulation
B. Idempotence
C. Polymorphism
D. Inheritance

Q1070. Identify the EARLIEST software development model
A. The Waterfall model
B. Spiral model
C. Prototyping model
D. Incremental model

Q1071. Object Oriented languages are:
A. Data Oriented
B. Process Oriented
C. Data and Process Oriented
D. Task oriented

Q1072. Interactive voice response is an application of:
A. Fuzzy Logic
B. Expert System
C. Natural Language
D. Robotics

Q1073. _________ tests individual programs.
A. Unit testing
B. System testing
C. Acceptance testing
D. Parallel testing

Q1074. XBRL stands for
A. Extreme Business Related Language
B. Extreme Business Reporting Language
C. Extensible Business Reporting Language
D. Exhaustive Business Reporting Language

Q1075. Feasibility study may not cover the ___________ aspects of a project:
A. Economic
B. Technical
C. Legal
D. Personal

Q1076. Risk analysis is MOST useful when applied during which phase of the
system development process?
A. Project initiation
B. System Construction
C. Acceptance Testing
D. Implementation Planning

Q1077. The attributes of a Web Based Application are:
A. Network Intensive
B. Content Driven
C. Continuous Evolution
D. All of the above

Q1078. CASE tools are:
A. Costly
B. Require extensive training
C. Both (a) and (b)
D. None of the above

Q1079. An upper CASE tool is used in:
A. Design
B. Code
C. Implementation
D. Maintenance

Q1080. A type of SDLC model where a time box can be used to limit the time
available for producing a working system.
A. Prototype
B. Spiral
C. RAD
D. Waterfall

Q1081. A good program will not have
A. Accuracy
B. Reliability
C. Robustness
D. Hardcoding

Q1082. Person responsible for overall cost and time lines of a project is:
A. Project Manager
B. Network Engineer
C. Team Leader
D. Systems Analysts

Q1083. Coding standards would provide which of the following?
A. Field naming conventions
B. Data flow diagrams
C. Access control tables
D. Program documentation

Q1084. Accuracy of data is most likely to be important to a
A. Decision Support System (DSS)
B. Strategic Planning System
C. Expert system
D. Management control system

Q1085. Which of the following is true with regard to White Box Testing?
A. Output of the program code is not required before the beginning
of the code.
B. It is not very expensive.
C. It may involve testing every line of code.
D. It shows errors caused by omission.

Q1086. Artificial Intelligence is now being used in every sphere of life. Which of
the following options justifies the statement?
A. Ability to work in hazardous places
B. Ability to think like human beings
C. Ability to work in artificial environments
D. None of the above

Q1087. Which one of the following is performed FIRST in a system development
life cycle project?
A. Developing program flow chart
B. Determining system inputs and outputs
C. Developing design documents
D. Developing conversion plans

Q1088. During the detailed design phase of the SDLC, which one of the following
tasks is performed?
A. Defining control, security, and audit requirements
B. Developing screen flows with specifications
C. Identifying major purpose(s) of the system
D. Developing system justification

Q1089. Fuzzy logic is most effective when:
A. Used to develop decision support systems
B. Combined with neural network technologies
C. Used to build hard disk controllers
D. Used to design memory caches

Q1090. A normally expected outcome of a business process re-engineering is
that:
A. Information technologies will remain unaltered.
B. It improves the product, service and profitability.
C. Information from clients and customers will not be required.
D. Business priorities will not be modified.

Q1091. A reasonably controlled practice for distributed executable programs
that run in the background of a web browser client, such as Java applets
and ActiveX controls, is:
A. installation of a firewall
B. usage of a secure web connection
C. acceptance of executables only from an established and trusted
source
D. hosting the website as part of your organisation

Q1092. In which type of testing is the same test data run through both the new
and the old system, and the output results compared?
A. Unit Testing
B. Parallel Testing
C. Penetration Testing
D. All of the above

Q1093. Which of the following procedures would an IS Auditor not perform
during the design phase of a system project?
A. Assist in developing a functional design for embedded audit
routines
B. Assess the adequacy of the system
C. Advise the analyst regarding control routine
D. Review the design for adherence to corporate policies

Q1094. With respect to various phases in the SDLC which of the following is
least likely to vary?
A. Conduct of each phase
B. Sequence in which phases are performed
C. Presence of each phase
D. Resources needed to perform each phase

Q1095. Which of the following statements regarding the function of a System
Development Life Cycle Steering Committee is FALSE?
A. Review project progress regularly
B. Report only to senior management on project status
C. Serve as a Coordinator and Advisor to answer questions about
system and program design
D. Take corrective actions regarding personnel changes on the project
team

Q1096. ___________ involves overseeing the effectiveness of risk responses,
monitoring residual risks, identifying and documenting new risks, and
assuring that risk management processes are followed.
A. Risk Identification
B. Risk Monitoring & Control
C. Risk Response Planning
D. Risk Management Planning

Q1097. A project manager has asked that you advise him of the potential risk
associated with the use of timebox development techniques in a system
development project. Which of the following would NOT be good
advice?
A. That the timebox technique should only be applied to projects that
can be completed within a reasonable timeframe.
B. For the timebox approach to be effective, end-users and
management should have agreed to core functionality to be
developed in the timebox.
C. That delivery of all functionality within the timebox is more
important than quality.
D. That the timebox approach will require the use of evolutionary
prototype techniques

Q1098. Many IT projects experience problems because the development
time and/or resource requirements are underestimated. Which of
the following techniques would provide the GREATEST assistance in
developing an estimate of project duration?
A. Function point analysis
B. PERT chart
C. Rapid application development
D. Object-oriented system development

Q1099. A subject-oriented, integrated, time-variant, non-volatile collection of
data in support of management’s decision-making process is
A. Data Warehouse
B. Data Mining
C. Both (a) and (b)
D. None of the above

Q1100. Which one of the following is not true about emergency changes?
A. They are required to resolve system problems and enable critical
processing to continue
B. They involve the use of special logon IDs that grant temporary
access to the production environment during an emergency situation.
C. Emergency IDs used for making emergency changes have
special privileges; hence their usage should be logged and carefully
monitored
D. Passwords of emergency IDs used for making emergency
changes should never expire.

Q1101. The governance framework determines
A. Whom the organization is there to serve and how the purposes
and priorities of the organization should be decided
B. Whom the organization is there to serve
C. The legal framework for the administration of the organisation
D. The regulatory framework in which the organization operates

Q1102. The main purpose of corporate governance is:
A. To separate ownership and management control of organizations
and to make organizations more visibly accountable to a wider
range of stakeholders.
B. To separate ownership and management control of organisations
C. To maximize shareholder value
D. To ensure that regulatory frameworks are adhered to

Q1103. The two-tier board of an organization is particularly useful:
A. In ensuring that there is a counterbalance to the power of
managers
B. For managers to assert their power
C. In improving operational efficiency
D. In ensuring that employees can determine strategies for the
organisation

Q1104. The desire for more accountability of public sector organizations has
resulted in:
A. An increased proportion of independent members on governing
bodies
B. Pressure on all public sector organizations to be operated on a
profit making basis
C. Public sector managers to become more professional
D. Public sector organizations to develop plans for their strategic
development

Q1105. Stakeholders are the individuals or groups who:
A. Depend on the organization to fulfil their own goals and on whom
the organization depends
B. Are shareholders in key competitors
C. Dominate the strategy development process in an organization
D. Determine operational issues

Q1106. The purpose of stakeholder mapping is to:
A. Identify stakeholder interest and power
B. Outline policies on stakeholder relationships
C. Geographically locate different stakeholders
D. Identify stakeholder power

Q1107. Where a stakeholder has a high level of interest in the development
of an organization, but a low level of power, strategists or managers
should:
A. Keep these stakeholders informed
B. Keep these stakeholders informed and satisfied
C. Expend minimal effort on these stakeholders
D. Treat these stakeholders as key players

Q1108. Power is:
A. The ability of individuals or groups to persuade others into
following certain courses of action.
B. The ability of individuals to persuade, induce or coerce others into
following certain courses of action.
C. The ability of groups to persuade, induce or coerce others into
following certain courses of action.
D. The ability of individuals or groups to persuade, induce or coerce
others into following certain courses of action.

Q1109. An indicator of power held by external stakeholders is:
A. The organisational perception of the status of an external party.
B. Negotiating skills.
C. Personal relationship with a key decision-maker.
D. Mutual resource dependency.

Q1110. Ethical issues concerning business and public sector organizations exist
at three levels:
A. Macro; Corporate; Individual
B. Corporate; Business; Functional
C. Corporate; Functional; Individual
D. Business; Family; Individual

Q1111. An ethical stance is the extent to which:
A. An organisation will exceed its minimum obligations to
stakeholders and society at large.
B. An organisation meets the expectations of its stakeholders.
C. An organisation meets regulatory requirements.
D. An organisation respects the dominant religious beliefs of the
country in which it operates.

Q1112. Corporate social responsibility concerns:
A. The ways in which an organisation exceeds its minimum required
obligations to stakeholders.
B. How an organisation meets the expectations of its stakeholders.
C. The behaviour of individual managers.
D. External stakeholder relationships.

Q1113. The cultural frames of reference include (this is not a comprehensive
list):
A. National; organisational; organisational field and functional/
divisional.
B. National; organisational field; competitors.
C. Unions; organisational; industrial.
D. Organisational; colleagues; organisational field.

Q1114. The culture of an organisation can be conceived as consisting of the
following layers:
A. Values; beliefs; behaviours; and taken-for-granted assumptions.
B. Values; beliefs; tasks.
C. Beliefs; tasks; personalities.
D. Individual; functional; organisational.

Q1115. Which of the following is NOT an influence on organizational purposes?
A. The organizational mission
B. Minor stakeholders
C. Business ethics
D. Corporate governance

Q1116. The governance framework determines
A. Whom the organization is there to serve and how the purposes
and priorities of the organization should be decided
B. Whom the organization is there to serve
C. The legal framework for the administration of the organisation
D. The regulatory framework in which the organization operates

Q1117. The main purpose of corporate governance is:
A. To separate ownership and management control of organizations
and to make organizations more visibly accountable to a wider
range of stakeholders.
B. To separate ownership and management control of organisations
C. To maximize shareholder value
D. To ensure that regulatory frameworks are adhered to

Q1118. The two-tier board of an organization is particularly useful:
A. In ensuring that there is a counterbalance to the power of
managers
B. For managers to assert their power
C. In improving operational efficiency
D. In ensuring that employees can determine strategies for the
organisation

Q1119. The desire for more accountability of public sector organizations has
resulted in:
A. An increased proportion of independent members on governing
bodies
B. Pressure on all public sector organizations to be operated on a
profit making basis
C. Public sector managers to become more professional
D. Public sector organizations to develop plans for their strategic
development

Q1120. Stakeholders are the individuals or groups who:
A. Depend on the organization to fulfil their own goals and on whom
the organization depends
B. Are shareholders in key competitors
C. Dominate the strategy development process in an organization
D. Determine operational issues

Q1121. The purpose of stakeholder mapping is to:
A. Identify stakeholder interest and power
B. Outline policies on stakeholder relationships
C. Geographically locate different stakeholders
D. Identify stakeholder power

Q1122. Where a stakeholder has a high level of interest in the development
of an organization, but a low level of power, strategists or managers
should:
A. Keep these stakeholders informed
B. Keep these stakeholders informed and satisfied
C. Expend minimal effort on these stakeholders
D. Treat these stakeholders as key players

Q1123. Power is:
A. The ability of individuals or groups to persuade others into
following certain courses of action.
B. The ability of individuals to persuade, induce or coerce others into
following certain courses of action.
C. The ability of groups to persuade, induce or coerce others into
following certain courses of action.
D. The ability of individuals or groups to persuade, induce or coerce
others into following certain courses of action.

Q1124. An indicator of power held by external stakeholders is:
A. The organisational perception of the status of an external party.
B. Negotiating skills.
C. Personal relationship with a key decision-maker.
D. Mutual resource dependency.

Q1125. Ethical issues concerning business and public sector organizations exist
at three levels:
A. Macro; Corporate; Individual
B. Corporate; Business; Functional
C. Corporate; Functional; Individual
D. Business; Family; Individual

Q1126. An ethical stance is the extent to which:
A. An organisation will exceed its minimum obligations to
stakeholders and society at large.
B. An organisation meets the expectations of its stakeholders.
C. An organisation meets regulatory requirements.
D. An organisation respects the dominant religious beliefs of the
country in which it operates.

Q1127. Corporate social responsibility concerns:
A. The ways in which an organisation exceeds its minimum required
obligations to stakeholders.
B. How an organisation meets the expectations of its stakeholders.
C. The behaviour of individual managers.
D. External stakeholder relationships.

Q1128. The cultural frames of reference include (this is not a comprehensive
list):
A. National; organisational; organisational field and functional/
divisional.
B. National; organisational field; competitors.
C. Unions; organisational; industrial.
D. Organisational; colleagues; organisational field.

Q1129. The culture of an organisation can be conceived as consisting of the
following layers:
A. Values; beliefs; behaviours; and taken-for-granted assumptions.
B. Values; beliefs; tasks.
C. Beliefs; tasks; personalities.
D. Individual; functional; organisational.

Q1130. Which of the following is NOT an influence on organizational purposes?
A. The organizational mission
B. Minor stakeholders
C. Business ethics
D. Corporate governance

Answers for Module 3

(Three columns; read each column downwards.)

Q703 Ans. D Q731 Ans. B Q759 Ans. B
Q704 Ans. A Q732 Ans. C Q760 Ans. B
Q705 Ans. D Q733 Ans. C Q761 Ans. A
Q706 Ans. A Q734 Ans. D Q762 Ans. C
Q707 Ans. C Q735 Ans. D Q763 Ans. C
Q708 Ans. D Q736 Ans. B Q764 Ans. D
Q709 Ans. B Q737 Ans. B Q765 Ans. A
Q710 Ans. C Q738 Ans. A Q766 Ans. C
Q711 Ans. D Q739 Ans. D Q767 Ans. C
Q712 Ans. D Q740 Ans. C Q768 Ans. D
Q713 Ans. B Q741 Ans. C Q769 Ans. A
Q714 Ans. C Q742 Ans. B Q770 Ans. C
Q715 Ans. C Q743 Ans. D Q771 Ans. C
Q716 Ans. D Q744 Ans. B Q772 Ans. A
Q717 Ans. A Q745 Ans. C Q773 Ans. C
Q718 Ans. C Q746 Ans. D Q774 Ans. D
Q719 Ans. C Q747 Ans. A Q775 Ans. D
Q720 Ans. C Q748 Ans. B Q776 Ans. C
Q721 Ans. D Q749 Ans. A Q777 Ans. A
Q722 Ans. C Q750 Ans. C Q778 Ans. C
Q723 Ans. B Q751 Ans. B Q779 Ans. D
Q724 Ans. D Q752 Ans. A Q780 Ans. B
Q725 Ans. C Q753 Ans. C Q781 Ans. D
Q726 Ans. D Q754 Ans. C Q782 Ans. C
Q727 Ans. B Q755 Ans. C Q783 Ans. B
Q728 Ans. D Q756 Ans. B Q784 Ans. A
Q729 Ans. C Q757 Ans. D Q785 Ans. C
Q730 Ans. C Q758 Ans. B Q786 Ans. A

Q787 Ans. D Q817 Ans. D Q847 Ans. B
Q788 Ans. A Q818 Ans. A Q848 Ans. B
Q789 Ans. B Q819 Ans. D Q849 Ans. C
Q790 Ans. C Q820 Ans. A Q850 Ans. B
Q791 Ans. C Q821 Ans. C Q851 Ans. D
Q792 Ans. B Q822 Ans. B Q852 Ans. C
Q793 Ans. C Q823 Ans. B Q853 Ans. B
Q794 Ans. A Q824 Ans. D Q854 Ans. C
Q795 Ans. C Q825 Ans. C Q855 Ans. A
Q796 Ans. C Q826 Ans. B Q856 Ans. B
Q797 Ans. C Q827 Ans. B Q857 Ans. D
Q798 Ans. D Q828 Ans. D Q858 Ans. D
Q799 Ans. D Q829 Ans. A Q859 Ans. B
Q800 Ans. C Q830 Ans. B Q860 Ans. D
Q801 Ans. B Q831 Ans. D Q861 Ans. D
Q802 Ans. B Q832 Ans. C Q862 Ans. B
Q803 Ans. D Q833 Ans. D Q863 Ans. D
Q804 Ans. B Q834 Ans. B Q864 Ans. A
Q805 Ans. A Q835 Ans. B Q865 Ans. A
Q806 Ans. C Q836 Ans. C Q866 Ans. C
Q807 Ans. D Q837 Ans. B Q867 Ans. C
Q808 Ans. C Q838 Ans. B Q868 Ans. B
Q809 Ans. B Q839 Ans. D Q869 Ans. B
Q810 Ans. A Q840 Ans. B Q870 Ans. B
Q811 Ans. B Q841 Ans. D Q871 Ans. B
Q812 Ans. B Q842 Ans. D Q872 Ans. B
Q813 Ans. C Q843 Ans. D Q873 Ans. D
Q814 Ans. C Q844 Ans. B Q874 Ans. B
Q815 Ans. C Q845 Ans. D Q875 Ans. C
Q816 Ans. C Q846 Ans. D Q876 Ans. B

Q877 Ans. C Q907 Ans. B Q937 Ans. D
Q878 Ans. A Q908 Ans. B Q938 Ans. B
Q879 Ans. C Q909 Ans. D Q939 Ans. D
Q880 Ans. A Q910 Ans. A Q940 Ans. D
Q881 Ans. D Q911 Ans. A Q941 Ans. C
Q882 Ans. B Q912 Ans. D Q942 Ans. D
Q883 Ans. D Q913 Ans. D Q943 Ans. B
Q884 Ans. D Q914 Ans. D Q944 Ans. A
Q885 Ans. D Q915 Ans. B Q945 Ans. C
Q886 Ans. C Q916 Ans. A Q946 Ans. A
Q887 Ans. B Q917 Ans. D Q947 Ans. D
Q888 Ans. D Q918 Ans. A Q948 Ans. A
Q889 Ans. D Q919 Ans. B Q949 Ans. A
Q890 Ans. B Q920 Ans. D Q950 Ans. D
Q891 Ans. B Q921 Ans. B Q951 Ans. A
Q892 Ans. C Q922 Ans. D Q952 Ans. C
Q893 Ans. C Q923 Ans. C Q953 Ans. A
Q894 Ans. A Q924 Ans. D Q954 Ans. A
Q895 Ans. C Q925 Ans. B Q955 Ans. A
Q896 Ans. B Q926 Ans. B Q956 Ans. D
Q897 Ans. C Q927 Ans. C Q957 Ans. C
Q898 Ans. C Q928 Ans. D Q958 Ans. D
Q899 Ans. D Q929 Ans. B Q959 Ans. A
Q900 Ans. B Q930 Ans. A Q960 Ans. C
Q901 Ans. C Q931 Ans. D Q961 Ans. D
Q902 Ans. C Q932 Ans. D Q962 Ans. C
Q903 Ans. D Q933 Ans. D Q963 Ans. C
Q904 Ans. D Q934 Ans. C Q964 Ans. C
Q905 Ans. D Q935 Ans. B Q965 Ans. B
Q906 Ans. C Q936 Ans. C Q966 Ans. C

Q967 Ans. A Q997 Ans. D Q1027 Ans. A
Q968 Ans. B Q998 Ans. D Q1028 Ans. C
Q969 Ans. B Q999 Ans. C Q1029 Ans. C
Q970 Ans. A Q1000 Ans. B Q1030 Ans. D
Q971 Ans. C Q1001 Ans. B Q1031 Ans. D
Q972 Ans. A Q1002 Ans. A Q1032 Ans. C
Q973 Ans. C Q1003 Ans. A Q1033 Ans. D
Q974 Ans. A Q1004 Ans. B Q1034 Ans. D
Q975 Ans. B Q1005 Ans. B Q1035 Ans. C
Q976 Ans. C Q1006 Ans. A Q1036 Ans. D
Q977 Ans. C Q1007 Ans. C Q1037 Ans. B
Q978 Ans. A Q1008 Ans. B Q1038 Ans. B
Q979 Ans. B Q1009 Ans. C Q1039 Ans. A
Q980 Ans. C Q1010 Ans. C Q1040 Ans. C
Q981 Ans. C Q1011 Ans. B Q1041 Ans. C
Q982 Ans. D Q1012 Ans. D Q1042 Ans. C
Q983 Ans. A Q1013 Ans. D Q1043 Ans. D
Q984 Ans. C Q1014 Ans. B Q1044 Ans. C
Q985 Ans. B Q1015 Ans. D Q1045 Ans. B
Q986 Ans. B Q1016 Ans. B Q1046 Ans. C
Q987 Ans. D Q1017 Ans. D Q1047 Ans. C
Q988 Ans. A Q1018 Ans. C Q1048 Ans. C
Q989 Ans. C Q1019 Ans. C Q1049 Ans. C
Q990 Ans. C Q1020 Ans. D Q1050 Ans. B
Q991 Ans. A Q1021 Ans. C Q1051 Ans. D
Q992 Ans. B Q1022 Ans. A Q1052 Ans. A
Q993 Ans. A Q1023 Ans. D Q1053 Ans. C
Q994 Ans. B Q1024 Ans. D Q1054 Ans. B
Q995 Ans. A Q1025 Ans. C Q1055 Ans. B
Q996 Ans. C Q1026 Ans. D Q1056 Ans. D

Q1057 Ans. A Q1082 Ans. A Q1107 Ans. A
Q1058 Ans. D Q1083 Ans. A Q1108 Ans. A
Q1059 Ans. C Q1084 Ans. D Q1109 Ans. A
Q1060 Ans. B Q1085 Ans. C Q1110 Ans. A
Q1061 Ans. A Q1086 Ans. B Q1111 Ans. A
Q1062 Ans. B Q1087 Ans. B Q1112 Ans. A
Q1063 Ans. D Q1088 Ans. B Q1113 Ans. A
Q1064 Ans. D Q1089 Ans. B Q1114 Ans. A
Q1065 Ans. B Q1090 Ans. B Q1115 Ans. A
Q1066 Ans. B Q1091 Ans. C Q1116 Ans. A
Q1067 Ans. C Q1092 Ans. B Q1117 Ans. A
Q1068 Ans. A Q1093 Ans. B Q1118 Ans. A
Q1069 Ans. B Q1094 Ans. B Q1119 Ans. A
Q1070 Ans. A Q1095 Ans. B Q1120 Ans. A
Q1071 Ans. C Q1096 Ans. B Q1121 Ans. A
Q1072 Ans. C Q1097 Ans. C Q1122 Ans. A
Q1073 Ans. A Q1098 Ans. A Q1123 Ans. A
Q1074 Ans. C Q1099 Ans. A Q1124 Ans. A
Q1075 Ans. D Q1100 Ans. D Q1125 Ans. A
Q1076 Ans. A Q1101 Ans. A Q1126 Ans. A
Q1077 Ans. D Q1102 Ans. A Q1127 Ans. A
Q1078 Ans. C Q1103 Ans. A Q1128 Ans. A
Q1079 Ans. A Q1104 Ans. A Q1129 Ans. A
Q1080 Ans. C Q1105 Ans. A Q1130 Ans. A
Q1081 Ans. D Q1106 Ans. A

290
DISA Review Questions, Answers Manual – Module 4

Module 4 Questions
Q1131. Insurance cover that reimburses a company for expenses incurred to
avoid or minimize the suspension of business is called:
A. Business Interruption Insurance
B. Equipment and Facility Insurance
C. Data Reconstruction
D. Extra expense insurance

Q1132. The IS auditor should ensure that insurance coverage is adequate and
reflects the actual cost of recovery. It is important that the organisation
not only covers the loss of property but also:
A. Covers the health of the employees
B. Covers the cost of data reconstruction.
C. Covers employee fidelity
D. Covers the loss of revenue stream arising from that property

Q1133. Insurance that protects the company in the case of a claim against
the company for negligence, errors, omissions, or wrongful acts in the
performance of the company’s duties is called:
A. Business Interruption Insurance
B. Equipment and Facility Insurance
C. Professional Liability Insurance
D. Extra expense insurance

Q1134. Which of the following terms best defines a computer program looking
“normal” but containing harmful code?
A. Trojan horse
B. Trapdoor
C. Worm
D. Time bomb

Q1135. At which stage of the data process flow, from source to warehouse, are
detective controls implemented?
A. Data migration
B. Transformation
C. Loading
D. Reconciliation

Q1136. Which transmission impairment is dependent on propagation velocity as
a function of frequency?
A. Attenuation
B. Noise
C. Delay distortion
D. Cross talk

Q1137. A macro virus infection in a computer will __________.
A. Erase the hard disk
B. Clear the ROM
C. Destroy document files
D. Slow down processes on the server

Q1138. A restriction control that merges cells containing sensitive statistics is
described as:
A. Partitioning
B. Order control
C. Rolling up
D. Relative table size control
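Rolling up, as an added worked example that is not part of the manual: a small Python implementation of a restriction control for a statistical database, run over constructed staff records. It merges under-sized cells into a neighbouring cell until every published count covers at least k people, and also shows the simpler query-size restriction that refuses a count query whose result set, or its complement, is smaller than k. The salary bands, the threshold k and the record layout are assumptions made for the example.

```python
"""Restriction controls for a statistical database: rolling up merges cells
whose count is below a disclosure threshold k into a neighbouring cell, and a
query-size control refuses queries that would isolate fewer than k people.
Added example with constructed data; bands and threshold are assumptions."""
from collections import Counter
from typing import Optional


def cell_counts(records, attribute: str, order) -> list:
    """Frequency table over one attribute, in the publication order of its bands."""
    counts = Counter(r[attribute] for r in records)
    return [(band, counts.get(band, 0)) for band in order]


def roll_up(cells, k: int) -> list:
    """Rolling up: merge each cell with count < k into the next cell (left to
    right); a trailing under-sized group is folded into the last published cell.
    Input and output are lists of (label, count)."""
    published, pending_labels, pending_count = [], [], 0
    for label, count in cells:
        pending_labels.append(label)
        pending_count += count
        if pending_count >= k:
            published.append(("+".join(pending_labels), pending_count))
            pending_labels, pending_count = [], 0
    if pending_labels:                 # leftover group still below k
        if not published:
            return []                  # the whole table is too small to publish
        last_label, last_count = published.pop()
        merged_label = "+".join([last_label, *pending_labels])
        published.append((merged_label, last_count + pending_count))
    return published


def query_count(records, k: int, **where) -> Optional[int]:
    """Query-size restriction: answer a count query only if both the matching
    set and its complement hold at least k records; otherwise return None."""
    n = sum(all(r[attr] == value for attr, value in where.items()) for r in records)
    if n < k or len(records) - n < k:
        return None
    return n


# Constructed staff records: each row is one person.
RECORDS = [
    {"dept": "audit", "band": "<20k"}, {"dept": "audit", "band": "<20k"},
    {"dept": "audit", "band": "20-40k"}, {"dept": "it", "band": "40-60k"},
    {"dept": "it", "band": "40-60k"}, {"dept": "it", "band": "40-60k"},
    {"dept": "it", "band": "60-80k"}, {"dept": "hr", "band": ">80k"},
]
BANDS = ["<20k", "20-40k", "40-60k", "60-80k", ">80k"]

if __name__ == "__main__":
    raw = cell_counts(RECORDS, "band", BANDS)
    print("raw cells:     ", raw)
    print("rolled up, k=3:", roll_up(raw, k=3))
    print("hr headcount:  ", query_count(RECORDS, 3, dept="hr"))  # refused: only one person
```

With k=3 the single-person cells (20-40k, 60-80k, >80k) disappear into merged bands, so no published count identifies the one HR employee; the query-size control refuses the direct question for the same reason.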

Q1139. Which one of the following is not an application control to assure data
accuracy?
A. Crossfooting
B. Control total
C. Limit and reasonableness test
D. Echo checking

Q1140. The auditor should ensure that the BCP’s priorities:
A. Support objectives of the organisation.
B. Meet regulatory requirements.
C. Conform to contractual requirements.
D. All of the above.

Q1141. Which application of Biometrics employs speech recognition systems?
A. Employee records
B. Telecommunications
C. Banking
D. Forensics

Q1142. Which of the following is the least important basis for access control?
A. What the user knows
B. What the user wants
C. What the user is
D. What the user has

Q1143. Which of the following is not a part of external access control?
A. Port protection devices
B. Secure gateways
C. Security labels
D. Host-based authentication

Q1144. Which of these is not an internal access control mechanism?
A. Passwords
B. Host-based authentication
C. Roles
D. Permission bits

Q1145. Parity checking and Access logging can be broadly classified as:
A. Preventive control
B. Detective control
C. Compensating control
D. Operations control

Q1146. The BEST transmission control that can be employed to protect data
during data transfer is:
A. Applying parity check
B. Data encryption
C. File header encryption
D. Use of standard protocol

Q1147. Which one of the following types of passwords is not user-friendly?
A. User selected passwords
B. System-generated passwords
C. One-time passwords
D. Time-based passwords.

Q1148. Which of the following worms does the friendly “Cheese worm”
counteract?
A. Adore worm
B. Sadmind/ IIS worm
C. Ramen worm
D. 1i0n worm

Q1149. Social Engineering is:
A. Creating a team for software development
B. Referred to as people hacking
C. A technique to motivate teams
D. A training method for a software development team

Q1150. All of the following control procedures can be used to ensure
completeness of data, EXCEPT:
A. Completeness check
B. File trailer records
C. Run to run control totals
D. Validity routines

Q1151. The feature of Linux that allows changing password without altering or
recompiling any utility is:
A. Shadow password
B. Pluggable Authentication Module (PAM)
C. LILO
D. Dual booting
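The controls behind Q1100 (emergency-ID passwords must not be set to never expire) and Q1151 (password ageing data lives in the shadow file) can be checked directly from /etc/shadow. The Python below is an added example, not taken from the manual: it parses constructed shadow entries and reports accounts whose password never expires (an empty or 99999 max-age field), accounts with an empty password field, passwords whose max age exceeds policy, and emergency IDs that carry no account expiry date. The `emerg` naming convention for emergency IDs, the 90-day policy and the placeholder hashes are assumptions made for the example.

```python
"""Audit /etc/shadow for never-expiring passwords, empty password fields and
emergency IDs with no account expiry date. Added example; the shadow lines
below are constructed and the "emerg" prefix convention is an assumption."""

# shadow(5) field order; every entry has exactly nine colon-separated fields.
SHADOW_FIELDS = ("name", "password", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "flag")
NEVER = 99999  # conventional "never expires" value in the max-age field


def parse_shadow_line(line: str) -> dict:
    """Split one shadow entry into a dict keyed by SHADOW_FIELDS."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(SHADOW_FIELDS):
        raise ValueError(f"malformed shadow entry: {line!r}")
    return dict(zip(SHADOW_FIELDS, parts))


def is_locked(password_field: str) -> bool:
    """A leading '!' or '*' means password login is disabled for the account."""
    return password_field.startswith(("!", "*"))


def audit_shadow(lines, max_age_policy: int = 90, emergency_prefix: str = "emerg") -> list:
    """Return (user, finding) pairs for entries that breach the policy."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        user, password = entry["name"], entry["password"]
        if is_locked(password):
            continue                      # nothing to expire: login is disabled
        if password == "":
            findings.append((user, "empty password field"))
            continue
        max_days = entry["max"]
        if max_days == "" or int(max_days) >= NEVER:
            findings.append((user, "password never expires"))
        elif int(max_days) > max_age_policy:
            findings.append((user, f"max age {max_days} exceeds policy {max_age_policy}"))
        # Emergency/firecall IDs grant temporary access: the account itself
        # should carry an expiry date (field 8), not just a password age.
        if user.startswith(emergency_prefix) and entry["expire"] == "":
            findings.append((user, "emergency ID has no account expiry date"))
    return findings


# Constructed sample file; the hashes are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$salt$hash:19700:0:99999:7:::
emerg01:$6$salt$hash:19500:0:::::
emerg02:$6$salt$hash:19500:0:7:7::19520:
svc-backup:*:19000:0:99999:7:::
guest::19000:0:90:7:::
alice:$6$salt$hash:19650:0:90:7:::
bob:$6$salt$hash:19650:0:180:7:::
"""

if __name__ == "__main__":
    for user, finding in audit_shadow(SAMPLE_SHADOW.splitlines()):
        print(f"{user}: {finding}")
```

Run against a live system it needs root to read /etc/shadow; emerg02 shows what a compliant emergency ID looks like (short password age and an account expiry date), while emerg01 fails on both counts. PAM, the other half of Q1151, is what lets these ageing rules be enforced at login without rebuilding any utility, but it is configured in /etc/pam.d rather than in the shadow file itself.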

Q1152. The BEST method to verify the data values through the various stages
of processing is:
A. Check digits
B. Hash totals
C. Run-to-run totals
D. Automated controls

Q1153. Which of the following media has the least backup capacity?
A. Removable Cartridges
B. Floppy Diskettes
C. Compact Disk
D. Tape Drives

Q1154. Enhanced risk awareness, more emphasis on the importance of good risk measurement and management, and properly ensuring appropriate capital reserve requirements are requirements of:
A. Basel Committee’s principles for electronic banking
B. Basel II Capital Accord
C. COBIT
D. ISO/IEC 17799:2000

Q1155. A common backup method for portable computers is:
A. Electronic Vaulting
B. Tape Drives
C. Remote Mirroring
D. Synchronization

Q1156. The correct order of steps for developing a BCP is:
A. Initiate, Risk assessment, Choose a recovery strategy, Testing and validation, Develop and implement.
B. Initiate, Choose a recovery strategy, Risk assessment, Develop and implement, Testing and validation.
C. Initiate, Risk assessment, Choose a recovery strategy, Develop and implement, Testing and validation.
D. Risk assessment, Initiate, Choose a recovery strategy, Develop and implement, Testing and validation.

Q1157. During exposure assessment the effects of a disruption may be tracked:
A. Over time
B. Across related resources and dependent systems
C. On the basis of historical costs
D. Over time and across related resources and dependent systems

Q1158. Data or documentation that must be retained for legal reasons, for use in key business processes, or for restoration of minimum acceptable work levels in the event of a disaster is classified as:
A. Desirable
B. Vital
C. Essential
D. Critical

Q1159. The response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property are contained in a/an:
A. Business Resumption Plan
B. Cyber Incident Response Plan
C. Business Resumption Plan
D. Occupant Emergency Plan

Q1160. With respect to a BCP, the auditor should test-check contact information (of vendors, employees) to ensure:
A. They will honour their contractual agreements.
B. That they are current.
C. They are physically close by.
D. They are registered with tax authorities.

Q1161. Single points of failure are:
A. Recommended
B. To be eliminated
C. Desirable.
D. To be encouraged

Q1162. Which of the following RAID levels is NOT recommended as a data recovery solution?
A. RAID-1
B. RAID-0
C. RAID-10
D. RAID-100

Q1163. Identify the correct statement:
A. Both differential and incremental backups take the same amount of time.
B. Incremental backups take longer to complete than differential backups.
C. Differential backups take longer to complete than incremental backups.
D. Incremental backups take longer when using tape drives.

Q1164. Which of the following is NOT a type of system backup?
A. Incremental
B. Sequential
C. Differential
D. Full

Q1165. A comprehensive statement of consistent actions to be taken before, during, and after a disruptive event that causes a significant loss is called a:
A. Business continuity plan (BCP)
B. Disaster recovery plan (DRP)
C. Disaster continuity plan (DCP)
D. Business recovery plan (BRP)

Q1166. Any force or phenomenon that could degrade the availability, integrity or confidentiality of an information systems resource, system or network is called a:
A. Threat
B. Risk
C. Vulnerability
D. Threat-source

Q1167. With respect to BCP testing, which of the following types of test will involve considerable expenditure of time, effort and resources?
A. Checklist
B. Structured walk-through
C. Full-interruption
D. Simulation

Q1168. The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability is called a/an:
A. Threat
B. Risk
C. Exposure
D. Hazard

Q1169. Business functions that cannot be done manually under any circumstances are classified as:
A. Vital
B. Essential
C. Critical
D. Non-critical

Q1170. Elimination of all risks is usually:
A. Impractical or impossible
B. Easy to achieve
C. Vital to the survival of the company
D. Recommended by law

Q1171. Which of the following is NOT a data redundancy technique used by RAID technology?
A. Mirroring
B. Parity
C. Blocking
D. Striping

Q1172. A disruption of business operations that stops an organization from providing its critical services, caused by the absence of critical resources, is called a:
A. Disaster
B. Vulnerability
C. Catastrophe
D. Calamity

Q1173. Which of the following is the MOST reliable strategy for centralized systems?
A. Cold site
B. Reciprocal Agreement
C. Hot Site
D. Mirror site/Active Recovery Site

Q1174. Which of the following is the LEAST reliable strategy for centralized systems?
A. Mobile Site
B. Hot Site
C. Reciprocal Agreement
D. Mirror site/Active Recovery Site

Q1175. Data that can be reconstructed fairly readily but at some cost is classified as:
A. Critical
B. Essential
C. Sensitive
D. Essential

Q1176. Disaster recovery plan and insurance are:
A. Controls of first resort.
B. Unreliable controls.
C. Preventive controls.
D. Controls of last resort

Q1177. Among strategies for telecommunications systems, the strategy that involves the use of different networks, circuits or end points when the primary telecommunication facility is unavailable is called:
A. Distributed Routing
B. Associative Routing
C. Diverse Routing
D. Alternative Routing

Q1178. The auditor should evaluate the security of an offsite facility to ensure that it has logical, physical and environmental controls. Ideally, these controls should be:
A. On par with that provided at the primary facility.
B. Less than that provided at the primary facility.
C. More than that provided at the primary facility.
D. Different from that provided at the primary facility.

Q1179. With respect to BCP testing, which is the most rigorous way to test a business continuity plan?
A. Full-interruption
B. Parallel
C. Simulation
D. Structured walk-through

Q1180. Business functions that can be performed manually but only for a brief
period of time are usually classified as:
A. Vital
B. Essential
C. Desirable
D. Critical

Q1181. Banks must demonstrate that they have an overall data architecture that integrates the various business functions from operations to finance to risk management if they are to achieve compliance with:
A. ISO/IEC 17799:2000
B. SAS 70
C. Basel Committee’s principles for electronic banking
D. Basel II Capital Accord

Q1182. Risk assessment consists of:
A. Data collection
B. Data analysis
C. Data collection and data analysis
D. Data collation

Q1183. With respect to BCP testing, in which type of test is processing done at both the primary and alternate location?
A. Full-interruption
B. Parallel
C. Simulation
D. Structured walk-through

Q1184. Which of the following technical methods for backup does not require restoration?
A. Electronic Vaulting
B. Networked Disk
C. Tape Drives
D. Remote Mirroring

Q1185. Which of the following types of system backup would require the maximum storage?
A. Incremental
B. Sequential
C. Full
D. Differential
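
Q1163, Q1164 and Q1185 all turn on how incremental, differential and full backups differ in what they copy, how much media they consume and how many sets a restore must apply. The simulation below is an added example and is not part of the DISA manual; the file sizes, the five days of changes and the one-backup-per-day schedule are constructed.

```python
# Constructed data: file -> size in MB on day 0, then the files modified on
# each of days 1..5 with their new sizes. (Assumption: one backup per day.)
DAY0_FILES = {"ledger.db": 40, "payroll.db": 30, "docs.zip": 20, "config.ini": 10}
DAILY_CHANGES = [
    {"ledger.db": 41},                   # day 1
    {"payroll.db": 31},                  # day 2
    {"ledger.db": 42, "docs.zip": 21},   # day 3
    {"config.ini": 11},                  # day 4
    {"payroll.db": 32},                  # day 5
]


def simulate(scheme):
    """Return the list of backup sets (kind, day, size_mb) for one scheme.

    incremental  - files changed since the previous backup of any kind
    differential - files changed since the last full backup (day 0)
    full         - every file, every day
    """
    assert scheme in ("incremental", "differential", "full")
    current = dict(DAY0_FILES)
    modified_on = {name: 0 for name in current}
    sets = [("full", 0, sum(current.values()))]
    last_backup_day = 0
    for day, changes in enumerate(DAILY_CHANGES, start=1):
        current.update(changes)
        for name in changes:
            modified_on[name] = day
        if scheme == "full":
            selected = set(current)
        elif scheme == "incremental":
            selected = {n for n, t in modified_on.items() if t > last_backup_day}
        else:  # differential: everything touched since the last full
            selected = {n for n, t in modified_on.items() if t > 0}
        sets.append((scheme, day, sum(current[n] for n in selected)))
        last_backup_day = day
    return sets


def storage_used_mb(sets):
    """Total media consumed by the whole cycle (what Q1185 asks about)."""
    return sum(size for _, _, size in sets)


def restore_chain(scheme, sets, day):
    """Backup sets that must be applied, in order, to rebuild the given day."""
    if scheme == "full":
        return [s for s in sets if s[1] == day]
    if scheme == "differential":
        return [sets[0]] + [s for s in sets if s[1] == day and s[0] == "differential"]
    return [s for s in sets if s[1] <= day]  # full plus every incremental


if __name__ == "__main__":
    for scheme in ("incremental", "differential", "full"):
        sets = simulate(scheme)
        print(f"{scheme:12} storage={storage_used_mb(sets):4} MB "
              f"restore sets for day 5={len(restore_chain(scheme, sets, 5))}")
```

Running it prints the media used by each scheme over the cycle and the number of sets needed to restore day 5: incremental uses the least media but needs the full backup plus every incremental since, differential needs only the full plus the latest differential, and a daily full uses the most media of all.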

Q1186. An auditor should verify that the recovery strategies adopted by the company are:
A. In line with audit objectives
B. In line with costs
C. In line with the priorities
D. In line with that of major competitors

Q1187. Backup media should be stored:
A. On-site in a secure, environmentally controlled location
B. Off-site in an insecure, environmentally controlled location
C. On-site in an insecure, environmentally controlled location
D. Off-site in a secure, environmentally controlled location

Q1188. Which of the following techniques used by RAID technology increases performance?
A. Mirroring
B. Parity
C. Striping
D. Hashing
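
Q1171 and Q1188 contrast the three things RAID does with data: striping spreads chunks across disks for throughput, mirroring duplicates them, and parity lets one lost disk be recomputed. The code below is an added example, not from the manual, showing striping with rotating XOR parity (the RAID-5 layout) and the rebuild of a failed disk; the payload, chunk size and four-disk array are constructed.

```python
from functools import reduce


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks; this is the parity RAID-5 stores."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)


def raid5_write(data, ndisks, chunk):
    """Stripe data across ndisks with one parity chunk per stripe.

    Returns a list of disks; each disk is a list of chunk-sized blocks.
    Parity rotates across disks stripe by stripe, as RAID-5 does, so no
    single disk becomes the write bottleneck that dedicated parity creates.
    """
    assert ndisks >= 3
    ndata = ndisks - 1
    stripe_bytes = chunk * ndata
    if len(data) % stripe_bytes:                      # pad to whole stripes
        data += b"\0" * (stripe_bytes - len(data) % stripe_bytes)
    disks = [[] for _ in range(ndisks)]
    for s, start in enumerate(range(0, len(data), stripe_bytes)):
        chunks = [data[i:i + chunk] for i in range(start, start + stripe_bytes, chunk)]
        parity = xor_blocks(chunks)
        parity_disk = s % ndisks
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_read(disks, length):
    """Reassemble the original bytes by skipping each stripe's parity chunk."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(ndisks):
            if d != s % ndisks:
                out += disks[d][s]
    return bytes(out[:length])


def raid5_rebuild(disks, lost):
    """Recreate a failed disk: XOR of the surviving disks' blocks in each stripe.

    Works whether the lost block was data or parity, because every stripe's
    blocks XOR to zero. The failed disk entry may be None.
    """
    survivors = [disks[d] for d in range(len(disks)) if d != lost]
    return [xor_blocks([disk[s] for disk in survivors]) for s in range(len(survivors[0]))]


def raid0_write(data, ndisks, chunk):
    """Plain striping (RAID-0): parallel throughput, no redundancy at all."""
    disks = [[] for _ in range(ndisks)]
    for i, start in enumerate(range(0, len(data), chunk)):
        disks[i % ndisks].append(data[start:start + chunk])
    return disks


if __name__ == "__main__":
    payload = b"Constructed sample payload for the RAID example."
    array = raid5_write(payload, 4, 8)
    failed = 2
    array[failed] = None                       # the disk is gone
    array[failed] = raid5_rebuild(array, failed)
    print(raid5_read(array, len(payload)) == payload)
```

A RAID-0 array built with raid0_write has nothing to rebuild from, which is why Q1162 excludes it as a recovery solution; the parity array spends one disk's worth of capacity to survive the loss of any single disk.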

Q1189. A file-oriented environment that offers a common storage area for multiple servers and which allows any application residing on, or any client using, virtually any operating system to send data to or receive data from it is called:
A. Network-Attached Storage (NAS)
B. Remote Access Storage (RAS)
C. Redundant Array of Inexpensive Disks (RAID)
D. Storage Area Network (SAN)

Q1190. A list of persons or organisations to be notified in the event of a disaster, often included in a business continuity plan, is called a:
A. Crisis Communication Directory
B. Crisis Communication Plan
C. Call Directory
D. Notification Directory

Q1191. The Generally Accepted System Security Principles (GASSP) are intended to provide an authoritative point of reference and legal reference for information security principles, practices, and opinions. These principles were modelled after:
A. Basel II Capital Accord
B. SAS 70
C. The Generally Accepted Accounting Principles (GAAP).
D. ISO/IEC 17799:2000

Q1192. Within any complex system, there are usually components or processes that, if not replicated or otherwise backed up by redundant capabilities, represent points of failure for the entire system. These are called:
A. Multiple points of failure
B. Cascading points of failure
C. Linear points of failure
D. Single points of failure

Q1193. When backups of data and system files are taken together, they are often called:
A. Systems backup
B. Data backup
C. Incremental backup
D. Differential backup

Q1194. The process of combining multiple physical storage devices into a logical, virtual storage device that can be centrally managed and is presented to the network applications, operating systems, and users as a single storage pool is called:
A. RAID
B. Storage virtualization
C. WAN
D. SAN

Q1195. Which of the following is not a visual programming language?
A. Control flow languages
B. Visual C++ language
C. Concurrent languages
D. Form based languages

Q1196. A high-speed, high-performance network that enables different servers with different operating systems to communicate with one storage device is called:
A. Network-Attached Storage (NAS)
B. Remote Access Storage (RAS)
C. Redundant Array of Inexpensive Disks (RAID)
D. Storage Area Network (SAN)

Q1197. The plan that addresses the restoration of business processes after an emergency, but which lacks procedures to ensure continuity of critical processes throughout an emergency or disruption, is called a:
A. Business Continuity Plan
B. Crisis Communication Plan
C. Business Resumption Plan
D. Continuity of Operations Plan

Q1198. Procedures that are designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial of service, or unauthorized changes to system hardware, software, or data, are contained in a:
A. Continuity of Operations Plan
B. Cyber Incident Response Plan
C. Crisis Communication Plan
D. Business Resumption Plan

Q1199. An IT-focused plan designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency is called a:
A. Disaster Recovery Plan
B. Business Resumption Plan
C. Continuity of Operations Plan
D. Cyber Incident Response Plan

Q1200. A malicious user can change an application to get the full database. This
is a pitfall in which type of database security measure ?
A. Passwords
B. User Accounts
C. Isolation
D. Backup

Q1201. The overriding principle behind most continuity plans is:
A. The protection of profits.
B. The protection of assets.
C. The protection of human life.
D. The protection of customers.

Q1202. The order of steps in the process of risk assessment for the purpose of BCP is:
A. Asset identification and prioritization, Threat identification, Exposure assessment, Objective formulation.
B. Objective formulation, Threat identification, Exposure assessment, Asset identification and prioritization.
C. Asset identification and prioritization, Exposure assessment, Threat identification, Objective formulation.
D. Objective formulation, Asset identification and prioritization, Threat identification, Exposure assessment.

Q1203. The maximum amount of time allowed for the recovery of a business function is called the:
A. Maximum Recovery Time Period
B. Critical Recovery Time Period
C. Minimum Recovery Time Period
D. Vital Recovery Time Period

Q1204. The technique that allows traffic to be distributed dynamically across groups of servers running a common application so that no one server is overwhelmed is called:
A. Server Load Balancing
B. Alternative Routing
C. Diverse Routing
D. Storage Area Network

Q1205. Computer viruses continue to pose a threat to all of the following characteristics of information systems except:
A. Integrity
B. Availability
C. Reliability
D. Confidentiality

Q1206. Which of the following data items is MOST LIKELY to have its integrity
protected by controls over standing data?
A. Pay rate
B. Raw material receipts
C. Customer’s address
D. Quantity sold

Q1207. Object control is widely used in:
A. Single user systems
B. Multi-user systems only
C. Multi-user and distributed systems
D. Distributed systems only

Q1208. Run-to-run totals are part of which of the following controls?
A. Input control
B. Process control
C. Manual control
D. Output control

Q1209. All the following application system controls are considered preventive
in nature except:
A. Batch control totals
B. Authorization
C. Preprinted forms
D. Passwords

Q1210. Hacking by making use of information on waste/discarded paper is termed -
A. Finger protocol
B. Ping
C. Dumpster diving
D. Social engineering

Q1211. Searching for weaknesses in the Windows NT and Unix operating systems is an example of:
A. Active attack
B. Security control bypassing attack
C. Passive attack
D. Tear-drop attack

Q1212. Which of the following can Direct Manipulation Interfaces (DMI) NOT help reduce?
A. Error-rates
B. Learning time
C. Easy remembering of operations
D. System resources

Q1213. Which feature of RBAC specifies event-triggered conditions?
A. Role perspective
B. Role activation
C. Role hierarchy
D. Role based management

Q1214. Which access control mechanism does security label fit into?
A. Logical access control
B. Discretionary access control
C. Physical access control
D. Mandatory access control

Q1215 A data unit 01000101 sent from the source was received as 01111101.
What is the type of error?
A. Single-bit error
B. Byte error
C. Burst error
D. Spike error

Q1216. Which of these biometric tools uses thermal sensors along with infrared rays for identification?
A. Key stroke dynamics
B. Iris/Retinal scan
C. Speech recognition
D. Fingerprint scanning

Q1217. In an automated record processing system, processing control total reconciliation is a type of -
A. File management control
B. Output control
C. Input control
D. Access control

Q1218. Hackers cover their tracks by masking their IP address. This is done
through:
A. Proxy Chaining
B. Denial of Service
C. Secure Sockets Layer hacking
D. IP spoofing

Q1219. The control procedure of installing the anti-virus software in the system
is called -
A. Preventive control
B. Compensating control
C. Detective control
D. Corrective control

Q1220. Which one of the following properties of information systems would be compromised by a denial of service attack?
A. Maintainability
B. Confidentiality
C. Reliability
D. Availability

Q1221. The logical access exposure involving data changing before and/or while
being entered into the computer is called -
A. Virus
B. Logic bombs
C. Trojan Horse
D. Data Diddling

Q1222. The general control that concerns the proper segregation of duties and responsibilities is called -
A. An output control
B. An access control
C. Organisation control
D. A Processing control

Q1223. Among network protection techniques for e-commerce, which one of the following uses Secure Sockets Layer (SSL)?
A. DMZ
B. Firewalls
C. Network segregation
D. Data encryption

Q1224. Which type of constrained user interface does an ATM have?
A. Menus
B. Physically constrained user interface
C. Database views
D. Access control lists

Q1225. All of the following are checks used to determine whether a field contains data and not zeros or blanks, EXCEPT -
A. Parity bits
B. Check digits
C. Batch headers
D. Trailer records

Q1226. Physical access control does not depend upon which of these factors?
A. Working environment
B. Hiring procedure
C. Public key infrastructure
D. Access privileges

Q1227. In a manufacturing company, which of the following computer files is MOST critical?
A. Debtors' file
B. Invoices paid file
C. Materials ordered file
D. Contingent liabilities file

Q1228. Viruses that can change their appearance and use encryption are known
as:
A. Boot sector virus
B. Polymorphic virus
C. Stealth virus
D. Multipartite virus

Q1229. Components of an ACL include _______
A. Roles
B. Roles and rights
C. Roles, rights and resources
D. Roles, rights, resources and filters

Q1230. Which aspect of a command language differentiates it from menu-driven languages?
A. Compatibility
B. Precision
C. Users type notation and initiate action
D. Speed in learning

Q1231. Which of the following would be considered a programmed input control in an application program?
A. Read-after-write
B. Header-label checks
C. Embedded audit module
D. Reasonableness check

Q1232. Dual protection/mirroring provides protection against which of the following?
A. Procedural error
B. Power loss
C. System software error
D. Application program error

Q1233. Which of the following is NOT a security concern while using Java?
A. Intrusion of Privacy
B. Message digests
C. Denial of Service
D. Irritations

Q1234. What is the methodology used in the Novell Netware Operating System
to implement the concept of Access control Lists?
A. File Rights
B. Trusteeship
C. Authentication
D. Property Rights

Q1235. The unauthorised use of data files can be best prevented by using -
A. hardware lock
B. library control software
C. tape librarian
D. access control software & procedures

Q1236. Which of the following primarily assists in detecting real memory errors?
A. Valid character checks
B. Parity-based Hamming code check
C. Boundary register checks
D. Read-after-write checks

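Q1215 asks how to classify a corrupted data unit and Q1236 which check catches real-memory errors; both rest on counting which bit positions changed. The code below is an added example, not part of the manual: it classifies the Q1215 transmission as a burst error, shows the limit of a single parity bit, and implements Hamming(7,4), the parity-based code that can locate and correct a single flipped bit. The bit strings are the ones from Q1215 plus constructed ones.

```python
def flipped_positions(sent, received):
    """1-based positions (counted from the left) where the two bit strings differ."""
    assert len(sent) == len(received)
    return [i + 1 for i, (a, b) in enumerate(zip(sent, received)) if a != b]


def classify_error(sent, received):
    """Q1215 terminology: 'single-bit' when one bit changed, 'burst' when two or
    more changed (the burst length is the span from the first to the last flip)."""
    flips = flipped_positions(sent, received)
    if not flips:
        return "none", flips
    if len(flips) == 1:
        return "single-bit", flips
    return "burst", flips


def even_parity_bit(bits):
    """Parity bit that makes the total count of 1s even."""
    return "1" if bits.count("1") % 2 else "0"


def parity_detects(sent, received):
    """A single parity bit catches any odd number of flipped bits and misses
    any even number, so it can detect but never locate or correct."""
    return len(flipped_positions(sent, received)) % 2 == 1


def hamming74_encode(data4):
    """Hamming(7,4): positions 1,2,4 hold parity; 3,5,6,7 hold the data bits."""
    d1, d2, d3, d4 = (int(b) for b in data4)
    p1 = d1 ^ d2 ^ d4   # covers positions 1,3,5,7
    p2 = d1 ^ d3 ^ d4   # covers positions 2,3,6,7
    p4 = d2 ^ d3 ^ d4   # covers positions 4,5,6,7
    return "".join(str(b) for b in (p1, p2, d1, p4, d2, d3, d4))


def hamming74_decode(code7):
    """Return (data4, corrected_position); position 0 means no error was seen.

    This is the scheme ECC memory uses to fix a single-bit real-memory error
    on the fly (Q1236): the syndrome is the index of the bad bit.
    """
    b = [None] + [int(x) for x in code7]   # 1-based indexing
    s1 = b[1] ^ b[3] ^ b[5] ^ b[7]
    s2 = b[2] ^ b[3] ^ b[6] ^ b[7]
    s4 = b[4] ^ b[5] ^ b[6] ^ b[7]
    pos = s1 + 2 * s2 + 4 * s4
    if pos:
        b[pos] ^= 1
    return "".join(str(b[i]) for i in (3, 5, 6, 7)), pos


if __name__ == "__main__":
    print(classify_error("01000101", "01111101"))      # the Q1215 data unit
    print(parity_detects("01000101", "01110101"))     # two flips cancel out
    code = hamming74_encode("1011")
    damaged = code[:4] + ("1" if code[4] == "0" else "0") + code[5:]
    print(hamming74_decode(damaged))
```

Three adjacent bits changed in the Q1215 unit, so it is a burst error; a parity bit would happen to notice it (three is odd) but would stay silent on a two-bit burst, while the Hamming code pinpoints and repairs any single flipped bit, parity bits included.
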
Q1237. The basic control requirement in a real-time application system is:
A. Logging of all transactions
B. Logging of all terminals
C. Logging of console transaction
D. Audit log

Q1238. The best way to delete a highly confidential file from a microcomputer
would be by using which of the following:
A. Security card
B. Encryption routine
C. Disk utility
D. Multiplexor

Q1239. To make a password hard to guess, which of the following conventions should it follow?
A. RAMA
B. TN37D2640
C. BHAGWAN SRIGANESH
D. XW7_TU

Q1240. A dial-back modem uses which of the following features for external access control?
A. SLIP protocol
B. Port protection
C. Point-to-Point Protocol
D. Blue boxes

Q1241. Computer forensics inspection has limitations due to which of the following?
A. Legal restrictions in the form of limited search warrants
B. CMOS information
C. Password Protection
D. Write-Protect capability

Q1242. For maintaining the integrity of data:
A. Security policy should not be integrated with general policy
B. Staff should be trained in validation and incident response
procedures
C. Backup should be done only of data and not codes
D. Auditing is required only of operating system

Q1243. Which is the most important step that can save a company from social engineering attacks?
A. Creation of helpdesk rules
B. Making people accountable for jobs
C. Including social engineering in the security policy
D. Using Id cards

Q1244. A “dry pipe” arrangement to extinguish fires is:
A. A sprinkler system where the water is in the pipe, but the outside
of the pipe is dry
B. A Halon gas system that contains a dry pipe
C. A carbon dioxide (CO2) gas system that has a dry chemical to
extinguish a fire
D. A sprinkler system where the water does not enter the pipes until
the automatic sensor indicates that there is a fire in the area

Q1245. A company has a policy to purchase microcomputer software only from recognized vendors and to prohibit employees from installing non-authorized software on their microcomputers. To minimize the likelihood of computer viruses infecting any of its systems, the company should:
A. Restore infected systems with authorized versions.
B. Recompile infected programs from source code backups.
C. Institute program change control procedures.
D. Test all new software on a stand-alone microcomputer.

Q1246. A company's labour costing report has to be corrected extensively due to labour hours charged to inactive jobs. Which of the following controls would prevent this from happening?
A. Reasonableness test
B. Validity test
C. Limit test
D. Control total

Q1247. A compensating control for a weakness in access controls is the daily review of log files. The IS auditor reviewing the adequacy of this compensating control would be least concerned with -
A. the contents of the log file
B. the controls available and implemented for the protection of the
log file
C. list of persons authorised to alter the log file contents and the
software controlling the log file updating.
D. The period up to which the log file is retained

Q1248. A competitor would gain by accessing sensitive operating information stored on computer files. Which of the following controls would best prevent such losses?
A. Controlled disposal of documents
B. Encryption of data files and safe keeping of encryption keys
C. Access control at application system level
D. Access control at database management system level

Q1249. A computer virus is malicious code that can “infect” a computer system. Which of the following statements is true about computer viruses?
A. It can attach to a data field
B. It can attach to an executable program
C. It can attach to a data file
D. It can attach to a data record

Q1250. A computerized system should contain an audit trail of information to facilitate detection of certain events. In an audit trail log of unauthorized system access attempts, which of the following would not be included?
A. The terminal used to make the attempt
B. The date and time of access attempt.
C. The user-id used to make the attempt
D. The password used to make the attempt.
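
Q1247 and Q1250 describe an audit trail of access attempts whose daily review compensates for weak access controls, and whose records carry the terminal, timestamp and user ID but never the password tried. The code below is an added example, not from the manual: it builds such records, refuses to store credential fields, and runs the review a daily log check would perform, flagging repeated failures per user and per terminal. The log lines and the record format are constructed; the five-minute window and threshold of three are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail lines (assumed format: date time terminal user outcome).
# Note what is NOT logged: the password typed. Logging it would turn the audit
# trail into a credential store, which is why Q1250 excludes it.
AUDIT_TRAIL = """\
2024-03-01 09:00:01 term=T12 user=jdoe outcome=FAIL
2024-03-01 09:00:09 term=T12 user=jdoe outcome=FAIL
2024-03-01 09:00:15 term=T12 user=jdoe outcome=FAIL
2024-03-01 09:00:22 term=T12 user=jdoe outcome=SUCCESS
2024-03-01 09:30:00 term=T07 user=asmith outcome=FAIL
2024-03-01 11:45:10 term=T07 user=asmith outcome=FAIL
2024-03-01 11:45:40 term=T07 user=asmith outcome=SUCCESS
2024-03-01 14:02:03 term=T33 user=root outcome=FAIL
2024-03-01 14:02:04 term=T33 user=admin outcome=FAIL
2024-03-01 14:02:05 term=T33 user=oracle outcome=FAIL
2024-03-01 14:02:06 term=T33 user=backup outcome=FAIL
"""

LINE = re.compile(r"^(\S+ \S+) term=(\S+) user=(\S+) outcome=(\S+)$")
FORBIDDEN_FIELDS = {"password", "passwd", "pwd"}


def safe_to_log(**fields):
    """True when none of the supplied field names is credential material."""
    return not (FORBIDDEN_FIELDS & {k.lower() for k in fields})


def audit_record(terminal, user_id, outcome, when, **extra):
    """Build an audit-trail entry; refuse to store the password attempted."""
    if not safe_to_log(**extra):
        raise ValueError("refusing to log credential material in the audit trail")
    return {"when": when, "terminal": terminal, "user": user_id,
            "outcome": outcome, **extra}


def parse_trail(text):
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        records.append(audit_record(m.group(2), m.group(3), m.group(4), when))
    return records


def failed_login_alerts(records, threshold=3, window=timedelta(minutes=5)):
    """Return (key_kind, key) pairs with >= threshold failures inside the window.

    Keyed by user (guessing against one account) and separately by terminal
    (one terminal walking through many accounts); either view alone misses
    the other pattern.
    """
    alerts = set()
    for key_name in ("user", "terminal"):
        by_key = defaultdict(list)
        for r in records:
            if r["outcome"] == "FAIL":
                by_key[r[key_name]].append(r["when"])
        for key, times in by_key.items():
            times.sort()
            start = 0
            for end in range(len(times)):          # sliding window over failures
                while times[end] - times[start] > window:
                    start += 1
                if end - start + 1 >= threshold:
                    alerts.add((key_name, key))
                    break
    return sorted(alerts)


if __name__ == "__main__":
    for alert in failed_login_alerts(parse_trail(AUDIT_TRAIL)):
        print("review:", alert)
```

On the constructed trail the review flags jdoe and terminal T12 (three failures in fourteen seconds, then a success, which is exactly the sequence a reviewer wants to see) and terminal T33, where four different accounts failed within three seconds; asmith's two widely spaced failures are left alone.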

Q1251. A control procedure that checks that data was entered and does not
contain blank or zeros is called -
A. A mathematically calculated check digit
B. Control check to verify the data existence agrees to a
predetermined criteria
C. Completeness check
D. Reasonableness check

Q1252. A Data Base Management System locks out a record used by one user,
when it is simultaneously accessed by another user for updating. This
control is primarily intended to prevent:
A. Duplicate processing of transactions
B. LAN server overload
C. Transaction processing delay
D. Concurrent transaction processing

Q1253. A detective control designed to establish the validity and appropriateness of numeric data elements, and to guard against errors made in transcribing or keying data, is -
A. Sequence check
B. Record check
C. Check digit
D. Field-size check

Q1254. A fraud involving accessing data by using another person's password and altering the data for gain was detected and investigated. The IS auditor, during the investigation, will be in a position to provide information about all of the following except –
A. details of access control procedures in use
B. administration of password security
C. the hurdles crossed by the perpetrator of the fraud
D. preventive methods to avoid similar attempts

Q1255. A hacker changes data stored in hidden form fields to reduce the price
in online shopping. This type of attack is called:
A. Denial of Service
B. Dynamic Scripting
C. Data Manipulation
D. Identity Spoofing
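
Q1255 describes a client editing a hidden form field to lower the price; the server's mistake is treating a value it sent to the browser as still trustworthy when it comes back. The code below is an added example, not part of the manual, showing the vulnerable checkout beside a hardened one that signs hidden fields with an HMAC and, independently, re-reads the price from the server-side catalogue. The catalogue, SKUs and signing key are constructed.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed catalogue: the authoritative price lives on the server.
CATALOGUE = {"SKU-100": Decimal("499.00"), "SKU-200": Decimal("1299.00")}
# Hypothetical signing key; in a real deployment it comes from a secret store.
SERVER_SECRET = b"example-only-signing-key"


def sign_fields(fields):
    """HMAC over the hidden fields in a canonical order so tampering is detectable."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(SERVER_SECRET, canonical, hashlib.sha256).hexdigest()


def render_order_form(sku, qty):
    """What the server embeds as hidden fields; the price is shown but also signed."""
    hidden = {"sku": sku, "price": str(CATALOGUE[sku])}
    hidden["sig"] = sign_fields(hidden)
    hidden["qty"] = str(qty)
    return hidden


def checkout_vulnerable(form):
    """The pitfall in Q1255: the server bills whatever 'price' the browser posted."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_hardened(form):
    """Two independent defences: verify the signature, then ignore the posted
    price anyway and re-read it from the catalogue."""
    expected = sign_fields({"sku": form["sku"], "price": form["price"]})
    if not hmac.compare_digest(expected, form.get("sig", "")):
        raise ValueError("hidden-field signature mismatch")
    qty = int(form["qty"])
    if qty <= 0:
        raise ValueError("quantity must be positive")
    return CATALOGUE[form["sku"]] * qty


def hardened_rejects(form):
    """True if the hardened handler refuses the submitted form."""
    try:
        checkout_hardened(form)
    except (ValueError, KeyError):
        return True
    return False


if __name__ == "__main__":
    form = render_order_form("SKU-200", 1)
    tampered = dict(form, price="1.00")          # attacker edits the hidden field
    print("vulnerable bills:", checkout_vulnerable(tampered))
    print("hardened rejects:", hardened_rejects(tampered))
    print("hardened bills  :", checkout_hardened(form))
```

The signature alone would already reject the edited price, but the catalogue lookup means that even a bug in signature handling cannot let a client-chosen number reach the invoice; the quantity is the one field the client legitimately chooses, so it is range-checked rather than signed.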

Q1256. A main advantage of standard access control software, implemented properly, is -
A. use of security guards can be dispensed with
B. physical access to backup storage devices can be restricted effectively
C. authorized users are logically allowed access only to authorized files
D. data entry by the user department is made easy

Q1257. A major advantage of associating passwords with users in the access control mechanism, over associating the passwords with the resources, is -
A. Processing time saved is substantial.
B. Control can be exercised to a very fine level of authorisation
C. Users need to remember only a single password rather than multiple passwords
D. Security administration is made simple

Q1258. A major drawback of a remote dial-up network communication system is:
A. absence of logging of attempted sign-on
B. inability to disconnect after invalid access attempts
C. existence of call forwarding devices
D. required display of user codes and passwords

Q1259. A manually calculated figure of Rs. 12,50,000 was entered before running a batch program for preparing vendor cheques in an accounts payable system. The computer is programmed to display an error message if the total amount of the cheques prepared does not equal the figure entered. This figure is an example of:
A. A parity total
B. Check digit
C. A hash total
D. A control total
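
Q1259, Q1217 and Q1208 are about control totals carried from one processing run to the next. The code below is an added example, not from the manual: it computes a record count, a control total (a meaningful sum, the Rs. 12,50,000 figure of Q1259) and a hash total (a meaningless sum of vendor numbers) over a batch, then reconciles them after a later stage, showing which control catches a dropped record and which catches a payment redirected to the wrong vendor. The batch is constructed.

```python
# Constructed accounts-payable batch: the manually computed control figure of
# Rs. 12,50,000 in Q1259 is the sum of the 'amount' column (rupees).
INPUT_BATCH = [
    {"vendor_no": 1045, "amount": 250000},
    {"vendor_no": 2310, "amount": 500000},
    {"vendor_no": 1877, "amount": 375000},
    {"vendor_no": 4420, "amount": 125000},
]


def batch_totals(records):
    """Three classic batch controls computed over a set of records."""
    return {
        "record_count": len(records),
        "control_total": sum(r["amount"] for r in records),    # meaningful sum
        "hash_total": sum(r["vendor_no"] for r in records),    # meaningless sum
    }


def reconcile(expected, records):
    """Run-to-run check (Q1208, Q1217): compare the totals carried forward from
    the previous stage with those recomputed now. Returns the controls that
    disagree as {name: (expected, actual)}; an empty dict means the run balances."""
    actual = batch_totals(records)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def cheque_run(records):
    """Stand-in for the payment stage: one cheque record per input record."""
    return [{"vendor_no": r["vendor_no"], "amount": r["amount"]} for r in records]


if __name__ == "__main__":
    manual_figure = 1250000
    carried = batch_totals(INPUT_BATCH)
    assert carried["control_total"] == manual_figure
    # Stage 2 drops a record: the count and both totals break.
    print(reconcile(carried, cheque_run(INPUT_BATCH[:-1])))
    # Stage 2 pays the right amount to the wrong vendor: only the hash total breaks.
    redirected = cheque_run(INPUT_BATCH)
    redirected[1]["vendor_no"] = 9999
    print(reconcile(carried, redirected))
```

The second case is the reason a hash total exists at all: the rupee figure balances, the record count balances, and only the sum of a field nobody would otherwise add up reveals that a cheque went to vendor 9999.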

Q1260. A newly released virus was introduced into a LAN from a floppy disk in one of the workstations connected to the LAN. The existence of such a virus in the LAN will be revealed most effectively by which of the following?
A. ensuring compulsory scanning of all floppy disks before use
B. formatting of the network file server
C. regular scanning of all network drives as per the established routines
D. installing anti-virus software on all nodes

Q1261. Access control list of a firewall can have the following parameters, on
the basis of which it may filter access, EXCEPT one.
A. IP address
B. Activity/service type
C. Port
D. Network interface card

Q1262. A reasonable control practice for distributed executable programs that run in the background of a web browser client, such as Java applets and ActiveX controls, is -
A. installation of a firewall
B. usage of a secure web connection
C. acceptance of executable only from the established and trusted
source
D. hosting the website as part of your organisation

Q1263. A receipt control is LEAST LIKELY to cover which of the following exposures associated with online output?
A. User’s failure to read a message because they are absent
B. Improper forwarding of a message to another party
C. Acceptance of a letter bomb from an anonymous source
D. Downloading of a program file containing a virus

Q1264. A remote dial-up order entry system using portable computers for salesmen to place orders should have the following control to prevent it from misuse:
A. Modem equalisation
B. A call back procedure
C. An error-correcting code
D. Frequent access code revalidation

Q1265. A risk associated with the use of laptop computers is their loss or theft and the consequent disclosure of confidential information stored on them. Which one of the following control measures is the most effective and inexpensive way to protect the information stored on them?
A. Briefings of users
B. Removable data storage media
C. Screen saver passwords
D. Encryption of data files on stored media

Q1266. A verification process using one or more redundant digits added at the end of a word or number, derived in relation to the other digits in the word or number, is called -
A. Hash total verification
B. Parity check verification
C. Check digit verification
D. Input edit check verification
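
Q1253 and Q1266 define the check digit: a redundant digit derived from the other digits of a number, used to detect transcription and keying errors. The code below is an added example, not part of the manual, implementing the common mod-10 (Luhn) check digit and measuring what it does and does not catch; the vendor numbers are constructed.

```python
def luhn_check_digit(payload):
    """Mod-10 (Luhn) check digit for a string of decimal digits.

    Working from the right, every other digit is doubled (and 9 subtracted if
    the result exceeds 9); the check digit brings the sum to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                # nearest the check digit, so doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    """Detective check (Q1253): recompute and compare the trailing digit."""
    return (number.isdigit() and len(number) >= 2
            and luhn_check_digit(number[:-1]) == number[-1])


def single_substitution_detection_rate(number):
    """Fraction of single-digit transcription errors the check digit catches."""
    tried = caught = 0
    for i, original in enumerate(number):
        for wrong in "0123456789":
            if wrong == original:
                continue
            tried += 1
            caught += not luhn_valid(number[:i] + wrong + number[i + 1:])
    return caught / tried


def undetected_adjacent_transpositions(number):
    """Adjacent swaps that still validate; Luhn is known to miss 09 <-> 90."""
    misses = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a == b:
            continue
        swapped = number[:i] + b + a + number[i + 2:]
        if luhn_valid(swapped):
            misses.append(swapped)
    return misses


if __name__ == "__main__":
    vendor = "7992739871"                      # constructed vendor number
    full = vendor + luhn_check_digit(vendor)
    print(full, luhn_valid(full))
    print(single_substitution_detection_rate(full))
    print(undetected_adjacent_transpositions("12345096"))
```

Every single-digit keying error is caught, and every adjacent transposition except the 09/90 pair; a check digit is therefore a detective control against keying mistakes, not a control against deliberate substitution, since anyone can recompute it.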

Q1267. Abuse of an information system (IS) is BEST described as:
A. Unauthorized modification of a payroll cheque printing program to inflate the amount for the perpetrator.
B. Any incident involving the IS whereby a perpetrator is able to inflict a loss on a would-be victim for his/her personal gain
C. A breach in the security of the IS resulting in destruction of hardware or software
D. Wilful damage to IS hardware or software.

Q1268. Access control is implemented using __________ in Windows NT and __________ in Unix.
A. Access control List and file system
B. Security Reference Manager and Syslog
C. File system and Access control List
D. Syslog and Security Reference Manager

Q1269. The access control procedure provides for access rights administration by the security administrator. However, access to production data should be authorised by –
A. Data owner
B. Data custodian
C. System analyst
D. Application programmer

Q1270. Access to an online system running an application program requires users to validate themselves with a user ID and password. This helps in providing -
A. context-dependent security
B. write protect security
C. data security
D. physical security

Q1271. All of the following are environmental controls employed in an IS department EXCEPT –
A. External file header label on storage device
B. Fire extinguishers
C. Good housekeeping procedures
D. UPS

Q1272. Which one of the following threats would cause the greatest concern to
an auditor auditing the data centre of a client organization?
A. Gun powder is stored in the basement of the building where the
data centre is also located
B. The data centre is located near airport.
C. The data centre is in close proximity (i.e., between one and
two miles) to one engaged in the refinement of highly explosive
chemicals or combustible and volatile products
D. The data centre is five to ten miles away from a nuclear power
plant

Q1273. The control and the procedure used in a program before data is
processed in a program is called -
A. Edit controls
B. Detective controls
C. Corrective controls
D. Compensating controls

Q1274. While classifying controls on the basis of the operations involved, input
control can be classified as -
A. Organisation control
B. General control
C. Processing control
D. Application control

Q1275. While attempting to discover a valid password, which of the following factors is a perpetrator least concerned with?
A. The character set from which the password is composed
B. The password length
C. The power of the computer used to break the password code
D. The number of failed login attempts allowed before disconnect

Q1276. While carrying out an IS security review, the IS auditor observed the
following controls present in the client’s IS security system. Which of
these controls may detect that an IS security violation has occurred?
A. Terminals are disabled after three failed login attempts
B. Passwords are changed periodically
C. Log books are reviewed by security personnel
D. Employee ID cards are in use

Q1277. While carrying out IS Audit, you have discovered a Trojan Horse
program in the computer system. Which of the following actions will you
take FIRST?
A. Start an investigation to find its author
B. Immediately remove the code containing the portion of “TROJAN
HORSE”
C. Investigate the underlying threat if any
D. Install a compensating control

Q1278. While designing logical access controls it is often required to balance
some of the often-competing interests. Which one of the following
should receive the highest priority while making a tradeoff when
designing such controls?
A. Security principles
B. Operational requirements
C. User-friendliness
D. Technical constraints


Q1279. While establishing an information security program, which of the following
steps comes first?
A. Adoption of a corporate information security policy
B. Preparation, adoption and implementation of an information
security standards manual
C. Acquisition of access control security software
D. A comprehensive security controls review by the IS auditor

Q1280. While implementing an application control system the management
wants to ensure that the critical fields in the master record are
properly posted. Which of the following controls may best address their
intention?
A. Reasonableness checks
B. Before and after maintenance report
C. Field checks
D. Control totals

Q1281. While reviewing an organisation that has a mainframe and a client/
server environment where all production data reside, the IS auditor
discovered several weaknesses. The most serious weakness of the
following is -
A. The database administrator also serves as the Security Officer.
B. The business continuity plan for the mainframe system's non-critical
applications is not proper
C. Regular backups of many of the LAN nodes are not taken on the
file server.
D. Password controls are not administered over the client/server
environment

Q1282. While reviewing the file identification standards in a client, the IS auditor
may not be concerned with which of the following:
A. Retention period standards
B. Periodic file inventory
C. External labeling standards
D. High-level qualifier standards

Q1283. While reviewing the telecommunication access control, the primary
concern of the IS Auditor will be on the -
A. access logs on usage of various system resources
B. protection of stored data in the server by encryption or otherwise
C. ensuring accountability and identifying terminals accessing system
resources
D. proper procedure for verification of User ID and passwords,
ensuring authorisation and authentication before granting access
to resources

Q1284. Within an EDI system, which of the following is used to determine non-
repudiation? Only digital signatures can ensure non-repudiation of
messages, since the messages are signed by the private key of the
sender, which is known only to the sender.
A. Private key cryptosystem.
B. Digital Signatures.
C. Spoofing.
D. Terminal ID and password

Q1285. Which of the following statements regarding computer viruses is correct?
A. Using precompiled programs prevents the invasion of computer
viruses.
B. A “Trojan horse” is the same as a computer virus.
C. Scanning incoming e-mail would prevent all virus infection.
D. Computer security techniques can reduce the threat of computer
viruses.


Q1286. Which of the following terms best describes the purpose of control
practice over the input -
A. Authorisation of access to data files
B. Authorisation of access to program files
C. Completeness, accuracy and validity of update
D. Completeness, accuracy and validity of input

Q1287. Which of the following tests the compliance of internal accounting
control procedures?
A. getting confirmation letters from each of the creditors and debtors
B. preparation and analysis of significant accounting ratios
C. reconciliation of balance of accounts and finding control totals
D. document inspection for verification of performance by employees

Q1288. Which of the following would be of great concern to an auditor reviewing
a policy about selling a company’s used microcomputers which have
been used to process sensitive information?
A. Whether deleted files on the hard disk have been completely
erased.
B. Whether the computer has viruses.
C. Whether all the software on the computer is properly licensed.
D. Whether the computer has terminal emulation software on it.

Q1289. Which of the following would not be appropriate to consider in the
physical design of a data centre?
A. Evaluation of potential risks from air flight paths
B. Proximity to earthquake zone.
C. Design of authorization tables for operating system access.
D. Inclusion of an uninterruptible power supply system and surge
protection.


Q1290. Which of the following is the BEST procedure to find out whether
program documentation access is restricted only to authorized persons?
A. Back up and recovery procedure evaluation
B. Interview the programmers about the procedures currently
followed and if possible conduct a physical inspection of actual
access procedures
C. Programme library utilisation record verification
D. Review the detective control logs

Q1291. Which of these access control mechanisms is not based on multi-level
security?
A. Mandatory Access Control (MAC)
B. Discretionary Access Control (DAC)
C. Role Based Access Control (RBAC)
D. Internal Access Control

Q1292. Which of these transaction types occupies the highest level of
significance for application control?
A. Error correction transactions
B. Master file change transactions
C. Normal transactions
D. Batch control transactions

Q1293. Which one of the following application controls is considered to be
detective in nature?
A. Maintaining transaction logs of terminal activity
B. Storing backup copies of application files in remote locations
C. Range check in an on-line data-entry system
D. Assigning passwords to users


Q1294. Which one of the following authentication mechanisms would be difficult
to implement when a mobile user is accessing a host computer?
A. Static password exchange mechanism
B. One-time password mechanism
C. Challenge response mechanism
D. Address-based mechanism

Q1295. Which one of the following computer fraud methods relates to obtaining
information that may be left in or around a computer system after the
execution of a job?
A. Scavenging
B. Data diddling
C. Salami technique
D. Piggybacking

Q1296. Which one of the following password construction procedures would be
the most difficult to remember?
A. Use a random number generation algorithm
B. Reverse or rearrange the characters in the user's birthday
C. Reverse or rearrange the characters in the user’s native place.
D. Reverse or rearrange the characters in the user's spouse's name

Q1297. Which one of the following statements is not true with regard to physical
security?
A. Examining the age of the cabling is not significant
B. Lack of proper cooling facility may cause hardware failure
C. Locked gates, entrances, parking places are properly lit
D. Employees have to undergo training in physical security


Q1298. Which one of the following user identification and authentication
techniques is least expensive and least secure?
A. Memory tokens
B. Retina scanner
C. User IDs and passwords
D. Smart tokens

Q1299. Which one of the following statements is not true about audit trails?
A. If a user is impersonated, the audit trail will establish events and
the identity of the impersonator.
B. There is an interdependency between audit trails and security
policy.
C. Audit trails may assist in recovery in case of certain types of
processing failure.
D. Audit trails can be used to identify breakdowns in logical access
controls.

Q1300. Which of the following instruments is used to measure atmospheric
humidity in Data Centres?
A. Hydrometer
B. Hygrometer
C. Barometer
D. Voltmeter

Q1301. Which one of the following user identification and authentication
techniques uses reference profiles or templates?
A. Fingerprint recognition
B. Memory tokens
C. Smart tokens
D. Cryptography


Q1302. Access to the work area is restricted through a swipe card or another
authorised process, and when visitors enter the work area they are
issued a pass and escorted in and out by a concerned employee.
This type of control is called -
A. Organisational controls
B. Physical access controls
C. Logical access controls
D. Operational controls

Q1303. Accounts Receivable Section personnel for a manufacturer frequently
access computer data on customer and product sales. Logical access
control for these users would be
A. Inappropriate
B. Use of an Accounts Receivable Section password
C. Use of individual passwords
D. Use of individual passwords plus separate access passwords for
customer data and product data

Q1304. After an action has been performed successfully in a database, the
changes are permanent, and must be present, even after a subsequent
failure. This is a principle of:
A. Durability
B. Atomicity
C. Consistency
D. Isolation

Q1305. After you enter a purchase order in an on-line system, you get the
message, “The request could not be processed due to lack of funds in
your budget”. This is an example of error
A. Detection
B. Correction
C. Prevention
D. Recovery

Q1306. Which of these devices can be used to evade the firewall?
A. Routers
B. Modems
C. Switches
D. CPU

Q1307. All the following features help discover a valid password, EXCEPT -
A. the nature and character of the password content
B. the number of letters in a password
C. the number of attempts allowed before disconnection due to an
incorrect password.
D. The complexity of construction and special characters used for
construction.

Q1308. All the following statements are true regarding a water-based fire
extinguishing system except:
A. Water cools the equipment relatively quickly
B. The release of water can be localized to where it is needed
C. Water and Halon gas systems cannot co-exist
D. Jet sprayers can be an alternative to water sprinklers

Q1309. An access control policy for a Customer Service Representative in a
banking application is an example of the implementation of a:
A. User-directed policy
B. Role-based policy
C. Identity-based policy
D. Rule-based policy


Q1310. An access control review conducted by an IS auditor highlighted the
following control weaknesses in the system. Which of the weaknesses will
not result in an exposure?
A. Audit trails are not enabled
B. Programmers have access to the live environment
C. Group logons are being used for critical functions
D. The same user can initiate transactions and also change related
parameters

Q1311. An auditor suspected that a program calculating interest on advances
gave erroneous results for certain conditions. In an earlier audit, the
auditor found no evidence of erroneous processing. The best audit
technique for investigating possible errors in t
A. Mapping
B. Use of a test deck
C. Integrated test facility
D. Snapshot

Q1312. An auditor using an integrated test facility (ITF) should:
A. Reverse ITF data from production data at appropriate cutoff times
B. Analyze ITF data to determine the reasonableness,
completeness, and consistency of data files
C. Embed ITF routines in production programs to sample specified
transactions
D. Code a test routine to process production data

Q1313. An auditor wishes to detect duplicate payments of an invoice in an
automated accounts payable system. Which of the following sorting
orders of the accounts payable file would contribute to this objective?
A. Payment number and date of payment
B. Payment number and amount of payment
C. Invoice number and amount of payment
D. Invoice number and date of payment

Q1314. An incorrect end-of-file protocol in an application update program tends
to result in which of the following?
A. Program getting into loops
B. Transaction file records not being processed
C. Standing data getting corrupted
D. The incorrect internal label being inserted into the header record
on a file

Q1315. An interest calculation program of a Bank has several schemes and
several interest rates. The MOST APPROPRIATE control to verify the
correctness of the interest rates entered into the program is :
A. Interviewing all data entry operators about the method of input
entry adopted
B. Physical verification of actual data entry operations
C. Usage of CAATs to verify the interest rates
D. Reviewing independently the transaction listing

Q1316. An IS auditor carrying out review of logical access control, shall have
the PRIMARY OBJECTIVE of
A. ensuring that access is given in accordance with the
organisation's authorities
B. reviewing the software based access controls
C. carrying out personal examination of the existing physical access
environment
D. using CAAT techniques to know the access provided in the
software


Q1317. The most common concern regarding physical access to a data centre
is:
A. Piggybacking
B. Locks and keys
C. Fire suppression system
D. Electronic access control system

Q1318. An IS Auditor carrying out security review for verification of the
implementation of certain security measures, will be LEAST concerned
about -
A. the timely and efficient delivery of information by the EDP
department
B. existence of adequate controls to minimize the potential for loss
due to computer fraud or embezzlement
C. installation of proper physical security cover over the data
processing installation
D. preparations and plans for the accidental damage or loss in the
IPF

Q1319. An IS Auditor verifying the Physical and environmental control of an
IS facility has found that there is no adequate fire detection and fire
control facility available in the premises. Which of the following will help
alleviate a disaster BEST in the eve
A. Sufficient fire insurance cover
B. Proper Annual maintenance contract
C. Properly updated off-site storage of master and transaction files
D. Availability of back up processing facilities

Q1320. An IS Auditor, concerned that application controls are not adequate
to prevent duplicate payment of invoices, decided to review the data
processing files for possible duplicate payments. Which of the following
techniques/tools would be useful to the IS Au
A. An integrated test facility.
B. Statistical sampling.
C. Generalized audit software.
D. The audit review file.

Q1321. An online banking system permitted withdrawals from inactive customer
accounts. Which of the following controls would prevent this weakness?
A. Check-digit verification
B. Master file lookup
C. Duplicate record check
D. Range check

Q1322. An on-line data entry program is used for original entry of vendor
invoices. Subsequently a batch cheque-writing program is used to
prepare cheques; occasionally it is found that a cheque for a vendor
not yet included in the vendor file is prepared with n
A. A record lookup for vendors during data entry of vendor invoices
B. A batch control total check on vendor payments
C. A completeness test on fields in the cheque-writing program
D. A verification of vendors in the cheque-writing program

Q1323. An on-line teller application abruptly shuts down while some transactions
are in process. The best control to ensure that each unfinished
transaction is completed successfully when the system resumes
operation is:
A. Automatic restart that prompts tellers to complete in-process
B. Manual reconstruction of in-process transactions by tellers
C. Computer reconciliation of accepted-item totals
D. Manual reconciliation of accepted-item totals


Q1324. Applications access control will be seriously jeopardised if -
A. Passwords are allowed to be shared
B. Password files are not encrypted
C. Redundant log-on IDs are removed
D. Allocation of log-on IDs is controlled

Q1325. Arithmetically business risk is defined as business value x threat x
vulnerability. Thus if there are no threats it means that the business risk
A. Does not exist
B. Exists
C. Will exist in future
D. None of the above

Q1326. Because of the sensitivity of its data, a database system for business
forecasting was implemented with access control at different levels.
Users’ initial log-in would be controlled by
A. Integrated Test Facility
B. Database authorizations
C. Application software
D. Operating System

Q1327. Before disposing of the PC used for storing confidential data the most
important precautionary measure to be taken is -
A. mid-level formatting of hard disk
B. deleting all the files in the hard disk
C. deleting all the data on the hard disk
D. demagnetising the hard disk


Q1328. Changes made online to important master records will not be noticed
by which of the following controls?
A. proper authorisation of updates before the actual entry of the
update in the system
B. the complete listing of all updates made are daily taken and
verified by independent supervisor
C. data entry operators are not authorised to operate the update
command, which shall be executed by an independent supervisor
after verification
D. access to master records denied to data entry operators, but
given only to independent supervisor

Q1329. Confidentiality of sensitive data transmitted over public communication
lines could best be protected by
A. Cable Modems
B. Authentication Techniques
C. Call-back techniques
D. Cryptographic devices

Q1330. Complete and accurate transmission of data can be ensured by which
of the following measures?
A. protecting all program files with password
B. implementing reconciliation procedures at the microcomputer and
mainframe levels
C. implementation of proper back up and review procedures
D. regular review of transmission equipment problems and proper
procedure for logging of all maintenance activities of transmission
equipment

Q1331. Computer viruses could be detected by which one of the following
actions?
A. Maintain backups of program and data
B. Monitor usage of the device.
C. Use write-protect tabs on disks.
D. Examine the creation date and file size.

Q1332. Data once input into the computer system cannot be changed in an
unauthorised manner. The controls established to achieve the above
objective are called –
A. data security controls
B. detective controls
C. compensating controls
D. operations controls

Q1333. Data security function review examines the following areas EXCEPT –
A. Security policy and responsibility for implementation
B. Application controls
C. Access controls
D. Password administration controls

Q1334. Which of the following resources is not controlled by application
controls?
A. User
B. Data processing environment
C. Automated application system
D. Data used for the application

Q1335. Duplicate submission of corrections to errors could be prevented by:
A. After errors have been corrected, the error reports should be
discarded
B. Data input validation programs should highlight the situation by
showing input controls do not balance
C. Corrected errors should be initialed by the person correcting the
error
D. Only one person should be responsible for correcting errors in
any application system

Q1336. During a fire in a data centre, an automatic fire suppression system
would first:
A. Cut power to data processing equipment.
B. Disengage the uninterruptible power supply.
C. Sound an alarm and begin a timed countdown.
D. Activate the fire extinguishing system.

Q1337. During a review of system access rules, an IS Auditor noted that the
System Administrator has unlimited access to all data and program files.
Such access authority is:
A. Appropriate, but all access should be logged.
B. Appropriate, because System Administrator has to back up all
data and program files.
C. Inappropriate, since access should be limited to a need-to-know
basis, regardless of position.
D. Inappropriate, because System Administrator has the capacity to
run the system.

Q1338. Which is the right combination with respect to pointing devices?
A. Light pen and tablet.
B. Mouse and digitizer.
C. Digitizer and tablet.
D. None of the above.


Q1339. Which of the following is a special signal sent by the different hardware
devices to the Operating System (OS)?
A. Process
B. Threads
C. Interrupts
D. Applications

Q1340. During the review of logical access controls over a company’s
various application systems, an auditor found that access controls are
programmed into each application. The best recommendation in this
situation is to:
A. Consider the use of access control software.
B. Consider the use of utility software
C. Consider the use of Data Base Management System
D. Expand the use of the built-in access controls to new
applications.

Q1341. An electronic card access system is used to control access to a data
centre. The documentation for this system should be up-to-date and
should include:
A. Procedures for annual review of the security reports.
B. Identification of the cardkeys documenting the data centre areas
to which they grant access.
C. A list of all cards issued and the individuals to whom they were
issued.
D. Identification on the cardkeys documenting the name and address
of the data centre.

Q1342. Errors in an information system based on computers are less tolerable
than in a manual system primarily because:
A. Users have almost a blind faith that any output generated by a
computer has to be correct
B. Computer systems commit errors sporadically and not in a
pattern
C. If a program is erroneously coded, it commits errors at a very
high speed resulting in wastage of resources for locating and
correcting it besides the loss
D. Computer systems handle large volume of data

Q1343. Establishing effective access control through the use of Sign-on
procedure involves -
A. entering of log id by the user
B. entering of password by the user
C. identification of terminal being used by the user
D. authorisation procedure involving, authentication through the entry
of user log-on ID and password and the terminal ID.

Q1344. Exposure that could have been caused by the line-grabbing technique
is -
A. excessive usage of the hard disk space
B. blocking of CPU functions
C. transmission delay
D. unauthorised access to data

Q1345. Expected losses associated with rounding errors in a calculation are
MOST LIKELY to be mitigated by which of the following application program
controls?
A. Calling two or more subroutines that perform the same calculation
using different algorithms
B. Printing run-to-run control totals to allow the accuracy and
completeness of computations to be checked
C. Avoidance of closed routines when arithmetic instructions are
executed
D. Minimisation of human intervention in providing parameter values


Q1346. Which of these components of NFS uses authentication?
A. Cache file system
B. Virtual file system
C. Mount protocol
D. Remote procedure call

Q1347. For a high security installation the most effective physical access control
device is
A. User ID and password
B. Magnetic Card reader
C. Bio-metric devices
D. Laser activated photo identification.

Q1348. For a stand alone system, the best security control is to have -
A. User ID and passwords
B. Detailed logical access control procedures
C. Restricted physical access
D. Regular back ups taken at periodical intervals

Q1349. For eCommerce deals through web based transactions involving
acceptance of payment through credit cards, installation of firewall with
strict parameters is required, having impact on the transaction itself.
State the parameter having the LEAST impact over
A. Encryption of all transactions
B. Authentication of all transaction in time
C. Architecture of the firewall hiding the internal network
D. Exchange of traffic through the firewall at the application layer
only


Q1350. The malicious program which puts a constraint on a server’s activities over
a network is:
A. Virus
B. Trojan horses
C. Logic bombs
D. Worms

Q1351. For reviewing the physical security of the IPF facility, the necessity of
the following document is the LEAST -
A. Complete details of the IPF floor plans
B. SDLC procedure statement
C. List of all authorised users of IPF
D. Detailed organisation chart

Q1352. For secure exchange of data, a database has to ensure ACID properties.
A property of database that avoids conflict between two or more
transactions running simultaneously is:
A. Atomicity
B. Consistency
C. Integrity
D. Durability

Q1353. For successful implementation of the preventive security it is necessary
that
A. Preventive security should be implemented based on activities of
the company
B. Preventive security should always remain the same
C. Preventive security should not be related to the cost
D. Preventive security need not be based on any policy


Q1354. For which of the following audit tests, parallel simulation would be an
appropriate approach:
A. Testing for the presence of authorized signatures on documents
B. Summarizing the results of accounts receivable confirmation work
C. Scanning the general ledger file for unusual transactions
D. Re-calculating amounts for declining balance depreciation charges

Q1355. For which of the following options does the Demilitarised Zone (DMZ)
Security in e-commerce work as a protection technique?
A. Network protection
B. Application-level protection
C. Platform protection
D. Database protection

Q1356. Hackers avoid detection of attacks by changing the URL such that it is
difficult to write programs to detect the attacks. This is done through:
A. Spoofing
B. Physical attacks
C. Smurfing
D. Hexadecimal encoding of URLs

Q1357. Host 1 wants to prove its identity to Host 2. Host 2 is also authenticating
Host 3, but by mistake uses Host 1’s credentials. This is possible in
which type of authentication?
A. Zero Knowledge Proofs
B. Message Digests
C. Kerberos
D. Token Authentication


Q1358. How could the control in a loan processing edit program which ensures a
logical relationship between the amount advanced, the number of
repayments and the instalments be classified?
A. A format check
B. An existence check
C. A dependency check
D. A sequence check

Q1359. In a mainframe operating system software all of the following controls
can be incorporated EXCEPT –
A. header-label checks
B. address reference checks
C. parity checks
D. record length checks

Q1360. Implementation of control totals should begin at which point to prevent
the loss of data during the processing?
A. in the error report given for verification to the user department
B. in the computer itself at the time of processing
C. at the time of process changeover
D. at the time of data preparation & at input stage

Q1361. Implementing firewalls is not the best solution for Virtual Private
Networks because:
A. Firewalls cannot detect spoofing attacks.
B. Firewalls cannot be installed on VPNs
C. Firewalls cannot alter data over a network
D. All of the above


Q1362. In a Bank, the updating programme for bank account balances
calculates check digit for account numbers. This procedure is called -
A. File management control
B. Output control
C. Input control
D. Access control

Q1363. In a central computer system users specify where their output is printed,
but some users give the wrong destination code and tie up other
departments’ printers. The best approach to ensure that printing occurs
on an appropriate device is to:
A. Centrally monitor the print queues for correct destinations
B. Create destination defaults for printing based on each employee’s
departmental affiliation.
C. Centrally print and distribute the outputs.
D. Train current users in how to specify the right destination codes
for their printing.

Q1364. In a client server environment, if all printing options are commonly
accessed by all users, it may result in the following exposure -
A. unauthorised users may receive information
B. any one can print any report at any time thereby improving
operating efficiency
C. information is easily available
D. flexibility and user friendliness is facilitated

Q1365. In a data processing environment, where the data is centrally stored at
a database and data entry is carried out from remote terminals, it would
be more effective to perform editing/validation of data at the:
A. Remote processing site after transmission to the central
processing site.
B. Central processing site after application program processing.
C. Central processing site during application program processing.
D. Remote processing site prior to transmission to the central
processing site.

Q1366. In a Denial of Service attack, a TCP SYN flood attack is an example of:
A. Network Resource exhaustion
B. Memory consumption
C. Exploiting of the target's own resources
D. Configuration information alteration

Q1367. In a microcomputer small business environment, the following will be
the BEST security control procedure that can be employed effectively.
A. day to day review by the management of the trouble log
B. storage of computer back up media in a security area
C. application system design to be reviewed independently
D. regular and daily supervision and monitoring of computer usage

Q1368. In a network using Novell Netware, a user has full rights to a directory.
The user, however, must not access one file in that directory. What
feature of Netware can be used to achieve this?
A. Inheritance
B. Inherited Restriction Filter
C. Attributes
D. Security Equal To

Q1369. In a stand-alone small business computer environment which control
procedure for security will be the most effective?
A. Review of the trouble log by the management everyday
B. Closely supervising the usage of computers
C. Using a locked cabinet for storage of all computer media
D. An independent quality assurance review of all applications
developed


Q1370. In an accounting audit trail for online output, which of the following
information is LEAST LIKELY to be stored?
A. The time at which the output was received
B. The contents of the output
C. The persons who received the output
D. The resources consumed to produce the output

Q1371. In an accounting audit trail for processing subsystem, which of the
following events is MOST LIKELY to be included?
A. Hardware malfunctioning
B. Attempted integrity violation
C. A triggered transaction
D. Program start time

Q1372. In an accounts payable system, clerks who enter invoices for payment
also maintain the file containing valid vendor codes. This practice
increases the risk that:
A. The vendor table will not contain current information.
B. Clerks will enter an incorrect but valid code for payment.
C. Vendors not in the table file will be paid.
D. Unauthorized vendors’ invoices will be pai

Q1373. In an inventory maintenance application, the batch processing to update
the inventory master file could not detect several inventory transaction
records that were missing. Identify the pair of controls that would help
to ensure that missing records are de
A. Record counts and hash totals
B. Limit tests and record counts
C. Hash totals and reasonableness tests
D. Check digits and missing data tests

Q1374. Which of the following is NOT a condition for deadlock to arise?
A. Lockout
B. Pre-emption
C. Circular wait
D. Additional request

Q1375. In an IS environment, routing all links to external systems via a firewall,
scanning all diskettes and CDs brought in from outside the company
before use, and use of anti-virus software to update users' anti-virus
configuration files every time they log in,
A. Corrective controls
B. Preventive controls
C. Detective controls
D. Programming controls

Q1376. In an online processing system, to reconstruct correctly the interrupted
transactions on a failure, the system should have a control procedure
called -
A. Reconciliation of batch control totals
B. Anticipation and hash total
C. Concurrency and sequence number
D. logging and restart verification

Q1377. In auditing an on-line perpetual inventory system, an auditor selected
certain transactions for detailed testing. The audit technique which will
provide a computer trail of all relevant processing steps applied to a
specific transaction is described as:
A. Simulation
B. Snapshot
C. Integrated Test Facility
D. Tagging and tracing

Q1378. In deciding about the “need to know” basis access for the following,
the data classification plays an important role:
A. Test programs and data
B. Production programs and data
C. Test and production programs
D. Production and test data and programs

Q1379. In general, mainframe computer production programs and data are
adequately protected against unauthorized access. Certain utility
software may, however, have privileged access to software and data.
The risk of unauthorized use of privileged software could
A. Preventing privileged software from being installed on the
mainframe
B. Restricting privileged access to test versions of applications.
C. Limiting and monitoring the use of privileged software.
D. Keeping sensitive programs and data on an isolated machine.

Q1380. In general, output controls over reports of batch systems would be more
compared with that of online systems because:
A. Batch output is more detailed than online output.
B. There are more intermediaries involved in producing and
distributing batch output.
C. Only managers typically receive online reports so less misuse is
likely.
D. The only way to breach the privacy of online reports is to wiretap
the communications line

Q1381. In implementing a covert storage channel whereby one process can
communicate sensitive information to another unauthorised process,
which of the following techniques is UNLIKELY to be used?
A. Changing the number of files deleted from a directory
B. Changing the name of a file in the directory
C. Changing the workload demands placed upon the central processor
D. Changing the date on which a file was last modified

Q1382. In preventing unauthorised access to a computer file from a remote
terminal, which of the following controls can be used with best results?
A. User ID and passwords
B. Biometric checks
C. Frequently changed access controls
D. Call back procedures

Q1383. In relation to an output recovery process, which of the following factors
makes the recovery process EASIER?
A. In-place update rather than batch update is used
B. Avoidance of use of checkpoint facilities
C. Transaction data to be recovered instead of status data
D. Lack of use of spooling or printer files

Q1384. In relation to database access controls, which of the following types of
access control is the most difficult to enforce?
A. Content-dependent access control
B. Name-dependent access control
C. History-dependent access control
D. Context-dependent access control

Q1385. In relation to online output production and distribution which of the
following exposures is LEAST LIKELY to be covered by source
controls?
A. Lack of authenticity in relation to files that can be accessed
publicly through Internet
B. Unauthorised modification of an online output distribution list kept
on a list server
C. Unauthorised placement of copyrighted information in Web pages
D. Inappropriate use of information obtained from a bulletin board

Q1386. In the case of a generalised software that is available to interrogate the
operations audit trail in the processing subsystem, which of the following
would NOT be a report that could be typically generated?
A. Account implosion report
B. Program run time report
C. Hardware utilisation report
D. Report on programs abnormally terminated

Q1387. In the case of online output, which of the following is LEAST LIKELY to
be an exposure covered by disposition controls?
A. Unauthorised copying of online output to diskettes
B. Unauthorised viewing of confidential data displayed on a screen
by a passerby
C. Failure to forward e-mail received in a general mailbox to persons
responsible for addressing the matters mentioned in the e-mail
D. Forwarding of confidential e-mail to unauthorised parties

Q1388. In Windows XP, which component controls access to the credentials of
users who are permitted to log onto the system?
A. Certification Authority
B. Credentials Prompting User Interface
C. Group Policy Settings
D. Local Security Authority

Q1389. Inaccurate data input can NOT be detected by the employment of which
of the following controls?
A. Reasonableness checks
B. Validity checks
C. Completeness checks
D. Hash totals and run-to-run totals

Q1390. Information system crimes and abuses in comparison to those of the
general category are likely to be
A. Of less serious nature
B. Unaffected by stringent legal and/or organizational controls
C. Of higher volume and of bigger size
D. Punishable by law relatively easily

Q1391. IS Auditor performing a security review will perform all the following
steps. However he will begin with -
A. Test of evidence of physical access at suspected locations
B. An overview understanding of the functions being audited and
evaluate the audit and business risk
C. Determine the risks/threats to the data center site
D. Interviewing people at the site for the specific tasks performed by
them.

Q1392. IS security policy of an organisation will not contain details about the
following:
A. the overall security philosophy of the organisation
B. the authorisation procedure for accessing data
C. security awareness programme
D. highlights and identity of the sensitive security features

Q1393. It would not be possible to use the Checkpoint/restart facilities when:
A. A Power loss occurred
B. The hardware temporarily malfunctioned.
C. A wrong tape reel is loaded in a multireel file
D. The program contained a serious logic error

Q1394. Kerberos is a user authentication mechanism. Which of the following
methods does it not use to establish a secure connection between the
client and the target server?
A. Tickets
B. Secret key
C. Password
D. Encryption

Q1395. Lock-and-key mechanism is MOST likely to be used in which of the
following types of real memory access control system?
A. Single user, contiguous storage allocation system
B. Multiple user, contiguous storage allocation system
C. Single user, non-contiguous storage allocation system
D. Multiple user, non-contiguous storage allocation system

Q1396. Logging of authorised and unauthorised attempts to access the
computer systems and disconnection of a terminal after it has been
inactive for a period of time are classified as
A. Physical access controls
B. Terminal access controls
C. Processing controls
D. Operations controls

Q1397. Logical access controls are built into___________
A. software and operating system
B. Operating system, hardware and communication devices
C. Software, hardware, operating system and communication devices
D. Communication devices and operating system

Q1398. Logical access security could be compromised by various elements
of a computer system. Which one of the following could contribute to
compromise of security?
A. Smart cards with PIN
B. Non-reusable passwords
C. Last login messages
D. Network cabling

Q1399. Many users on a network want to use a single Operating System (OS)
to perform their tasks. Which of the following operating systems can be
used in this situation?
A. Real-time Operating System (RTOS)
B. Single-User Operating System
C. Multi-tasking Operating System
D. Multi-user Operating System

Q1400. Mr. R. sends a signed message to Mr. S. If Public Key cryptosystem
is used for sending the messages, then Mr. R. encrypts the message
under the -
A. Mr. R.'s private key.
B. Mr. S.'s public key
C. Mr. R.'s public key
D. Mr. S.'s private key

Q1401. On-Line Analytical Processing (OLAP) is a much better solution than
data warehousing as OLAP supports:
A. On-line access
B. Decision making
C. Relational databases
D. Large amounts of data storage

Q1402. Networked micro computers can be protected from viruses by practising
the following EXCEPT –
A. Unchecked bulletin board software should not be allowed to be
used
B. Installing a latest anti-virus software
C. Implementing the corporate security policy for the IS environment
D. Using untested software on system and testing new software
before use.

Q1403. Notebook computers are portable and used to access the company’s
database while the executives are on travel. Which of the following
would provide the least security for sensitive data stored on a notebook
computer?
A. Encryption of data files on the notebook computer.
B. Setting up a password for the screensaver program on the
notebook computer.
C. Installing an access control software.
D. Using a locking device that can secure the notebook computer to
an immovable object.

Q1404. On a computer, the Random Access Memory is limited to 32 M. The
operating system allocates memory for an application, which needs
more memory to run by using?
A. Main Memory
B. Cache Memory
C. Virtual Memory
D. Read Only Memory (ROM)

Q1405. On June 23, 2000, an accounting clerk prepared an invoice dated June
33, 2000 and sent it to data entry as part of a batch of invoices. The
input control most likely to detect this error is:
A. Completeness (field) test
B. Size check
C. Hash total
D. Range check

Q1406. One of the advantages of using naming convention for access control
is that -
A. ambiguity in the resource name is avoided
B. rules for protecting resources can be minimised
C. naming convention gives a unique identity to the resources
D. fancy and international names can be used

Q1407. One of the disadvantages of residual dumping is:
A. It cannot take place as a background operation
B. There is less flexibility in levelling system workloads
C. There is more duplicate backup
D. Recovery is more complex than with physical dump

Q1408. One of the main advantages of employing biometric devices is that -
A. it provides effective physical access control
B. it helps check virus attack
C. it monitors air pollution
D. it helps detect electromagnetic fields in the area

Q1409. One of the main tasks performed by a Security Administrator is -
A. formulating the data classification methodology
B. supervision of data entry
C. error correction in the data entry
D. distribution of output

Q1410. One of the production supervisors who has got access to the corporate
database sold sensitive product pricing information to a competitor.
Which of the following controls would best prevent such a situation?
A. Software configuration management is established and enforced
B. User access to the corporate database is controlled by passwords
C. Data ownership resides with the most appropriate users
D. Access privileges are established on a need-to-know basis

Q1411. Output control is best described by which of the following?
A. the controls that are designed to provide reasonable assurance
that data received for processing have been properly authorized
and are in a suitable form
B. the controls that provide reasonable assurance that all
transactions are processed as authorised
C. the controls that prevent unauthorised and improper use of data
and program
D. the control that reconciles input with processing control totals to
ensure that all transactions have been processed and gives a
reasonable assurance of the accuracy of processing results and
that only authorized personnel receive the results.

Q1412. Overall responsibility to protect and control the database and monitor
and improve the efficiency of the database are the job of -
A. Security administrator
B. Data owner
C. Data custodian
D. Database administrator

Q1413. Password control procedures incorporate all the following features
EXCEPT -
A. Forcing frequent changes of password by the user
B. Ensuring that the passwords are not distributed indiscriminately
C. Disabling all the redundant passwords
D. Helping the user by reminding the user's password through the
screen

Q1414. Passwords are the commonly used technique to identify and
authenticate a user to a computer system. Which of the following
password-related factors cannot be tested by an auditor?
A. Password secrecy
B. Password storage
C. Password length
D. Password lifetime

Q1415. Processing control procedures include
A. Authorisation and authentication of users
B. Access control for on line data
C. Reporting of before and after images
D. Reasonableness checks and Hash totals

Q1416. Protection of a system from virus can be ensured by complying with
which of the following activities?
A. all diskettes once they are checked for virus, should be made
write protected
B. all new software should be installed only after scanning for
viruses
C. after checking the diskettes for virus, daily before booting, then
boot the system by using the checked diskettes only
D. no vendor should be allowed to show their demonstration in the
company's systems

Q1417. Retention date on magnetic tape files would:
A. Enable files with the same generation number to be distinguished
B. Indicate when the file should be again backed up
C. Prevent the file from being overwritten before the expiry of the
retention date
D. Prevent the file from being read before expiry of the retention
date

Q1418. Select the BEST control to mitigate the risk of creation of duplicate user
name and password during sign on procedures, if encountered during
an audit of an IS configuration.
A. security policy should be modified
B. users should be educated about weak password
C. proper validation procedures to be built in during user creation
and password change
D. require a periodic review of matching of user ID and passwords
for detection and correction

Q1419. Session-hijacking refers to
A. A type of attack where the web pages are defaced
B. A type of attack where the session ids of other users are guessed
C. A type of attack leading to increased privileges for the attacker
D. Using sessions to track the state of users

Q1420. Specify the IS application control in the following, while others are
general controls -
A. the security policy of the company and the organisation and
control of security activity
B. all the physical access control routines
C. control over the systems installed
D. Hash totals and batch totals

Q1421. Spooling software can be subject to one of the following control
problems:
A. It is error-prone because the software is highly complex.
B. The output could be redirected to another printer.
C. It can be used to obtain an unauthorized copy of a report.
D. The output could be cancelled before printing.

Q1422. The access control program in a Database Management system can
control access to which of the following?
A. Data storage locations
B. Subroutines
C. Data elements, files and records
D. Programs

Q1423. The answer sheets in most examinations require the candidates to
answer by marking the correct choice. This kind of data is converted
into computer readable form through:
A. Optical Character Reader (OCR)
B. Optical Mark Reader (OMR)
C. Magnetic Ink Character Reader (MICR)
D. None of the above

Q1424. The auditor before commencing audit of access controls should obtain
the following information by interviewing the organisation’s staff
A. IT organisation structure
B. Key business activities
C. Significant changes to network
D. Method of authorising access

Q1425. The best information about unauthorized input from a terminal can be
derived from which of the following?
A. Printout of the Console log
B. Transaction journal
C. Error report
D. Listing of all suspense files generated automatically

Q1426. Which of the following is a passive measure for securing the Linux
Operating System?
A. Restricting administrator access
B. Logging
C. Running only necessary services
D. Application auditing

Q1427. The control practice of installing and using anti-virus software is
classified as -
A. detective control practices
B. preventive control practices
C. corrective control practices
D. compensating control practices

Q1428. The control procedure of totalling specified fields in a series of
transactions or records, to check whether transactions or records are
either lost or entered or transmitted incorrectly or duplicated, is called -
A. limit checks on calculated amounts
B. programmed controls
C. existence check
D. hash totals

Q1429. The control procedure to be followed in the administration of password
should incorporate the following feature:
A. Password can be displayed on terminal screen for correct
entering by the user
B. Password may be shared by the user for easy and fast access
C. Password should be changed by the user frequently
D. Password should not be changed by the user frequently

Q1430. The control to provide security against accidental destruction of records
and to ensure continuous operations is called -
A. A processing control
B. An operations control
C. A development control
D. A documentation control

Q1431. The default authentication mechanism in a Solaris System is Kerberos.
If a third party mechanism is to be implemented instead of the default,
which of the following can be used for this purpose?
A. Access Control Lists
B. Secure NFS Distributed File Service
C. Solstice SunScreen
D. Pluggable Authentication Module

Q1432. The Digital Signature system uses the services of an Arbitrator to
prevent
A. the complaint of non-receipt of message by the receiver
B. the sender from disowning the message
C. forging of messages by the receiver
D. defrauding by the receiver by colluding with the sender.

Q1433. The first step in the installation of an information security program is
the -
A. Installation of a security control software
B. A detailed review by the IS Auditor of the security controls
C. Preparation of the information security standards manual
D. Formulation of a corporate information security policy and its
adoption by the top management

Q1434. The following are examples of some of the preventive controls in
practice, EXCEPT -
A. shutting down of the terminal after a pre-determined number of
unauthorized attempts
B. forcing the change of employee password periodically
C. the log book review by security personnel
D. scanning of all floppies before being loaded into the system

Q1435. The following control procedure helps us verify data values through
various stages of application processing, ensuring that data read into
the computer was accepted and then applied to the updating process
A. Edit checks
B. Run-to- run totals
C. Completeness checks
D. Reasonableness checks

Q1436. The following is NOT a pre-requisite for installing a new anti-virus
software
A. the machine should have a compatible operating system
B. the security policy should be clear about administration of the
anti-virus policy
C. the installation of the anti-virus software should be properly
authorised
D. the earlier anti-virus software should be uninstalled.

Q1437. The following measures will protect the computer systems from virus
attack EXCEPT:
A. once the diskettes are checked for virus and cleaned, write
protect them
B. all new software before loaded should be scanned for viruses and
cleaned
C. no demonstration packages should be allowed to be run on the
company owned machines
D. always boot from the diskettes

Q1438. The following resources are protected by Logical access controls
A. All the nodes in a LAN
B. The entire storage devices in all the servers
C. All the back up storage devices and the backed up floppies &
disks
D. Data ownership and classification

Q1439. The IS Manager of a small company senses that unrestricted access
to production library results in the risk of untested programs being
installed. Which one of the following controls would protect the
production libraries without compromising the efficienc
A. Restrict updating and read access to one position
B. Permit updating and read access for everyone in IS
C. Permit updating for everyone in IS but restrict read access to
source code to one position
D. Restrict updating to one position but permit read access to
source code for everyone in IS

Q1440. The IS security policy of a company usually incorporates all of the
following features EXCEPT -
A. complete details about the computer hardware and software used
B. commitment of the management for the implementation of the
policy
C. procedure for authorising access to computer resources
D. details of complete authentication steps and security procedures
to allow access

Q1441. The main activity of the input/output control function is -
A. Loading and returning of master data tape files
B. Loading and returning of transaction data tape files
C. Verifying the key data
D. Keeping a log of all batches and hash total reconciliation

Q1442. The management must take various security measures to mitigate the
risk. Which of the following measures aims to minimise the damage and
prevent the reoccurrence of incident?
A. Reductive measure
B. Detective measure
C. Repressive measure
D. Corrective measure

Q1443. The most appropriate audit strategy for a large organisation which relies
on comprehensive user controls over the micro computer usage is -
A. Tests of user controls
B. Edit checks of data entered
C. Tests of general controls
D. Substantive tests of executed program logic

Q1444. The most serious exposure in a Digital Signature system is caused by
which of the following?
A. Receiver's private key becoming public
B. Sender's private key becoming public
C. Key server's private key becoming public
D. Forgery of public keys

Q1445. The password administration procedure should follow the following
principle in implementing the access control:
A. Passwords may be changed by the user at his discretion
and users at their discretion need not even change the initial
password allotted also
B. Initial password assignment shall be done by the user department
incharge
C. The system should display the password to enable the user to
enter it correctly
D. Password files are encrypted and the system should force
the user to change the initial password allotted and also at
subsequent intervals.

Q1446. The person responsible for providing access rights to each of the user
and access profile for each data element stored in the computer system
is -
A. Data Custodian
B. Security administrator
C. Data owner
D. The database administrator

Q1447. The primary objective of security software is to:
A. Control access to information system resources.
B. Restrict access to prevent installation of unauthorized utility
software.
C. Detect the presence of viruses.
D. Log attempts of unauthorized access.

Q1448. The process of creating sample transactions for processing through a
system to generate results for comparison with predetermined results
is:
A. Desk checking
B. Random sampling
C. Use of a test deck
D. Parallel simulation

Q1449. The public audit trail of a Digital Signature system will not contain which
of the following?
A. Public Key registrations
B. Signature registrations
C. Key compromise notifications
D. Private key modifications

Q1450. The salient features of the data file access control shall address the
following EXCEPT –
A. Access by computer data entry operators
B. Access through terminals
C. Access by production programs
D. Access to physical resources

Q1451. The technical support personnel should have unlimited access to all
data and program files to do their job. Which of the following is the right
prescription for proper access authority devolution.
A. Such access authority is appropriate, if they are logged
completely.
B. Such access authority is appropriate because they have the full
knowledge and understanding about the entire system.
C. Such access authority is inappropriate because it violates the
principle of “access on need-to-know basis, irrespective of
position”
D. Such access authority is inappropriate because they have the full
knowledge and understanding about the system

Q1452. The test of access control, over a distributed database, can be carried
out by -
A. Reconciliation of batch control totals
B. Examination of logged activity
C. Prohibition of random access
D. Analysis of system generated core dumps

Q1453. The validity of a program recalculation could be audited by the following
techniques except:
A. Use of Generalized Audit software
B. Source code review
C. Source code comparison
D. Manual recalculation of sample items

Q1454. To determine the authorized sign on in an EDI transaction, the EDI
system uses the following method
A. User ID and Password
B. Anti-virus and anti-piracy softwares
C. DES Cryptosystem
D. Digital signature.

Q1455. To effectively prevent intrusion, usually the following controls are
established. Of these, which control BEST detects intrusion attempts
effectively?
A. only through authorized procedures, user creation and privileges
are granted
B. procedure to ensure that the workstation is logged off
automatically when not in use for a particular period of time
C. unsuccessful attempts after a specified number of times, should
result in the automatic log off of the workstation
D. log of unsuccessful log on attempts are reviewed online and the
active monitoring of the same by the security administrator

Q1456. To ensure that only authorised transactions have been posted to
accounting records, which of the following controls can be relied upon?
A. Proper physical access control procedures
B. Proper password security administration procedure
C. Proper authorisation procedure for the input documents
D. Periodic closing balance total calculation from the opening
balance and the authorised input transaction and comparing the
same with the system closing balance output.

Q1457. To prevent virus attack effectively in an IS environment, the first and the
foremost step to be taken is -
A. formulating and adopting a detailed anti-virus policy for the
organisation as a whole and appraising all users about the same
and implementing it.
B. Installing the latest anti-virus software regularly
C. Prohibiting the usage of disk drives in workstations
D. Have a proper and highly secured physical access control
environment

Q1458. To properly control access to accounting data held in a Database
Management System, the database administrator should ensure that
database system features are in place to permit:
A. Read-only access to the database files.
B. Updating from privileged utilities.
C. Access only to authorized logical views.
D. User updates of their access profiles.

Q1459. To protect computer systems from short term power fluctuations, the
best environmental control is -
A. an alternative source of power
B. a dedicated power generator
C. a UPS and spike buster
D. a continuous voltage stabilizer

Q1460. Under certain conditions, an inventory batch-update program ignores
transactions with invalid transaction code types. Which of the following
controls would detect the presence of such errors in processing:
A. Check digit
B. Limit test
C. Hash total
D. Reasonableness test

Q1461. Uninterruptible power supply (UPS) systems are an environmental control
to address electric power failures. Which one of the following factors
would be a least concern in selecting a UPS system?
A. The quantity of the electric load it can support
B. The time duration when it can support the load in case of mains
power failure
C. Size of the gas fuel supply
D. The speed with which it assumes the load when the primary
source fails

Q1462. Updating of master records critical field can be monitored by which of
the following?
A. check digit fields to ensure that it contains the correct type of
characters
B. a key field to detect transposition or other data entry errors
C. verification before updating and after updating of the master
report
D. run to run control totals

Q1463. What feature of Windows 2000 allows for delegation of security
responsibilities in terms of group policies?
A. Kerberos
B. Centralised Management
C. Encrypted File System (EFS)
D. NTLM Authentication

Q1464. User authentication determines who is making a system request or
access. There are various ways by which users can identify themselves
to a computer system. Which of the following identification techniques
provide the best means of user authentication?
A. What the user knows
B. What the user has and what the user knows
C. What the user is
D. What the user has

Q1465. Validation of a transaction is carried out by the following control function:
A. Authentication of data entry by a supervisor of another
department
B. Authentication of data entry by a supervisor of the same user
department
C. Reasonableness check & completeness check carried out on the
data entry
D. Comparison of the transaction against predefined criteria, by a
separate program

Q1466. What does the Automated Security Access Tool (ASET) (provided by
Solaris) in Medium setting, do?
A. Checks for file permissions and makes sure standard permissions
are set
B. It modifies permissions of certain system files (such as ttytab, etc.)
and restricts access
C. Makes the OS highly secure by severely restricting access
D. Denies login attempts and checks for passwords

Q1467. What feature of Linux allows a secure connection between client and
server for generally insecure services such as Telnet?
A. Password Protection
B. Logging
C. Secure Sockets Layer (SSL)
D. Secure Shell (SSH)

Q1468. What feature of Microsoft Windows XP Professional protects the data of a user even if the computer is shared between users?
A. Passwords
B. Network Access controls
C. Firewall
D. Encrypting File System

Q1469. What feature of the Windows 2000 Operating System provides a single,
centralised security administration capability?
A. Active Directory Integration
B. Flexibility in Authentication
C. Consistently enforcing Authorisation
D. Public Key Infrastructure

Q1470. When an account number is entered into an online banking system, the computer responds with a message that reads: “The account number you entered is not assigned to an active account. Please re-enter.” What technique is the computer using?
A. Existence check
B. Dependency check
C. Format check
D. Check digit

Q1471. When the results of production data files processing with a generalized
audit software do not agree with the total balance according to the
inventory application reports, what should the IS Auditor do first?
A. Tell data processing that the inventory application has a bug in it.
B. Review the data field definitions and logic in the audit software.
C. Rerun the audit software against a backup of the inventory
master file.
D. Process the data using a different generalized audit software.

Q1472. When a user department reports an input error to the EDP department, the best way to verify whether the erroneous input was processed, and if so to what extent, is the control procedure used to track the distribution of data, namely:
A. check digit verification
B. input edit check verification
C. error log
D. verification of the transmittal document

Q1473. When transmitting online output through Internet, which of the following
controls is likely to offer MOST protection?
A. Symmetric cryptography
B. Asymmetric cryptography
C. File compression algorithms
D. Message routing protocols

Q1474. Where a transaction processing application is very complex, involving many sources of data capture and many routes for output, which of the following controls is used to ensure that transactions are not lost during processing?
A. controls for validating data
B. checking of internal credibility
C. manual control procedures
D. balancing procedures through the system itself automatically

Q1475. Which component in the Java Virtual Machine checks the compiled
code to see if it matches all the rules and specifications of the Java
language?
A. Class Loader
B. Security Manager
C. Byte code Verifier
D. Garbage collector

Q1476. Which of the following access rights, if allotted to a computer operator, would violate standard access control rules?
A. Right only to read data
B. Right to read and execute program
C. Access to Job control languages/script files
D. Authority to access and delete transaction data files

Q1477. Which of the following allows the most granular access control mechanism for database security?
A. System and Object Privileges
B. Database Integrity mechanisms
C. Data Encryption
D. Row-Level Security

Q1478. Which of the following cannot prevent a Denial of Service attack?
A. Implementing good password policies
B. Router filtering, firewalls and patching the OS
C. Using centralised logging
D. Applying patches when required

Q1479. Which of the following combinations of authentication mechanisms is arranged in decreasing order of effectiveness against intrusion into computer systems?
A. Password only, password and PIN, challenge response, one-time
password
B. Password and PIN, challenge response, one-time password, and
password only
C. Challenge response, one-time password, password and PIN,
password only
D. Challenge-response, password and PIN, one-time password,
password only
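
To make the ranking concrete, the following added example (not part of the manual) pits an eavesdropper who has recorded one successful login against three of the schemes in the question: a static password, a counter-based one-time password and an HMAC challenge-response. The shared secret, the password and the OTP construction are constructed for illustration; the OTP here is a simplified HMAC-over-counter scheme, not RFC 4226 HOTP.

```python
"""Replay resistance of the authentication schemes named in Q1479.
Added example with constructed secrets; OtpServer is a simplified
HMAC-over-counter scheme (not RFC 4226), ChallengeResponseServer an
HMAC challenge-response."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

SECRET = b"constructed-shared-secret"  # assumed provisioned out of band


class PasswordServer:
    """Static password: the server stores a hash and compares it each time,
    so whatever satisfied it once satisfies it again."""

    def __init__(self, password: bytes) -> None:
        self._stored = hashlib.sha256(password).digest()

    def login(self, presented: bytes) -> bool:
        return hmac.compare_digest(hashlib.sha256(presented).digest(), self._stored)


class OtpServer:
    """One-time password keyed by a counter; the server never accepts a
    counter at or below the last one it honoured."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._last_counter = -1

    @staticmethod
    def code(secret: bytes, counter: int) -> str:
        mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256)
        return mac.hexdigest()[:8]

    def login(self, counter: int, code: str) -> bool:
        if counter <= self._last_counter:
            return False                      # replayed or stale code
        if not hmac.compare_digest(self.code(self._secret, counter), code):
            return False
        self._last_counter = counter
        return True


class ChallengeResponseServer:
    """Server issues a fresh random challenge; the client proves the secret
    by returning HMAC(secret, challenge). A challenge is honoured once."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._pending = set()

    def challenge(self) -> bytes:
        c = os.urandom(16)
        self._pending.add(c)
        return c

    @staticmethod
    def respond(secret: bytes, challenge: bytes) -> bytes:
        return hmac.new(secret, challenge, hashlib.sha256).digest()

    def login(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._pending:
            return False                      # unknown or already-used challenge
        self._pending.discard(challenge)
        return hmac.compare_digest(self.respond(self._secret, challenge), response)


def replay_results() -> Dict[str, Tuple[bool, bool]]:
    """For each scheme: (first login succeeds?, identical replay succeeds?)."""
    pw = PasswordServer(b"hunter2")
    password = (pw.login(b"hunter2"), pw.login(b"hunter2"))

    otp = OtpServer(SECRET)
    code = OtpServer.code(SECRET, 1)
    one_time = (otp.login(1, code), otp.login(1, code))

    cr = ChallengeResponseServer(SECRET)
    ch = cr.challenge()
    resp = ChallengeResponseServer.respond(SECRET, ch)
    challenge_response = (cr.login(ch, resp), cr.login(ch, resp))

    return {"password": password, "otp": one_time,
            "challenge_response": challenge_response}


if __name__ == "__main__":
    for scheme, (first, replay) in replay_results().items():
        print(f"{scheme:20s} first={first} replay={replay}")
```

The static password is accepted on replay because the server has no way to tell a recording from the legitimate user; the OTP and the challenge-response both bind the proof to something that is never reused (the counter, the random challenge), which is why they sit at the strong end of the ranking.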

Q1480. Which of the following control objectives is violated when proprietary software or corporate data is stolen?
A. preserving data integrity
B. ensuring system efficiency
C. achieving system effectiveness
D. safeguarding the assets

Q1481. Which of the following controls is the most basic and simple login
control?
A. Logging unsuccessful login attempts
B. Validating user-name and password
C. Sending alerts to the Security Administrator
D. Disabling accounts when a break-in occurs

Q1482. Which of the following controls would address the concern that data uploaded from a microcomputer to the company’s mainframe system in batch processing may be erroneous?
A. The mainframe computer should be backed-up on a regular basis.
B. Two persons should be present at the microcomputer when it is
uploading data.
C. The mainframe computer should subject the data to the same
edits and validation routines that on-line data entry would require.
D. The users should be required to review a random sample of
processed data.

Q1483. Which of the following controls would prevent unauthorized access to specific data elements in a database management system?
A. Sign-on verification security at the physical terminals.
B. Sign-on verification security when logging on to the database
management system
C. Authorized user access privileges for each data file or element
D. Sign-on verification security at the operating system level

Q1484. Which of the following data base environment controls enforces access
rules in addition to maintaining standardized definitions?
A. Active data dictionary system
B. Passive data dictionary system
C. Deadlock resolution
D. Record locking

Q1485. Which of the following faults is MOST LIKELY to be detected by a parity check?
A. An instruction that is not within the valid set of instructions
B. Incorrect execution of an instruction because of a design error in the logic unit
C. Corruption of data in a register by electromagnetic interference
D. Failure of a computational process in the arithmetic unit through
component fatigue

Q1486. Which of the following features may seriously affect or nullify the utility of audit trails for an application system?
A. User ids are not recorded in the audit trail
B. Security administrator can amend the details in the audit trail
C. Date and time stamps are not recorded automatically but only with manual intervention
D. Audit trail records can be amended by the users.

Q1487. Which of the following is a feature of ActiveX controls that can both be
used as well as misused?
A. ActiveX controls can be reused
B. ActiveX controls can access system resources
C. Many pre-developed controls for performing many tasks are
available
D. Execution of ActiveX controls can be controlled using Internet
Explorer security settings

Q1488. Which of the following is a major problem associated with terminal-dependent access controls?
A. Terminals can be allowed to access specific transactions
B. Terminals can be allowed to access specific resources
C. A specific access control procedure can be associated with the
definition for a terminal
D. The security specified for the terminal can override any security
allocated to the user of the terminal

Q1489. Which of the following is an advantage of hardware-based keystroke logging over surveillance cameras for observing data input?
A. Physical access to the equipment
B. Electrical interference does not affect the functioning
C. Technical skill is not required
D. Independent of the Operating System

Q1490. Which of the following is an operating system penetration technique which takes advantage of the time during which a legitimate user is still connected to the system but is inactive?
A. Masquerading
B. Piggybacking
C. Between lines entry
D. Spoofing

Q1491. Which of the following is LEAST likely to be an objective of file handling controls?
A. To prevent inefficient access by programs to data
B. To ensure the correct file has been loaded for a program
C. To ensure data is retained for a certain period
D. To prevent data items from being accidentally overwritten

Q1492. Which of the following is NOT a feature of software keystroke loggers?
A. They are difficult to detect
B. No physical device is needed to be installed
C. They can transmit the keystrokes externally via the network
D. They cannot record BIOS passwords

Q1493. Which of the following is the control information that prevents undetected removal of the last page of a batch report?
A. End-of-job marker
B. Page title
C. Security classification
D. Page number

Q1494. Which of the following is the most common type of input validation to
verify the length of a number entered by a user in a numeric field?
A. Form-Level
B. Validation lists
C. Field-Level
D. Filtering Keyboard Input
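
Q1462, Q1470, Q1482 and Q1494 all turn on the same family of input edits: completeness, format and field-length checks, a check digit that catches transpositions, an existence check against the master file, and a reasonableness limit. The following added example (not code from the manual) runs those edits in the order a batch validation routine would apply them. The master file, account numbers, date format and amount limit are constructed; the check-digit scheme is Luhn (mod 10), chosen as a representative scheme since the questions do not name one.

```python
"""Input edit checks of the kind the questions above name. Added example;
the master file, account numbers, limits and the Luhn choice are assumed."""
import re
from typing import Dict, List

# Constructed master file: account number -> status (not real data)
MASTER_ACCOUNTS: Dict[str, str] = {
    "79927398713": "active",
    "4539578763621486": "active",
    "1234567812345670": "closed",
}

ACCOUNT_FORMAT = re.compile(r"^\d{8,19}$")   # digits only, 8..19 long (assumed rule)
DATE_FORMAT = re.compile(r"^\d{4}-\d{2}-\d{2}$")
MAX_AMOUNT = 1_000_000                        # assumed reasonableness limit
REQUIRED_FIELDS = ("account", "amount", "date")


def luhn_valid(number: str) -> bool:
    """Mod-10 (Luhn) check digit: every second digit from the right is doubled
    (minus 9 if over 9) and the total must be divisible by 10. A swap of two
    adjacent, unequal digits changes the total, so transpositions are caught."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def existence_check(account: str, master: Dict[str, str]) -> bool:
    """Q1470: the key must exist in the master file and refer to an active account."""
    return master.get(account) == "active"


def edit_transaction(txn: Dict[str, object], master: Dict[str, str]) -> List[str]:
    """Run the edits and return the names of the ones that failed (empty = clean).
    Field-level edits (format, check digit) run before the existence check so a
    mistyped key is reported as a data-entry error rather than a missing account."""
    failures: List[str] = []
    for f in REQUIRED_FIELDS:                 # completeness check
        if f not in txn or txn[f] in ("", None):
            failures.append(f"completeness:{f}")
    if failures:
        return failures

    acct = str(txn["account"])
    if not ACCOUNT_FORMAT.match(acct):        # format / field-length check
        failures.append("format:account")
    elif not luhn_valid(acct):                # check digit
        failures.append("check_digit:account")
    elif not existence_check(acct, master):   # existence check
        failures.append("existence:account")

    amt = txn["amount"]                       # reasonableness check
    if not isinstance(amt, (int, float)) or amt <= 0 or amt > MAX_AMOUNT:
        failures.append("reasonableness:amount")

    if not DATE_FORMAT.match(str(txn["date"])):
        failures.append("format:date")
    return failures


if __name__ == "__main__":
    sample = {"account": "79927398731", "amount": 250.0, "date": "2024-03-01"}
    print(edit_transaction(sample, MASTER_ACCOUNTS))   # transposed last digits
```

The ordering matters for the audit trail: an account number that fails its check digit is logged as a keying error, while one that passes the check digit but is not on the master file (or is closed) is logged as an existence failure, which is the condition the banking message in Q1470 reports.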

Q1495. Which of the following is the most objective and relevant evidence in a
computer system related fraud investigation?
A. Physical examination
B. Computer logs
C. Physical observation
D. Inquiries of people

Q1496. Which of the following is TRUE about perturbation controls, compared with restriction controls?
A. Allow fewer statistics to be calculated on the data contained in
the database
B. Result in an information loss associated with the variance of the
perturbed statistic around the true value
C. Are not subject to averaging attacks
D. Eliminate biases or inconsistencies that arise as a result of implementing inference controls

Q1497. Which of the following is true regarding ActiveX controls?
A. ActiveX is a completely unsafe technology
B. ActiveX controls are nothing but exe files run inside Web
Browsers
C. A digitally-signed control is completely safe
D. Even a digitally-signed control may be dangerous

Q1498. Which of the following may be the least important factor for
implementing a password control system?
A. Encrypting the password file
B. Purchasing computers with boot level password facilities
C. Limiting the distribution of passwords
D. Not writing down the password

Q1499. Which of the following methods can detect burst errors only if the number of errors in each data unit is odd?
A. Vertical Redundancy check (VRC) - even parity
B. Vertical Redundancy check (VRC) - odd parity
C. Longitudinal Redundancy Check (LRC)
D. Checksum
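
Q1485 and Q1499 both rest on what a parity bit can and cannot see. The following added example (not from the manual) implements a vertical redundancy check (one even-parity bit per character) and a longitudinal redundancy check (even parity down each bit column, i.e. the XOR of the block), then corrupts a constructed five-byte block with four error patterns to show which check catches which: VRC misses an even number of flipped bits inside one character, LRC misses an even number of flips in one column, and a 2x2 "rectangle" of flips evades both.

```python
"""Vertical (per-character) and longitudinal (per-block) redundancy checks,
and the error patterns each one misses. Added example; DATA and the
bit-flip patterns are constructed."""
from typing import Dict, Iterable, List, Tuple

DATA = b"AUDIT"   # constructed block of five characters


def even_parity_bit(byte: int) -> int:
    """VRC with even parity: parity bit = 1 iff the byte has an odd number of
    1-bits, so byte plus parity always carries an even count."""
    return bin(byte & 0xFF).count("1") % 2


def vrc_encode(data: bytes) -> List[Tuple[int, int]]:
    """Attach a parity bit to every character."""
    return [(b, even_parity_bit(b)) for b in data]


def vrc_failures(frames: Iterable[Tuple[int, int]]) -> List[int]:
    """Indices of characters whose data no longer agrees with their parity bit."""
    return [i for i, (b, p) in enumerate(frames) if even_parity_bit(b) != p]


def lrc(data: bytes) -> int:
    """LRC: even parity computed down each bit column, i.e. XOR of all bytes."""
    acc = 0
    for b in data:
        acc ^= b
    return acc & 0xFF


def flip_bits(data: bytes, flips: Iterable[Tuple[int, int]]) -> bytes:
    """Return a corrupted copy; flips = [(byte_index, bit_index), ...]."""
    buf = bytearray(data)
    for byte_index, bit_index in flips:
        buf[byte_index] ^= 1 << bit_index
    return bytes(buf)


def detect(original: bytes, received: bytes) -> Dict[str, bool]:
    """Which check notices the difference? The parity bits and the LRC are
    assumed to have arrived intact; only data bytes are damaged."""
    sent = vrc_encode(original)
    received_frames = [(b, p) for b, (_, p) in zip(received, sent)]
    return {
        "vrc": bool(vrc_failures(received_frames)),
        "lrc": lrc(received) != lrc(original),
    }


# Constructed error patterns, from the single flip every scheme catches to
# the 2x2 rectangle that evades both VRC and LRC.
PATTERNS = {
    "one_bit":              [(0, 0)],
    "two_bits_same_byte":   [(0, 0), (0, 1)],   # even count per unit: VRC blind
    "two_bits_same_column": [(0, 0), (1, 0)],   # even count per column: LRC blind
    "rectangle":            [(0, 0), (0, 1), (1, 0), (1, 1)],
}


def run_patterns(data: bytes = DATA) -> Dict[str, Dict[str, bool]]:
    return {name: detect(data, flip_bits(data, flips))
            for name, flips in PATTERNS.items()}


if __name__ == "__main__":
    for name, result in run_patterns().items():
        print(f"{name:22s} VRC={result['vrc']!s:5} LRC={result['lrc']!s:5}")
```

Odd versus even parity makes no difference to coverage: both flip on an odd number of errors in the unit and stay silent on an even number, which is why Q1499 keys on the parity of the error count rather than on the parity convention.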

Q1500. Which of the following pairs of items are related to each other?
A. The segregation of duties principle, the “least privilege” principle
B. The parity check, the reasonableness check
C. The single-key system, the Rivest-Shamir-Adleman (RSA) algorithm
D. The two-key system, the Data Encryption Standard (DES) algorithm

Q1501. Which of the following physical access control devices would be most
effective for a high security installation?
A. Proximity sensing card reader
B. Retina scanner
C. Photo identification card
D. Magnetic card reader

Q1502. Which of the following risks is not associated with utility programs?
A. Unauthorized manipulation of data
B. Incorrect batch totals
C. Override of password checking
D. Bypassing of system controls

Q1503. Which of the following security procedures is least useful in preventing unauthorized access to on-line systems?
A. Terminal time-out from inactivity
B. Callback on dialup lines
C. Data encryption
D. Screen saver passwords

Q1504. Which of the following should be the least important criterion for selecting a security software package?
A. The memory and hard disk space used by the package
B. Compatibility with the in-house database management system
C. The financial stability of the software supplier
D. The number of personnel on the software supplier’s staff

Q1505. Which of the following statements is true about a “Trojan horse”?
A. It is a useful computer program
B. It is a malicious computer program
C. It is an anti-virus package
D. It is a powerful supercomputer

Q1506. Which one of the following recovery strategies has the GREATEST chance of failure due to systems and personnel changes?
A. Hot site
B. Cold site
C. Reciprocal agreement
D. Redundant site

Q1507. The business impact analysis should critically examine the business
processes looking MOST at their:
A. Composition
B. Priorities
C. Dependencies
D. Service levels

Q1508. ------------------- act on behalf of the whole network to completely separate packets from internal hosts and external hosts.
A. Proxies
B. Honeypots
C. IDSs
D. IPSs

Q1509. With respect to BCP, critical activities can be segregated into:
A. Essential activities, recommended activities, non-essential
activities
B. Essential activities and non-essential activities
C. Recommended activities and non-essential activities
D. There is no segregation

Q1510. The purpose of establishing an Information System Security Evaluation Team is to
A. Guide the management and help them in protecting information
assets
B. Help in recruitment of the staff
C. Assist in appointing auditors
D. Frame the security and other policies of the company

Q1511. Which of the following business continuity planning and reconstruction teams is responsible for updating the application database, working from terminals at the user recovery site during a reconstruction?
A. Application team
B. Network recovery team
C. Emergency operation team
D. Data preparation and records team

Q1512. The MOST significant level of business continuity planning program development effort is generally required during the:
A. Testing stage
B. Evaluation stage
C. Maintenance stage
D. Early stages of planning

Q1513. A company performs full backup of data and programs on a regular basis. The primary purpose of this practice is to:
A. Maintain data integrity in the applications
B. Restore application processing after a disruption
C. Prevent unauthorized changes to programs and data
D. Ensure recovery of data processing in case of a disaster

Q1514. An IS auditor reviewing an organization’s information systems disaster recovery plan should verify that it is:
A. Tested every 6 months
B. Regularly reviewed and updated
C. Approved by CEO
D. Communicated to every departmental head in the organization

Q1515. During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be PRIMARILY concerned about:
A. The soundness of impact analysis
B. Hardware and software compatibility
C. Differences in IS policies and procedures
D. Frequency of system testing

Q1516. Which of the following methods would best ensure the adequacy of a
disaster recovery plan?
A. Regular reviews of timeliness of information detailed in the plan
B. Unannounced shut down of the primary installation during quiet
periods
C. Regular recovery exercises using expert personnel
D. Unannounced recovery exercises at regular intervals

Q1517. Classification of information systems is essential in business continuity planning. Which of the following systems cannot be replaced by manual methods?
A. Critical systems
B. Vital systems
C. Sensitive systems
D. Non-critical systems

Q1518. The window of time for recovery of information processing capabilities is based on the:
A. Criticality of the processes affected
B. Quality of data to be processed.
C. Nature of the disaster.
D. Applications that are mainframe based

Q1519. Which of the following would best describe a cold backup site?
A. A computer facility with electrical power and HVAC, all needed
applications installed and configured on the file/print servers, and
enough workstations present to begin processing
B. A computer facility with electrical power and HVAC but with
no workstations or servers on site prior to the event and no
applications installed.
C. A computer facility with no electrical power or HVAC
D. A computer facility with electrical power and HVAC and some
file/print servers, although the applications are not installed or
configured and all of the workstations may not be on site or ready
to begin processing

Q1520. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A. Developments may result in hardware and software
incompatibility.
B. Resources may not be available when needed
C. The recovery plan cannot be tested
D. The security infrastructure in each of the company may be
different

Q1521. Losses can be minimized MOST effectively by using outside storage facilities to do which of the following?
A. Include current, critical information in backup files
B. Ensure that current documentation is maintained at the backup
facility
C. Test backup hardware
D. Train personnel in backup procedures.

Q1522. Which of the following pairs of phrases is the BEST example of operating watchwords to remember in developing disaster recovery plans?
A. No policy, No procedure
B. No ring, No write
C. No backup, No recovery
D. No security, No protection

Q1523. Determining the criticality of each computer-based application system in the production environment is important so that scarce resources can be allocated to highly critical systems. The BEST way to accomplish this objective is to:
A. Ask the application programmer who is developing and/or
maintaining the system
B. Ask the computer operator who are running day-to-day production
jobs
C. Ask the internal and external auditors during their routine audit
work
D. Ask the end users how they would continue their operations if the
system were unavailable for a specified period of time

Q1524. At the end of a simulation of an operational contingency test, the IS auditor performed a review of the recovery process. The IS auditor concluded that the recovery took longer than the critical time frame that was necessary. Which of the following actions w
A. Widen the physical capacity to accomplish better mobility in a
shorter time.
B. Shorten the distance to reach the hot site.
C. Perform an integral review of the recovery tasks
D. Increase the number of human resources involved in the recovery
process

Q1525. While reviewing the business continuity plan of an organization, the IS auditor observed that the organization’s data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?
A. Deterrence
B. Mitigation
C. Recovery
D. Response

Q1526. There are several methods of providing telecommunications continuity. The method of routing traffic through split cable or duplicate cable facilities is:
A. Alternative routing
B. Diverse routing
C. Long haul network diversity
D. Last mile circuit protection

Q1527. Which of the following is a continuity plan test that uses actual
resources to simulate a system crash to cost effectively obtain evidence
about the plan’s effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walkthrough

Q1528. Responsibility for business continuity rests with management and IT operations. Which of the following does management NOT need to ensure?
A. The plan is tested
B. Plan is maintained
C. Plan is distributed to authorised people
D. Plan is static

Q1529. What is it called when the firewall ignores an attack?
A. Shunning
B. Logging
C. Notification
D. False negative

Q1530. Secured waste, audit checks, and applicant screening are all forms of:
A. Data security
B. Software protection
C. Privacy detection
D. License protection

Q1531. One form of built-in software protection for data is:
A. User profiles
B. Secured waste
C. Applicant screening
D. Audit checks

Q1532. Which device can limit traffic on a network and allow access onto
specific TCP/IP port numbers when security is a concern?
A. Firewall
B. Hub
C. DNS
D. Modem

Q1533. Authorisation to make multiple software copies is called:
A. Site licensing
B. Copy protection
C. Copy control
D. Controlled privacy

Q1534. To reduce the possibility of security break-ins from unauthorised users, which of the following should be implemented?
A. Firewall
B. Packet sniffers
C. Port scanners
D. Intrusion detection system

Q1535. What is the purpose of a port scanner?
A. Search the network host for open ports
B. Scan UDP for closed ports
C. Scan TCP for closed ports
D. Scan IP for closed ports
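
The following added example (not code from the manual) is a minimal TCP connect() port scanner of the kind Q1535 describes, run against a throwaway listener on the loopback interface so that the whole thing works offline. The listener and the port choices are constructed; a scanner like this should only ever be pointed at hosts you are authorised to test.

```python
"""TCP connect() port scanner run against a constructed local listener.
Added example; LocalListener is a stand-in target, not a real service."""
import socket
import threading
from typing import Dict, Iterable, List


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> List[int]:
    """Return the ports that complete a TCP handshake. connect_ex() returns an
    errno instead of raising: 0 means the handshake completed (open); a refusal
    means closed; a timeout usually means something dropped the SYN (filtered)."""
    open_ports: List[int] = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


class LocalListener:
    """Constructed target: accepts and immediately closes connections on an
    OS-chosen loopback port."""

    def __init__(self) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)      # lets the accept loop notice close()
        self.port: int = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            conn.close()

    def close(self) -> None:
        self._stop.set()
        self.sock.close()


def free_port() -> int:
    """A loopback port that is currently closed: bind an ephemeral port, read
    its number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, object]:
    """Scan one listening port and one closed port on loopback."""
    listener = LocalListener()
    try:
        closed = free_port()
        while closed == listener.port:
            closed = free_port()
        found = scan_ports("127.0.0.1", [listener.port, closed])
        return {"listening": listener.port, "closed": closed, "open": found}
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo())
```

The scanner reports only ports that complete the handshake. Distinguishing a refused connection (closed) from a timeout (filtered, typically by the firewall Q1532 asks about) is the natural next refinement, using the errno that connect_ex() returns; a connect() scan is also the noisiest kind, since every open port sees a full connection in its logs.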

Q1536. Both data integrity and system security are required to:
A. Protect a person’s right to privacy
B. Increase the speed of processing
C. Reduce the cost of processing
D. Eliminate the need for data backup

Q1537. Internal controls are the rules and procedures that are followed to
maintain the integrity and security of:
A. The data, records and financial assets of an organization
B. The hardware and networks in an organization
C. Policies
D. The Internet

Q1538. You have a remote user who can connect to the internet but not to the
office via their VPN client. After determining the problem, which should
be your next step?
A. Make sure the user has the correct VPN address and password
B. Have the client reboot their host
C. Have the client reinstall their VPN software
D. Reboot the router at the corporate office.

Q1539. If you have a device in a telecommunications closet owned and installed by the telecommunications company (telco) and it’s your responsibility to cable from this box to the CPE, which term should you use to refer to the device?
A. Demarcation point
B. Customer premises equipment
C. Toll network
D. Central office

Q1541. Which of the following govern how the network is configured and
operated as well as how people are expected to behave on the
network?
A. Policies
B. Baselines
C. Laws
D. Procedure

Q1542. The “what you are” criteria for computer system access involve:
A. Biometrics
B. A badge
C. A swipe card
D. A password

Q1550. Which is not a type of access control list (ACL)?
A. Standard
B. Referred
C. Extended
D. Outbound

Answers for Module 4


Q1131 Ans. D Q1159 Ans. D Q1187 Ans. D
Q1132 Ans. D Q1160 Ans. B Q1188 Ans. C
Q1133 Ans. C Q1161 Ans. B Q1189 Ans. A
Q1134 Ans. A Q1162 Ans. B Q1190 Ans. D
Q1135 Ans. D Q1163 Ans. C Q1191 Ans. C
Q1136 Ans. C Q1164 Ans. B Q1192 Ans. D
Q1137 Ans. C Q1165 Ans. B Q1193 Ans. A
Q1138 Ans. C Q1166 Ans. D Q1194 Ans. B
Q1139 Ans. D Q1167 Ans. C Q1195 Ans. B
Q1140 Ans. D Q1168 Ans. A Q1196 Ans. D
Q1141 Ans. B Q1169 Ans. C Q1197 Ans. C
Q1142 Ans. B Q1170 Ans. A Q1198 Ans. B
Q1143 Ans. C Q1171 Ans. C Q1199 Ans. A
Q1144 Ans. B Q1172 Ans. A Q1200 Ans. B
Q1145 Ans. B Q1173 Ans. D Q1201 Ans. C
Q1146 Ans. B Q1174 Ans. C Q1202 Ans. A
Q1147 Ans. B Q1175 Ans. C Q1203 Ans. B
Q1148 Ans. D Q1176 Ans. D Q1204 Ans. A
Q1149 Ans. B Q1177 Ans. D Q1205 Ans. D
Q1150 Ans. D Q1178 Ans. A Q1206 Ans. A
Q1151 Ans. B Q1179 Ans. A Q1207 Ans. C
Q1152 Ans. C Q1180 Ans. A Q1208 Ans. B
Q1153 Ans. B Q1181 Ans. D Q1209 Ans. A
Q1154 Ans. B Q1182 Ans. C Q1210 Ans. C
Q1155 Ans. D Q1183 Ans. B Q1211 Ans. C
Q1156 Ans. C Q1184 Ans. D Q1212 Ans. D
Q1157 Ans. D Q1185 Ans. C Q1213 Ans. B
Q1158 Ans. D Q1186 Ans. C Q1214 Ans. D

Q1215 Ans. C Q1245 Ans. D Q1275 Ans. C
Q1216 Ans. B Q1246 Ans. B Q1276 Ans. C
Q1217 Ans. B Q1247 Ans. D Q1277 Ans. B
Q1218 Ans. A Q1248 Ans. B Q1278 Ans. C
Q1219 Ans. A Q1249 Ans. B Q1279 Ans. B
Q1220 Ans. D Q1250 Ans. D Q1280 Ans. B
Q1221 Ans. D Q1251 Ans. C Q1281 Ans. D
Q1222 Ans. C Q1252 Ans. D Q1282 Ans. A
Q1223 Ans. D Q1253 Ans. C Q1283 Ans. D
Q1224 Ans. B Q1254 Ans. D Q1284 Ans. B
Q1225 Ans. B Q1255 Ans. C Q1285 Ans. D
Q1226 Ans. C Q1256 Ans. C Q1286 Ans. D
Q1227 Ans. A Q1257 Ans. C Q1287 Ans. D
Q1228 Ans. B Q1258 Ans. C Q1288 Ans. A
Q1229 Ans. C Q1259 Ans. D Q1289 Ans. C
Q1230 Ans. C Q1260 Ans. C Q1290 Ans. B
Q1231 Ans. D Q1261 Ans. D Q1291 Ans. C
Q1232 Ans. B Q1262 Ans. C Q1292 Ans. B
Q1233 Ans. B Q1263 Ans. B Q1293 Ans. A
Q1234 Ans. B Q1264 Ans. D Q1294 Ans. D
Q1235 Ans. D Q1265 Ans. B Q1295 Ans. A
Q1236 Ans. B Q1266 Ans. C Q1296 Ans. A
Q1237 Ans. A Q1267 Ans. B Q1297 Ans. A
Q1238 Ans. C Q1268 Ans. A Q1298 Ans. C
Q1239 Ans. D Q1269 Ans. A Q1299 Ans. A
Q1240 Ans. B Q1270 Ans. C Q1300 Ans. B
Q1241 Ans. A Q1271 Ans. A Q1301 Ans. A
Q1242 Ans. B Q1272 Ans. A Q1302 Ans. B
Q1243 Ans. C Q1273 Ans. A Q1303 Ans. C
Q1244 Ans. D Q1274 Ans. D Q1304 Ans. A

Q1305 Ans. C Q1335 Ans. C Q1365 Ans. D
Q1306 Ans. B Q1336 Ans. C Q1366 Ans. A
Q1307 Ans. D Q1337 Ans. C Q1367 Ans. D
Q1308 Ans. C Q1338 Ans. C Q1368 Ans. B
Q1309 Ans. B Q1339 Ans. C Q1369 Ans. B
Q1310 Ans. A Q1340 Ans. A Q1370 Ans. D
Q1311 Ans. D Q1341 Ans. C Q1371 Ans. C
Q1312 Ans. A Q1342 Ans. C Q1372 Ans. D
Q1313 Ans. C Q1343 Ans. D Q1373 Ans. A
Q1314 Ans. B Q1344 Ans. D Q1374 Ans. B
Q1315 Ans. D Q1345 Ans. A Q1375 Ans. B
Q1316 Ans. A Q1346 Ans. D Q1376 Ans. D
Q1317 Ans. A Q1347 Ans. C Q1377 Ans. D
Q1318 Ans. A Q1348 Ans. C Q1378 Ans. D
Q1319 Ans. C Q1349 Ans. C Q1379 Ans. C
Q1320 Ans. C Q1350 Ans. D Q1380 Ans. B
Q1321 Ans. B Q1351 Ans. B Q1381 Ans. C
Q1322 Ans. A Q1352 Ans. C Q1382 Ans. D
Q1323 Ans. A Q1353 Ans. A Q1383 Ans. B
Q1324 Ans. B Q1354 Ans. D Q1384 Ans. C
Q1325 Ans. A Q1355 Ans. C Q1385 Ans. B
Q1326 Ans. D Q1356 Ans. D Q1386 Ans. A
Q1327 Ans. D Q1357 Ans. A Q1387 Ans. B
Q1328 Ans. A Q1358 Ans. C Q1388 Ans. D
Q1329 Ans. D Q1359 Ans. C Q1389 Ans. D
Q1330 Ans. B Q1360 Ans. D Q1390 Ans. C
Q1331 Ans. D Q1361 Ans. A Q1391 Ans. B
Q1332 Ans. A Q1362 Ans. C Q1392 Ans. D
Q1333 Ans. B Q1363 Ans. B Q1393 Ans. D
Q1334 Ans. B Q1364 Ans. A Q1394 Ans. C

Q1395 Ans. D Q1425 Ans. B Q1455 Ans. D
Q1396 Ans. B Q1426 Ans. B Q1456 Ans. D
Q1397 Ans. C Q1427 Ans. B Q1457 Ans. A
Q1398 Ans. D Q1428 Ans. D Q1458 Ans. C
Q1399 Ans. D Q1429 Ans. C Q1459 Ans. C
Q1400 Ans. A Q1430 Ans. B Q1460 Ans. C
Q1401 Ans. B Q1431 Ans. D Q1461 Ans. C
Q1402 Ans. D Q1432 Ans. B Q1462 Ans. C
Q1403 Ans. D Q1433 Ans. D Q1463 Ans. B
Q1404 Ans. C Q1434 Ans. C Q1464 Ans. B
Q1405 Ans. D Q1435 Ans. B Q1465 Ans. D
Q1406 Ans. B Q1436 Ans. D Q1466 Ans. B
Q1407 Ans. D Q1437 Ans. D Q1467 Ans. D
Q1408 Ans. A Q1438 Ans. D Q1468 Ans. D
Q1409 Ans. A Q1439 Ans. D Q1469 Ans. A
Q1410 Ans. D Q1440 Ans. D Q1470 Ans. A
Q1411 Ans. B Q1441 Ans. D Q1471 Ans. B
Q1412 Ans. D Q1442 Ans. C Q1472 Ans. D
Q1413 Ans. D Q1443 Ans. A Q1473 Ans. B
Q1414 Ans. A Q1444 Ans. C Q1474 Ans. D
Q1415 Ans. D Q1445 Ans. D Q1475 Ans. C
Q1416 Ans. C Q1446 Ans. C Q1476 Ans. D
Q1417 Ans. C Q1447 Ans. A Q1477 Ans. D
Q1418 Ans. C Q1448 Ans. C Q1478 Ans. C
Q1419 Ans. B Q1449 Ans. D Q1479 Ans. C
Q1420 Ans. D Q1450 Ans. D Q1480 Ans. D
Q1421 Ans. C Q1451 Ans. C Q1481 Ans. B
Q1422 Ans. C Q1452 Ans. B Q1482 Ans. C
Q1423 Ans. B Q1453 Ans. C Q1483 Ans. C
Q1424 Ans. D Q1454 Ans. D Q1484 Ans. A

Q1485 Ans. C Q1510 Ans. A Q1535 Ans. A
Q1486 Ans. D Q1511 Ans. D Q1536 Ans. A
Q1487 Ans. B Q1512 Ans. D Q1537 Ans. A
Q1488 Ans. D Q1513 Ans. B Q1538 Ans. A
Q1489 Ans. B Q1514 Ans. B Q1539 Ans. A
Q1490 Ans. C Q1515 Ans. B Q1540 Ans. A (repeat of Q1533)
Q1491 Ans. A Q1516 Ans. A Q1541 Ans. A
Q1492 Ans. D Q1517 Ans. A Q1542 Ans. A
Q1493 Ans. A Q1518 Ans. A Q1543 Ans. A (repeat of Q1530)
Q1494 Ans. A Q1519 Ans. B Q1544 Ans. A (repeat of Q1531)
Q1495 Ans. B Q1520 Ans. A Q1545 Ans. A (repeat of Q1536)
Q1496 Ans. B Q1521 Ans. A Q1546 Ans. A (repeat of Q1537)
Q1497 Ans. D Q1522 Ans. C Q1547 Ans. A (repeat of Q1534)
Q1498 Ans. B Q1523 Ans. D Q1548 Ans. A (repeat of Q1538)
Q1499 Ans. A Q1524 Ans. C Q1549 Ans. A (repeat of Q1532)
Q1500 Ans. A Q1525 Ans. B Q1550 Ans. B
Q1501 Ans. B Q1526 Ans. B Q1551 Ans. A (repeat of Q1529)
Q1502 Ans. B Q1527 Ans. C Q1552 Ans. A (repeat of Q1508)
Q1503 Ans. C Q1528 Ans. D Q1553 Ans. A (repeat of Q1539)
Q1504 Ans. A Q1529 Ans. A Q1554 Ans. A (repeat of Q1535)
Q1505 Ans. B Q1530 Ans. A Q1555 Ans. A (repeat of Q1542)
Q1506 Ans. C Q1531 Ans. A Q1556 Ans. B (repeat of Q1550)
Q1507 Ans. C Q1532 Ans. A Q1557 Ans. A (repeat of Q1541)
Q1508 Ans. A Q1533 Ans. A
Q1509 Ans. A Q1534 Ans. A

DISA Review Questions, Answers Manual – Module 5

Module 5 Questions
Q1558. The primary objective of auditing IT change management is to ensure that:
A. Only approved changes were made
B. All changes are documented
C. Change control procedure variances are recorded and accounted.
D. Latest version of software is used

Q1559. In an organization providing outsourcing services, the PRIMARY objective of a Business Continuity Plan (BCP) is to ensure:
A. Safeguard assets from a disaster
B. Redundancy of IT resources
C. Continuity of critical business processes as per SLA
D. Identify single points of failure relating to Technology.

Q1560. “The MOST critical consideration for an IS Auditor in reviewing access


authorizations is to understand the: “
A. Security policy
B. IT Resources
C. Functionalities
D. Organization structure

Q1561. “The most important resource for successful deployment of Information


technology in an enterprise is: “
A. Effective Business processes
B. Trained Human Resources
C. Well-defined Organization structure
D. Implementing Latest technology

Q1562. In addition to defining the policy objective, which of the following is MOST critical to ensure implementation of policy?
A. Provide adequate allocation of resources
B. Establish clear-cut responsibilities.
C. Commitment from senior management
D. Monitor changes required on a regular basis.

Q1563. In reviewing job descriptions, the IS Auditor's concern from a control perspective is:
A. Are current, documented and readily available to the employee.
B. Establish instructions on how to do the job and policies define authority of staff.
C. Establish responsibility and the accountability of the employee's actions.
D. Communicate management's specific expectations for job performance.

Q1564. Which of the following is not a function of the IT steering committee?
A. Establish size and scope of IT function
B. Set priorities for the IT projects
C. Formulate IT procedures and practices
D. Review and approve standards, policies and procedures

Q1565. The primary purpose in management implementing IT controls and the IS auditor reviewing these controls is to:
A. Maintain Data integrity
B. Safeguard computers are
C. Provide assurance that business objectives are achieved
D. Provide proper segregation of duties

Q1566. The MOST critical consideration in preparing a security policy is the:
A. Analysis of the assets.
B. Analysis of the perceived risks.
C. Review of intellectual property to be safeguarded.
D. Availability of tools to monitor security.

Q1567. Which of the following is the basis for providing authorization and access to employees in an enterprise?
A. Organization Structure
B. Nature of Business process
C. Type of technology
D. Style of management

Q1568. The most critical consideration in IT strategy planning from the perspective of IT governance is:
A. Senior management should develop and implement long- and short-range plans
B. IT issues as well as opportunities are adequately assessed and reflected
C. IT is aligned with the mission and business strategies of the enterprise.
D. Strategic plan must address and help determine priorities to meet business needs

Q1569. In reviewing segregation of duties, the IS Auditor as a measure of BEST control would review whether the Security Administrator (SA) is:
A. Performing functions as defined
B. Well trained in business processes
C. Technically competent
D. Aware of the security policy

Q1570. Which of the following is MOST likely to be the result of inadequate IT policies and standards?
A. Absence of guidelines and benchmark
B. Security and controls may be compromised
C. Audit opinion on quality of control and security will be open to question.
D. Time required for audit is higher

Q1571. Which of the following is not a component of Electronic Data Interchange?
A. Standards
B. Management Involvement
C. Software
D. Communication

Q1572. Which of the following is a preventive as well as a recovery control measure?
A. Business Continuity Plan
B. Password controls
C. Backups
D. Encryption

Q1573. The communication of signals is subjected to noise MOST LIKELY because of
A. Defective switching equipment
B. Poor contact points in the wiring
C. Humidity increase
D. Temperature increase

Q1574. Which of the following is used to determine authorised sign-on in an EDI transaction?
A. Spoofing
B. Masking
C. Digital signature
D. Private key cryptosystem

Q1575. Which of the following is not related to an electronic-mail system?
A. X.500
B. X.400
C. Pretty good privacy (PGP)
D. Digital signature standard (DSS)

Q1576. Which of the following is TRUE about an electronic-mail (E-mail) network?
A. Co-operative processing system
B. Distributed system
C. Centralised system
D. Decentralised system

Q1577. Which one of the following forms a part of transmission control in EDI control layers?
A. Interchange
B. Functional group
C. Transaction set
D. None of the above

Q1578. The two overall primary goals of IT Governance are:
A. Consider critical success factors that leverage IT resources and measure them
B. Ensure delivery of information to business and measure using Key Goal Indicators
C. Create and maintain system of process/control excellence and monitor business value delivery of IT
D. Add value to business and balance risk versus return

Q1579. The GREATEST risk on account of inadequate IT policies and standards is:
A. Lack of benchmarks for evaluating the operations
B. Security and controls may be compromised.
C. Audit opinion on quality of control and security will be open to question.
D. Time required for audit is higher.

Q1580. Which of the following additional duties performed by the information security manager poses the GREATEST risk to the organization?
A. Maintaining custody of documents
B. Operating computer hardware
C. Entering data for processing
D. Programming

Q1581. Which among the following combinations of roles results in maximum risk?
A. Data entry and Operations
B. Librarian and Help Desk
C. Systems Analysis and Quality Assurance
D. Database Administration and Data entry

Q1582. In auditing outsourcing, which of the following is the IS Auditor most likely to consider for formulating the audit scope and objectives:
A. Benefits of outsourcing
B. Technical skills of service provider
C. Service level agreement
D. Quality of services provided

Q1583. The MOST critical factor to be considered in segregation of duties in an IT environment is:
A. Business operations
B. Security policy
C. Organization structure
D. IT resources

Q1584. Which of the following is the most critical consideration in providing access to information in an enterprise?
A. Job descriptions
B. Technical skills
C. Work Experience
D. Security policy

Q1585. Security policy to be MOST effective has to be defined based on:
A. Technology deployed
B. Risk analysis
C. User requirements
D. Security standards

Q1586. Which of the following statements relating to policies is incorrect?
A. Provide management guidance and direction for overall effective deployment of information and its activities.
B. Provide details of actions to be taken for preventing, detecting, correcting and reporting security lapses.
C. Refers to specific security rules for particular systems.
D. State the high-level enterprise position and scope

Q1587. Which of the following statements relating to practices is correct?
A. Refer to implementation aspects for various information systems and related activities
B. Outline a set of steps to be performed to ensure that a policy guideline is met
C. Provide management guidance and direction for overall effective deployment of information and its activities
D. Formulated by senior management and represent strategic philosophy

Q1588. The primary objective of segregation of duties is:
A. Distribution of work responsibilities as per experience
B. Prevention/monitoring of accidental or purposeful errors/omissions.
C. Distribution of work as per technical skills
D. Provide better service to customers

Q1589. Which of the following is the MOST critical consideration in segregation of duties?
A. The possibility for a single individual to subvert a critical process is prevented
B. Senior management ensures implementation of division of roles and responsibilities.
C. Staff is performing only those duties stipulated for their respective jobs and positions.
D. Experienced staff review all critical functions performed by junior staff.

Q1590. At the preliminary review stage of an IT strategic plan, the most critical audit procedure involves verification of:
A. Short-range plan, which has been prepared outlining the specific project.
B. Specific task activities delegated to section managers that support completion of short-range plan.
C. Methodology for progress reporting and monitoring relating to adequacy of long-range and short-range plan
D. Documented long-range plan for facilities, hardware, system software and application software.

Q1591. Which of the following is most critical for effective implementation of security?
A. Defining and communicating individual roles, responsibilities, and authority
B. Having regular external audit of security implementation
C. User training covering all aspects of security
D. Senior management is well versed with technical aspects of security

Q1592. For an IT steering committee to be effective, its members must necessarily include:
A. Users
B. IT head
C. Director
D. Functional Heads

Q1593. The MOST critical consideration for an IS Auditor in reviewing access authorizations is to understand the:
A. IT Resources
B. Organization structure
C. Functionalities
D. Nature of business

Q1594. During the preliminary stage of a review of an IT strategic plan, the MOST critical audit procedure is to verify the existence of:
A. Documented long-range plan for facilities, hardware and system and application software.
B. Short-range plans, which have been prepared outlining specific projects.
C. Specific assignments for each IT manager that support completion of short-range plans.
D. Methodology for progress reporting and monitoring relating to adequacy of long/short-range plans

Q1595. Dual protection or mirroring of servers mitigates the exposures from
A. power loss
B. an operating system error
C. an application program error
D. a procedural lapse

Q1596. Conditioning of the transmission lines is LEAST effective against
A. Attenuation
B. Wiretapping
C. Delay distortion
D. White noise

Q1597. Rapid recovery is MOST crucial in the case of which of the following applications?
A. Departmental chargeback
B. Corporate planning
C. Point-of-sale
D. Regulatory reporting

Q1598. Which image processing display technique is also known as point operations?
A. Pre-processing
B. Image coding
C. Local operations
D. Contrast enhancement

Q1599. Maximum reliability is available in
A. Bus topology network
B. Ring topology network
C. Star topology network
D. Mesh topology network

Q1600. Internal controls of EDI should address which of the following risks?
A. Storage errors
B. Transmission errors
C. File errors
D. Accounting errors

Q1601. Active attack on a communication network DOES NOT include
A. Flooding the network with spurious messages
B. Changing the order of the message
C. Traffic analysis
D. Modification of the message

Q1602. Which of the following is not part of an emergency plan?
A. Disaster notification to personnel
B. Equipment shutdown procedures
C. Evacuation procedures
D. Restart procedures

Q1603. Generally, which of the following is considered a major threat to a computer installation?
A. Tornadoes
B. Fire
C. Structural damage
D. Floods

Q1604. Wiretapping CANNOT easily be done without detection in
A. optical fibre transmission
B. satellite transmission
C. twisted pair wire transmission
D. thin ethernet cable transmission

Q1605. Which step comes just before the final approval of the BCP?
A. Collecting data
B. Organising and documenting the plan
C. Testing the plan
D. Writing policies and procedures

Q1606. As against link encryption, end-to-end encryption cannot protect against
A. insertion of a spurious message
B. spurious associations
C. changing the order of the message
D. traffic analysis

Q1607. Which of the following alternate facilities has the GREATEST chance of failure due to change in systems and personnel?
A. Reciprocal agreement
B. Hot site
C. Warm site
D. Cold site

Q1608. Which of the following is not a measurement criterion for the Personal Software Process?
A. Defects
B. Time
C. Task
D. Lines of code

Q1609. The responsibility of business continuity does not rest with
A. Management
B. IT operation
C. Auditor
D. None of the above

Q1610. For getting high speed access in telecommuting, which of the following connections is used?
A. Internet Connection
B. Ethernet Connection
C. Modem connection
D. None of the above

Q1611. Interference is resisted MOST by
A. transmission by radio frequency
B. transmission over coaxial cable
C. transmission on terrestrial microwave
D. transmission on satellite microwave

Q1612. Which of the following plans specifies the actions to be taken immediately on the occurrence of a disaster?
A. Emergency plan
B. Recovery plan
C. Restart plan
D. Backup plan

Q1613. In the case of a bank teller, the access control policy is an example of:
A. User directed policy
B. Role based policy
C. Rule based policy
D. Identity based policy

Q1614. An electronic-mail security program is not effective in the case of which of the following attacks?
A. Playback attacks
B. Key management attacks
C. Bogus traffic
D. Cryptanalytic attacks

Q1615. The technique employed in packet switching mode of transmission is:
A. modulation technique
B. multiplexing technique
C. line conditioning technique
D. concentration technique

Q1616. Which of the following systems are MOST important for business resumption following a disaster?
A. Vital systems
B. Sensitive systems
C. Critical systems
D. Non-critical systems

Q1617. Which one of the following is TRUE about Pretty Good Privacy (PGP), an electronic mail security program?
A. PGP is a protocol
B. PGP is a standard
C. PGP is a product
D. PGP is not portable

Q1618. ___________ is a clause in a trading partner agreement which means that no party shall be liable for any failure to perform their obligations if such failure is due to reasons beyond their control
A. Accountability
B. Error correction
C. Force majeure
D. Security

Q1619. A bank performs a backup of its online deposit files each day after all processing is over and retains it for 7 days. The bank does not retain copies of each day's transactions. This approach is:
A. Valid, since it minimises the complexity of backup/recovery procedures if the online file has to be restored
B. Valid, since having a week's worth of backups permits recovery even if one backup could not be restored.
C. Risky, since restoring from the most recent backup file would omit subsequent transactions
D. Risky, since no checkpoint/restart information is kept with the backup files

Q1620. A Data Replication Architecture that updates the secondary site by capturing changes using an asynchronous process is:
A. Shadowing
B. Mirroring
C. Transaction Aware Replication
D. Hosting on a warm site

Q1621. A disaster recovery plan for a company's computer system usually focuses on which of the following?
A. The probability that a disaster will occur
B. Operations turnover procedures
C. Alternative procedures to process transactions
D. Strategic long range planning

Q1622. A modem is NOT intended to
A. reduce the noise level in the transmission
B. encrypt the messages transmitted and decrypt them on reception
C. convert digital signals to analog signals
D. convert analog signals to digital signals

Q1623. A primary objective of BCP is:
A. To provide a sense of security
B. To make systems reliable by providing back ups
C. To ensure continuity and survival
D. To minimise decisions to be made during times of disaster

Q1624. A recovery plan for restoring computer operations after a processing outage should ensure that:
A. Planned changes in equipment capabilities are compatible with estimated workloads
B. Backup/restart procedures have been built into job streams and programs
C. Documented service level agreements with owners of applications are available
D. Operating personnel cannot bypass change control procedures

Q1625. Access to the Electronic Funds Transfer (EFT) terminal should be restricted to authorised persons. The auditor need not
A. Check the security of the place in which the terminal is located
B. Check whether or not the terminal is kept locked when not in use
C. Check the level of management supervision over the terminal
D. Check if there is a proper segregation of duties

Q1626. While conducting a business continuity audit, which of the following would an IS auditor consider to be MOST important to review?
A. A business continuity manual is available and current
B. Backups are performed on a timely basis and stored offsite
C. Insurance premiums are current and coverage is adequate
D. Availability of hot site

Q1627. While preparing a cost benefit analysis of a security objective for an electronic data interchange (EDI) transaction, which one of the following costs should be part of a detection method?
A. Cost of preventive action
B. Cost of implementation of management directives
C. Cost of recovery action
D. Cost of technical action

Q1628. With respect to BCP, critical activities can be segregated into:
A. Essential activities, recommended activities, non-essential activities
B. Essential activities and non-essential activities
C. Recommended activities and non-essential activities
D. There is no segregation

Q1629. Which of the following would BEST ensure continuity of a Wide Area Network (WAN)?
A. A maintenance contract with a service provider
B. Full system back-up taken on a daily basis
C. A duplicate machine alongside each server
D. Built-in alternative routing

Q1630. Which one of the following is NOT a true statement about encryption used in an electronic data interchange (EDI) transaction?
A. Encryption ensures data integrity
B. Encryption ensures data availability
C. Encryption ensures data confidentiality
D. Encryption prevents unauthorised viewing of data

Q1631. Which one of the following is a control weakness in the treatment of user messages in an electronic mail system?
A. Retransmission of the corrupted messages
B. Restoration of corrupted message from backups
C. Editing of corrupted message by the network staff
D. Introduction of automated checks to detect corruption of messages

Q1632. Which one of the following is NOT true about an electronic data interchange (EDI) system?
A. Direct or dedicated transmission channels with trading partners
B. Elimination of paper records
C. Possibility of human oversight is minimal
D. Error propagation is eliminated

Q1633. Which one of the following network configurations used by electronic data interchange (EDI) trading partners does not have a storage capability and does not provide any message status information?
A. Use of dedicated network
B. Use of a single value-added network
C. Use of two VANs
D. Point-to-point network

Q1634. Which one of the following statements is correct with regard to a reciprocal processing agreement?
A. It should be documented in writing and signed by both parties.
B. It provides for parallel processing capability at a hot site and in the production environment.
C. It requires the hardware vendor to provide compatible computer equipment.
D. It provides for full processing capability in the event of a disaster.

Q1635. An IS auditor reviewing an organisation's Business Continuity Plan discovered that the plan provides for an alternate site which can accommodate about 50% of the processing requirements of the organisation. Which of the following steps should the IS Audit
A. Ensure that the alternate site could process all the critical applications.
B. Recommend that the processing capacity of the alternate site should be increased.
C. Under normal circumstances only about 25% of the processing is critical to an organisation. Hence, there is no need to take any action.
D. Identify applications that could be processed at the alternate site and develop manual procedures for other applications.

Q1636. An IS auditor reviewing an organisation's Business Continuity Plan discovered that the plan was prepared many years ago and has never been updated, tested or approved by the senior management. In this situation the IS auditor should recommend that:
A. The existing plan should be approved by the Board of Directors
B. The plan be tested once a year
C. The plan be circulated to all key management personnel
D. A senior management person co-ordinate creation of a new plan or revised plan within a defined timeframe.

Q1637. An IS auditor reviewing an organisation's Business Continuity Plan discovered that the software backups are not stored in an offsite location and the management is not aware of where backups are being kept. In this situation which of the following recomme
A. Software backup should be kept in an offsite location in a fireproof safe.
B. An inventory of backup tapes at the offsite storage location should be maintained.
C. IS security measures including controls over access to data should be strengthened.
D. Offsite storage location should be secured and should not be easily identified from the outside.

Q1638. An organisation has an application level gateway and allows only electronic-mail to pass between the organisation's network and the outside world. In such a situation the organisation's electronic mail system is used to do which of the following?
A. Remote access
B. File transfer
C. The firewalls that refuse to forward anything unless it is from the gateway
D. The firewalls that refuse to forward anything unless it is to the gateway

Q1639. Audit of a LAN disaster backup and recovery plan ensures that business is restored after a system failure or disaster. Which of the following is FALSE with respect to such plans?
A. Plan identifies the critical hardware and equipment
B. Confidential information is not disclosed in the plan
C. Plan is reviewed and accepted by the management
D. Plan is communicated to the employees

Q1640. Companies are exposed to various kinds of e-mail threats. E-mails containing racist or sexual content are typical of:
A. Spam
B. Information leakage
C. Interception and tampering
D. Offensive contents

Q1641. BCP (Business Continuity Plan) should focus on:
A. Departments that are greatly affected by a disaster
B. Departments that are least affected
C. Departments that have at least 50% IS related assets
D. The entire enterprise

Q1642. Business continuity plan of an organisation should address early recovery of which of the following?
A. All applications designed by the IS Manager
B. All information system processes
C. Processes in priority order, as defined by the business manager
D. All financial processing applications

Q1643. Checks should exist in an Electronic Funds Transfer (EFT) system to ensure that messages transmitted are delivered completely and are fully accounted for. The auditor should ensure that
A. A permanent record of all transmitted messages is maintained
B. Messages are encrypted
C. All changes to a user function are properly authenticated
D. The system prevents unauthorised transmission

Q1644. Concentration technique in a communication network DOES NOT
A. route the message over an alternate path if the normal path fails
B. reduce the wiretapper's capabilities to tap more data
C. send different packets of the same message over different available lines
D. free channel utilization to make more capacity available for the user

Q1645. During exposure analysis, which of the following is NOT done?
A. Evaluating the possibility of the threat being successful given the controls that are in place
B. Identifying the source of threats to assets
C. Assessing the reliability of the controls that are in place
D. Assessing the losses that will result if a threat circumvents the controls in place

Q1646. Electronic Data Interchange
A. Is another name for e-mail
B. Is not of much use in data transfer between two computers
C. Provides strategic, operational and opportunity benefits
D. Is a tool that can even transmit information in an unstructured format

Q1647. Electronic mail message authenticity and confidentiality is BEST protected through which of the following techniques?
A. Signing the message using the receiver's private key and encrypting the message using the sender's public key
B. Signing the message using the receiver's public key and encrypting the message using the sender's private key
C. Signing the message using the sender's private key and encrypting the message using the receiver's public key
D. Signing the message using the sender's public key and encrypting the message using the receiver's private key

Q1648. Every organisation should have a contingency plan regardless of its size. The contingency plan should be detailed enough for the management and staff to actually act in the event of a disaster. The contingency plan need not address
A. Event declaration and escalation
B. Audit of the plan
C. Employee responsibility
D. Recovery operation

Q1649. Factors such as distribution channel and target segment are considered in which of the following profiles:
A. Cultural Profile
B. Relationships Profile
C. Technology environment profile
D. Existing security profile

Q1650. Generation of PIN in EFT/PoS involves: 1. Acquirer validates information; 2. Acquirer sends response to the acceptor; 3. Authorisation request is sent to the acquirer; 4. PIN entered is encrypted. Which option indicates the correct order of events?
A. 1,2,3,4
B. 1,3,4,2
C. 4,3,1,2
D. 4,3,2,1

Q1651. Hot site is:
A. Equipped with facilities such as air-conditioning, power, cables, but no computer systems
B. A remote facility that provides hardware and operations facilities
C. Data storage space in other corporate systems
D. An internal reciprocal arrangement

Q1652. If outsourcing a hot site is a feasible solution, then which of the following should be considered while interacting with the vendor?
A. Hardware, software and networking requirements
B. Location and testing requirements
C. Staff expertise
D. All the above

Q1653. In an electronic data interchange (EDI) system, assessment of risks would help to determine which one of the following loss categories?
A. Actual loss, catastrophic loss
B. Single occurrence loss, actual loss
C. Expected loss, single occurrence loss
D. Expected loss, catastrophic loss

Q1654. In an electronic data interchange (EDI) trading partner agreement, which one of the following requires a clear and precise definition?
A. Resolution of disputes
B. Elimination of disputes
C. Co-ordination between partners
D. Message format

Q1655. In determining new controls that might be implemented to reduce exposures to an acceptable level, which of the following is not used as a basis?
A. Analyse the scenarios developed during the exposure analysis phase
B. Choose controls that emphasise design secrecy
C. Examine the control profiles used in similar installations
D. Review the answers to questions on the internal control questionnaires completed during the exposure analysis phase

Q1656. In the residual dumping technique for backup, the records that are backed up are those that have not undergone any change since
A. the last full dump
B. the last residual dump
C. the second-last full dump
D. the second-last residual dump

Q1657. In the case of a large database with an on-line communication network environment where the critical business continuity period is 7 days, which of the following alternative business recovery strategies would be LEAST appropriate?
A. Dual information processing facilities
B. Warm site
C. Hot site
D. Reciprocal agreement

Q1658. In the case of electronic funds transfer (EFT), which one of the following is MOST vulnerable to fraud and physical attacks?
A. Point-of-sale system
B. Home banking system
C. Automated teller machine system
D. Telephone bill paying system

Q1659. In the event of a disaster, the crisis management team should first:
A. Inform the stakeholders
B. Assess the impact of disaster on the company
C. Take care of personnel and their dear ones
D. Form an emergency response team

Q1660. The Internet was established NOT for
A. minimizing the high risk protocol conversion functions that the gateways perform
B. controlling all the networks connected in a better way
C. improving the overall reliability of the networks
D. restricting access to sensitive messages by restricting them to specific parts of the network

Q1661. It is widely accepted that every company should have a disaster recovery plan. Importing of data (a component of a LAN disaster recovery plan) does not help in keeping track of
A. Equipment inventories
B. Policy inventory
C. Software inventories
D. Data that is necessary for the recovery process

Q1662. It was observed that there is no fire detection and control equipment in an organisation's computer processing area. Which of the following is MOST important in such circumstances?
A. Offsite storage of transaction and master backup files
B. Adequate fire insurance
C. Fully tested backup processing facility
D. Regular hardware maintenance

Q1663. Link encryption in communication of signals
A. controls the exposures from traffic analysis
B. ensures that even if compromise of an encryption key takes place, the loss is restricted to a single user associated with the compromised key
C. does not require each node through which the message passes to be protected against hacking
D. renders charge back system easier and effective

Q1664. Logging of transactions is an important means of backup. Which purpose among the following is not served by logging the transactions in a financial institution?
A. Both roll-forward and roll-backward of transactions after a disaster is rendered easier
B. After a disaster, the transactions can be re-entered easily, if needed
C. The transactions shall be recorded chronologically as they are put through
D. There will be no need for taking a data dump

Q1665. MAC or message authentication code prevents
A. messages getting changed by hackers
B. traffic analysis by sniffing
C. violating the confidentiality of the message
D. the exposures associated with transmitting credit card PINs as clear text

Q1666. Modems do enhance the quality of transmission. Which among the following is NOT a control feature that enhances the quality?
A. multiple transmission speeds
B. auto-dial features
C. dynamic equalization
D. attenuation amplification

Q1667. The most important risk to be addressed in an electronic data interchange (EDI) transaction is:
A. Delay in transmission of the data
B. Duplicated transactions
C. Invalid transactions
D. Repudiated transactions

Q1668. The operations audit trail rather than the accounting audit trail is likely to show
A. message sequence number
B. queue length at each network node the message traverses before reaching the destination
C. time and date of dispatch of the message
D. the unique identifier of the sender's node from which it was sent

Q1669. The OSI model of ISO presents a model of seven layers through which data communication across computers passes. Encryption is NOT done in any form in
A. Presentation
B. Physical
C. Data Link
D. Transport

Q1670. Reciprocal Agreements are normally entered into between two or more organisations:
A. Within same geographical location
B. With different business activities
432
DISA Review Questions, Answers Manual – Module 5

C. With compatible equipment and applications


D. With similar business activities

Q1671. Responsibility of business continuity rests with the management and IT operations. To ensure this, the management need not ensure which of the following:
A. The plan is tested
B. Plan is maintained
C. Plan is distributed to authorised people
D. Plan is static

Q1672. Ring topologies have an edge over bus topologies. Which of the following statements is FALSE?
A. In ring topology, nodes are connected on a point to point basis whereas it is a multipoint connection in a bus network
B. The connectors in a bus topology attenuate the signals and distort them, whereas repeaters in a ring topology are relatively harmless
C. If a connector in bus topology is malfunctioning, the whole network will not be brought down, whereas malfunctioning repeaters will bring the network down
D. Encryption is resorted to as a control technique more in bus topology than ring topology

Q1673. Rollback is an effective means of recovering data. Which of the following applies in a situation where an error has occurred but many processes have updated the corrupt database before it is detected?
A. Rollback may not be too useful if many users have updated the corrupt database before the discovery of the corruption
B. To set right the situation, all the elements that have been updated after the corruption must be traced and efforts started for correcting them
C. If afterimages have been corrupted, rollback is not achievable
D. It is not always possible to determine how much damage has been done for undoing it

Q1674. Rollback is easily accomplished with differential file backup technique for which of the following reasons?
A. Beforeimages of the modified records have been kept in the differential file
B. Beforeimages of the modified records have been kept in the primary file
C. It facilitates identification of the users that have effected changes to the database
D. The technique provides for taking the backup on a high speed medium like CDROM

Q1675. Rollforward and rollback are two important techniques for backup. Which among the following should be logged for facilitating rollforward?
A. Afterimages
B. Beforeimages
C. All valid transactions
D. All input transactions

Q1676. Software change management
A. Is all about managing alterations, irrespective of the stage of lifecycle of a product
B. Is done only in the development stage
C. Is done only in the maintenance stage
D. Activities decrease after the product release.

Q1677. Team software process, a software configuration management tool:
A. Identifies the roles of a team and assigns respective jobs to team members
B. Focuses on managing tasks of individual developers
C. Focuses only on the role of developers
D. Does not require a customer interface

Q1678. The residual dump technique in backup has the disadvantage of
A. complexity of recovery more than a physical dump
B. the inability of the backup operation to run in the background while operations are being carried out
C. duplicity of backup operations more than other techniques
D. lesser flexibility in leveling system workloads

Q1679. The Security Profile Model helps a company to prioritise security management. Which of the following features is not a part of the asset profile?
A. A company needs to classify its assets
B. It needs to identify interdependencies between assets
C. Its employees should be able to identify and evaluate security matters
D. It should identify assets that contain sensitive information

Q1680. The time required for recovery of information processing facility in the case of a disaster is based on which of the following?
A. Nature of disaster
B. Criticality of the operations affected
C. Mainframe based applications
D. Quality of the data to be processed

Q1681. Transaction logs generally consist of successful transactions. Rejected transactions are printed to a separate log. This segregation facilitates
A. both rollforward and rollback to be effected in case of a disaster
B. recording the time sequence of the successful transactions alone
C. avoiding the reappearing of rejection messages when the transactions are resubmitted after a disaster and a restoration of the backup
D. elimination of control total problems when the transactions are resubmitted after a disaster and a restoration of the backup

Q1682. Transmission of electronic signals is not free of impairments. Which of the following statements is true?
A. Satellite signals are not easily affected by other electronic transmissions.
B. Attenuation is the delay in transmission of signals due to difference in frequency
C. Inductive wiretaps can pick up the free space emissions emanating from amplifiers
D. Analog signals are less attenuated than digital signals

Q1683. Which among the following is NOT a serious problem in a ring topology based LAN?
A. Corruption of tokens during transmission may occur
B. Collision of tokens during transmission may occur
C. Tokens may be captured by a node and before releasing it the node may fail
D. The receiver might not have captured the token but it might have passed the addressee node

Q1684. Which among the following is NOT true of star topologies?
A. Ring topologies are more reliable than star topologies
B. Star networks are more easily maintained than a bus network
C. Malfunctioning in one node will not bring a star network down
D. Malfunctioning of the hub will bring the star network down

Q1685. Which of the following activities is a task during scenario analysis?
A. Determine the assets to be protected
B. Identifying controls and their associated level of reliability
C. Assessing the probability of threat occurrence
D. Identifying how threats can circumvent controls

Q1686. Which of the following approaches is ideal in order to test the electronic data interchange (EDI) system for a value added network (VAN) user?
A. Test mailbox
B. System programmer mailbox
C. Production mailbox
D. Application programmer mailbox

Q1687. Which of the following is NOT true about electronic data interchange (EDI)?
A. EDI data is processed by computer application systems without human intervention
B. Standardisation is not key to EDI transaction
C. EDI concept is different from electronic commerce
D. EDI promotes a paperless environment

Q1688. Which of the following BEST describes “reducing exposure to an acceptable level”?
A. Residual threats have been eliminated
B. All controls implemented are totally reliable
C. The cost of implementing and operating further controls exceeds the reduction in expected losses that will occur
D. Threats for which no control exists and have a low probability of occurrence

Q1689. Which of the following BEST describes a residual risk?
A. Risk that must be treated as a cost of doing normal operations
B. Risk that cannot be handled by the installation and will not be covered in the insurance policy for data processing assets
C. Risk remaining after risks have been controlled by system design, installation of security measures, and regular security audits
D. Risk that will not be handled by an insurance company

Q1690. Which of the following BEST describes a warm site?
A. Partially equipped site where the computer environment consists of a few pieces of equipment without the main computer.
B. Fully equipped computer centre in a ready state for continuing operations within hours.
C. A site where the computer environment is maintained without any equipment.
D. Dedicated, self developed recovery site that can backup critical applications

Q1691. Which of the following BEST describes an exposure?
A. The expected loss that will occur, given the reliability of the existing controls
B. Any threat that may eventuate
C. The expected loss that will occur prior to implementation of any controls
D. Any threat for which no controls have been implemented

Q1692. Which of the following controls should be introduced in the case of EDI transactions with a trading partner for efficient data mapping?
A. Manual recalculations
B. Functional acknowledgements
C. Key verification
D. One-for-one checking

Q1693. Which of the following controls would be useful in reducing losses from some types of threats that would result in structural damage to a computer installation?
A. Housing the computer on the upper floor of a building
B. Fail-safe doors
C. Voltage regulator
D. None of the above

Q1694. Which of the following cryptographic algorithms does both encryption and digital signature?
A. International data encryption algorithm (IDEA)
B. Digital signature standard (DSS)
C. Rivest, Shamir, Adleman (RSA)
D. Data encryption standard (DES)

Q1695. Which of the following encryption algorithms or schemes is MOST difficult to break?
A. International data encryption algorithm (IDEA)
B. RC2 and RC4
C. One-time pad
D. Data encryption standard (DES)

Q1696. Which of the following electronic commerce systems handles non-monetary documents?
A. Society for Worldwide Interbank Financial Telecommunication (SWIFT)
B. Electronic funds transfer system (EFTS)
C. Electronic data interchange (EDI)
D. Electronic benefits transfer system (EBTS)

Q1697. Which of the following electronic document management areas is of the MOST concern for an IS auditor reviewing an electronic data interchange (EDI) system?
A. Data storage
B. Data classification
C. Data retention
D. Data indexing

Q1698. Which of the following involves routing of traffic through split or duplicate cable facilities in providing telecommunication continuity?
A. Long haul network diversity
B. Diverse routing
C. Redundancy
D. Alternate routing

Q1699. Which of the following is an advantage of the use of hot sites as a backup alternative?
A. Hot sites can be used for an extended amount of time.
B. Hot sites can be made ready for operation within a short period of time.
C. Costs associated with the hot sites are low.
D. Hot sites do not require that equipment and systems software be compatible with the primary installation being backed up.

Q1700. Which of the following is covered by business interruption insurance?
A. Costs involved in reconstructing the computer facility
B. Additional costs incurred because the organisation is not operating from its normal facilities
C. Loss in business income because the organisation is unable to trade
D. Claims against the organisation by the customers because the organisation cannot service its customers

Q1701. Which of the following is not an EDI risk?
A. Segregation of duties is not possible
B. Audit trail may not be available for transactions which are in electronic format
C. Data that is transmitted is always error free
D. Dependency of trading partners on each other increases

Q1702. Which of the following is NOT considered in a backup plan?
A. Priorities to be assigned to recover the various systems
B. Site where resources can be assembled and operations restarted
C. Personnel who are responsible for backup resources
D. Procedures for periodically testing to ensure that recovery can be effected

Q1703. Which of the following is NOT relevant in the case of Business Continuity Plan testing?
A. Involvement of key business continuity team members
B. Test should address all critical components
C. Test should simulate actual prime time processing conditions
D. Advance information about the test to non-business continuity team members.

Q1704. Which of the following is NOT true about a reciprocal agreement for an alternative processing facility?
A. The reciprocal data centre may not be available during normal business hours
B. They are expensive to maintain
C. The reciprocal data centre may not have adequate capacity
D. Incompatibilities in the operating software may occur

Q1705. The objective of compliance testing is to determine whether:
A. Procedures are valid
B. Controls function as intended
C. Assets are properly valued
D. Programs operate consistently

Q1706. Which of the following is NOT true about Pretty Good Privacy (PGP) and Privacy Enhanced Mail (PEM)?
A. They are both based on public-key cryptography
B. They both have the same uses
C. They both encrypt messages
D. They both sign messages

Q1707. Which of the following is not true of a Disaster Management Team:
A. To decide on locations from where remote access is possible, in the event of disaster
B. To make a list of employees, who should be called to remote sites for work
C. To provide remote access to the network to all employees
D. To continuously check whether security and intrusion systems are functioning effectively

Q1708. Which of the following is the MOST effective and environment friendly method of suppressing fire in a data centre?
A. Carbon dioxide gas
B. Wet-pipe sprinklers
C. Halon gas
D. Dry-pipe sprinklers

Q1709. Which of the following is the BEST disaster recovery plan for the communication processor for a large chain of shops which has a central communication processor for connecting with the banking network with electronic fund transfer (EFT at point-of-sale de
A. Alternate standby processor at another network node
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Offsite storage of daily backup

Q1710. Which of the following is the LEAST important in the case of a backup and recovery plan?
A. Frequency of the backup
B. Usage of backup tapes
C. Frequency of offsite backup
D. Frequency of restoration of backups to test the backup tapes

Q1711. Which of the following is the MOST effective test of a Business Continuity Plan?
A. Structured walkthrough of the plan by all key personnel
B. Conduct mock disaster and carry out disaster recovery procedures
C. Review the plan in detail by external auditor
D. Detailed review of the plan by IS auditor

Q1712. Which of the following is the primary objective of a recovery plan?
A. Specify how backup can be assembled for recovery purpose
B. Identify a recovery committee that will be responsible for working out the specifics of the recovery to be undertaken
C. Specify precisely how recovery will be effected
D. Identify which applications are to be recovered immediately

Q1713. Which of the following is TRUE about Automated Teller Machines (ATMs)?
A. Uses protected telecommunication lines for data transmissions
B. Must provide high levels of logical and physical security
C. Are usually located in populous areas to prevent theft or vandalism
D. Allow for cash withdrawal and cash deposits only

Q1714. Which of the following is TRUE about an Electronic Data Interchange (EDI) application system?
A. Transmits transactions using sophisticated formats and file definitions
B. Applications, transactions and trading partners supported remain static over time
C. System that performs based on business needs and activities
D. Provides utility programs for a limited number of application systems

Q1715. Which of the following is TRUE about most of the business continuity tests?
A. Address all system components
B. Conducted at the same time as normal business operations
C. Monitored by the IS auditor
D. Evaluate the performance of personnel

Q1716. Which of the following is TRUE in relation to the input controls of EDI?
A. The data that is entered into the system should have sequence numbers
B. Data that is entered into the system need not be translated to EDI standard
C. Parity and redundancy checks should be used
D. Any changes to EDI should be tested before implementation

Q1717. Which of the following offsite alternatives for business recovery would require the least amount of funds?
A. Cold site facility
B. Reciprocal agreement
C. Warm site facility
D. Hot site facility

Q1718. Which of the following network risks apply to EDI transactions irrespective of the type of network involved?
A. Failure to detect the recipient
B. Data being transmitted to the wrong recipient
C. Delay in transmission of the data
D. The data being intercepted and disclosed to others without authorisation

Q1719. Which of the following project scheduling techniques does not provide information about predecessor and successor relationships?
A. Gantt Charts
B. Critical Path Method
C. Program Evaluation and Review Technique
D. Critical Chain Path Method

Q1720. Which of the following security controls is MOST effective to prevent fraud and abuse in the case of electronic fund transfers?
A. Encryption
B. Unique password
C. Unique user ID and password
D. Unique user ID, password and personal identification number (PIN)

Q1721. Which of the following should be verified by an IS auditor reviewing a Business Continuity Plan?
A. Approval of the plan by Board of Directors.
B. Plan is tested once in a year.
C. Plan is reviewed and updated regularly.
D. Plan is circulated to all the Heads of Departments

Q1722. Which of the following should find a place in a disaster recovery plan?
A. Program coding standards for the organization
B. History of updates to the operating system
C. List of applications under development
D. Responsibilities of each organizational unit

Q1723. Which of the following statements is TRUE about an offsite information processing facility?
A. Should be located near to the originating site so that it can quickly be made operational
B. Should have the same amount of physical access restrictions as the primary processing site
C. Need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive
D. Should be easily identified from outside so that in the event of an emergency it can be easily found

Q1724. Which of the following statements is true with respect to Electronic Fund Transfer/Point of Sale transactions?
A. To verify the identity of the cardholder, using signature is more secure than using the PIN
B. All cards are not checked with hot card numbers
C. A central authority verifies the signature of the person holding the card
D. Before payment, the cardholder and the merchant agree upon the amount

Q1725. Which of the following statements about digital signatures is NOT true?
A. It prevents non-repudiation by the receiver
B. It provides sender authenticity
C. It facilitates repudiation by the sender
D. It prevents repudiation by the sender

Q1726. Which of the following statements about encryption is NOT correct?
A. Encryption protects data in transit from unauthorised interception and manipulation
B. Verifies authenticity of a transaction or document
C. Encryption will solve all problems of industrial espionage
D. Some countries will not allow transborder encryption of information

Q1727. The IT strategy committee works at:
A. Board level only
B. Executive level only
C. Board and Executive levels
D. None of the above

Q1728. IS auditors must have a thorough understanding of the risk assessment process. Risk assessment is a(n):
A. Subjective process
B. Objective process
C. Mathematical process
D. Statistical process

Q1729. Which of the following is a detective control?
A. Physical access controls
B. Segregation of duties
C. Back-up procedures
D. Audit trails

Q1730. While appointing an auditor to conduct the IS audit, the company need not look into ________ of the auditor?
A. Legal capability
B. Experience
C. Proficiency in different computer languages
D. Secrecy bond, if penetration test is to be done

Q1731. When planning a software audit, the management does not consider:
A. The timing of the audit
B. Persons who should conduct the audit
C. Keeping the audit objective secret
D. Providing access to the required facilities

Q1732. A procedure to have an overall environmental review which is NOT performed by an IS auditor during pre-audit planning is
A. Understanding of business risks by interviewing management's key personnel.
B. Determining adherence to regulatory requirements by conducting compliance tests.
C. Reviewing audit reports of the previous years.
D. Touring key activities of the organisation.

Q1733. A sampling technique used to estimate the average or total value of a population based on a sample is termed as:
A. Variable Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling

Q1734. A Systems Analyst's duties and roles comprise:
A. Scheduling of computer resources.
B. Testing and evaluating programmer and optimisation tools.
C. Ascertaining user needs for application programming.
D. Corporate database definition.

Q1735. An audit technique used to select items from a population for audit testing purposes based on the characteristics is termed as
A. Continuous Sampling
B. Discrete Sampling
C. Attribute Sampling
D. Statistical Sampling

Q1736. Which of the following are considered to be the best practices in enterprise governance:
A. Strategic Oversight and enterprise risk management
B. Enterprise risk management and the acquisition process
C. The acquisition process and board performance
D. All the above.

Q1737. While developing a risk based audit program, which of the following would the IS auditor MOST likely focus on?
A. Business processes
B. Critical IT applications
C. Corporate objectives
D. Business strategies

Q1738. Which of the following is the MOST appropriate audit evaluation technique to provide assurance that adequate data backups exist to allow timely recovery of system operations following service disruptions?
A. Stop-or-go sampling
B. Interview personnel and review information system organization structure
C. Review applicable documented procedures and observe the process
D. Use any automated tool

Q1739. When an IS auditor obtains a listing of current users with access to the selected WAN/LAN and verifies that those listed are active associates, the auditor is performing a:
A. Compliance test.
B. Substantive test
C. Statistical sample
D. Risk assessment

Q1740. A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's vas
A. The length of service since this will help ensure technical competence.
B. The individual's age as training in audit techniques may be impractical
C. IS knowledge since this will bring enhanced credibility to the audit function
D. Existing IS relationships where the ability to retain audit independence may be difficult

Q1741. Which of the following statements pertaining to the determination of sample size is TRUE?
A. The larger the confidence level, the smaller the sample size
B. The larger the standard deviation, the larger the sample size
C. The smaller the precision amount, the smaller the sample size
D. Sample size is not affected by the expected error rate in the population

Q1742. In a risk-based audit approach, an IS auditor is not only influenced by risk but also by:
A. The availability of CAATs
B. Management's representations
C. Organizational structure and job responsibilities
D. The existence of internal and operational controls.

Q1743. Which of the following is a substantive audit test?
A. Verifying that a management check has been regularly performed
B. Observing that user IDs and passwords are required to sign on to the computer
C. Reviewing reports listing short shipments of goods received
D. Reviewing an aged trial balance of accounts receivable.

Q1744. Which of the following is NOT an advantage of a continuous auditing approach?
A. It tests cumulative effects for the year
B. Findings are generally more material to the organization
C. Audit resources are more effectively directed
D. Current decisions can be based on audited information

Q1745. In planning attribute sampling of data, which one of the following factors would be LEAST important?
A. Review and evaluation of internal controls
B. Age of the system being examined
C. Past audit experience and previous test results
D. Expected error rate

Q1746. The people who have contact with the system, such as employees and customers, are:
A. Users
B. Systems analysts
C. Programmers
D. Clients/Customers

Q1747. A plan to trace data to its source is called
A. An audit trace
B. A vector
C. Rollback
D. Two way hashing

Q1748. The person who fills the role of the change agent is the
A. System analyst
B. Administration
C. Programmer
D. User

Q1749. The kind of interview where all questions are planned in advance is called
A. Structured
B. Unstructured
C. Audit program
D. Checklist

Q1750. When the entire new system is used by a portion of the users, it is called
A. Pilot conversion
B. Direct conversion
C. Parallel conversion
D. Phased conversion

Q1751. A set of choices on the screen is called a(n):
A. Menu
B. Editor
C. Template
D. Cursor

Q1752. A well-controlled implementation minimizes the following risks except
A. Attrition turnover
B. System bugs
C. Misaligned staff
D. Performance issues

Q1753. A program written when the programmer is employed by the organization is owned by:
A. The organization
B. The programmer
C. The IT/IS department
D. The user

Q1754. If a program fails to pass a test, the programmer can call for a ………………… program run to check on the status of the registers after each program operation
A. Trace
B. Mapping
C. Linker
D. Loader

Q1755. A project management package can help managers identify the ………………. path so that they can direct their attention to the sequence of tasks in that path.
A. Critical
B. Shortest
C. Most expensive
D. Least expensive

Q1756. Integrating software shells allow users to exchange data between:
A. Separate programs produced by different vendors
B. Separate programs produced by the same vendor
C. Suite of programs produced by the same vendor
D. Hardware using different character codes

Q1757. The screen displays produced by a prototyping software package
A. May closely model the outputs that may be produced by the completed programs
B. Are the outputs produced by the completed programs
C. Hinder communication between system users and model builders
D. Discourage users from becoming involved in defining system needs

Q1758. Is the ratio of correct information to the total amount of information produced over a period
A. Accuracy
B. Reliability
C. Consistency
D. Dependability

Q1759. Which of the following is false in relation to documentation in a system implementation?
A. IS strategy
B. The sequence of programs and steps to be taken in case of processing failure
C. Code with comments embedded
D. Pseudocode and flowcharts

Q1760. A set of choices on the screen is called a(n):
A. Menu
B. Editor
C. Template
D. Cursor

Q1761. The kind of interview where all questions are planned in advance is called
A. Structured
B. Unstructured
C. Audit program
D. Checklist

Q1762. Is the ratio of correct information to the total amount of information produced over a period
A. Accuracy
B. Reliability
C. Consistency
D. Dependability

Q1763. The people who have contact with the system, such as employees and customers, are:
A. Users
B. Systems analysts
C. Programmers
D. Clients/Customers

Q1764. The person who fills the role of the change agent is the
A. System analyst
B. Administration
C. Programmer
D. User

Q1765. When the entire new system is used by a portion of the users, it is called
A. Pilot conversion
B. Direct conversion
C. Parallel conversion
D. Phased conversion

Q1766. The data gathering vehicle that permits high-volume anonymous answers is:
A. Questionnaire
B. Unstructured interview
C. Structured interview
D. Observations

Q1767. A plan to trace data to its source is called
A. An audit trace
B. A vector
C. Rollback
D. Two way hashing

Q1768. A program written when the programmer is employed by the organization is owned by:
A. The organization
B. The programmer
C. The IT/IS department
D. The user

Q1769. If a program fails to pass a test, the programmer can call for a ………………… program run to check on the status of the registers after each program operation
A. Trace
B. Mapping
C. Linker
D. Loader

Q1770. A project management package can help managers identify the ………………. path so that they can direct their attention to the sequence of tasks in that path.
A. Critical
B. Shortest
C. Most expensive
D. Least expensive

Q1771. Integrating software shells allow users to exchange data between:
A. Separate programs produced by different vendors
B. Separate programs produced by the same vendor
C. Suite of programs produced by the same vendor
D. Hardware using different character codes

Q1772. A well-controlled implementation minimizes the following risks except
A. Attrition turnover
B. System bugs
C. Misaligned staff
D. Performance issues

Q1773. The screen displays produced by a prototyping software package
A. May closely model the outputs that may be produced by the completed programs
B. Are the outputs produced by the completed programs
C. Hinder communication between system users and model builders
D. Discourage users from becoming involved in defining system needs

Q1774. Which of the following is false in relation to documentation in a system implementation?
A. IS strategy
B. The sequence of programs and steps to be taken in case of processing failure
C. Code with comments embedded
D. Pseudocode and flowcharts

Q1775. The data gathering vehicle that permits high-volume anonymous answers is:
A. Questionnaire
B. Unstructured interview
C. Structured interview
D. Observations

Answers for Module 4


Q1558 Ans. A Q1578 Ans. D Q1598 Ans. d
Q1559 Ans. C Q1579 Ans. A Q1599 Ans. d
Q1560 Ans. D Q1580 Ans. C Q1600 Ans. b
Q1561 Ans. B Q1581 Ans. D Q1601 Ans. c
Q1562 Ans. B Q1582 Ans. C Q1602 Ans. d
Q1563 Ans. C Q1583 Ans. C Q1603 Ans. b
Q1564 Ans. C Q1584 Ans. A Q1604 Ans. a
Q1565 Ans. C Q1585 Ans. B Q1605 Ans. c
Q1566 Ans. B Q1586 Ans. C Q1606 Ans. d
Q1567 Ans. A Q1587 Ans. A Q1607 Ans. a
Q1568 Ans. C Q1588 Ans. B Q1608 Ans. c
Q1569 Ans. A Q1589 Ans. A Q1609 Ans. c
Q1570 Ans. B Q1590 Ans. D Q1610 Ans. b
Q1571 Ans. b Q1591 Ans. A Q1611 Ans. b
Q1572 Ans. a Q1592 Ans. B Q1612 Ans. a
Q1573 Ans. d Q1593 Ans. B Q1613 Ans. b
Q1574 Ans. c Q1594 Ans. A Q1614 Ans. c
Q1575 Ans. a Q1595 Ans. a Q1615 Ans. d
Q1576 Ans. d Q1596 Ans. b Q1616 Ans. c
Q1577 Ans. a Q1597 Ans. c Q1617 Ans. c
Q1618 Ans. c Q1648 Ans. b Q1678 Ans. a
Q1619 Ans. c Q1649 Ans. b Q1679 Ans. c
Q1620 Ans. a Q1650 Ans. c Q1680 Ans. b
Q1621 Ans. c Q1651 Ans. b Q1681 Ans. c
Q1622 Ans. b Q1652 Ans. d Q1682 Ans. c
Q1623 Ans. c Q1653 Ans. c Q1683 Ans. b
Q1624 Ans. b Q1654 Ans. d Q1684 Ans. a
Q1625 Ans. d Q1655 Ans. b Q1685 Ans. d
Q1626 Ans. b Q1656 Ans. b Q1686 Ans. a
Q1627 Ans. c Q1657 Ans. d Q1687 Ans. b
Q1628 Ans. a Q1658 Ans. c Q1688 Ans. c
Q1629 Ans. d Q1659 Ans. c Q1689 Ans. c
Q1630 Ans. b Q1660 Ans. a Q1690 Ans. a
Q1631 Ans. c Q1661 Ans. b Q1691 Ans. a
Q1632 Ans. d Q1662 Ans. a Q1692 Ans. b
Q1633 Ans. d Q1663 Ans. b Q1693 Ans. a
Q1634 Ans. a Q1664 Ans. d Q1694 Ans. c
Q1635 Ans. a Q1665 Ans. a Q1695 Ans. c
Q1636 Ans. d Q1666 Ans. d Q1696 Ans. c
Q1637 Ans. c Q1667 Ans. b Q1697 Ans. c
Q1638 Ans. b Q1668 Ans. b Q1698 Ans. b
Q1639 Ans. b Q1669 Ans. b Q1699 Ans. b
Q1640 Ans. d Q1670 Ans. c Q1700 Ans. c
Q1641 Ans. d Q1671 Ans. d Q1701 Ans. c
Q1642 Ans. c Q1672 Ans. d Q1702 Ans. d
Q1643 Ans. a Q1673 Ans. c Q1703 Ans. d
Q1644 Ans. b Q1674 Ans. a Q1704 Ans. b
Q1645 Ans. b Q1675 Ans. a Q1705 Ans. D
Q1646 Ans. c Q1676 Ans. a Q1706 Ans. b
Q1647 Ans. c Q1677 Ans. a Q1707 Ans. c
Q1708 Ans. d Q1731 Ans. C Q1754 Ans. A
Q1709 Ans. a Q1732 Ans. B Q1755 Ans. A
Q1710 Ans. b Q1733 Ans. A Q1756 Ans. A
Q1711 Ans. b Q1734 Ans. C Q1757 Ans. A
Q1712 Ans. b Q1735 Ans. C Q1758 Ans. A
Q1713 Ans. d Q1736 Ans. D Q1759 Ans. A
Q1714 Ans. c Q1737 Ans. A Q1760 Ans. A
Q1715 Ans. d Q1738 Ans. C Q1761 Ans. A
Q1716 Ans. a Q1739 Ans. A Q1762 Ans. A
Q1717 Ans. b Q1740 Ans. D Q1763 Ans. A
Q1718 Ans. d Q1741 Ans. B Q1764 Ans. A
Q1719 Ans. a Q1742 Ans. D Q1765 Ans. A
Q1720 Ans. a Q1743 Ans. D Q1766 Ans. A
Q1721 Ans. c Q1744 Ans. B Q1767 Ans. A
Q1722 Ans. d Q1745 Ans. B Q1768 Ans. A
Q1723 Ans. b Q1746 Ans. A Q1769 Ans. A
Q1724 Ans. d Q1747 Ans. A Q1770 Ans. A
Q1725 Ans. c Q1748 Ans. A Q1771 Ans. A
Q1726 Ans. c Q1749 Ans. A Q1772 Ans. A
Q1727 Ans. A Q1750 Ans. A Q1773 Ans. A
Q1728 Ans. A Q1751 Ans. A Q1774 Ans. A
Q1729 Ans. D Q1752 Ans. A Q1775 Ans. A
Q1730 Ans. C Q1753 Ans. A

461
DISA Review Questions, Answers Manual – Module 6

Module 6 Questions
Q1776. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor perform FIRST?
A. Personally delete all copies of the unauthorized software.
B. Inform auditee of the unauthorized software and follow-up to confirm deletion.
C. Report the use of the unauthorized software to auditee management and the need to prevent recurrence.
D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.

Q1777. The audit procedure which could be common to auditing Information Security as well as for a financial audit and for IS audit is:
A. Review technical documentation
B. Inspection
C. Use CAATs for finding open ports
D. Review of Information Security Policy

Q1778. IS audit standards:
A. Specify the manner in which an IS audit should be carried out
B. Provide recommendations on improvement of audit performance
C. Provide auditors with a clear idea of the minimum level of acceptable performance
D. Provide guidance to audit professionals on performing IS audits in specified environments.

Q1779. Which of the following is a detective control?
A. Physical access controls
B. Segregation of duties
C. Back-up procedures
D. Audit trails

Q1780. An important distinction an IS auditor should make when evaluating and classifying controls as preventive, detective or corrective is:
A. The point when controls are exercised as data flows through the system.
B. Only preventive and detective controls are relevant.
C. Corrective controls can only be regarded as compensating.
D. Classification allows an IS auditor to determine which controls are missing.

Q1781. During a review of the controls over the process of defining IT service levels, an IS auditor would MOST likely interview the:
A. Business unit manager.
B. Legal staff.
C. Systems programmer.
D. Programmer.

Q1782. The risk of using an integrated test facility is:
A. The controls in application may not be tested
B. The processing of data may not be tested
C. The effects of testing using test data may adversely impact the integrity of the production database
D. The modifications for audit testing made to application in live environment may not be removed entirely.

Q1783. Sarbanes-Oxley Act 2002 seeks to regulate:
A. Control requirements relating to Information Technology governance and controls, especially those relating to financial disclosure controls
B. To enhance requirements as regards quality and transparency of financial reporting and disclosure and related internal controls and corporate responsibility thereof
C. To empower audit committees
D. To check the rate of growing computer crime

Q1784. Exposures refer to:
A. Quantification of potential impact of problem
B. Causes of risk
C. Audit objectives
D. Alignment of functions

Q1785. The document least likely to be considered in an Application Controls audit is:
A. User manual
B. Business process rules
C. Work flow procedures
D. Coding standards

Q1786. Which of the following is an anti-virus detective control?
A. Route all links to external systems via a firewall.
B. Scan all diskettes and CDs brought in from outside the company before use.
C. Scan all files on all file server hard disks daily, moving suspect files to a safe area.
D. Use anti-virus software to update users’ anti-virus configuration files every time they log in.

Q1787. Which of the following is not an offence under the Information Technology Act, 2000:
A. Introducing a virus into the network of an organisation
B. Providing assistance to any person to facilitate unauthorized access to any computer system.
C. Creating a software to cause denial of service attack
D. Damaging the computer system by changing an operating system parameter with a view to cause disruption to business

Q1788. Which of the following would qualify to be a requirement under the IT Act, 2000:
A. Requiring signatures on all documents generated
B. Controls over time and date stamping of data messages
C. Controls over physical security of computer equipment
D. Use of standard software for firewalls

Q1789. The key objective of control is to:
A. Implement appropriate policy, procedures and practices
B. Establish appropriate organisation structure
C. Provide reasonable assurance that business objectives are achieved.
D. Facilitate management of information systems

Q1790. CIS under AAS 29 of ICAI refers to:
A. Continuous and systematic information
B. Continuous and Intermittent Simulation
C. Computerised Information Systems
D. Computerised Information Sources

Q1791. Entrusted with the objective of identifying errors or deviations in the controls relating to inventory application software, which of the following would the auditor find most appropriate for the purpose?
A. Black box approach
B. Snapshot technique
C. Integrated test facility
D. Waterfall model

Q1792. The Information Technology Act does not apply to all of the following, except:
A. e-banking mechanism used instead of a cheque
B. A will
C. Electronic contract for sale of building through electronic means.
D. Notification of documents in the Government Gazette

Q1793. Identify the one that is NOT a key concept of object-oriented technology.
A. Encapsulation
B. Reusability
C. Messaging
D. Inheritance

Q1794. COBIT is:
A. A standard to be followed by IS auditors while conducting IS Audit
B. A comprehensive standard for IT Governance
C. A multi-purpose audit tool for testing application controls
D. A standard for Corporate Governance

Q1795. IT Infrastructure Library (ITIL) deals with:
A. Information Technology controls for organisations requiring secure implementation
B. Best practices for quality of IT services and its management
C. A governance model for management of IT
D. Internal controls in Information Technology for integrity of financial reporting.

Q1796. The scope and objective of an IS audit assignment is:
A. Always specified by regulation
B. Determined by the IS auditor
C. Specified by the user management
D. Agreed in discussion with the senior management

Q1797. IS auditors, auditing through computers, are not expected to:
A. Be aware of the fundamental concepts of Information Technology
B. Know the key components of IT and how they function
C. Be experts in technology behind development of CAATs
D. Understand business process controls

Q1798. The most important factor to be considered in case of an IT environment is:
A. Inherent risks
B. Physical access control impact IT
C. Environmental controls impact IT
D. CAATs are used for audit

Q1799. Internal testing is a part of __________
A. Stress testing
B. Penetration testing
C. Beta testing
D. Acceptance testing

Q1800. Identify the factor that is not part of an expert system architecture.
A. Knowledge base
B. Computing environment
C. Inference engine
D. End user interface

Q1801. An IS Auditor has been assigned the task of reviewing the Information Systems Security of a Sales Database. This refers to evaluation of information based on the following criteria:
A. Effectiveness, Efficiency and Authenticity
B. Confidentiality, Integrity and Availability
C. Availability, Integrity and Reliability
D. Confidentiality, Compliance and Reliability

Q1802. The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do, is an example of:
A. Inherent risk.
B. Control risk.
C. Detection risk.
D. Audit risk.

Q1803. The most critical impact on an internal control system on account of computerization is:
A. High volume of processing of transactions
B. Extent of substantive procedures could be reduced
C. Internal control systems get in-built into the applications
D. Inherent risks of information technology as deployed

Q1804. The most effective option of using computer programs for testing client data is:
A. Use the client’s program
B. Write a program specifically for the purposes of the audit
C. Use a generalized audit software
D. Use a walk-through approach to understanding the process

Q1805. An auditor plans to use CAATs extensively for conducting an internal audit of manufacturing operations of an enterprise. CAATs are least likely to be used for:
A. Drawing out appropriate samples
B. Interface with production databases to query
C. Report the audit findings with evidence
D. Uncover fraudulent transactions

Q1806. With regard to an external audit agency entrusted with review of controls in sales and inventory processes in a computerized information systems environment, the audit approach will significantly differ with regard to:
A. The method of fixation of audit objectives and scope
B. The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control system.
C. The methods for rating of risks based on his findings
D. The degree of performance of compliance and substantive test procedures in a computerized environment as compared to a non-computerised environment

Q1807. Using Generalised Audit Software to test whether correct rates are applied to sales invoices involves:
A. Testing the logic and sales data of the auditee
B. Testing the actual sales data from the database of the client
organisation.
C. Testing the auditee’s sales application software
D. Testing the access controls

Q1808. As a basis of determining the size of the project, COCOMO model uses:
A. Function Points
B. Object Points
C. Lines of Code
D. None of the above

Q1809. The method used for identification of risk is called:
A. Risk chart
B. Risk graph
C. Risk item checklist
D. None of the above

Q1810. Requirement specification errors lead to:
A. Function-related bugs
B. System bugs
C. Design bugs
D. Data bugs

Q1811. Processes in a Transaction Processing System are: 1) Data Validation 2) Data Preparation 3) Data Entry. The order in which they are performed is:
A. 2,3,1
B. 1,2,3
C. 2,1,3
D. 3,1,2

Q1812. Compliance testing could be most effectively used for testing the:
A. Completeness of transactions
B. Accuracy of transactions
C. Implementation of controls as per policy
D. Processing of transactions

Q1813. An auditor would use the black box approach:
A. To test for suspected transactions or suspected practices
B. In case the audit does not involve testing controls in a computerized information systems environment.
C. To evaluate the controls in computerized systems by analyzing the outputs from a computerised system against calculated results for a given set of inputs
D. To map the logic path and controls in the application software.

Q1814. An organisation seeks to get its Information Security Management System certified by an independent certifying agency. Which of the following standards would be useful in this regard:
A. COBIT
B. SAS 70
C. BS7799
D. ITIL

Q1815. The most critical risk in embedded audit facility is:
A. Specially designed modules are not appropriately embedded in the application
B. Selected data is stored on the auditee’s computer
C. Selected data can be modified by the auditee’s management
D. Data collection modules are inserted in the application at points determined by the auditee management.

Q1816. The Information Technology Act:
A. Defines the method of authentication of an electronic record
B. Provides for authentication of all electronic records using digital signature.
C. Encourages the use of digital signatures for all government transactions
D. Requires the use of electronic signatures using symmetric cryptography

Q1817. An upper CASE tool is used in:
A. Design
B. Code
C. Implementation
D. Maintenance

Q1818. IS audit refers to any audit that encompasses review and evaluation of:
A. Efficiency of computing resources and networking technologies
B. Controls in Computerised information systems
C. Risks and controls as regards use of IT for business
D. Automated information processing systems and its interfaces

Q1819. An audit firm is offered the engagement to conduct a Network security audit of the ATM systems of a large national bank. In such a situation, the audit firm should:
A. Accept the audit even though internal competencies may not be available
B. Not accept the assignment since it does not possess the competencies
C. First evaluate the audit risk of conducting the audit with available internal competencies and explore the options of relying on the services of an expert
D. Accept the audit first and take immediate steps to gain the knowledge and competence through intensive training.

Q1820. Companies use Enterprise Resource Planning (ERP) packages to:
A. Plan future requirements
B. Integrate the work of various departments
C. Utilise minimum resources
D. Find errors in a database

Q1821. In SDLC, in which phase would you perform Boundary value analysis?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1822. A lower cost software product metric that is used for data collection:
A. Requirements tracing
B. Defect counts
C. Function points
D. Test coverage

Q1823. For effective implementation of a software quality program the MOST important prerequisite is:
A. Quality metrics
B. Process improvement
C. Software reengineering
D. Commitment

Q1824. Risk mitigation deals with:
A. Avoiding risk
B. Transferring risk
C. Accepting risks
D. All of the above

Q1825. Which of the following is an upper CASE tool?
A. Debugging tool
B. Source code generation tool
C. Flow-charting tool
D. Project Management tool

Q1826. The most common cause of IS exposures is:
A. Errors, negligence and low-tech manipulations by insiders
B. Hacking
C. Computer Equipment breakdown
D. Natural disasters such as fire, earthquake and floods.

Q1827. The first step in using audit software is to:
A. Collect the test data
B. Understand the test objectives
C. Evaluate the test results
D. Identify IT resources required for the testing

Q1828. The most critical control consideration in designing the audit procedures in a computerized environment is:
A. Lack of segregation of duties
B. Lack of management control
C. Lack of IT knowledge by IT staff operating the system
D. The online and real time nature of the system

Q1829. The objective of an audit charter is to:
A. Serve as a control framework for outsourced audit engagements
B. Outline the responsibility and authority of the IS Audit function
C. Prescribe the audit program and procedures
D. A top level document that defines the rights, authority and responsibilities of the management towards the audit function

Q1830. An IS Auditor appointed to conduct an IS audit of networking controls is expected to perform all of the following except:
A. Identify and evaluate control weaknesses
B. Provide report on the findings and recommendations
C. Follow up implementation of recommendations
D. Ensure that controls are effectively installed by participating in implementing the controls

Q1831. An IS auditor is expected to use due professional care when performing audits, which requires that the individual exercise skill or judgment:
A. Commonly possessed by practitioners of that specialty.
B. Which includes programming skills in the software under review.
C. Relating to the selection of audit tests and evaluation of test results
D. Where an incorrect conclusion based on available facts will not be drawn.

Q1832. The objective of IS security is least likely to include:
A. Strategy for risk management
B. Procedures and practices to assure that computer facilities are available at all required times
C. Complete and efficient processing of data occurs
D. Restriction of data access to authorized users

Q1833. The objective of the audit mission statement is to:
A. Outline the purpose and value addition of the audit function
B. Lay down the priority for the areas of audit
C. Outline the responsibility and authority of the IS Audit function
D. Assess the competency and skill requirements of the IS Audit function.

Q1834. IS security is not concerned with:
A. Possibilities of fraud and error
B. Ability to manage IT resources effectively
C. Attempt of company to keep its information intact
D. Ability to recover from disasters like data loss with minimum damage.

Q1835. Changes in traditional controls in a computerized environment are least likely to impact:
A. Transfer of responsibilities
B. Decline in accountability
C. Audit objectives
D. Alignment of functions

Q1836. The risk assessment approach should ensure formal agreement on residual risk. The most critical factor on which this depends is:
A. Risk identification and measurement
B. Corporate policy
C. Adopting risk assessment approach of that of the competitor
D. Cost effectiveness of implementing safeguards and controls

Q1837. The risk assessment process involves all of the following except:
A. Take steps to reduce risk to an acceptable level
B. Assess probability of occurrence of threats
C. Identify the IT resources
D. Ascertain the risk profile

Q1838. Which of the following forms of evidence would be considered to be the MOST reliable?
A. An oral statement from the auditee
B. The results of a test performed by an IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source

Q1839. Skills and competence requirements of an IS Auditor must include:
A. Proficient programming skills
B. Sound knowledge of business operations, practices and compliance requirements and related IT risks and controls
C. A general understanding of systems design and project management concepts
D. In-depth knowledge of risks and controls relating to various Information technologies

Q1840. At which stage of the Software Development Life Cycle (SDLC) is the program development work completed?
A. Design specifications
B. Program specifications
C. System testing
D. Unit testing

Q1841. Ability to operate on multiple computer types from different vendors is envisaged by:
A. Integrity
B. Reliability
C. Maintainability
D. Portability

Q1842. The longest phase in SDLC is:
A. Requirements and analysis
B. Design
C. Implementation
D. Maintenance

Q1843. Which of the following tests would be used to ensure whether a software product fails or not?
A. Quality assurance test
B. Interface test
C. Integration test
D. Volume test

Q1844. Which of the following phases involves gathering of cost data?
A. The Pre-delivery phase
B. The early operational phase
C. The mature operational phase
D. The evolution/replacement phase

Q1845. Error seeding should be done in which of the following phases of a system development life cycle?
A. Analysis
B. Design
C. Implementation
D. Maintenance

Q1846. With regard to systems development, hardware and software studies are performed in:
A. System analysis phase
B. System design phase
C. System implementation phase
D. None of the above

Q1847. With respect to expert systems, a heuristic is not a:
A. Rule of thumb
B. Known fact
C. Known procedure
D. Guaranteed procedure

Q1848. Which phase of SDLC uses Data Flow Diagram?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1849. Which one of the following is a Fourth Generation Language (4GL):
A. C
B. PHP
C. Oracle
D. Visual Basic

Q1850. The main objective of a system test is to:
A. Make the system fail.
B. Test the control totals
C. Determine the program
D. Determine that manuals are complete and adequate

Q1851. Which would ensure that IS organizations do not take more resources
for less output?
A. Full-scale projects
B. Pilot projects
C. Grand design projects
D. Conversion projects

Q1852. In Reverse Engineering, ______________ deals with the restructuring of existing source code.
A. Abstraction
B. Completeness
C. Interactivity
D. Directionality

Q1853. What does predictive validity specify?
A. Quantitative score
B. Assessment model
C. Quality assurance
D. Relationship between process capability and performance

Q1854. A document-driven approach is used in:
A. The prototyping model
B. The waterfall model
C. The spiral model
D. The iterative model

Q1855. What is the maximum number of critical paths in a program evaluation review technique (PERT) chart?
A. Only one
B. Less than 3
C. Less than 10
D. As many paths as there are in the chart

Q1856. Identify the non-cost factor while analysing feasible system alternatives
for an organisation.
A. Conversion
B. Supplies
C. Maintenance
D. Obsolescence

Q1857. If a program cannot be executed, then it requires:
A. Adaptive maintenance
B. Preventive maintenance
C. Perfective maintenance
D. Corrective maintenance

Q1858. Prototyping approach does not assume the existence of:
A. Reusable software
B. Formal specification languages
C. Detail requirements document
D. Fourth-generation programming languages

Q1859. In the Software Capability Maturity Model, the Productivity and Quality
of a software project is measured in:
A. Level 1
B. Level 2
C. Level 3
D. Level 4

Q1860. A catastrophic failure in a memory chip is due to:
A. A short or open circuited wire
B. Improper chip insertion
C. Unconnected wires
D. Physical or electrical damage

Q1861. An auditor evaluating a software package purchase contract will NOT expect the contract to include:
A. Licence cost
B. Maintenance cost
C. Operational costs
D. Outage costs

Q1862. Identify the element that is not connected with structured design.
A. Coupling
B. Cohesion
C. Objects
D. Structure charts

Q1863. In which phase of SDLC would you use software sneak circuit analysis?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1864. The boundary conditions incorporated in a program are tested in:
A. Regression test
B. Conversion test
C. Stress test
D. Integration test

Q1865. The most efficient stress testing tool used for both front end and
backend applications is:
A. Open STA
B. Microsoft web application stress tool
C. Compuware’s QA load
D. Pureload

Q1866. Which of the following can be construed as a COMPREHENSIVE preventive method in locating a bug?
A. Formal inspections
B. Programming languages
C. Software compilers
D. Software testing

Q1867. Which file format requires an acrobat reader to view the file?
A. .zip
B. .pdf
C. .html
D. .arc

Q1868. Which of the following is done at various testing points in the production process?
A. Regression Testing
B. Vee Testing
C. Black Box Testing
D. Integration Testing

Q1869. Which one of the following is NOT a part of software quality metrics?
A. Completeness
B. Ergonomics
C. Correctness
D. Reliability

Q1870. Which of the following would greatly affect the project estimate if any
changes made to it while developing a project?
A. Time
B. Scope
C. Quality
D. Resources

Q1871. Software metric that deals with measurement of lines of code is:
A. Requirements metrics
B. Design metrics
C. Code metrics
D. Test metrics

Q1872. Software Acquisition Innovation Management and Continuous Process Improvement belong to which level of SA-CMM?
A. Level 5
B. Level 4
C. Level 3
D. Level 2

Q1873. Where would you handle finite state machines in SDLC?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1874. Identify the item that is not a part of performance guarantees in software
contract negotiations.
A. Terms of payment
B. Warranty provisions
C. Package fixes
D. Penalty provisions

Q1875. Which one of the following errors will occur because of overflow
conditions?
A. Requirement errors
B. Design errors
C. Process errors
D. Data errors

Q1876. The testing process conducted during the “live” application of software
is a ___________
A. Functional test
B. Performance test
C. Beta test
D. Acceptance test

Q1877. What makes Rapid prototyping technique portable?
A. User friendliness
B. Quality
C. Software independence
D. Productivity

Q1878. Which of the following is the most difficult to manage in a SDLC project?
A. Personnel turnover
B. Changes in hardware
C. Creeping functions
D. Changes in project scheduling

Q1879. In software maintenance, the NON-technical tool is:
A. Cross referencer
B. Change control
C. Comparator
D. Diagnostic routines

Q1880. IS Auditor’s participation is necessary during the following steps in the SDLC, EXCEPT?
A. Feasibility study
B. User requirements
C. Programming
D. Manual specifications

Q1881. Which of the following is not a congestion management tool?
A. Priority queuing
B. Custom queuing
C. Network traffic queuing
D. Weighted fair queuing

Q1882. The process of visualising the design of a project that is yet to take
shape is called:
A. Data abstraction
B. Data modeling
C. Data transparency
D. Data designing

Q1883. Software quality assurance envisages:
A. Error prediction
B. Error prevention
C. Error detection
D. Error correction

Q1884. In monitoring and controlling a system development life cycle project, what is NOT formal and documented?
A. Change management forms
B. Logs
C. Checklists
D. Face-to-face communications

Q1885. All of the following should be in place prior to programming except:
A. User manual
B. Coding standards
C. Detail design documents
D. Unit test cases

Q1886. The cost incurred in collecting data comes under:
A. Prevention cost
B. Appraisal cost
C. Internal failure cost
D. External failure cost

Q1887. The type of information design used for navigational aids and graphs for geographical use is:
A. Pictogrammatic
B. Diagrammatic
C. Cartographic
D. Hybrid

Q1888. Which one of the following statements is true?
A. Testing follows debugging
B. Debugging follows testing
C. Requirements follow design
D. Coding follows implementation

Q1889. In which of the following phases of a system development life cycle are decision tables used?
A. Requirements Definition
B. Detailed Design
C. Implementation
D. Testing

Q1890. Incorrect initialization occurs on account of which of the following faults?
A. Data fault
B. Requirement fault
C. Output fault
D. Design fault

Q1891. Which of the following is not an element of a measurement program?
A. Cost to the software project
B. Cost of technical support
C. Cost of analysis and packaging
D. Cost to the hardware

Q1892. Stress testing is mainly done to test the _____________.
A. Feasibility of a program
B. Database reliability.
C. Website
D. Efficiency of hardware components.

Q1893. Which of the following is a party to the escrow agreement?
A. Mortgagor
B. Lessor
C. Lessee
D. Beneficiary

Q1894. Which phase of SDLC uses the “Program slicing” technique?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1895. The component of a Management Information System (MIS) that assists in planning and decision making in an organisation is/are:
A. Hardware
B. Software
C. Database
D. All of the above

Q1896. A less formal review technique is:
A. Inspections
B. Testing
C. Reviews
D. Walkthroughs

Q1897. Design phase in the linear sequential model deals with:
A. Designing the data structure
B. Designing the user interfaces
C. Designing the algorithms
D. All of the above

Q1898. The sequence and level of testing of an item or function is decided at:
A. Test strategy
B. Test Plans
C. Test Case Design
D. Test procedure

Q1899. Each of the following should be included in a user manual, EXCEPT:
A. Data entry format
B. On-line menu descriptions.
C. Checkpoint/restart procedures.
D. Edit criteria

Q1900. Which of the following is NOT associated with structured programming?
A. Program design languages
B. Top-down approach to development
C. Modularization
D. Uncontrolled looping

Q1901. The biggest benefit of prototyping is:


A. Better version control
B. Better communications between developers and users
C. Increased productivity
D. Faster delivery

Q1902. Which one of the following metrics deals with “number of entries/exits per module”?
A. Requirements metrics
B. Design metrics
C. Code metrics
D. Test metrics

Q1903. Which of the following approaches is used in the waterfall development model?
A. Entity-based approach
B. Risk-based approach
C. Rule-based approach
D. Data-based approach

Q1904. CASE Tools do not help in:


A. Understanding requirements
B. Code generation
C. Security Labels
D. System prototyping

Q1905. Software quality assurance process does NOT undertake:


A. Reviewing library controls
B. Monitoring and reporting system
C. Reviewing change controls
D. Evaluating software distribution

Q1906. Identify the EARLIEST software development model


A. The Waterfall model
B. Prototyping model
C. Spiral model
D. Incremental model

Q1907. While acquiring software, which of the following criteria should be applied?
A. Useful life
B. Resale value
C. Cost of capital
D. All the above

Q1908. In the development life cycle model, the place to start software quality
process is:
A. Requirements phase
B. Design phase
C. Coding phase
D. Testing phase

Q1909. The software test objective of operating in different platforms is achieved by conducting:
A. Recovery test
B. Regression test
C. Integration test
D. Configuration test

Q1910. Availability of computer time is taken care of in which part of project planning and scheduling?
A. Milestones
B. Deliverables
C. Baseline
D. Assumptions

Q1911. In which phase of the SDLC is desk checking practiced?


A. Requirements
B. Design
C. Implementation
D. Maintenance

Q1912. You would NOT use stubs or drivers in which of the following testing
approaches?
A. A top-down approach
B. A bottom-up approach
C. A sandwich approach
D. A big bang approach

Q1913. Which of the following is not a subsystem of a Decision Support System (DSS)?
A. Language System
B. Knowledge System
C. Transaction Processing System
D. Problem Processing System

Q1914. The testing process in which the user participates is called:


A. Acceptance testing
B. Program testing
C. Conversion testing
D. System testing

Q1915. Which of the following is NOT a characteristic of legacy systems?


A. Focus on specific problems
B. Limited scope
C. Selective functionality
D. Effective and efficient management of databases

Q1916. User interface prototyping may NOT focus on:


A. Screen layouts
B. Dialogue styles
C. Ergonomics
D. System performance

Q1917. Which of the following is a dynamic analysis to detect software errors?


A. Inspections
B. Code reading
C. Testing
D. Tracing

Q1918. What is the most important factor to be considered when comparing system alternatives before making the final selection?
A. ROI
B. IRR
C. User satisfaction
D. Benefit-cost ratio

Q1919. Which of the following is useful in auditing Program Change Management?
A. User manual
B. System logs
C. Standards and procedures
D. Operators run manuals

Q1920. Which of the following software metrics would refer to function points?
A. Requirements metrics
B. Design metrics
C. Code metrics
D. Test metrics

Q1921. In unit testing, which one of the following can be mechanised?


A. Syntax checking
B. Desk checking
C. Quality assurance audit
D. Quality assurance review

Q1922. Which of the following is not a component of audit risk?


A. Inherent risk
B. Control risk
C. Detection risk
D. Restrictive risk

Q1923. The development of IS security policy is the responsibility of the


A. IS department
B. Security committee
C. Security administration
D. Board of directors

Q1924. Which of the following socio-technical design principles is applicable to environmental guidelines?
A. Compatibility
B. Information flow
C. Boundary location
D. Support congruence

Q1925. ------------ is an activity conducted in the last stages of the contract before accepting an information technology product:
A. Benchmarking
B. Testing
C. Contract negotiation
D. Vendor evaluation

Q1926. ---------- is an activity performed in the pre-contract phase of a software acquisition project.
A. Identification of alternatives
B. Testing and acceptance
C. Contract management
D. Preparation of the invitation document

Q1927. A computer programmer altered the program for Savings Bank accounts so that his account would not be listed when a list of accounts with overdrafts was prepared. Each of the following controls would be effective in preventing or detecting this fraud EXCEPT:
A. User sign-off for program changes
B. Special Internal Auditor review of all employee accounts
C. Independent code review following any changes
D. Prohibiting programmers from moving compiled programs to production

Q1928. A decision table is used in program testing to test the branching to distinct processes. It consists of:
A. condition stub and result
B. condition stub, condition entry, action stub and action entry
C. action stub and condition entry
D. action stub and result

Q1929. A feasibility study should be conducted when:


A. a decision must be made on the best way of sequencing SDLC
during system development
B. the consequences of decentralising data processing functions
must be assessed
C. an assessment must be made of whether or not the security
policy and procedures work
D. decision must be made on whether or not a new operations
schedule will increase throughput and staff efficiency

Q1930. A majority of defects are attributed to a small number of causes. Which of the following basic tools would BEST depict this scenario?
A. A scatter diagram
B. A Pareto diagram
C. A run chart
D. A control chart

Q1931. A project manager must know which of the following in order to be sure that the schedule will work, even though he has a detailed project schedule?
A. Detailed cost for each phase
B. Programmer assignments
C. Task interdependencies
D. Resource allocation

Q1932. A software metric will NOT define which one of the following?
A. Number of defects per thousand lines of code
B. Number of defects over the life of a software product
C. Number of customer problems reported to the size of the product
D. Number of customer problems reported per user month

Q1933. A Software Quality Assurance team performs the job of:


A. Preparing an SQA plan
B. Participating in the development of the project's software process description
C. Reviewing software engineering activities to verify compliance with the defined process
D. All the above

Q1934. Which one of the following will be included in the application software
testing phase for effective controls?
A. Test cases, test documentation
B. Test summaries, test execution reports
C. Activity logs, incident reports, software versioning
D. Test cases rejected, test cases accepted

Q1935. While auditing system acquisition, the auditor’s objective is to ensure that the system acquisition is based on complete and accurate lists of the functional needs of the user. For this, the auditor reviews which one of the following?
A. The security policy of the organisation
B. The requirements and specifications statement of the project
C. The acquisition-plan document
D. All of the above.

Q1936. While development is in progress, changes are likely to occur, but modifications should be effected in a controlled manner. Which of the following principles will guarantee this?
A. Project management
B. Quality assurance
C. Configuration management or change control techniques
D. Time management

Q1937. With respect to the various phases in the system development life cycle,
which of the following is least likely to vary:
A. conduct of each phase as planned
B. sequence in which the phases are performed
C. resources and time needed to perform each phase
D. presence of each phase

Q1938. Which of the following statements is true with regard to Computer Aided
Software Engineering (CASE) workbench?
A. A single CASE tool is more effective when used individually than
when combined with more than two
B. It is very difficult to add a new CASE workbench or replace an existing one
C. An organisation has to depend on a single supplier
D. Workbench can be easily managed with the aid of the
configuration management system

Q1939. Which of the following system life factors is most difficult to control by
a user organization?
A. The length of time the system will satisfy the needs of the initial
user
B. The rate at which computer technology is expected to advance
C. The probability of continued availability of system support
D. The time required for subsequent acquisition to meet the
requirement

Q1940. Which of the following technical specifications will NOT be included in a functional requirements document for a software package?
A. System design
B. Mean-time-between-failure
C. Mean-time-to-repair
D. On-line system response times

Q1941. Which of the following testing approaches will test the system’s ability
to withstand misuse by inexperienced users?
A. Functional testing
B. Unit testing
C. Resiliency testing
D. User acceptance testing

Q1942. Which of the following testing methods is used when the loops in a program are not structured?
A. Flow graphs
B. Graph Matrix
C. Concatenating loop
D. No testing is done until loops are redesigned and structured.

Q1943. Which of the following tests addresses the interaction and consistency issues of successfully tested parts of a system?
A. Unit testing
B. Acceptance testing
C. Integration testing
D. System testing

Q1944. Which of the following tests ensures that all the programs in the system
being developed work in concert and their communication among
themselves is as designed?
A. Unit test
B. Interface test
C. Regression test
D. Integration test

Q1945. Which of the following threats, vulnerabilities, or risks does not arise in an in-house system development project?
A. Signing poor contracts
B. Planting Trojan horses
C. Writing incorrect program code
D. Using inappropriate tools

Q1946. Which one of the following criteria shall NOT be considered for choosing
an appropriate Computer platform to suit a given application software
system?
A. Database size
B. Data usage
C. System development tools
D. Data storage

Q1947. Which one of the following design approaches would address data
sharing and system access problems in legacy application systems?
A. Develop a shareware application
B. Develop a freeware application
C. Develop an API application
D. Develop a GUI application

Q1948. Which one of the following documents would be least effective in performing unit testing of applications software?
A. Program source code
B. System requirements definition
C. Detailed design documents
D. General design documents

Q1949. Which one of the following errors cannot be detected during an inspection activity?
A. Incomplete requirements errors
B. Infeasible requirements errors
C. Conflicting requirements errors
D. Input/output errors

Q1950. Which one of the following graphical user interface (GUI) development approaches would create more user-friendly interactions?
A. Object-oriented user interfaces
B. Application-oriented user interfaces
C. Screen-oriented manipulation user interfaces
D. Menu-oriented user interfaces

Q1951. Which one of the following is an example of process metric?


A. Number of software developers
B. Size and complexity of the system
C. System performance levels
D. Resolution time for fixing errors

Q1952. Which one of the following is performed FIRST in a system development life cycle project?
A. Developing program flow chart
B. Determining system inputs and outputs
C. Developing design documents
D. Developing conversion plans

Q1953. Which one of the following maintenance aspects would greatly ensure
the currency of the plan as time passes?
A. Incorporate into hardware upgrades
B. Incorporate into change management procedures
C. Incorporate into software upgrades
D. Incorporate into revision procedures

Q1954. Which one of the following methodologies requires efficient system requirements analysis?
A. Reverse engineering
B. The Delphi method
C. Joint application design (JAD)
D. Traditional system development life cycle

Q1955. Which one of the following options is not a characteristic of structured analysis?
A. It uses a bottom-up approach.
B. It uses several tools and techniques.
C. It uses physical and logical models.
D. It incorporates several steps simultaneously

Q1956. Which one of the following pairs, when performed simultaneously, would
pose a major Risk?
A. Systems analysis and design
B. System design and programming
C. Programming and testing
D. Test case preparation and test case execution

Q1957. Which one of the following reasons is the most important to retain a
legacy application system?
A. It meets the needs of the organization
B. Changing the computing platform may not improve the legacy
system
C. Resistance to change
D. Low maintenance cost

Q1958. Which one of the following software test methods should invariably
perform Input-tolerance testing?
A. Unit testing
B. Integration testing
C. Production operations acceptance testing
D. User acceptance testing

Q1959. Which one of the following techniques is represented by structured analysis and design?
A. Function-oriented techniques
B. Data-oriented techniques
C. Control-oriented techniques
D. Information-oriented techniques

Q1960. Which one of the following testing orders is correct?


A. Integration test, unit test, systems test, acceptance test
B. Unit test, systems test, integration test, acceptance test
C. Acceptance test, unit test, integration test, systems test
D. Unit test, integration test, systems test, acceptance test

Q1961. According to Gartner, the three components of systems management are: Knowledge and control, Policy setting and Continuous improvement. Which of the following forms the foundation of systems management?
A. Knowledge and control
B. Policy setting
C. Continuous improvement
D. None of the above

Q1962. Activities related to determining strategic business objectives based on market needs, or threat analysis, fall under which stage of software acquisition?
A. Predevelopment
B. Development
C. Post development
D. Concept Exploration

Q1963. After the system is developed, the auditor's objective in conducting a general review is to
A. determine whether a critical application system needs modification due to a recent change in the statute
B. conduct a test of controls to ensure that no necessary control is omitted in the design
C. make an evaluation of the whole process to quantify the
substantive test required for the specialized audit of the process
D. conduct a substantive test of the application system

Q1964. After which of the following tests should the formal change control mechanism start?
A. After completion of integration testing
B. After completion of unit testing
C. After completion of systems testing
D. After completion of acceptance testing

Q1965. All of the following assumptions about legacy application systems are
correct except
A. A legacy system is a mainframe computer-based application
system
B. A legacy system is old and hence no longer good
C. A legacy system uses a proprietary programming language
D. A legacy system is difficult to port to other environments

Q1966. Among the various software analyses listed below, the controlling
functionality against software failure is provided by:
A. Safety analysis
B. Sneak circuit analysis
C. Fault tree analysis
D. Hazard analysis

Q1967. An analysis of the project requirements for the activities of an organisation is done in which stage of the Software Development Life Cycle (SDLC)?
A. Feasibility study stage
B. Business requirement specifications stage
C. Functional specifications stage
D. Design specifications stage

Q1968. An IS auditor takes part in the development team deliberations NOT for
A. ensuring adequacy of data integrity controls
B. ensuring adequacy of data security controls
C. ensuring that there are no cost and time overruns
D. ensuring that documentation is accurate and complete

Q1969. An IS auditor, while conducting a post-implementation review, would look for:
A. the documentation of the test objectives
B. the extent of issues pointed out in the user acceptance test and
the unresolved issues
C. the documentation of the test results
D. the log containing the problems reported by the users

Q1970. An off-the-shelf applications software package requirement document does NOT include which one of the following?
A. Both organizational and functional requirements should be
precisely stated to vendors
B. System reliability should be expressed to vendors in MTBF and
MTTR terms
C. System response time should be stated to vendors under
average-case conditions
D. System response time should be stated to vendors under worst-
case conditions

Q1971. Auditing development project work in the prototyping model presents IS auditors with difficult problems. Which of the following is the MOST difficult?
A. Exhibiting flexibility to new approaches vis-à-vis traditional
approaches
B. Evaluating the adequacy of the documentation
C. Maintaining cordial relation with the team members
D. Keeping the technical knowledge up to date

Q1972. Auditors gather evidence during the review of the system design of a software project. On which of the following tools will they NOT depend?
A. Observation of the design process
B. Interviewing the development team
C. Verifying the documented plan
D. Circulating questionnaires among the members of the team for
their self evaluation

Q1973. Black-box testing is depicted by which of the following?


A. Test all features mentioned in the specifications
B. Execute every statement at least once
C. Execute every branch at least once
D. Test the use of all data objects

Q1974. Business risk does not include:


A. Risk of developing software that has no takers
B. Risk that affects the entire project plan
C. Risk of developing software for an outdated business strategy
D. Risk of losing the support of the top management, due to change
in business focus.

Q1975. Customer details, such as address changes, are being used in too many mainframe application systems, calling for a great deal of redundant data entry effort. In this situation, which one of the following methods will be useful?
A. Develop “seamless” processes
B. Eliminate mainframe computer processing
C. Develop a data synchronization software
D. Develop a client/server system

Q1976. Decision tables are used in programs for branching to various distinct processes. Which of the following systems generally use decision tables?
A. Transformational systems
B. Interactive systems
C. Concurrent system
D. Distributed systems

Q1977. Unauthorized changes to program source code files can be detected by the IS auditor by
A. analytical review
B. code review
C. comparison of codes
D. log of authorized changes

Q1978. Difference between the spiral model and the incremental model is:
A. The former is an evolutionary process, the latter is a classic
process
B. The former is time consuming, the latter is time saving
C. The former does not ensure delivery of product after every
iteration, the latter does
D. None of the above

Q1979. During which of the following stages is user resistance encountered in the Computer Aided Software Engineering (CASE) life cycle?
A. Procurement
B. Evolution
C. CASE system introduction
D. Obsolescence

Q1980. Each of the following is a preventive control over systems development EXCEPT:
A. Standard methodology
B. Documentation standards.
C. Post implementation reviews.
D. User training program.

Q1981. During conversion, the primary purpose of parallel running is to:
A. provide the basis for users training and acceptance testing
B. provide the basis for carrying out comprehensive system and user
tests
C. determine whether there are any bugs in the new hardware/
system software configuration that has been chosen
D. provide the basis for validating the design and implementation of
the new system

Q1982. During the system design phase, an auditor participating in system development attempts to:
A. ensure refreezing methodology has been designed
B. determine whether necessary controls have been designed into
the system
C. ensure that the actual cost of the system development project is
within the budgeted cost
D. evaluate whether all the phases of the SDLC are being performed serially

Q1983. During the conduct of a source code review, the examination of the data
processing installation’s programming standards occurs:
A. after the source code listing has been obtained
B. concurrently with the source code review
C. before reviewing the program’s specifications
D. standard may not be reviewed at all

Q1984. In an organisation, Integrated Test Facility (ITF) is not used in:


A. Maintenance
B. Automatic testing
C. Quantity control
D. Quality control

Q1985. During the entry phase, the system designer:
A. explains to users various alternative designs that can be implemented
B. freezes and unfreezes the organisation requirements
C. carries out a preliminary study to evaluate the feasibility of the
new system
D. undertakes to understand the requirements of the proposed
system

Q1986. During the problem definition phase, the terms of reference do not
describe:
A. boundaries of the system to be examined
B. proposed objectives of the new system
C. problems of the stakeholders
D. organisational and resource constraints

Q1987. Expert systems are NOT associated with which one of the following?
A. Expert systems are aimed at solving problems using an
algorithmic approach
B. Expert systems are aimed at solving problems that are
characterized by irregular structure
C. Expert systems are aimed at solving problems characterized by
incomplete information
D. Expert systems are aimed at solving problems characterized by
considerable complexity

Q1988. Find the CRITICAL PATH among the following paths in a PERT chart:
Path 1: A-D-E-G, 120 man-days; Path 2: A-B-C-D-G, 125 man-days;
Path 3: A-F-G, 135 man-days; Path 4: A-B-F-G, 137 man-days
A. Path 1
B. Path 2
C. Path 3
D. Path 4

Q1989. For effective application development, each of the following would help EXCEPT:
A. Active participation by user departments.
B. Management involvement
C. Prioritisation of applications to be developed
D. Post implementation reviews.

Q1990. For assessing process variations in software development and maintenance projects, which one of the following will be useful?
A. A control chart
B. A run chart
C. A bar graph
D. A Pareto diagram

Q1991. For reducing the complexity of a computer-based application program, which of the following should be done?
A. Limit the length of the program as represented by the number of
characters
B. Limit the size of the program as represented by the number of
statements
C. Limit the number of independent paths in the program
D. Limit the type of programming language used in the program

Q1992. Formal change control mechanism would start after which of the
following in an overall system development project?
A. Completing the system planning document
B. Completing the system requirements document
C. Completing the system design document
D. Completing the program coding work

Q1993. Fuzzy logic is most effective when:


A. Used to develop decision support systems
B. Combined with neural network technologies
C. Used to build hard disk controllers
D. Used to design memory caches

Q1994. Identify the contractual provision that is objective and enforceable among the parties involved in a system development life cycle project:
A. Commitment to quality
B. Penalties for late delivery
C. Problem support
D. Project staff skills

Q1995. Identify the correct sequence in the acceptance testing process:


A. Execution, validation, reporting, preparation
B. Validation, Execution, reporting, preparation
C. Preparation, validation, execution, reporting
D. Preparation, execution, validation, reporting

Q1996. Identify the cost that does NOT form part of software package
installation or implementation cost?
A. Cost of hardware
B. Cost of file conversion
C. Cost of computer downtime
D. Cost of initial debugging of software

Q1997. Identify the document which is LEAST effective during the acceptance
test of applications software.
A. Program source code
B. System requirements definition
C. Software acceptance criteria
D. System external specifications

Q1998. Identify the technique that mostly prevents a system failure from
occurring or facilitates quick recovery from failures.
A. Component isolation
B. Component modularity
C. Component redundancy
D. Information hiding

Q1999. Identify the test-case design technique that is used in unit and integration testing of applications software.
A. White-box, code-based, logic-driven technique
B. Black-box, code-based, data-driven technique
C. White-box, specification-based, logic-driven technique
D. Black-box, specification-based, data-driven technique

Q2000. Identify the wrong statement with respect to structured programming concepts and program modularity.
A. Modules should perform only one principal function
B. Interaction between modules should be minimal
C. Modules should have only one entry and one exit point
D. Modularity means program segmentation

Q2001. In project development, complementary and compensating controls, if properly implemented, ensure success of the project. Among the four listed below, which DOES NOT act as a complementary or compensating control to any of the others?
A. Users' active involvement in the project
B. Auditors' participation
C. Applying standard system development methodologies
D. Contracting external consultants/contractors

Q2002. In a software development process, the MOST useful parameter or activity for measuring the progress is
A. periodic management review
B. regular interactions by management with developers
C. milestones reached
D. expenses incurred

Q2003. In an ex-post review audit of the system development process, the auditor:
A. evaluates the overall monitoring controls that were exercised in
the system development process
B. evaluates the system development process, in general, as a basis
for reducing the extent of substantive testing needed
C. carries out a substantive test of the system development process
for all accounting application systems within the installation
D. focuses only on the application controls that have been built into
the system to ensure that user requirements are met

Q2004. In an information processing system, certain measures were introduced for improving the quality. An auditor looking for the effectiveness of the measures WILL NOT be assured of the effectiveness by
A. a perceptible reduction in problems reported by users
B. an increased user satisfaction
C. an increase in quality assurance budget by the management
D. a reduction in the maintenance cost of the application

Q2005. In developing a system for automated diagnosis for a hospital, which of the following shall be the MOST important in the design phase?
A. Meeting the project schedule
B. Remaining within the project budget
C. Ensuring software safety
D. Documenting the work meticulously

Q2006. In Information Technology projects, which of the following factors is most crucial?
A. Adhering to the project schedule
B. Anticipating problems
C. Testing the system thoroughly
D. Managing end-user expectations

Q2007. In most GUI applications, when the application is busy processing some data, an hourglass symbol is displayed. Which principle of user-interface design is in action here?
A. Visual Grammar
B. Shortcuts
C. Focus
D. Safety

Q2008. In order to further improve an already working software system, what method will be adopted?
A. Program changes due to changes in rules, laws, and regulations
B. Program changes due to errors discovered
C. Program changes due to fine tuning of existing systems
D. Program changes due to changes in data formats

Q2009. In order to achieve the requirements of the user, the BEST option in
acquiring an off-the-shelf applications software package is
A. Build or buy
B. Purchase and tailor
C. Lease or purchase
D. Rent or purchase

Q2010. In program development, the bottom-up methodology involves


A. including driver routines to facilitate testing
B. testing of major interfaces only
C. creating prototypes
D. even usage of the resources

Q2011. In terms of Software Configuration Management, baseline refers to:


A. Point of first release of the software
B. Point of latest release of the software
C. Point of latest change to the software
D. Point of change approved in the software and added to the
project database

Q2012. In the system development life cycle approach, which of the following
is MOST likely to be constant?
A. Allocation of resources for purchase of software platforms and
hardware
B. Certain phases can be dropped
C. Each phase will have to be present
D. The sequence of the phases cannot vary

Q2013. In which of the following system development life cycle models does one phase have to be completed before starting another phase?
A. Waterfall model
B. Prototyping model
C. Spiral model
D. Incremental model

Q2014. In which of the five stages of a system life cycle is an IT security implication involved?
A. Initiation Phase
B. Implementation Phase
C. Operation/Maintenance Phase
D. All the five stages of system development life cycle

Q2015. Incremental Model as an approach adheres to:


A. More of linear sequential, less of prototyping
B. Less of linear sequential, more of prototyping
C. Best practices of both linear sequential and prototyping
D. Is an independent approach.

Q2016. Information Systems auditors can take part in the system development life cycle as independent members without jeopardizing their audit quality. In which of the following stages will the participation be the MOST effective?
A. Design phase
B. Requirements definition phase
C. Development phase
D. Testing phase

Q2017. Introducing CASE tools in a mainframe environment is MOST likely to encounter
A. huge data conversion efforts
B. lack of technical knowledge
C. dearth of training personnel
D. absence of supportive tools

Q2018. Introduction of CASE tools in an IS environment in the early stages of implementation of a software project will impact the LEAST:
A. data base administrator(DB
B. data base designer
C. system designer
D. programmer

Q2019. IS auditors' participation in the development process improves the quality
of the product. In which of the following phases is the participation likely
to be LEAST beneficial?
A. Requirements definition
B. Coding
C. Testing
D. Configuration planning

Q2020. Many automated tools are designed for testing and evaluating computer
systems. Which one of the following such tools impacts the system's
performance by placing a greater load and stress on the system?
A. Test data generators
B. Statistical software packages
C. Test drivers
D. Network traffic analyzers

Q2021. Normally detailed system specifications do NOT include:
A. A systems narrative depicting the systems objectives
B. A systems flow chart
C. Overviews of each program in the system.
D. Program, operations, and user documentation.

Q2022. PC-based analysis and design tools are used along with mainframe
computer-based tools. Identify the CASE tool that is required in this
situation.
A. Diagramming tools
B. Simulation tools
C. Export/import tools
D. Diagram checking tools

Q2023. Program Evaluation Review Technique charts aid
A. Identification of critical paths, interdependencies of the processes
and slack times on certain paths
B. Keeping a tab on the project cost
C. Keeping a tab on the project schedule
D. Keeping a tab on the programmers

Q2024. Project management needs are addressed first and an artificial approach
to development is adopted in
A. rapid prototyping model
B. incremental development model
C. evolutionary development model
D. waterfall model or SDLC model

Q2025. Prototyping approach to system design is resorted to when
A. the SDLC method is chosen
B. the design is for a human resources division of the organization
C. the designer is circumspect of the users' cooperation in spelling
out their requirements
D. the designer as well as the user is uncertain about the
requirements, which are likely to evolve as the design progresses

Q2026. Prototyping methodology is resorted to when:
A. there is no user specification document
B. there is a huge backlog of development work and incomplete
projects
C. the costs and schedule overruns increase by leaps and bounds
D. the need for meeting user requirements is very acute

Q2027. Since it is the end-users who are going to use an application, they
must be consulted and their opinions must be incorporated if found
reasonable. Which of the following principles of User-Interface Design
reflects the above statements?
A. User-Perceptions
B. Context-Sensitivity
C. User Testing
D. Aesthetics

Q2028. Software piracy is a common threat to an organization, so what should
be the prime consideration while choosing an application software
package?
A. Product portability
B. Vendor support
C. Software licensing
D. Product reliability

Q2029. Software quality assurance suffers MOST when
A. it is treated as another software testing
B. it is left to be inspected after the system is completely developed
C. a quality assurance library is established for subjecting the
programs to test
D. a quality assurance team is constituted for assessing the quality

Q2030. Stovepipe systems evolve more because of
A. End-user development through employee empowerment to develop
B. Centralized development by a core group of professionals
C. Standardizing the system development methodologies
D. Establishing a quality assurance function

Q2031. Structured programming is best described as a technique that:
A. Make the dynamic execution of the program.
B. Reduces the maintenance time of programs
C. Provides knowledge of program functions.
D. Controls the coding and testing functions in the development
process.

Q2032. Structured programming requires certain features for easy maintenance.
Insofar as the size of a module in a program is concerned, which of
the following shall be the cardinal principle about the size of a module
to ensure structured design?
A. Fitting within one sheet of paper
B. Fitting within one page of the computer's random access memory
C. Module size shall not exceed one block of the hard disk to enable
faster retrieval
D. Size shall be small enough to make comprehension easier

Q2033. Symbolic evaluation is an error detection technique. In which one of the
following phases of a system development life cycle is it used?
A. Requirements
B. Design
C. Implementation
D. Maintenance

Q2034. System development controls are designed to prevent all of the following
EXCEPT:
A. Lack of project status reports
B. Implementation of unapproved system
C. Lack of adequate program controls.
D. Unauthorised program modification

Q2035. The auditor uses a normative model of the system development process
as a basis for:
A. determining what activities are usually undertaken during system
development
B. describing the activities that are to be carried out during system
development that would change the distribution of power within
the organisation
C. determining the activities that should be carried out during system
development
D. determining development activities depending on the
circumstances at hand

Q2036. The statement that describes a DISADVANTAGE of prototyping is:
A. Development through standard system development approach is
faster than Prototyping.
B. Users do not usually know sufficiently about systems to design
the system.
C. Active user involvement is more in the system development.
D. Change controls are more problematic to achieve than in a
traditional SDLC.

Q2037. The Commercial Off-The-Shelf software is:
A. Bought on commercial basis and can be given on rent or lease
B. Controlled by the integrator and the customer
C. Installed at only one place after it is available commercially
D. Maintained and controlled by original developer only

Q2038. The concurrent development model is used when:
A. The project under development is very complex
B. Two projects have to be tracked simultaneously
C. Various projects have to be tracked simultaneously
D. Various activities within a single project have to be tracked
simultaneously

Q2039. The correct sequence in a software systems development project is:
A. Identification, fact-gathering, evaluation, synthesis and installation
B. Identification, evaluation, fact-gathering, synthesis and installation
C. Identification, fact-gathering, synthesis, evaluation and installation
D. Identification, synthesis, fact-gathering, evaluation and installation

Q2040. The Critical path in a program evaluation review technique (PERT) chart
is identified by
A. the project management team looking at the criticality of the
function
B. the maximum slack time carrying path
C. the path containing zero slack time
D. an agreement after discussion among the users and the project
development team

Q2041. The data flow diagram can be used to:
A. Determine how to do a function efficiently
B. Restrict the number of times a function can be performed.
C. Determine requirements of user.
D. It makes the data requirements in a system permanent

Q2042. The definition of beta sites is:
A. software environments where vendors send their product for
evaluation from the users' angle
B. software environments where programming teams' productivity is
measured and analysed
C. software sites where the demand for the product is evaluated
D. software sites where the vendor commits to ship the product
earlier than others

Q2043. The estimate of time which has the MOST important relevance in
evaluation of the activities in a Program Evaluation Review Technique
(PERT) is:
A. Most Likely time
B. Pessimistic time
C. Actual time
D. Optimistic Time

Q2044. The extent to which a newly developed or acquired system meets the
functionality required of it is determined in:
A. Unit testing of the individual program
B. Function test or whole-of-program test
C. User acceptance test (UAT)
D. Interface test

Q2045. The information systems requirements plan is derived directly from the:
A. information systems applications and general controls plan
B. long term master plan
C. organisational strategic plan
D. information systems strategic plan

Q2046. Information technology pilot projects envisage which of the
following concepts?
A. To test a new idea
B. To prove a new concept
C. The idea that not every theory tested will work as expected
D. To explore the use of new technology

Q2047. The main focus of the graphical user interface (GUI) environments is:
A. Portability guidelines
B. Human-computer interaction guidelines
C. System navigation guidelines
D. System migration guidelines

Q2048. From a system testing viewpoint, in which of the following areas is a
major difference between a client/server and a mainframe-based
application NOT likely to occur?
A. The system development environment
B. The system test deliverables
C. The information technology infrastructure
D. The information systems operational support

Q2049. The major risk in prototyping model is:
A. The prototype becomes the finished system
B. User expectations are inflated
C. No attention is paid to cosmetic details
D. The model is iterated too many times

Q2050. The most important factor while creating test data for checking a
system is:
A. Have a sufficient quantity of data for each test case
B. Keep the test data to a minimum to conserve testing time
C. Select a random sample of actual data to ensure adequate
testing
D. Include data which represent conditions that occur in actual
processing

Q2051. The objective of software quality assurance is not:
A. Testing quality into a product
B. Designing quality into the product
C. Designing quality into the process
D. Designing quality into the interfaces

Q2052. The primary difference between program testing and system testing is:
A. program testing is more comprehensive than system testing
B. system testing is concerned with testing all aspects of a system
including user specification document, design document, job
designs and reward system designs
C. programmers have no involvement in system testing, whereas
designers and users are involved in program testing
D. system testing focuses on testing the interfaces between
programs, whereas program testing focuses on individual
programs

Q2053. The primary function of a steering committee is:
A. reviewing the user requirements to ensure that all controls are
considered
B. strategic planning for a computer installation
C. evaluating specific project plans for systems
D. conducting any major feasibility study when it is needed

Q2054. The prototyping approach to software development is most suitable
when
A. Reusable components are available
B. The user is not fully aware of the requirements
C. There are time constraints
D. Minor changes have to be made in an existing product

Q2055. The purpose of the program development phase of SDLC is to:
A. Document a business problem
B. Prepare a high level design of a proposed system solution
C. Expand the general design of an approved system solution
D. Prepare, test, and document all computer programs

Q2056. The requirements specification phase needs a lot of operational
viewpoint input in the early stage of a system development. Which of
the following models takes care of this aspect?
A. Waterfall model
B. Incremental development model
C. Evolutionary development model
D. Rapid prototyping model

Q2057. The statement which is NOT false regarding end user computing is:
A. Catering to the user’s requirement is more in such systems.
B. Implementation of change control procedures is easier.
C. Since the respective end users download their required data,
duplication of data does not occur.
D. Due to the programming staff not being involved, segregation of
duties is increased.

Q2058. The System Development Tool which gives the BEST results in an
application maintenance function is:
A. Network control programs
B. Tape Management systems
C. Project Management software
D. Test data generators

Q2059. The test approach that includes ALL of the system requirements, system
design, and systems development documents is:
A. Unit testing
B. Integration testing
C. Systems testing
D. Acceptance testing

Q2060. To implement BPR, the best approach would be to:
A. Change marketing strategies in accordance with the data
gathered
B. Develop a plan based on the data gathered
C. Opt for the latest technology, irrespective of its relevance to the
business
D. Wait for an opportune moment, and chalk-out a short-term
strategy

Q2061. Providing the management with appropriate information about the
process being used by the software development project and about the
products being built is taken care of by:
A. Software quality assurance management
B. Software configuration management
C. Software requirements management
D. Software project management

Q2062. To which one of the following issues should an information systems (IS)
auditor participating in a system development life cycle project
devote more attention?
A. Technical issues
B. Organizational issues
C. Behavioral issues
D. Contractual issues

Q2063. Under the contingency approach to system development, the major
factor affecting the requirements elicitation strategy chosen is the:
A. SDLC approach is a time consuming approach
B. nature of the job and organisational design proposed
C. level of uncertainty surrounding the system
D. likelihood of the sociotechnical design approach being
unsuccessful

Q2064. User acceptance testing (UAT)
A. Is done during conceptualisation of the product to analyse end-
user likeness towards product
B. Is the final phase of validation and ensures that the system meets
the requirements of the user
C. Is done after designing, but before in-house testing
D. Involves testing a prototype

Q2065. Weaker manual control over authorization of changes will lead to
A. weaker policy implementation
B. weaker procedure implementation
C. weaker standards implementation
D. weaker change control/configuration management

Q2066. Which control should have been in place to enable detection of a
change made to a payroll program by a computer operator?
A. Output of the payroll journal’s audit trail.
B. Review of the control totals.
C. Review of the payroll by the payroll department on a regular
basis.
D. Review of console logs for attempted / illegal intrusion.

Q2067. What is the cross-reference in the workbench used for?
A. Producing a cross-reference listing, indicating where all the
program names are declared and used
B. Loading the executable program into the computer memory prior
to execution
C. Processing the design and reporting on errors and anomalies
D. Controlling the execution sequence and viewing the program state
as execution progresses

Q2068. What is the MAJOR difference between business process reengineering
(BPR) and business process improvement (BPI)?
A. The enormity of the changes contemplated and implemented
B. In measuring the process performance
C. The amount of focussing the customer needs get
D. The amount of focussing on the processes as primary analytical
units

Q2069. what is the major risk that is faced by a user organization during system
integration projects?
A. Isolated islands of information
B. Processing and computing power
C. Maintenance costs
D. System size and complexity

Q2070. What would you use to enforce integration rules so as to integrate one
component with another?
A. A data flow diagram
B. An entity relationship diagram
C. A state transition diagram
D. A data dictionary

Q2071. When a new system is envisaged to replace a legacy application
system, the next step that requires a detailed analysis is:
A. The Business Plan of the organization
B. The information systems audit plan
C. The organization's information technology architecture
D. How the new application will fit with other applications

Q2072. When a software application is acquired from a vendor, the terms of the
purchase order WILL NOT generally contain:
A. annual maintenance contract terms after the warranty period
B. details of software licence fees and other licence terms
C. terms of acceptance testing
D. dates of future updates and the fees for acquiring them

Q2073. When a systems development project is conceived and the planning
and analysis phase is started, the primary area of concern will be
A. data
B. development team personnel
C. the platform and tools
D. the processes involved

Q2074. When designing a User-Interface (UI), which principle refers to the
design of UI elements in a way that is easy to relate to everyday
examples?
A. User Profiling
B. Metaphors
C. Consistency
D. Visualisation

Q2075. When input control procedures are designed in an accounts package
development, which of the following gets LEAST importance?
A. Validation of the input data
B. Error reporting
C. Error correction
D. Data collection methods

Q2076. Whenever there is a modification made to existing software, which
of the following testing approaches should be used?
A. Unit testing
B. Acceptance testing
C. Regression analysis and testing
D. System testing

Q2077. Which among the following is a detective control in a system
development project?
A. Including IS auditor as a member of the project team
B. Periodical design and code walkthroughs
C. Password implementation for vendors and outsourcing team
D. Adopting a standard development methodology for system
development

Q2078. Which control would protect production programs from unauthorised
modifications?
A. Requiring operators to maintain a logbook.
B. Review of control totals.
C. Limiting accesses to source code by operators.
D. Restricting user access to the computer room

Q2079. Which is the correct sequence of concluding a software purchase
contract?
A. Receipt of contract terms from vendor, negotiations, modifications
to the terms, approval and execution of agreement
B. Negotiations, receipt of contract terms from vendor, modifications
to the terms, approval and execution of agreement
C. Receipt of contract terms from vendor, modifications to the terms,
negotiations, approval and execution of agreement
D. Receipt of contract terms from vendor, negotiations, approval,
modifications to the terms and execution of agreement

Q2080. Which is the correct sequence of the data design phase in a software
development project?
A. data structure design, data requirements definition, data modeling,
data conversion
B. data conversion, data structure design, data requirements
definition, data modeling
C. data structure design, data conversion, data requirements
definition, data modeling
D. data requirements definition, data modeling, data structure design,
data conversion

Q2081. Which is the correct sequence of events in a software development
project?
A. User requirements definition, technical specifications development,
planning for implementation and system development (coding,
testing etc)
B. Technical specifications development, user requirements
definition, planning for implementation and system development
(coding, testing etc)
C. User requirements definition, planning for implementation,
technical specifications development and system
development (coding, testing etc)
D. Implementation planning, programming, conversion, and system
testing

Q2082. Which is the LEAST important criterion while considering potential
software packages?
A. Vendor staff incompatibility
B. Hardware incompatibility
C. Operating system incompatibility
D. Requiring too much computer memory

Q2083. Which of the following is not part of the information systems design:
A. design of the data/information flow
B. design of the user interfaces
C. design of the user specification document layout
D. job design

Q2084. Which of the following factors would bring down the risks most in Joint
Application Design (JAD) meetings?
A. The right software
B. The right people
C. The right training
D. The right hardware

Q2085. Which of the following CANNOT be used for measuring the progress of
a software development project?
A. Appraisal of the performance of the team members by the
superiors
B. Milestone achievement
C. Review of the codes generated
D. Review of the system design

Q2086. Which of the following characteristics of user developed systems has
been identified in empirical research:
A. usually have only a single user
B. typically obtain data from a centralised database
C. usually do not have basic control validations
D. often perform important, day-to-day operational functions

Q2087. Which of the following computer technologies is a major shift in the
development and maintenance of application systems?
A. RDBMS technology
B. Client/server technology
C. Object-oriented technology
D. Graphical-user interface (GUI) technology

Q2088. Which of the following is addressed by software configuration
management as part of Software quality assurance?
A. At what point was the first baseline established?
B. Were the test strategies sufficient to determine whether the
software is safe and effective?
C. What actions were taken in response to the metrics results?
D. What error analysis techniques were used?

Q2089. Which of the following is deemed as good system design practice?
A. High cohesion of modules, low coupling of modules, and high
modularity of programs
B. Low cohesion of modules, high coupling of modules, and high
modularity of programs
C. High cohesion of modules, high coupling of modules, and high
modularity of programs
D. Low cohesion of modules, low coupling of modules, and low
modularity of programs

Q2090. Which of the following is false with regard to software engineering
metrics?
A. It helps in decision-making
B. It does not involve activities like designing, analysis and coding
C. It involves measuring productivity of individual designer
D. Metrics could be of no use or harmful due to wrong analysis

Q2091. Which of the following is most likely to be used to describe sequence
logic:
A. Table structures and table relationships
B. Data flow diagram
C. Business Process flow diagrams
D. Structured English

Q2092. Which of the following is NOT a constraint while using Computer Aided
Software Engineering (CASE) tools running on workstations?
A. Lack of multi-user operations
B. Inability to handle large databases
C. Lack of security controls
D. Lack of tools for source code generation

Q2093. Which of the following is not a major benefit of applications software
prototyping?
A. Reduction in development costs
B. Faster delivery of the system
C. Meeting user requirements
D. Reduced software maintenance efforts

Q2094. Which of the following is NOT a prerequisite for software system project
planning?
A. Availability of the technical expertise
B. Goals and objectives of the plan
C. The functional requirements
D. Programming area environment and infrastructure

Q2095. Which of the following is not an example of a strategic system
requirement:
A. overall goals and objectives to be accomplished
B. it forms the basis for evaluating the alternatives
C. use a high level language to program the system
D. maintain the existing organisational power structure

Q2096. Which of the following is NOT pertaining to change control/configuration
management in a computer-based IS environment?
A. Authorization of change requests
B. Message authorization code (MAC)
C. Authorized checking-in of programs to the library
D. Authorized checking-out of programs to the library

Q2097. Which of the following is not true in respect of Expert systems?
A. Expert systems knowledge is represented declaratively
B. Expert system computations are performed through symbolic
reasoning
C. Expert systems knowledge is combined into program control
D. Expert systems can explain their own actions

Q2098. Which of the following is not true with regard to Black Box Testing?
A. It may leave many program paths untested.
B. Both the tester and programmer are independent of each other.
C. Requires knowledge of internal working of the program.
D. Tests are designed to know if the system is sensitive to certain
input values.

Q2099. Which of the following is not true with regard to Commercial Off-The-
Shelf (COTS) systems:
A. Commercial Off-The-Shelf are highly secured
B. The cost of developing Commercial Off-The-Shelf is very high
C. There is no possibility of mismatch between Commercial Off-The-
Shelf components
D. The component user has little or no control over the evolution of
component

Q2100. Which of the following is the most likely sequence of phases in the
system development process:
A. feasibility study, system design, procedures and forms
development, acceptance testing
B. acceptance testing, procedures development, management of the
change process
C. entry and feasibility assessment, problem definition, analysis of
the existing system
D. feasibility study, information analysis, system design, program
development

Q2101. Which of the following is NOT an effective control for program
changes?
A. Independent review of changed program by quality assurance
group
B. Version control
C. Annual reviews of program listing
D. Compilation of source code by IS librarian

Q2102. Which of the following is true regarding software testing:
A. Debugging is same as software testing.
B. For better results, software testing is done after implementation
of the software.
C. Irrespective of the size of software, the documentation must be
of fixed size.
D. Tests are designed after each level of software specification has
been written.

Q2103. Which of the following is true with regard to the audit of acquisition risks?
A. Conversion costs need not be included in the cost benefit
analysis of the alternatives.
B. Analysis of each alternative takes into account only quantifiable
benefits.
C. The alternative analysis is not a part of the audit of acquisition
risks
D. The non-cost factor is an important part of the alternative analysis
of an acquisition project

Q2104. Which of the following is true with regard to White Box Testing?
A. Output of the program code is not required before the beginning
of the code.
B. It is not very expensive.
C. It may involve testing every line of code.
D. It shows errors caused by omission.

Q2105. Which of the following is true:
A. Workbenches are team based
B. Software Engineering Environments cannot include design and
documentation
C. In an integrated environment the project documents are stored in
different places
D. Software developed could be delivered for target system with a
completely different architecture

Q2106. Which of the following provides control over program maintenance?
A. Annual review of test results.
B. Source code reviewed by the IS auditor
C. Programmers have access to the program library.
D. A written authorisation for program change to be obtained from
the user department.

Q2107. Which of the following requirements elicitation techniques is most
appropriate when the level of uncertainty surrounding the system to be
designed is the lowest?
A. reviewing the existing system
B. asking others using similar type of system within the industry
C. asking the users of the system
D. deriving the requirements from an existing system

Q2108. Which of the following software defect prevention activities would ensure
the highest Return on Investment?
A. Code inspection
B. Reviews with users/customers
C. Design reviews
D. Unit test

Q2109. Which of the following statements is true with regard to management of
an acquisition project?
A. User involvement in the project is limited only to requirement
analysis stage.
B. It is not necessary for the top management to be involved in an
acquisition project
C. The project team is a mix of people with technical, functional and
contractual abilities.
D. Acquisition plan only specifies the details regarding the schedule
for the contract award.

Q2110. Which of the following system life factors is most difficult to control by
a user organization?
A. The length of time the system will satisfy the needs of the initial
user
B. The rate at which computer technology is expected to advance
C. The probability of continued availability of system support
D. The time required for subsequent acquisition to meet the
requirement

Q2111. Compliance auditing is used to:
A. Complete audit under accepted auditing standards
B. Eliminate the need for substantive auditing
C. Verify specific balance-sheet and Profit and loss account values
D. Determine the degree to which substantive auditing may be
limited.

Q2112. Due Professional Care” requires an IS auditor to possess which of the


following quality
A. Good amount of programming skills in the required software.
B. Arriving at an correct conclusion based on the facts and figures
available.
C. Evaluating methodology of the audit test results.
D. Skills and judgement that are commonly possessed by IS
practitioners of that speciality.

Q2113. In segregation of duties, the organisation will be exposed to a very HIGH
risk if the duties of
A. Computer Operator and Quality Assurance are combined.
B. The work of a Data entry clerk is also done by a Tape Librarian.
C. A tape librarian are carried out by an application programmer.
D. Systems analyst and database administrator are done by the
same person.

Q2114. During a review of a large data center an IS auditor observed computer
operators acting as backup tape librarians and security administrators.
Which of these situations would be most critical to report to senior
management?
A. Computer operators acting as tape librarians
B. Computer operators acting as security administrators
C. Computer operators acting as tape librarians and security
administrators
D. It is not necessary to report any of these situations

Q2115. Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for IS department

Q2116. In a small organization an employee performs the function of computer
operator and, when the situation demands, modifies programs. Which of
the following should the IS auditor recommend?
A. Automated logging of changes to development libraries
B. Additional staff to provide separation of duties
C. Procedures that verify that only approved program changes are
implemented
D. Access controls that prevent the operator from making program
modifications

Q2117. Data processing agreements should contain a statement of all the
following EXCEPT
A. Monitoring and contingency requirements
B. Data access standards
C. Service review options
D. Site security mechanisms

Q2118. Which of the following function(s) is (are) most likely to be performed by the data administrator?
A. Determining the effects of database redefinition on the internal schema
B. Formulating data retention and retirement policies
C. Preparing the data validation programs needed to populate the database
D. Both a and c.


Q2119. Which of the following is not a capability of a librarian package?
A. Determining those programs that have inadequate documentation
B. Addition, modification and deletion of source code
C. Encryption of source code
D. Creating indexes of programs and their attributes

Q2120. Which of the following would provide a mechanism whereby IS management can determine when and if the activities of the enterprise have deviated from planned or expected levels?
A. Quality management
B. IS assessment methods
C. Management principles
D. Industry standards/benchmarking

Q2121. Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs
B. Application programmers are implementing changes to test programs
C. Operations support staff are implementing changes to batch schedules
D. Database administrators are implementing changes to data structures.

Q2122. A database administrator is responsible for
A. Maintaining the access security of data residing on the computers
B. Implementing database definition controls
C. Granting access rights to users
D. Defining system’s data structure


Q2123. A company that has to guarantee zero downtime and 100 percent
functionality would choose which type of backup facility?
A. Redundant
B. Rolling site
C. Cold
D. Warm

Q2124. Risk assessment is a critical component of the BCP process. As such, which risk-assessment method is scenario-driven and does not assign numeric values to specific assets?
A. Qualitative Risk Assessment
B. Statistical Weighted Risk Assessment
C. Quantitative Risk Assessment
D. Asset-Based Risk Assessment

Q2125. Which of the following best describes the concept and purpose of BCP?
A. BCPs are created to prevent interruptions to normal business
activity
B. BCPs are used to reduce outage times
C. BCPs and procedures are put in place for the response to an
emergency
D. BCPs guarantee the reliability of standby systems

Q2126. What are the three goals of a business impact analysis?
A. Criticality prioritization, downtime estimation, resource requirements
B. Downtime estimation, resource requirements, defining the continuity strategy
C. Defining the continuity strategy, criticality prioritization, resource requirements
D. Criticality prioritization, downtime estimation, documenting the continuity strategy


Q2127. During the BCP process, which group directs the planning,
implementation, and development of the test procedures?
A. BCP committee
B. Senior business unit management
C. Executive management staff
D. Functional business units

Q2128. During a BIA, a vulnerability assessment is usually performed. What is its purpose?
A. To determine the impact of the loss of a critical business function
B. To determine the financial cost of preventing an identified vulnerability
C. To comply with due diligence requirements
D. To determine the nonmonetary cost to the organization of the loss of a critical business function

Q2129. Which of the following elements of the BCP process includes the
completion of a vulnerability assessment?
A. Business impact assessment
B. Plan approval and implementation
C. Scope and plan initiation
D. Business continuity plan development

Q2130. Which phase of the BCP process includes project parameter definition?
A. Scope and plan initiation
B. Plan approval and implementation
C. Business impact assessment
D. Business continuity plan development


Q2131. Backups ensure that information stored on a workstation or server can be restored if a disaster or failure occurs. Which type of backup makes a complete archive of every file?
A. Full backup
B. Complete backup
C. Differential backup
D. Incremental backup

Q2132. Which of the following is not a feature of a hot site?
A. Hot sites can be ready to use in a few hours to at most several days.
B. Hot sites contain preexisting Internet and network connectivity
C. Equipment and software must be compatible with the data being backed up
D. A company may have exclusive rights to the facility at which the hot site is located.

Q2133. A critical first step in disaster recovery and contingency planning is which of the following?
A. Complete a business impact analysis
B. Determine offsite backup facility alternatives
C. Organize and create relevant documentation
D. Plan testing and drills

Q2134. In disaster recovery, each level of employee should have clearly defined
responsibilities. Which of the following is a responsibility of senior
executives?
A. Oversee budgets and the overall project
B. Develop testing plans
C. Establish project goals and develop plans
D. Identify critical business systems


Q2135. When is the emergency actually over for a company?
A. When all operations and people are moved back into the primary site
B. When all people are safe and accounted for
C. When operations are safely moved to the off-site facility
D. When a civil official declares that all is safe

Q2136. There are several reasons for a company to develop and implement
a disaster recovery plan. What is the most important goal of disaster
recovery?
A. Protect human life
B. Protect the integrity of the business
C. Protect critical operating systems
D. Protect customer relationships

Q2137. What is the maximum tolerable downtime (MTD) for urgent systems and functions?
A. 24 hours
B. Minutes to hours
C. 4 to 6 hours
D. 72 hours

Q2138. A company that has to guarantee zero downtime and 100 percent
functionality would choose which type of backup facility?
A. Redundant
B. Rolling site
C. Cold
D. Warm


Q2139. Risk assessment is a critical component of the BCP process. As such, which risk-assessment method is scenario-driven and does not assign numeric values to specific assets?
A. Qualitative Risk Assessment
B. Statistical Weighted Risk Assessment
C. Quantitative Risk Assessment
D. Asset-Based Risk Assessment

Q2140. Which of the following best describes the concept and purpose of BCP?
A. BCPs are created to prevent interruptions to normal business
activity
B. BCPs are used to reduce outage times
C. BCPs and procedures are put in place for the response to an
emergency
D. BCPs guarantee the reliability of standby systems

Q2141. What are the three goals of a business impact analysis?
A. Criticality prioritization, downtime estimation, resource requirements
B. Downtime estimation, resource requirements, defining the continuity strategy
C. Defining the continuity strategy, criticality prioritization, resource requirements
D. Criticality prioritization, downtime estimation, documenting the continuity strategy

Q2142. During the BCP process, which group directs the planning,
implementation, and development of the test procedures?
A. BCP committee
B. Senior business unit management
C. Executive management staff
D. Functional business units


Q2143. During a BIA, a vulnerability assessment is usually performed. What is its purpose?
A. To determine the impact of the loss of a critical business function
B. To determine the financial cost of preventing an identified vulnerability
C. To comply with due diligence requirements
D. To determine the nonmonetary cost to the organization of the loss of a critical business function

Q2144. Which of the following elements of the BCP process includes the
completion of a vulnerability assessment?
A. Business impact assessment
B. Plan approval and implementation
C. Scope and plan initiation
D. Business continuity plan development

Q2145. Which phase of the BCP process includes project parameter definition?
A. Scope and plan initiation
B. Plan approval and implementation
C. Business impact assessment
D. Business continuity plan development

Q2146. Backups ensure that information stored on a workstation or server can be restored if a disaster or failure occurs. Which type of backup makes a complete archive of every file?
A. Full backup
B. Complete backup
C. Differential backup
D. Incremental backup


Q2147. Which of the following is not a feature of a hot site?
A. Hot sites can be ready to use in a few hours to at most several days.
B. Hot sites contain preexisting Internet and network connectivity
C. Equipment and software must be compatible with the data being backed up
D. A company may have exclusive rights to the facility at which the hot site is located.

Q2148. What is the maximum tolerable downtime (MTD) for urgent systems and functions?
A. 24 hours
B. Minutes to hours
C. 4 to 6 hours
D. 72 hours

Q2149. A critical first step in disaster recovery and contingency planning is which of the following?
A. Complete a business impact analysis
B. Determine offsite backup facility alternatives
C. Organize and create relevant documentation
D. Plan testing and drills

Q2150. In disaster recovery, each level of employee should have clearly defined
responsibilities. Which of the following is a responsibility of senior
executives?
A. Oversee budgets and the overall project
B. Develop testing plans
C. Establish project goals and develop plans
D. Identify critical business systems


Q2151. When is the emergency actually over for a company?
A. When all operations and people are moved back into the primary site
B. When all people are safe and accounted for
C. When operations are safely moved to the off-site facility
D. When a civil official declares that all is safe

Q2152. There are several reasons for a company to develop and implement
a disaster recovery plan. What is the most important goal of disaster
recovery?
A. Protect human life
B. Protect the integrity of the business
C. Protect critical operating systems
D. Protect customer relationships


Answers for Module 4

Q1776 Ans. C Q1804 Ans. C Q1832 Ans. B
Q1777 Ans. B Q1805 Ans. C Q1833 Ans. A
Q1778 Ans. C Q1806 Ans. D Q1834 Ans. B
Q1779 Ans. D Q1807 Ans. A Q1835 Ans. C
Q1780 Ans. A Q1808 Ans. b Q1836 Ans. D
Q1781 Ans. A Q1809 Ans. c Q1837 Ans. A
Q1782 Ans. C Q1810 Ans. a Q1838 Ans. D
Q1783 Ans. B Q1811 Ans. a Q1839 Ans. B
Q1784 Ans. A Q1812 Ans. C Q1840 Ans. c
Q1785 Ans. D Q1813 Ans. C Q1841 Ans. d
Q1786 Ans. C Q1814 Ans. C Q1842 Ans. d
Q1787 Ans. C Q1815 Ans. A Q1843 Ans. a
Q1788 Ans. B Q1816 Ans. A Q1844 Ans. b
Q1789 Ans. C Q1817 Ans. a Q1845 Ans. c
Q1790 Ans. C Q1818 Ans. D Q1846 Ans. b
Q1791 Ans. B Q1819 Ans. C Q1847 Ans. d
Q1792 Ans. D Q1820 Ans. b Q1848 Ans. a
Q1793 Ans. b Q1821 Ans. c Q1849 Ans. c
Q1794 Ans. B Q1822 Ans. b Q1850 Ans. a
Q1795 Ans. B Q1823 Ans. d Q1851 Ans. b
Q1796 Ans. D Q1824 Ans. d Q1852 Ans. d
Q1797 Ans. C Q1825 Ans. c Q1853 Ans. d
Q1798 Ans. A Q1826 Ans. A Q1854 Ans. b
Q1799 Ans. b Q1827 Ans. B Q1855 Ans. d
Q1800 Ans. b Q1828 Ans. A Q1856 Ans. d
Q1801 Ans. B Q1829 Ans. B Q1857 Ans. d
Q1802 Ans. C Q1830 Ans. D Q1858 Ans. c
Q1803 Ans. C Q1831 Ans. A Q1859 Ans. d


Q1860 Ans. d Q1890 Ans. a Q1920 Ans. a
Q1861 Ans. d Q1891 Ans. d Q1921 Ans. a
Q1862 Ans. c Q1892 Ans. c Q1922 Ans. D
Q1863 Ans. c Q1893 Ans. d Q1923 Ans. D
Q1864 Ans. c Q1894 Ans. c Q1924 Ans. d
Q1865 Ans. c Q1895 Ans. d Q1925 Ans. b
Q1866 Ans. a Q1896 Ans. d Q1926 Ans. a
Q1867 Ans. b Q1897 Ans. d Q1927 Ans. a
Q1868 Ans. b Q1898 Ans. b Q1928 Ans. b
Q1869 Ans. b Q1899 Ans. c Q1929 Ans. b
Q1870 Ans. b Q1900 Ans. d Q1930 Ans. b
Q1871 Ans. c Q1901 Ans. b Q1931 Ans. d
Q1872 Ans. b Q1902 Ans. c Q1932 Ans. c
Q1873 Ans. a Q1903 Ans. a Q1933 Ans. d
Q1874 Ans. a Q1904 Ans. a Q1934 Ans. c
Q1875 Ans. c Q1905 Ans. b Q1935 Ans. b
Q1876 Ans. c Q1906 Ans. a Q1936 Ans. c
Q1877 Ans. c Q1907 Ans. d Q1937 Ans. d
Q1878 Ans. c Q1908 Ans. a Q1938 Ans. d
Q1879 Ans. b Q1909 Ans. d Q1939 Ans. b
Q1880 Ans. c Q1910 Ans. d Q1940 Ans. a
Q1881 Ans. c Q1911 Ans. c Q1941 Ans. c
Q1882 Ans. b Q1912 Ans. d Q1942 Ans. d
Q1883 Ans. c Q1913 Ans. c Q1943 Ans. c
Q1884 Ans. d Q1914 Ans. a Q1944 Ans. b
Q1885 Ans. a Q1915 Ans. d Q1945 Ans. a
Q1886 Ans. a Q1916 Ans. d Q1946 Ans. b
Q1887 Ans. c Q1917 Ans. c Q1947 Ans. d
Q1888 Ans. b Q1918 Ans. c Q1948 Ans. b
Q1889 Ans. a Q1919 Ans. c Q1949 Ans. d


Q1950 Ans. a Q1980 Ans. c Q2010 Ans. a
Q1951 Ans. d Q1981 Ans. d Q2011 Ans. d
Q1952 Ans. b Q1982 Ans. b Q2012 Ans. c
Q1953 Ans. b Q1983 Ans. c Q2013 Ans. a
Q1954 Ans. d Q1984 Ans. C Q2014 Ans. d
Q1955 Ans. a Q1985 Ans. c Q2015 Ans. a
Q1956 Ans. a Q1986 Ans. c Q2016 Ans. b
Q1957 Ans. a Q1987 Ans. a Q2017 Ans. a
Q1958 Ans. d Q1988 Ans. c Q2018 Ans. d
Q1959 Ans. a Q1989 Ans. c Q2019 Ans. d
Q1960 Ans. d Q1990 Ans. a Q2020 Ans. b
Q1961 Ans. a Q1991 Ans. c Q2021 Ans. d
Q1962 Ans. a Q1992 Ans. b Q2022 Ans. c
Q1963 Ans. c Q1993 Ans. b Q2023 Ans. a
Q1964 Ans. a Q1994 Ans. b Q2024 Ans. d
Q1965 Ans. b Q1995 Ans. d Q2025 Ans. d
Q1966 Ans. a Q1996 Ans. a Q2026 Ans. a
Q1967 Ans. b Q1997 Ans. a Q2027 Ans. a
Q1968 Ans. c Q1998 Ans. c Q2028 Ans. c
Q1969 Ans. b Q1999 Ans. a Q2029 Ans. b
Q1970 Ans. c Q2000 Ans. d Q2030 Ans. a
Q1971 Ans. a Q2001 Ans. d Q2031 Ans. b
Q1972 Ans. a Q2002 Ans. c Q2032 Ans. d
Q1973 Ans. a Q2003 Ans. b Q2033 Ans. c
Q1974 Ans. b Q2004 Ans. c Q2034 Ans. d
Q1975 Ans. a Q2005 Ans. c Q2035 Ans. c
Q1976 Ans. a Q2006 Ans. d Q2036 Ans. d
Q1977 Ans. c Q2007 Ans. c Q2037 Ans. d
Q1978 Ans. c Q2008 Ans. c Q2038 Ans. d
Q1979 Ans. c Q2009 Ans. b Q2039 Ans. a


Q2040 Ans. c Q2070 Ans. d Q2100 Ans. d
Q2041 Ans. c Q2071 Ans. d Q2101 Ans. c
Q2042 Ans. a Q2072 Ans. d Q2102 Ans. d
Q2043 Ans. a Q2073 Ans. a Q2103 Ans. d
Q2044 Ans. c Q2074 Ans. b Q2104 Ans. c
Q2045 Ans. d Q2075 Ans. d Q2105 Ans. c
Q2046 Ans. c Q2076 Ans. c Q2106 Ans. d
Q2047 Ans. b Q2077 Ans. b Q2107 Ans. c
Q2048 Ans. b Q2078 Ans. c Q2108 Ans. b
Q2049 Ans. a Q2079 Ans. a Q2109 Ans. c
Q2050 Ans. d Q2080 Ans. d Q2110 Ans. B
Q2051 Ans. a Q2081 Ans. a Q2111 Ans. D
Q2052 Ans. d Q2082 Ans. a Q2112 Ans. D
Q2053 Ans. b Q2083 Ans. c Q2113 Ans. C
Q2054 Ans. b Q2084 Ans. b Q2114 Ans. B
Q2055 Ans. d Q2085 Ans. a Q2115 Ans. B
Q2056 Ans. d Q2086 Ans. d Q2116 Ans. C
Q2057 Ans. a Q2087 Ans. c Q2117 Ans. B
Q2058 Ans. d Q2088 Ans. a Q2118 Ans. B
Q2059 Ans. c Q2089 Ans. a Q2119 Ans. A
Q2060 Ans. b Q2090 Ans. b Q2120 Ans. B
Q2061 Ans. a Q2091 Ans. d Q2121 Ans. A
Q2062 Ans. c Q2092 Ans. d Q2122 Ans. B
Q2063 Ans. c Q2093 Ans. a Q2123 Ans. A
Q2064 Ans. b Q2094 Ans. d Q2124 Ans. A
Q2065 Ans. d Q2095 Ans. c Q2125 Ans. A
Q2066 Ans. c Q2096 Ans. b Q2126 Ans. A
Q2067 Ans. a Q2097 Ans. c Q2127 Ans. A
Q2068 Ans. a Q2098 Ans. c Q2128 Ans. A
Q2069 Ans. d Q2099 Ans. d Q2129 Ans. A


Q2130 Ans. A Q2138 Ans. A Q2146 Ans. A
Q2131 Ans. A Q2139 Ans. A Q2147 Ans. A
Q2132 Ans. A Q2140 Ans. A Q2148 Ans. A
Q2133 Ans. A Q2141 Ans. A Q2149 Ans. A
Q2134 Ans. A Q2142 Ans. A Q2150 Ans. A
Q2135 Ans. A Q2143 Ans. A Q2151 Ans. A
Q2136 Ans. A Q2144 Ans. A Q2152 Ans. A
Q2137 Ans. A Q2145 Ans. A

DISA Review Questions, Answers Manual – Module 7

Module 7 Questions
Q2153. In order to provide maximum assurance on user identification the best
method of user authentication should be based on what user
A. is.
B. knows.
C. has.
D. does.

Q2154. Primary objective of controls is:
A. IT Governance
B. Mitigate risk
C. Securing IT assets
D. Managing employees

Q2155. The controls in Client-Server architecture first address the risks arising out of:
A. Client malfunction.
B. Ping of death attack.
C. Network failure.
D. Application development.

Q2156. A basic control in a real-time application system is a(n):
A. Audit log.
B. Console log.
C. Terminal log.
D. Transaction log.


Q2157. Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check

Q2158. Which of the following is the first step in Data Classification?
A. Establish Ownership
B. Criticality Analysis
C. Access Definition
D. Data Dictionary

Q2159. Data quality in a data warehouse is achieved by:
A. Cleansing.
B. Restructuring.
C. Ensuring the credibility of source data.
D. Transformation.

Q2160. Which of the following information valuation methods is LEAST likely to be used during a security review?
A. Processing cost
B. Replacement cost
C. Unavailability cost
D. Disclosure cost.

Q2161. IT Security policy is:
A. Preventive control
B. Detective control
C. Corrective control
D. Compensating control

Q2162. Defragmentation of hard disk means:
A. Formatting hard disk.
B. Degaussing hard disk.
C. Destroying hard disk.
D. Optimizing hard disk.

Q2163. A user who found and repaired a virus on his workstation should first report to:
A. System administrator.
B. Network administrator.
C. Security administrator.
D. Data Base Administrator.

Q2164. Reconciliation of Control totals is the responsibility of:
A. Computer Operator.
B. Data entry Operator.
C. IS Manager.
D. Input Output Control Group.

Q2165. Which of the following is the highest risk in implementing VoIP (Voice over Internet Protocol)?
A. Disruption (Jitters)
B. Packet Loss.
C. Latency.
D. Sniffing.


Q2166. Which of the following would NOT be considered a security threat to Internet web sites?
A. Hackers
B. Crackers
C. Virus writers
D. Asynchronous attacks

Q2167. Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code

Q2168. In the ISO OSI network model, processing and printing documents is handled by:
A. Physical Layer.
B. Transport layer.
C. Application layer.
D. Session layer.

Q2169. During the audit, the control self-assessment questionnaire answered by the local management was made available to the IS Auditor. The IS auditor should:
A. Substantiate the answers.
B. Rely on the answers and do nothing.
C. Ignore it since it is out of scope.
D. Ask for previous audit report instead.


Q2170. The primary objective of an IT security incident response program is to:
A. Reduce the impact of incidents on business.
B. Prevent security breach incidents.
C. Secure communication network.
D. Manage help desk operations.

Q2171. An IS Auditor reviewing the controls in application systems developed in a popular RDBMS requested access to the database to retrieve the records for auditing. Which access rights should the DBA provide to the auditor?
A. Read only for entire database.
B. Read and update for entire database.
C. DBA rights on entire database.
D. All rights on entire database.

Q2172. In a financial organization the transactions are posted into the database by the accounts assistant. A member of managerial staff authorizes the transaction after posting. Which of the following access rights can be allotted to the member of supervising staff in addition to ‘Update the database for confirming authorization of transactions’?
A. Generate report and query the contents of fields from the database.
B. Enter the transactions when accounts assistant is on leave.
C. Change the access rights of other staff members.
D. Necessary rights to modify the programs which update the database.

Q2173. A multinational organization decided to provide its customers access to the organization’s computer system. Which of the following applications providing access to customers is MOST secure from intrusion attacks?
A. Interactive Voice Response system giving and receiving information about customer’s requirements.
B. Online order processing using Internet.
C. Providing direct access terminal at customer’s office.
D. Dial-up access for customer.

Q2174. Which of the following control functions will be most effective due to the
use of Biometric Security solutions?
A. Authentication
B. Access
C. Password
D. Smart Cards

Q2175. Which of the following is the MOST likely reason why e-mail systems
have become a useful source of evidence for litigation?
A. Poor housekeeping leads to excessive cycles of backup files
remaining available.
B. Strong access controls establish accountability for activity on the
e-mail system.
C. Data classification is often used to regulate what information
should be communicated via e-mail.
D. Clear policy for using e-mail within the enterprise ensures that the
right evidence is available.

Q2176. Which of the following is NOT an application control likely to be found in an EDI interface?
A. Hash totals
B. Echo checks
C. Record counts
D. Validity checks

Q2177. Anti-virus software should be used as a:
A. Detective control.
B. Preventive control.
C. Corrective control.
D. Compensating control.

Q2178. Which of the following is a dynamic analysis tool for the purpose of
testing of software modules?
A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code

Q2179. An IS auditor’s substantive test reveals evidence of fraud perpetrated from within a manager’s account. The manager had written his password, allocated by the system administrator, inside his drawer, which was normally kept locked. The IS auditor concludes that the:
A. Manager’s assistant perpetrated the fraud.
B. Perpetrator cannot be established beyond doubt.
C. Fraud must have been perpetrated by the manager.
D. System administrator could have perpetrated the fraud.

Q2180. The risk that an IS auditor uses an inadequate test procedure and
concludes that material errors do not exist when, in fact, they do, is an
example of:
A. Inherent risk.
B. Control risk.
C. Detection risk.
D. Audit risk.

Q2181. Which of the following exposures associated with the spooling of sensitive reports for off-line printing would an IS auditor consider to be the MOST serious?
A. Sensitive data may be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies might be printed.
D. Output would be lost in the event of system failure.

Q2182. An internal IS Auditor had been given a charter to audit the software implementation. During the preliminary review the auditor found that the scope of the audit needs to be enhanced to include a review of the software development process. Which of the following should approve this change?
A. Chief Information Officer
B. Board of Directors
C. Audit Committee
D. Chief Executive Officer

Q2183. An IS auditor is assigned to help design the data security, data integrity
and business continuity aspects of an application under development.
Which of the following provides the MOST reasonable assurance that
corporate assets are protected when the application is certified for
production?
A. A certification review conducted by the internal auditor.
B. A certification review conducted by the assigned IS auditor.
C. Specifications by the user on the depth and content of the
certification review.
D. An independent review conducted by another equally experienced
IS auditor.

Q2184. Which of the following controls would BEST serve to effectively detect
intrusion?
A. User creation and user privileges are granted through authorized
procedures.
B. Automatic logoff when a workstation is inactive for a particular
period of time.
C. Automatic logoff of the system after a specified number of
unsuccessful attempts.
D. Unsuccessful logon attempts are actively monitored by the
security administrator.


Q2185. Which of the following information is LEAST likely to be contained in a digital certificate for the purposes of verification by a Trusted Third Party (TTP)/Certification Authority (CA)?
A. Name of the TTP/CA
B. Public key of the sender
C. Name of the public key holder
D. Time period for which the key is valid

Q2186. Which of the following access control functions is LEAST likely to be performed by a database management system (DBMS) software package?
A. User access to field data
B. User sign-on at the network level
C. User authentication at the program level
D. User authentication at the transaction level

Q2187. Which of the following is a benefit of using callback devices?
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding

Q2188. A feature of a digital signature that ensures that the claimed sender
cannot later deny generating and sending the message is:
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding


Q2189. Sign-on procedures include the creation of a unique user-ID and password. However, an IS auditor discovers that in many cases the user name and password are the same. The BEST control to mitigate this risk is to:
A. Change the company’s security policy.
B. Educate users about the risk of weak passwords.
C. Build in validations to prevent this during user creation and password change.
D. Require a periodic review of matching of user-ID and passwords for detection and correction.

Q2190. Naming conventions for system resources are an important prerequisite for access control because they:
A. Ensure that resource names are not ambiguous.
B. Reduce the number of rules required to adequately protect resources.
C. Ensure that user access to resources is clearly and uniquely identified.
D. Ensure that internationally recognized names are used to protect resources.

Q2191. Which of the following exposures could be caused by a line-grabbing technique?
A. Unauthorized data access
B. Excessive CPU cycle usage
C. Lockout of terminal polling
D. Multiplexor control dysfunction

Q2192. While auditing IT infrastructure the IS auditor observed that there were
no procedures defined for the performance monitoring of third-party
vendor who was assigned the maintenance of hardware with a clause for 99% uptime during business hours. The BEST course for the auditor is:
A. To suggest procedures to functional management and report to top management.
B. To consult legal counsel for non-performance by the vendor.
C. To request the vendor management to provide necessary uptime reports.
D. To evaluate the performance of third-party vendor for estimating expected performance.

Q2193. Which of the following is an advantage of using a local area network (LAN)?
A. LANs protect against virus infection.
B. LANs protect against improper disclosure of data.
C. LANs provide program integrity from unauthorized changes.
D. LANs provide central storage for a group of users.

Q2194. Which of the following is a strength of a client/server security system?
A. Change control and change management procedures are inherently strong.
B. User can manipulate data without controlling resources on the mainframe.
C. Network components seldom become obsolete.
D. Access to confidential data or data manipulation is strongly controlled.

Q2195. An IS auditor reviewing an organization’s information systems disaster recovery plan should verify that it is:
A. Tested every 6 months.
B. Regularly reviewed and updated.
C. Approved by the chief executive officer (CEO).
D. Communicated to every departmental head in the organization.

Q2196. A programmer managed to gain access to the production library, modified a program that was then used to update a sensitive table in the payroll database and restored the original program. Which of the following methods is MOST effective to detect these unauthorized changes?
A. Source code comparison
B. Executable code comparison
C. Integrated Test Facilities (ITF)
D. Periodic review of transaction log files

Q2197. Utilizing audit software to provide code comparisons of production programs is an audit technique used to test program:
A. Logic.
B. Changes.
C. Efficiency.
D. Computations.

Q2198. Observing employees at work will help the IS auditor in testing compliance of:
A. Blank Screen Policy.
B. Forced password change.
C. Internet Usage.
D. BCP Awareness.

Q2199. Given the typical risk ratings below, an IS auditor performing an independent risk rating of critical systems would rate a situation where functions could be performed manually, at a tolerable cost, for an extended period of time as:
A. Critical.
B. Vital.
C. Sensitive.
D. Non-critical.

Q2200. Which of the following methods of results analysis, during the testing of the business continuity plan (BCP), provides the BEST assurance that the plan is workable?
A. Quantitatively measuring the results of the test
B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results

Q2201. Which of the following is an implementation risk within the process of decision support systems?
A. Management control
B. Semi-structured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processes

Q2202. An IS auditor performing a review of the electronic funds transfer (EFT) operations of a retailing company would verify that the customer's credit limit is verified before funds are transferred by reviewing the EFT:
A. System’s interface.
B. Switch facility.
C. Personal identification number generating procedure.
D. Operation back-up procedures.

Q2203. Which of the following must be included in the IT governance audit report?
A. Top management is responsible for internal control system of the organization.
B. The system of internal controls provides absolute assurance against material loss.
C. The long-term strategic plan for IT deployment will achieve the defined objectives.
D. The selected IT infrastructure used for IT operations is suitable and completely secure.

Q2204. Which of the following is a primary purpose for conducting parallel testing?
A. To determine if the system is more cost-effective.
B. To enable comprehensive unit and system testing.
C. To highlight errors in the program interfaces with files.
D. To ensure the new system meets all user requirements.

Q2205. Which of the following program change controls is NOT the responsibility
of the user department?
A. Updating documentation to reflect all changes
B. Initiating requests within its scope of authority
C. Approving changes before implementation, based on the results
of testing
D. Approving changes before implementation, based on review of
changes to manual procedures

Q2206. An IS auditor who plans on testing the connection of two or more system components that pass information from one area to another would use:
A. Pilot testing.
B. Parallel testing.
C. Interface testing.
D. Regression testing.


Q2207. Which of the following quality mechanisms is MOST likely to occur when a system development project is in the middle of the construction stage?
A. Unit tests
B. Stress tests
C. Regression testing
D. Acceptance testing

Q2208. Which of the following would be a major DISADVANTAGE of using
prototyping as a systems development methodology?
A. User expectations of project timescales may be over-optimistic.
B. Effective change control and management is impossible to
implement.
C. User participation in day-to-day project management may be too
extensive.
D. Users are not usually sufficiently knowledgeable to assist in
system development.

Q2209. Which of the following testing methods is MOST effective during the
initial phases of prototyping?
A. System testing
B. Parallel testing
C. Volume testing
D. Top-down testing

Q2210. CORBA and COM/DCOM technologies:
A. Use shared and reusable objects.
B. Establish remote connections.
C. Execute program on remote processors.
D. Prioritize and process messages.

Q2211. Which of the following network configuration options contains a direct
link between any two host machines?
A. Bus
B. Ring
C. Star
D. Completely connected mesh

Q2212. A message authentication code (MAC) suffixed to a message, and depending
upon the contents of the message, is a:
A. Preventive control
B. Detective Control
C. Corrective control
D. Deterrent control

Q2213. When reviewing the quality of an IS department's development process,
the IS auditor finds that they do not use any formal, documented
methodology and standards. The IS auditor's MOST appropriate action
would be to:
A. Complete the audit and report the finding.
B. Investigate and recommend appropriate formal standards.
C. Document the informal standards and test for compliance.
D. Withdraw and recommend a further audit when standards are
implemented.

Q2214. When a new system is to be implemented within a short timeframe, it
is MOST important to:
A. Finish writing user manuals.
B. Perform user acceptance testing.
C. Add last-minute enhancements to functionalities.
D. Ensure that code has been documented and reviewed.

Q2215. If the decision has been made to acquire software rather than develop
it internally, this decision is normally made during the:
A. Requirements definition phase of the project.
B. Feasibility study phase of the project.
C. Detailed design phase of the project.
D. Programming phase of the project.

Q2216. When auditing the requirements phase of a software acquisition, an IS
auditor would:
A. Assess the adequacy of audit trails.
B. Identify and determine the criticality of the need.
C. Verify cost justifications and anticipated benefits.
D. Ensure that control specifications have been defined.

Q2217. In regard to moving an application program from the test environment
to the production environment, the BEST control would be provided by
having the:
A. Application programmer copy the source program and compiled
object module to the production libraries.
B. Application programmer copy the source program to the
production libraries and then have the production control group
compile the program.
C. Production control group copy the source program and compile
the object module to the production libraries.
D. Production control group copy the source program to the
production libraries and then compile the program.

Q2218. Which of the following is the FIRST point at which control totals
should be implemented in order to prevent the loss of data during the
processing cycle?
A. During data preparation
B. In transit to the computer
C. Between related computer runs
D. During the return of the data to the user department

Q2219. Functionality is a characteristic associated with evaluating the quality of
software products throughout their lifecycle, and is BEST described as
the set of attributes that bear on the:
A. Existence of a set of functions and their specified properties.
B. Ability of the software to be transferred from one environment to
another.
C. Capability of software to maintain its level of performance under
stated conditions.
D. Relationship between the level of performance of the software
and the amount of resources used.

Q2220. A company disposing of personal computers that once were used to
store confidential data should first:
A. Demagnetize the hard disk.
B. Low level format the hard disk.
C. Delete all data contained on the hard disk.
D. Defragment the data contained on the hard disk.

Q2221. The primary reason for replacing cheques with electronic funds transfer
(EFT) systems in the accounts payable area is to:
A. Make the payment process more efficient.
B. Comply with international EFT banking standards.
C. Decrease the number of paper-based payment forms.
D. Reduce the risk of unauthorized changes to payment
transactions.

Q2222. A tax calculation program maintains several hundred tax rates. The
BEST control to ensure that tax rates entered into the program are
accurate is:
A. Independent review of the transaction listing.
B. Programmed edit check to prevent entry of invalid data.
C. Programmed reasonableness checks with 20% data entry range.
D. Visual verification of data entered by the processing department.

Q2223. An IS auditor reviewing database controls discovered that normal
processing changes to the database were handled through a standard
set of procedures. However, changes made after normal hours required
only an abbreviated number of steps. In this situation what would be
considered an adequate set of compensating controls?
A. Use of DBA user account to make the change.
B. Use of normal user account with access to make changes to the
database.
C. Use of DBA user account to make changes, logging of changes,
as well as before and after image with the changes being
reviewed the following day.
D. Use of normal user account to make changes, logging of change,
as well as before and after image changes being reviewed the
following day.

Q2224. Which of the following database administrator activities is unlikely to be
recorded on detective control logs?
A. Deletion of a record
B. Change of a password
C. Disclosure of a password
D. Changes to access rights

Q2225. An IS auditor is assigned to perform a post implementation review of an
application system. Which of the following situations may have impaired
the independence of the IS auditor? The IS auditor:
A. Implemented a specific control during the development of the
application system.
B. Designed an embedded audit module exclusively for auditing the
application system.
C. Participated as a member of the application system project team,
but did not have operational responsibilities.
D. Provided consulting advice concerning application system best
practices.

Q2226. Which of the following findings would an IS auditor be MOST concerned
about when performing an audit of backup and recovery and the offsite
storage vault?
A. There are three individuals with a key to enter the area
B. Paper documents are also stored in the offsite vault
C. Data files, which are stored in the vault, are synchronized
D. The offsite vault is located in a separate facility

Q2227. While reviewing the business continuity plan of an organization, the
IS auditor observed that the organization's data and software files are
backed up on a periodic basis. Which characteristic of an effective plan
does this demonstrate?
A. Deterrence
B. Mitigation
C. Recovery
D. Response

Q2228. A general hardware control that helps to detect data errors when data
are communicated from one computer to another is known as a:
A. Duplicate check.
B. Table look up.
C. Validity check.
D. Parity check.

Q2229. An IS auditor attempting to determine whether access to program
documentation is restricted to authorized persons would MOST likely:
A. Evaluate the record retention plans for off-premises storage.
B. Interview programmers about the procedures currently being
followed.
C. Compare utilization records to operations schedules.
D. Review data file access records to test the librarian function.

Q2230. A detective control in a computer operation area is:
A. Policy
B. Log
C. Procedure
D. Standard

Q2231. Following an authorized person through a secured door in order to bypass
security checks, or gaining unauthorized access through an authorized
telecommunications line, is called:
A. Data Diddling.
B. Trap Door.
C. Asynchronous Attack.
D. Piggybacking.

Q2232. An IS auditor is concerned about a software vendor's request to use a
stand-alone personal computer to load and demonstrate the latest anti-virus
software developed by his firm, because:
A. The Personal Computer has sensitive data.
B. The Personal Computer may be exposed to virus.
C. It is against the Policy of the organization.
D. The anti-virus program may not be tested properly.

Q2233. The IT risk management program of an organization that has
implemented extended ERP solutions using Extranet applications
should primarily address the:
A. Business processes.
B. Network connectivity.
C. Hardware and software.
D. Database server.

Q2234. Ownership of the Personnel Data File in an organization has been assigned
to the MIS Department. The IS auditor feels that it should be with the
Personnel Department. What is the MOST serious problem arising out
of this ownership?
A. The MIS department may not use the data.
B. The Personnel department may face problems in getting reports.
C. The data may not be up-to-date and accurate.
D. Improper access rules might be implemented.

Q2235. To ensure continued operations, data back-ups are stored off-site where
the redundant processing facilities are located. Which of the following
statements is FALSE?
A. The site should bear the nameplate in order to identify the place
correctly in case of emergency.
B. The site should have similar physical access restriction as that of
original site.
C. The facilities are to be tested periodically in order to ensure
continued availability.
D. The hardware and software should be compatible

Q2236. In a situation where frequent power failures last for varying periods from 6
to 8 hours, which of the following is the BEST possible solution?
A. Installation of UPS.
B. Installation of power generators.
C. Installation of UPS backed by power generators for prolonged
power failure.
D. Redundant power lines from another power sub-station.

Q2237. The PRIMARY objective of performing domain integrity testing is:
A. To verify that data conforms to definitions.
B. To verify that data items are in correct domain.
C. To ensure that data item has a legitimate value.
D. To ensure that edit and validation routines are working
satisfactorily.

Q2238. In an overall description of a database, the names of data elements,
their characteristics, and their relationship to each other are defined by
using a:
A. Data definition language
B. Data control language
C. Data manipulation language
D. Data command interpreter language

Q2239. Which of the following is the most likely characteristic of a direct access
file that uses indexes or dictionaries as its addressing technique when
processing randomly?
A. A randomizing formula is used
B. Two accesses are required to retrieve each record.
C. Synonyms will be generated that will result in extra accesses
D. There will be a high incidence of gaps or unassigned physical
records within the file.

Q2240. The manager of computer operations prepares a weekly schedule of
planned computer processing and distributes a copy of this schedule to
the tape librarian. The control purpose this serves is to:
A. Keep improper transactions from entering the computer facility
B. Specify file retention and backup policies
C. Authorize the release of data files to computer operators
D. Specify the distribution of printed outputs

Q2241. A systems analyst should have access to each of the following except:
A. Source code
B. Password identification tables
C. User procedures
D. Edit criteria

Q2242. Which of the following is not an important element in deciding whether
to lease or purchase computer equipment?
A. Cost of money.
B. Tax consideration.
C. Maintenance expense.
D. Parallel operations cost.

Q2243. CASE (computer-aided software engineering) is the use of the computer
to aid in the development of computer-based information systems.
Which of the following could not be automatically generated with CASE
tools and techniques?
A. Information requirements determination
B. Program logic design
C. Computer program code
D. Program documentation

Q2244. A bank uses scanned signatures of customers to identify and
authenticate customers before authorizing payments. Which of the
following processes associated with this system needs maximum controls?
A. Capturing (imaging) the signatures.
B. Retrieving the signature images.
C. Storing the signature images.
D. Displaying the image on monitor.

Q2245. One of the major problems in a computer system is that incompatible
functions may be performed by the same individual. One compensating
control is the use of:
A. Echo checks
B. A self-checking digit system
C. Computer-generated hash totals
D. A computer log

Q2246. Which of the following statements regarding security concerns for laptop
computers is true?
A. The primary methods of control usually involve general controls.
B. Centralized control over the selection and acquisition of hardware
and software is not a major concern.
C. Some traditional controls such as segregation of duties become
more important.
D. As their use becomes more sophisticated, the degree of concern
regarding physical security decreases.

Q2247. Which of the following is a control that will prevent accessing the
accounts receivable files from a hardwired terminal located in a
manufacturing department?
A. An echo check.
B. A device authorization table.
C. Providing only dial-up terminals.
D. Using data encryption.

Q2248. The telecommunication control of dial-up/disconnect/dial-back can be
circumvented by using:
A. Dedicated line technology
B. Automatic call forwarding
C. Encryption algorithms
D. High baud rate lines

Q2249. Good planning will help an organization restore computer operations
after a processing outage. Good recovery planning should ensure that:
A. Backup/restart procedures have been built into job streams and
programs.
B. Change control procedures cannot be bypassed by operating
personnel.
C. Planned changes in equipment capacities are compatible with
projected workloads.
D. Service level agreements with owners of applications are
documented.

Q2250. To increase the security of application software, the internal audit director
recommended that programmers be given diskless workstations.
Using diskless workstations would increase security by:
A. Making theft of programs more difficult
B. Reducing workstation maintenance expense
C. Imposing a stricter level of access control
D. Prompting programmers to work more closely together

Q2251. Scavenging for residual information in the main memory of a computer
can be best prevented by:
A. Resetting the values of memory locations to zero.
B. Requiring passwords for memory access.
C. Setting memory access for asynchronous control.
D. Setting memory access for synchronous control.

Q2252. The information technology security policy of a bank specifies that all
employees should clear their monitor screens when not working. Which
of the following best describes the reason for this policy?
A. Prevent shoulder surfing.
B. Restrict electronic eavesdropping.
C. Save monitor from damage.
D. Avoid password sniffing.

Q2253. An executive of a company received, by mistake, an e-mail from a trading
partner that was meant for another company. Which of the following
is the best action the executive should take?
A. Inform the sender about the mistake and hold the mail for
sender’s disposal.
B. Forward the mail to the system administrator to decide the further
action.
C. Do nothing except deleting the mail from inbox.
D. Forward the mail to the actual recipient of the mail and inform
sender.

Q2254. Authentication is the process by which the:
A. System verifies that the user is entitled to input the transaction
requested.
B. System verifies the identity of the user.
C. User identifies himself to the system.
D. User indicates to the system that the transaction was processed
correctly.

Q2255. The IS auditor has determined that protection of computer files is
inadequate. Which of the following is LEAST likely to have caused this
problem?
A. Arrangements for compatible backup computer facilities
B. Procedures for release of files
C. Offsite storage procedures
D. Environmental controls

Q2256. If inadequate, which of the following would MOST likely contribute to a
denial of service attack?
A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques

Q2257. Which of the following implementations of the digital encryption standard is
the simplest implementation?
A. Electronic codebook (ECB)
B. Cipher block chaining (CBC)
C. Cipher feedback (CFB)
D. Output feedback (OFB)

Q2258. An IS auditor needed a network expert to help in performing a network
security audit. Who should approve the inclusion of the network engineer in
the audit team?
A. Network Administrator.
B. Chief Information officer.
C. Steering Committee.
D. Audit committee.

Q2259. Which of the following manages the certificate life cycle of public key
pairs to ensure adequate security and controls exist in e-commerce
applications?
A. Registration authority
B. Certificate authority
C. Certificate revocation list
D. Certification practice statement

Q2260. Losses can be minimized MOST effectively by using outside storage
facilities to do which of the following?
A. Include current, critical information in backup files
B. Ensure that current documentation is maintained at the backup
facility
C. Test backup hardware
D. Train personnel in backup procedures

Q2261. Which of the following would warrant a quick continuity of operations
when the recovery time window is short?
A. A duplicated back-up in an alternate site
B. Duplicated data in a remote site
C. Transfer of data the moment a contingency occurs
D. A manual contingency procedure

Q2262. Which of the following is MOST important to have in a disaster recovery
plan?
A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms

Q2263. When auditing the proposed acquisition of a new computer system, the
IS auditor should FIRST establish that:
A. A clear business case has been approved by management.
B. Corporate security standards will be met.
C. Users will be involved in the implementation plan.
D. The new system will meet all required user functionality.

Q2264. When implementing an application software package, which of the
following presents the GREATEST risk?
A. Multiple software versions are not controlled
B. Source programs are not synchronized with object code
C. Parameters are not set correctly
D. Programming errors

Q2265. Following the development of an application system, it is determined
that several design objectives have not been achieved. This is MOST
likely to have been caused by:
A. Insufficient user involvement.
B. Early dismissal of the project manager.
C. Inadequate quality assurance (QA) tools.
D. Non-compliance with defined approval points.

Q2266. Which of the following types of firewalls provide the GREATEST degree
and granularity of control?
A. Screening router
B. Packet-filter
C. Application-gateway
D. Circuit-gateway

Q2267. Risk of hash compromise is BEST mitigated using:
A. Digital signatures.
B. Message encryption.
C. Message authentication code.
D. Cryptanalysis.

Q2268. Which of the following is the least likely indicator of segregation of duties in
the auditee area?
A. Job descriptions.
B. Organization charts.
C. Network diagram.
D. IT Security policy.

Q2269. During a post-implementation review of an enterprise resource
management system an IS auditor would MOST likely:
A. Review access control configuration.
B. Evaluate interface testing.
C. Review detailed design documentation.
D. Evaluate system testing.

Q2270. An executable module is about to be migrated from the test environment
to the production environment. Which of the following controls would
MOST likely detect an unauthorized modification to the module?
A. Object code comparison
B. Source code comparison
C. Timestamps
D. Manual inspection

Q2271. While performing a security audit of an information processing facility, an
IS auditor observed a dial-up connection provided to the network node of a
departmental head. The proactive action for the auditor is to inform the:
A. IS security manager
B. Audit manager
C. User manager
D. Top management

Q2272. The use of object-oriented design and development techniques would
MOST likely:
A. Facilitate the ability to reuse modules.
B. Improve system performance.
C. Enhance control effectiveness.
D. Speed up the system development life cycle.

Q2273. A dry-pipe fire extinguisher system is a system that uses:
A. Water, but in which water does not enter the pipes until a fire has
been detected.
B. Water, but in which the pipes are coated with special watertight
sealants.
C. Carbon dioxide instead of water.
D. Halon instead of water.

Q2274. Which of the following would provide a mechanism whereby IS
management can determine when, and if, the activities of the enterprise
have deviated from planned, or expected levels?
A. Quality management
B. IS assessment methods
C. Management principles
D. Industry standards/benchmarking

Q2275. Which of the following is the BEST way to handle obsolete magnetic
tapes before disposing of them?
A. Overwriting the tapes
B. Initializing the tape labels
C. Degaussing the tapes
D. Erasing the tapes

Q2276. Which of the following data entry controls provides the GREATEST
assurance that data entered does not contain errors?
A. Key verification
B. Segregation of the data entry function from data entry verification
C. Maintaining a log/record detailing the time, date, employee’s
initials/user-id and progress of various data preparation and
verification tasks
D. Check digits

Q2277. A universal serial bus (USB) port:
A. Connects the network without a network card.
B. Connects the network with an ethernet adapter.
C. Replaces all existing connections.
D. Connects the monitor.

Q2278. How can an enterprise provide access to its intranet (i.e., extranet) across
the Internet to its business partners?
A. Virtual private network
B. Client/server
C. Dial-in access
D. Network service provider

Q2279. Top management requested that an IS auditor assist the departmental
management in the implementation of necessary controls. The IS
auditor should:
A. Inform the management about inability to conduct follow-up audit.
B. Refuse the assignment since it is not the role of IS Auditor.
C. Perform the assignment and follow-up audit with due professional
care.
D. Obtain the approval of user management to perform the
implementation and follow up.

Q2280. In a client/server architecture, a domain name service (DNS) is MOST
important because it provides the:
A. Address of the domain server.
B. Resolution service for the name/address.
C. Resolution on the internet for the name/address.
D. Domain name system.

Q2281. The most effective preventive control against the use of unlicensed software is:
A. Periodic scans.
B. IT Security Policy.
C. Frequent audits.
D. Inventory of licenses.

Q2282. A protocol analyzer:
A. Analyses the traffic as per protocol rules.
B. Measures the performance of a network.
C. Prompts for the upgrading of networks.
D. Helps in maintaining networks.

Q2283. In a web server, a common gateway interface (CGI) is MOST often used
as a:
A. Consistent way for data transfer to the application program and
back to the user.
B. Computer graphics imaging method for movie and TV.
C. Graphic user interface for web design.
D. Interface to access the private gateway domain.

Q2284. A virtual private network (VPN) performs which of the following functions?
A. Hides information from sniffers on the net
B. Enforces security policies
C. Detects misuse or mistakes
D. Regulates access

Q2285. In a public key infrastructure (PKI), the authority which is responsible
for the identification and authentication of an applicant for a digital
certificate (i.e., certificate subjects) is the:
A. Registration authority (RA).
B. Issuing certification authority.
C. Subject certification authority.
D. Policy management authority.

Q2286. An IS auditor inspects an organization's offsite storage and plans to
sample the system and program documentation. The IS auditor is
MOST likely interested in reviewing:
A. Error conditions and user manuals.
B. Application run books.
C. Job stream control instructions.
D. Exception processing instructions.

Q2287. Which of the following disaster recovery/continuity plan components
provides the GREATEST assurance for recovery after a disaster?
A. The requirement that the alternate facility be available until the
original information processing facility is restored.
B. User management involvement in the identification of critical
systems and their associated critical recovery times and the
specification of needed procedures.
C. Copies of the plan kept at the homes of key decision making
personnel.
D. Adequate feedback to management to assure that the business
continuity plans are indeed workable and that the procedures are
current.

Q2288. Which of the following is a continuity plan test that uses actual
resources to simulate a system crash to cost-effectively obtain evidence
about the plan’s effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walkthrough

Q2289. An IS auditor participating in new software development projects will
provide an increased contribution and the organization will experience
increased efficiency if:
A. Procedures to identify and document needs and requirements of
the users are established.
B. Procedures to store the developed software are defined in the
systems development life cycle phases.
C. Development, test and production environments are defined
separately from each other.
D. Procedures and formal guidelines are established that identify
each system development life cycle phase.

Q2290. The decision about selection, implementation and risk assessment of
extended ERP solutions is part of the:
A. Short term plan
B. Long term plan
C. Steering committee meeting
D. Annual General meeting

Q2291. The difference between white-box testing and black-box testing is that
white-box testing:
A. Involves the IS auditor.
B. Is performed by an independent programmer team.
C. Examines the program's internal logical structure.
D. Uses the bottom-up approach.

Q2292. Which of the following groups/individuals assume overall direction and
responsibility for costs and timetables of systems development life cycle
projects?
A. User management
B. Project steering committee
C. Senior management
D. Systems development management

Q2293. Which of the following is the most appropriate indication that prompts a
change of operating system?
A. Vendor’s report.
B. Requirements.
C. Obsolescence.
D. Response time.

Q2294. Verification of the parity bit in network communication is done at which
layer of the ISO OSI network model?
A. Application layer.
B. Presentation layer.
C. Data Link layer.
D. Network layer.

Q2295. Which of the following exposures to data security occurs before
computer security can protect the data?
A. Data diddling.
B. Trap Door.
C. Logic Bomb.
D. Trojan Horse.

Q2296. Failure to adequately define or manage the requirements for a system
can result in a number of risks. The GREATEST risk is:
A. Inadequate user involvement.
B. Inadequate allocation of resources.
C. Requirement change during development.
D. Inadequate estimation of the critical path.

Q2297. Which of the following is a measure of the size of an information system
based on the number and complexity of a system's inputs, outputs and
files?
A. Program evaluation review technique (PERT)
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. Critical path method (CPM)

Q2298. Which of the following should be performed FIRST when acquiring
software?
A. Identify data processing requirements
B. Compare delivery schedules to requirements
C. Negotiate price
D. Establish business needs

Q2299. The need for the modification of validation and editing routines to
improve efficiency is normally indicated by:
A. Excess overrides.
B. An override activity report.
C. Error control and correction.
D. Separation of duties.

Q2300. Which of the following methodologies is appropriate for planning and
controlling activities and resources in a system project?
A. Critical path methodology (CPM)
B. Program evaluation review technique (PERT)
C. Gantt charts
D. Function point analysis

Q2301. An enterprise has established a steering committee to oversee its
e-business program. The steering committee would MOST likely be
involved in the:
A. Documentation of software requirements.
B. Escalation of project issues.
C. Design of interface controls between systems.
D. Specification of management reports.

Q2302. An IS auditor reviewing the design phase of the program development
life cycle would seek to determine that:
A. Program documentation provides little evidence about the quality
of the design approach used during software development.
B. Programmers specify the structure and operations of a program
that will satisfy a requirement specification.
C. An object-oriented approach to design is employed when low-
level programming languages are used to develop programs.
D. A formal approach to design is not followed when high-level
languages are used to develop programs.

Q2303. A company uses a bank to process its weekly payroll. Time sheets and
payroll adjustment forms (e.g., hourly rate changes, terminations) are
filled in and delivered to the bank, which prepares checks (cheques) and
reports for distribution. To BEST ensure payroll data accuracy:
A. Payroll reports should be compared to input forms.
B. Gross payroll should be recalculated manually.
C. Checks (cheques) should be compared to input forms.
D. Checks (cheques) should be reconciled with output reports.

Q2304. An external auditor was planning an audit of the effectiveness of IT
controls. However, only the internal auditor's audit report was available,
not the work papers. The auditor could not determine the type of tests
performed by the internal auditor to assure the effectiveness of the
controls. The auditor should:
A. Change the scope of the audit to include the tests.
B. Refuse to perform the audit till the work papers are made available.
C. Rely on the previous audit report and not the work papers.
D. Defer the tests till the work papers are made available.

Q2305. The performance of the flow of traffic within a network is handled by which layer of the ISO OSI model?
A. Data Link.
B. Session.
C. Transport.
D. Network.

Q2306. All of the following are examples of corrective controls except:
A. Transaction trails
B. Passwords
C. Upstream resubmission
D. Automatic error correction

Q2307. Which of the following reports is most useful for an internal auditor in order to gain an understanding of the auditee area?
A. Long term IT plan.
B. Annual financial results.
C. Annual financial audit report.
D. Minutes of Steering committee meeting.

Q2308. Which of the following is an essential process in forensic investigations to establish the integrity of electronic evidence?
A. Chain of custody
B. Hard disk analysis
C. Third party witness
D. Copy of complaint

Q2309. An IS auditor observed that some controls defined by the security policy were not implemented by auditee management. What should the auditor do next?
A. Compliance testing of implemented controls.
B. Substantive testing of implemented controls.
C. Risk assessment of non-implemented controls.
D. Suspend the audit and report to Management.

Q2310. Implementing a questionnaire-based Control Self Assessment program without creating awareness will result in local management:
A. Answering all questions in the affirmative.
B. Treating it as a replacement for internal audit.
C. Not analyzing the replies.
D. Treating it as another report to top management.

Q2311. In a small organization only one employee looks after analysis, development and maintenance of application software. Which of the following functions can be entrusted to that employee additionally without additional controls?
A. Data Base Administrator.
B. Quality Assurance.
C. Computer Operations.
D. System Administration.

Q2312. An IS auditor found that the system administrator performs user maintenance. Which of the following controls should the auditor check to ensure fictitious users are not added? Users added into the system should be:
A. Authorized.
B. Identified.
C. Authenticated.
D. Registered.

Q2313. While auditing the Business continuity plan for information systems, the IS auditor should first ensure that the plan:
A. Covers all business processes.
B. Provides for recovery of IT resources.
C. Specifies insurance cover.
D. Has the address of the alternate site.

Q2314. Which of the following functions in an Information Processing facility, if combined, causes serious security concern?
A. Data Base Administrator and System Analyst.
B. Data Base Administrator and Application Programmer.
C. System Analyst and Data Entry.
D. System Analyst and Application Programmer.

Q2315. The primary objective of the review of the IT security policy by an IS auditor is to:
A. Justify IT implementation projects.
B. Establish the standard of compliance.
C. Understand security technology.
D. Ensure the updation cycle of the policy.

Q2316. Which of the following will help management in getting feedback about the achievement of planned IT goals?
A. Key Goal Indicators.
B. Balanced Scorecard.
C. Critical Success Factors.
D. Key Performance Indicators.

Q2317. The essential difference between an RDBMS and data warehousing is that a data warehouse:
A. Stores data in relational tables.
B. Is implemented using RDBMS systems.
C. Stores data in denormalized form.
D. Implementation precedes RDBMS implementation.

Q2318. Which of the following risks in a wireless LAN must be controlled first?
A. Terminals are not connected to the server.
B. Unauthorized terminal/client.
C. Possible unauthorized use of the LAN.
D. Unauthorized software.

Q2319. Which of the following is most useful in providing an indication about required upgradation of hardware?
A. Downtime reports.
B. Availability reports.
C. Utilization reports.
D. Error reports.

Q2320. During the Business continuity audit an IS auditor found that the BCP covered only critical applications. The IS auditor should first:
A. Assess the impact on business due to non-availability of processes not covered.
B. Insist on redesigning the BCP covering all IS-related processes.

C. Report the findings with recommendations for redesigning the BCP.
D. Look for the approval from the top management.

Q2321. Which of the following technologies enables broadband networks?
A. Full duplex communication.
B. Vectoring of multiple channels on a single carrier.
C. Packet switching network.
D. Store and forward switch.

Q2322. Scalability of a network refers to:
A. Flexibility to expand the network and support new services.
B. Ability to maintain, support and troubleshoot.
C. Continuous and reliable communication service.
D. Communication between disparate technologies.

Q2323. Which of the following is TRUE about outsourcing?
A. It is only a cost-dependent decision.
B. It improves internal technical expertise.
C. It has more control implications.
D. It is the decision of the legal department.

Q2324. Which of the following is the highest risk associated with outsourcing of IT-based business processes?
A. Hidden costs.
B. Performance failure.
C. Loss of ownership.
D. Financial viability of the vendor.

Q2325. In the event of an outsourcing vendor refusing to allow the internal IS auditor to perform an audit at the vendor's site, which of the following is the best alternative?
A. Review the vendor's self-audit report.
B. Provide for a penalty clause in the SLA (Service Level Agreement).
C. Review the audit report from an independent auditor.
D. Terminate the agreement immediately.

Q2326. An IS auditor's first concern in an organization adopting recognized standards (like ISO) is:
A. Compliance with documented procedures.
B. All IT processes are documented.
C. Critical IT processes achieve planned goals.
D. Cost of implementing standards.

Q2327. While auditing a Risk Management program, the auditor should first ensure that:
A. Management accepts all natural risks.
B. The program monitors all residual risks.
C. Risk mitigation does not have preventive controls.
D. The program uses qualitative measurement standards.

Q2328. Which of the following will help the auditor in determining the effectiveness of help desk operations?
A. Problem aging analysis.
B. Query log maintained by the help desk.
C. Problem escalation report.
D. Awareness level of end users.

Q2329. A manufacturing organization has deployed IT based solutions to reduce the business process cycle time. Which of the following will give the feedback on achieving this objective?
A. Business processes.
B. Network connectivity.
C. Hardware and software.
D. Database server.

Q2330. Exception reports generated by application systems are useful to management:
A. As a compensating control for segregation of duties.
B. As feedback on the processing status.
C. In resolving problems in data processing.
D. In evaluating supervisory performance.

Q2331. An IS auditor gets the first opportunity to understand compliance with the security policy by:
A. Observing people at work.
B. Reviewing the policy document.
C. Performing substantive testing.
D. Reviewing minutes of steering committee meetings.

Q2332. The block sum check in network communication is an extension of:
A. Parity check.
B. Encryption.
C. Sequence check.
D. Hash function.

Q2333. While auditing hardware acquisition the IS auditor should first ensure that:
A. The Request for Proposal is in accordance with the requirement analysis.
B. Hardware is selected on the basis of throughput.
C. The Request for Proposal was sent to all vendors.
D. The selected hardware was offered at the lowest cost.

Q2334. Which of the following features of job scheduling software will be most useful in ensuring successful completion of scheduled jobs?
A. Sequencing of processes.
B. Completion and error reporting.
C. Documentation of the system.
D. Defined job dependencies.

Q2335. A centralized database server is being accessed by users from various geographical locations. Concurrency controls provided in this system primarily ensure:
A. Integrity of data.
B. Usability of data.
C. Confidentiality of data.
D. Availability of data.

Q2336. Picture-oriented languages like Japanese use Unicode communication. The conversion of Unicode to ASCII is handled by the:
A. Session layer.
B. Presentation layer.
C. Application layer.
D. Network layer.

Q2337. An IS auditor was asked to audit an ERP implementation. The auditor did not have prior experience of ERP implementation. The auditor should:
A. Take the help of an independent skilled professional.
B. Refuse the assignment in the absence of the required skills.
C. Attend a training program on implementation of ERP.
D. Conduct the audit with due professional care.

Q2338. Some organizations have a 'required paid vacation' facility for their employees. The purpose of this facility is:
A. A motivating incentive for hard working employees.
B. To increase the opportunity to discover fraudulent/irregular activities of the employee.
C. Rest and recuperation refreshes the mind and improves the quality of life.
D. To give an opportunity to spend more time with family.

Q2339. Cross-training means training by colleagues. It helps in decreasing dependence on one employee. It has some risks associated with it. Which of the following is the MOST serious risk?
A. Risk of all trained employees remaining absent.
B. Risk of back-up personnel being over-worked.
C. Risk of one person knowing all parts of the system.
D. Risk of not having control over the situation described in C.

Q2340. It was decided to introduce the image processing technique for handling of documents. The IS auditor is concerned about the use of this technique. Which of the following is the PRIMARY reason for the IS auditor's concern?
A. The image processing software is very expensive.
B. Inadequate training may result in poor quality of images.
C. The imaging system may change or eliminate the traditional controls.
D. Workflow processes may have to be redesigned.

Q2341. Which of the following would BEST ensure the proper updating of critical fields in master records?
A. Field checks.
B. Control totals.
C. Reasonableness checks.
D. Before and after maintenance reports.

Q2342. While auditing the computer installation, the internal IS auditor found a virus-infected file. What should the IS auditor do FIRST?
A. Report to the IS manager and top management about the presence of the virus.
B. Inform the IS manager about the infection so as to enable him to take the necessary steps.
C. Disinfect or erase the infected file and check other computer systems for infection.
D. Check whether the other computer systems have a similar infection.

Q2343. Programmers frequently create entry points into a program for debugging purposes and/or insertion of new program code at a later date. These entry points are called:
A. Logic bombs.
B. Worms.
C. Trap doors.
D. Trojan horses.

Q2344. The system administrator of a public utility company has to change the access rights of users frequently due to changes in roles on account of leave and/or transfers of employees. Which of the following should the system administrator do first?
A. Verify authorization.
B. Create new user id.

C. Change access rights.
D. Grant the new role.

Q2345. The auditor observed that, in the absence of explicit mention in the SLA, the third party has appointed a sub-contractor to perform the outsourced function. The auditor should FIRST:
A. Look for the auditability option in the third party and sub-contractor.
B. Ascertain the control of the third party over the sub-contractor.
C. Report the absence of mention of sub-contracting in the SLA.
D. Report the risk associated with such an arrangement.

Q2346. Which of the following is NOT a feature of an uninterruptible power supply (UPS)?
A. A UPS provides electrical power to a computer in the event of a power failure.
B. A UPS system is an external piece of equipment or can be built into the computer itself.
C. A UPS should function to permit an orderly computer shutdown.
D. A UPS uses a greater wattage into the computer to ensure enough power is available.

Q2347. Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?
A. Built-in alternative routing
B. Full system back-up taken daily
C. A repair contract with a service provider
D. A duplicate machine alongside each server

Q2348. Cryptographic processing depends on the use of keys, which are of primary importance in the security of a cryptographic system. Which of the following key algorithms decrypts data with the same key used for encryption?
A. Symmetric key algorithm.
B. Asymmetric key algorithm.
C. Symmetric and public key algorithm.
D. Asymmetric and secret key algorithm.

Q2349. Risk management consists of risk assessment and risk mitigation. Which
of the following is NOT an element of risk mitigation?
A. Measure risk.
B. Select appropriate safeguards.
C. Implement and test safeguards.
D. Accept residual risks.

Q2350. Which of the following controls can validate a transaction?
A. Authorization of the transaction by supervisory personnel in an adjacent department.
B. Use of programs to check the transaction against criteria set by management.
C. Authorization of the transaction by a department supervisor prior to the batch process.
D. Use of key field verification techniques in data entry.

Q2351. As business functions change, pre-printed forms and other supplies are also likely to change. Which one of the following actions poses a MAJOR risk to the organization?
A. Inventory list at off-site is not updated.
B. Inventory list, a backup computer and recovery facility is not updated.
C. The emergency or alternate supplier is not assessed as to whether or not he is still in business.
D. Outdated materials are not culled from useful supplies.

Q2352. Your organization has hired a security-consulting firm for testing the logical access security for dial-up connections. Which of the following persons is MOST likely to be hired by the security firm?
A. Hackers.
B. Crackers.
C. Hardware Engineer.
D. Software Engineer.

Answers for Module 4

Q2153 Ans. A Q2173 Ans. A Q2193 Ans. C
Q2154 Ans. C Q2174 Ans. A Q2194 Ans. A
Q2155 Ans. B Q2175 Ans. A Q2195 Ans. D
Q2156 Ans. A Q2176 Ans. B Q2196 Ans. A
Q2157 Ans. B Q2177 Ans. A Q2197 Ans. A
Q2158 Ans. A Q2178 Ans. B Q2198 Ans. D
Q2159 Ans. B Q2179 Ans. A Q2199 Ans. D
Q2160 Ans. A Q2180 Ans. C Q2200 Ans. B
Q2161 Ans. B Q2181 Ans. A Q2201 Ans. C
Q2162 Ans. A Q2182 Ans. A Q2202 Ans. B
Q2163 Ans. A Q2183 Ans. C Q2203 Ans. C
Q2164 Ans. C Q2184 Ans. D Q2204 Ans. D
Q2165 Ans. B Q2185 Ans. A Q2205 Ans. B
Q2166 Ans. A Q2186 Ans. A Q2206 Ans. B
Q2167 Ans. A Q2187 Ans. B Q2207 Ans. B
Q2168 Ans. B Q2188 Ans. D Q2208 Ans. B
Q2169 Ans. A Q2189 Ans. A Q2209 Ans. D
Q2170 Ans. A Q2190 Ans. B Q2210 Ans. A
Q2171 Ans. A Q2191 Ans. B Q2211 Ans. A
Q2172 Ans. A Q2192 Ans. A Q2212 Ans. C

Q2213 Ans. A Q2243 Ans. C Q2273 Ans. C
Q2214 Ans. C Q2244 Ans. C Q2274 Ans. D
Q2215 Ans. C Q2245 Ans. B Q2275 Ans. A
Q2216 Ans. C Q2246 Ans. C Q2276 Ans. B
Q2217 Ans. B Q2247 Ans. A Q2277 Ans. C
Q2218 Ans. C Q2248 Ans. A Q2278 Ans. D
Q2219 Ans. C Q2249 Ans. B Q2279 Ans. D
Q2220 Ans. A Q2250 Ans. B Q2280 Ans. A
Q2221 Ans. C Q2251 Ans. B Q2281 Ans. A
Q2222 Ans. B Q2252 Ans. A Q2282 Ans. B
Q2223 Ans. D Q2253 Ans. B Q2283 Ans. B
Q2224 Ans. C Q2254 Ans. C Q2284 Ans. B
Q2225 Ans. C Q2255 Ans. D Q2285 Ans. A
Q2226 Ans. A Q2256 Ans. C Q2286 Ans. A
Q2227 Ans. C Q2257 Ans. B Q2287 Ans. A
Q2228 Ans. B Q2258 Ans. C Q2288 Ans. A
Q2229 Ans. D Q2259 Ans. A Q2289 Ans. A
Q2230 Ans. A Q2260 Ans. D Q2290 Ans. A
Q2231 Ans. B Q2261 Ans. A Q2291 Ans. A
Q2232 Ans. D Q2262 Ans. A Q2292 Ans. A
Q2233 Ans. C Q2263 Ans. A Q2293 Ans. C
Q2234 Ans. C Q2264 Ans. C Q2294 Ans. A
Q2235 Ans. A Q2265 Ans. B Q2295 Ans. A
Q2236 Ans. A Q2266 Ans. B Q2296 Ans. A
Q2237 Ans. A Q2267 Ans. B Q2297 Ans. A
Q2238 Ans. C Q2268 Ans. C Q2298 Ans. A
Q2239 Ans. A Q2269 Ans. D Q2299 Ans. B
Q2240 Ans. A Q2270 Ans. A Q2300 Ans. C
Q2241 Ans. D Q2271 Ans. B Q2301 Ans. C
Q2242 Ans. A Q2272 Ans. D Q2302 Ans. D

Q2303 Ans. D Q2320 Ans. C Q2337 Ans. A
Q2304 Ans. D Q2321 Ans. D Q2338 Ans. A
Q2305 Ans. B Q2322 Ans. B Q2339 Ans. A
Q2306 Ans. C Q2323 Ans. D Q2340 Ans. D
Q2307 Ans. C Q2324 Ans. D Q2341 Ans. A
Q2308 Ans. A Q2325 Ans. B Q2342 Ans. A
Q2309 Ans. A Q2326 Ans. A Q2343 Ans. C
Q2310 Ans. B Q2327 Ans. A Q2344 Ans. A
Q2311 Ans. B Q2328 Ans. B Q2345 Ans. A
Q2312 Ans. B Q2329 Ans. A Q2346 Ans. A
Q2313 Ans. D Q2330 Ans. A Q2347 Ans. A
Q2314 Ans. A Q2331 Ans. C Q2348 Ans. A
Q2315 Ans. C Q2332 Ans. A Q2349 Ans. A
Q2316 Ans. A Q2333 Ans. C Q2350 Ans. B
Q2317 Ans. D Q2334 Ans. A Q2351 Ans. C
Q2318 Ans. A Q2335 Ans. C Q2352 Ans. A
Q2319 Ans. D Q2336 Ans. D

1. Which of the following BEST describes the purpose or character of an audit charter?
A. An audit charter should be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B. An audit charter should clearly state audit's objectives for the delegation of authority for the maintenance and review of internal controls.
C. An audit charter should document the audit procedures designed to achieve the planned audit objectives.
D. An audit charter should outline the overall authority, scope and responsibilities of the audit function.

2. Which of the following would NOT be a reason why an IS auditor would prepare a formal audit program?
A. To structure the IS auditor's own planning
B. To guide assistants in performing planned procedures
C. To provide audit documentation for review
D. To assess the overall risk of operations within the organization

3. In a risk-based audit approach, an IS auditor is not only influenced by risk but also by:
A. the availability of CAATs.
B. management's representations.
C. organizational structure and job responsibilities.
D. the existence of internal and operational controls.

4. The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures that:
A. information assets are over protected.
B. a basic level of protection is applied regardless of asset value.
C. appropriate levels of protection are applied to information assets.
D. an equal proportion of resources are devoted to protecting all information assets.

5. Which of the following procedures would an IS auditor NOT perform during pre-audit planning to gain an understanding of the overall environment under review?
A. Tour key organization activities
B. Interview key members of management to understand business risks
C. Perform compliance tests to determine if regulatory requirements are met
D. Review prior audit reports

6. The use of risk assessment techniques will NOT help to determine the:
A. areas or business functions to be audited.
B. nature, extent and timing of audit procedures.
C. likely audit findings, conclusions and recommendations.
D. amount of time and resources to be allocated to an audit.

7. The primary purpose and existence of an audit charter is to:
A. document the audit process used by the enterprise.
B. formally document the audit department's plan of action.
C. document a code of professional conduct for the auditor.
D. describe the authority and responsibilities of the audit department.

8. Which of the following forms of evidence would be considered to be the MOST reliable when assisting an IS auditor develop audit conclusions?
A. A confirmation letter received from a third party for the verification of an account balance
B. Assurance via a control self-assessment received from line management that an application is working as designed
C. Trend data obtained from World Wide Web (Internet) sources
D. Ratio analysis developed by the IS auditor from reports supplied by line management

9. Which of the following forms of evidence would be considered to be the MOST reliable?
A. An oral statement from the auditee
B. The results of a test performed by an IS auditor
C. An internally generated computer accounting report
D. A confirmation letter received from an outside source

10. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Poor housekeeping leads to excessive cycles of backup files remaining available.
B. Strong access controls establish accountability for activity on the e-mail system.
C. Data classification is often used to regulate what information should be communicated via e-mail.
D. Clear policy for using e-mail within the enterprise ensures that the right evidence is available.

11. Which of the following computer-based tools would assist an IS auditor when performing a statistical sampling of financial transactions maintained in a financial management information system?
A. Spreadsheet auditor
B. Parallel simulation
C. Generalized audit software
D. Regression testing

12. Which of the following would NOT be a use of generalized audit software programs?
A. Verifying calculations and totals
B. Performing intricate calculations
C. Selecting data that an auditor defines as unusual
D. Producing multiple reports and machine-readable output files

13. Which of the following BEST describes an integrated test facility?
A. A technique that enables the IS auditor to enter test data into a live computer run for the purpose of verifying correct processing
B. The utilization of hardware and/or software to review and test the functioning of a computer system

600 Questions Pg 1
C. A method of using special programming options to permit printout of the path through a computer program taken to process a specific transaction
D. A procedure for tagging and extending transactions and master records that are used by an IS auditor for tests

14. Which of the following statements regarding test data techniques is TRUE?
A. It tests only preconceived situations.
B. It requires the use of a test data generator.
C. It requires a high degree of technical IS knowledge.
D. It requires limited computer time and clerical effort.

15. Which of the following statements regarding sampling is TRUE?
A. Sampling is generally applicable when the population relates to an intangible or undocumented control.
B. If an auditor knows internal controls are strong, the confidence coefficient may be lowered.
C. An example of attribute sampling would be to estimate the number of obsolete object code modules based upon a sample evaluation from the population of the object code library.
D. Variable sampling is a technique to estimate the rate of occurrence of a given control or set of related controls.

16. Which of the following is NOT an advantage of using CAATs?
A. Reduces the level of audit risk
B. Provides broader and more consistent audit coverage
C. Saves time for source data input
D. Improves exception identification

17. An important distinction an IS auditor should make when evaluating and classifying controls as preventive, detective or corrective is:
A. the point when controls are exercised as data flows through the system.
B. only preventive and detective controls are relevant.
C. corrective controls can only be regarded as compensating.
D. classification allows an IS auditor to determine which controls are missing.

18. Which of the following statements regarding an IS auditor's use of a continuous audit approach is TRUE?
A. A continuous audit approach is desirable because it does not require an IS auditor to collect evidence on system reliability while processing is taking place, thus allowing more flexibility in approach.
B. When employing a continuous audit approach it is important that the IS auditor review and follow up immediately on all information collected.
C. The use of continuous auditing techniques can actually improve system security when used in time-sharing environments that process a large amount of transactions.
D. Since continuous audit techniques do not depend on the complexity of an organization's computer systems, they are often used to detect control problems in very complex systems.

19. An IS auditor's substantive test reveals evidence of fraud perpetrated from within a manager's account. The manager had written his password, allocated by the system administrator, inside his drawer, which was normally kept locked. The IS auditor concludes that the:
A. manager's assistant perpetrated the fraud.
B. perpetrator cannot be established beyond doubt.
C. fraud must have been perpetrated by the manager.
D. system administrator could have perpetrated the fraud.

20. Which of the following statements pertaining to the determination of sample size is TRUE?
A. The larger the confidence level, the smaller the sample size
B. The larger the standard deviation, the larger the sample size
C. The smaller the precision amount, the smaller the sample size
D. Sample size is not affected by the expected error rate in the population

21. Which of the following would NOT normally be performed using CAATs?
A. Footing totals
B. Selecting testing samples
C. Reconciling account posting
D. Testing aging of receivables

22. To gain a full understanding of a LAN environment, an IS auditor should document all of the following functions EXCEPT:
A. LAN topology and network design.
B. technical support/help desk functions.
C. duties and responsibilities of the LAN administrator.
D. the various computer applications used on the LAN.

23. During a review of a customer master file an IS auditor discovered numerous customer name duplications arising from variations in customer first names. In order to determine the extent of the duplication the IS auditor would use:
A. test data to validate data input.
B. test data to determine system sort capabilities.
C. generalized audit software to search for address field duplications.
D. generalized audit software to search for account field duplications.

24. A manufacturing company has implemented a new client/server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following controls would BEST ensure that the orders are accurately entered and the corresponding products produced?
A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production

25. Which of the following would an IS auditor consider to be the BEST population to take a sample from when testing program changes?
A. Test library listings
B. Source program listings
C. Program change requests
D. Production library listings

26. Which of the following tests is an IS auditor performing when a sample of programs is selected to determine if the source and object versions are the same?
A. A substantive test of program library controls
B. A compliance test of program library controls
C. A compliance test of the program compiler controls
D. A substantive test of the program compiler controls

27. An integrated test facility is considered a useful audit tool because it:
A. is a cost efficient approach to auditing application controls.
B. enables the financial and IS auditors to integrate their audit tests.
C. compares processing output with independently calculated data.
D. provides the IS auditor with a tool to analyze a large range of information.

28. The primary reason for enabling software audit trails is to:
A. improve response time for users.
B. establish accountability and responsibility for processed transactions.
C. improve system efficiency since audit trails do not occupy disk-space.
D. provide useful information to auditors who may wish to track transactions.

29. When performing a procedure to identify the value of inventory that has been kept for more than eight weeks, an IS auditor would MOST likely use:
A. test data.
B. statistical sampling.
C. an integrated test facility.
D. generalized audit software.

30. Data flow diagrams are used by IS auditors to:
A. order data hierarchically.
B. highlight high-level data definitions.
C. graphically summarize data paths and storage.
D. portray step-by-step details of data generation.

31. A distinction that can be made between compliance testing and substantive testing is:
A. compliance testing tests details, while substantive testing tests procedures.
B. compliance testing tests controls, while substantive testing tests details.
C. compliance testing tests plans, while substantive testing tests procedures.
D. compliance testing tests for regulatory requirements, while substantive testing tests validations.

32. An IS auditor is expected to use due professional care when performing audits, which requires that the individual exercise skill or judgment:
A. commonly possessed by practitioners of that specialty.
B. which includes programming skills in the software under review.
C. relating to the selection of audit tests and evaluation of test results.
D. where an incorrect conclusion based on available facts will not be drawn.

33. An internal audit department that organizationally reports exclusively to the chief financial officer (CFO) rather than to an audit committee is MOST likely to:
A. have its audit independence questioned.
B. report more business-oriented and relevant findings.
C. enhance the implementation of the auditor's recommendations.
D. result in greater effective action being taken on the auditor's recommendations.

34. An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor perform FIRST?
A. Personally delete all copies of the unauthorized software.
B. Inform auditee of the unauthorized software and follow-up to confirm deletion.
C. Report the use of the unauthorized software to auditee management and the need to prevent recurrence.
D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.

35. The risk that an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when, in fact, they do, is an example of:
A. inherent risk.
B. control risk.
C. detection risk.
D. audit risk.

36. A primary benefit derived from an organization employing control self assessment (CSA) techniques is that it:
A. can identify high-risk areas that might need a detailed review later.
B. allows IS auditors to independently assess risk.
C. can be used as a replacement for traditional audits.
D. allows management to relinquish responsibility for control.

37. An IS auditor's first step when implementing continuous monitoring systems is to identify:
A. reasonable target thresholds.
B. high-risk areas within the organization.
C. the location and format of output files.
D. applications that provide the highest potential payback.

38. Which of the following is an anti-virus detective control?
A. Route all links to external systems via a firewall.
B. Scan all diskettes and CDs brought in from outside the company before use.
C. Scan all files on all file server hard disks daily, moving suspect files to a safe area.
D. Use anti-virus software to update users' anti-virus configuration files every time they log in.

39. Which of the following represents the MOST significant exposure for an organization that leases personal computers?
A. Accounting for shared peripherals
B. Frequent reassignment of hardware
C. Obsolescence prior to lease termination
D. Software licensing issues on leased machines

40. When reviewing a system development project at the project initiation stage, an IS auditor finds that the project team is not proposing to strictly follow the organization's quality manual. To meet critical deadlines the project team proposes to fast track the validation and verification processes, commencing some elements before the previous deliverable is signed-off. Under these circumstances the IS auditor would MOST likely:
A. report this as a critical finding to senior management.
B. accept that different quality processes can be adopted for each project.
C. report to IS management the team's failure to follow appropriate procedures.
D. report the risks associated with fast tracking to the project steering committee.

41. During a review of the controls over the process of defining IT service levels an IS auditor would MOST likely interview the:
A. systems programmer.
B. legal staff.
C. business unit manager.
D. programmer.

42. Which of the following sampling methods is MOST useful when testing for compliance?
A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation

43. While performing an audit, an IS auditor used an application software mapping technique and discovered an error in system processing. In preparing the audit report the IS auditor should include:
A. a detailed (step-by-step) description of the mapping technique.
B. the detailed steps performed during the audit.
C. a listing of relevant parameters or source code of the system.
D. an overview of the application software mapping technique used.

44. Which of the following is a detective control?
A. Physical access controls
B. Segregation of duties
C. Back-up procedures
D. Audit trails

45. An IS auditor is assigned to perform a post implementation review of an application system. Which of the following situations may have impaired the independence of the IS auditor? The IS auditor:
A. implemented a specific control during the development of the application system.
B. designed an embedded audit module exclusively for auditing the application system.
C. participated as a member of the application system project team, but did not have operational responsibilities.
D. provided consulting advice concerning application system best practices.

46. Detection risk refers to a:
A. conclusion that material errors do not exist, due to an inadequate test procedure.
B. control that fails to detect an error.
C. control that detects a high-risk error.
D. control that detects an error but fails to report the same.

47. Information requirement definitions, feasibility studies, and user requirements are significant considerations when:
A. defining and managing service levels.
B. identifying IT solutions.
C. managing changes.
D. assessing internal IT control.

48. Which of the following steps would an IS auditor normally perform FIRST in a security review?
A. Evaluate physical access test results
B. Determine the risks/threats to the data center site
C. Review business continuity procedures
D. Test for evidence of physical access at suspect locations

49. Which of the following is the LEAST reliable audit evidence?
A. Results of data extractions
B. Results of test cases
C. Oral representations
D. Record of transactions

50. Which of the following types of information would an IS auditor find LEAST valuable when gaining an understanding of the IT process?
A. IT planning and deployment of documents with deliverables and performance results
B. Organization's policies and procedures relating to planning, managing, monitoring and reporting on performances
C. Prior audit reports
D. Reports of IT functional activities
51. When an IS auditor obtains a listing of current users with access to the selected WAN/LAN and verifies that those listed are active associates, the IS auditor is performing a:
A. compliance test.
B. substantive test.
C. statistical sample.
D. risk assessment.

52. Ensuring regular password change, assigning a new one-time password when a user forgets his/hers, and requiring users not to write down their passwords are all examples of:
A. audit objectives.
B. audit procedures.
C. controls objectives.
D. control procedures.

53. The FIRST task an IS auditor should complete when performing a new audit in an unfamiliar area is to:
A. design the audit programs for each system or function involved.
B. develop a set of compliance tests and substantive tests.
C. gather background information pertinent to the new audit.
D. assign human and economical resources.

54. Risk assessments performed by IS auditors are a critical factor for audit planning. An assessment of risk should be made to provide:
A. reasonable assurance that material items will be covered during the audit work.
B. sufficient assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered during the audit work.
D. sufficient assurance that all items will be covered during the audit work.

55. IS auditors must have a thorough understanding of the risk assessment process. Risk assessment is a(n):
A. subjective process.
B. objective process.
C. mathematical process.
D. statistical process.

56. The BEST time to perform a control self-assessment involving line management, line staff and the audit department would be during the:
A. compliance tests.
B. preliminary survey.
C. substantive tests.
D. preparation of the audit report.

57. While conducting a control self-assessment (CSA) program, an IS auditor facilitated workshops involving management and staff in judging and monitoring the effectiveness of existing controls. Which of the following is an objective of a CSA program?
A. to enhance audit responsibilities.
B. to identify problems.
C. to brainstorm solutions.
D. to complete the entire audit.

58. The responsibility, authority and accountability of the information systems audit functions is appropriately documented in an audit charter and MUST be:
A. approved by the highest level of management.
B. approved by audit department management.
C. approved by user department management.
D. changed every year before commencement of IS audits.

59. The IS auditor should be able to identify and evaluate various types of risks and their potential effects. Accordingly, which of the following risks is associated with trap doors?
A. Inherent risk.
B. Detection risk.
C. Audit risk.
D. Error risk.

60. IS auditors are MOST likely to perform tests of internal controls if, after their evaluation of such controls, they conclude that:
A. a substantive approach to the audit is more cost-effective.
B. the control environment is poor.
C. inherent risk is low.
D. control risks are within the acceptable limits.

61. An IS auditor performing an audit of the company's information system (IS) strategy would be LEAST likely to:
A. assess IS security procedures.
B. review both short and long-term IS strategies.
C. interview appropriate corporate management personnel.
D. ensure that the external environment has been considered.

62. Which of the following organizational goals would normally be mentioned in an organization's strategic plan?
A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice within a given time period for the product offered.

63. Which of the following conditions should exist in order for the local selection and purchase of IS products to be acceptable?
A. Local offices are independent and exchange data on an occasional basis.
B. Managers undertake a full cost-benefit analysis before deciding what to purchase.
C. The same type of data base management system is used throughout the organization.
D. Acquisitions are consistent with the organization's short- and long-term IS technology plans.
64. The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.

65. Which of the following documentation would an IS auditor place LEAST reliance on when determining management's effectiveness in communicating information systems policies to appropriate personnel?
A. Interviews with user and IS personnel
B. Minutes of the IS Steering Committee meetings
C. User department systems and procedures manuals
D. Information processing facilities operations and procedures manuals

66. An IS auditor who is reviewing application run manuals would expect them to contain:
A. details of source documents.
B. error codes and their recovery actions.
C. program logic flowcharts and file definitions.
D. change records for the application source code.

67. Which of the following statements pertaining to ISO 9000 is FALSE?
A. The standard covers all aspects of an organization that may affect customer satisfaction.
B. The standard covers both internal and external business processes.
C. The standard defines a set of quality compliance requirements.
D. The standard focuses heavily on documentation of activities.

68. Which of the following procedures would normally be performed last by an IS auditor who is auditing the outsourcing process?
A. Assess the business needs of the organization.
B. Perform a cost/benefit analysis including the assumptions behind it.
C. Perform a control risk assessment.
D. Review contracts with legal counsel.

69. A written security policy serves to heighten security awareness and should include all of the following key components EXCEPT:
A. an index of computer hardware and software.
B. management's approved support of the policy.
C. authorization process for gaining access to computerized information.
D. awareness philosophy to security procedures on a need-to-know basis.

70. The function of general ledger setup in an enterprise resource package (ERP) allows for the setting of accounting periods in the package. Access to this function has been permitted to users in finance, warehouse and order entry. The MOST likely reason for granting such broad access is the:
A. need to change accounting periods on a regular basis.
B. requirement to post entries for a closed accounting period.
C. lack of proper policies and procedures for the segregation of duties.
D. need to create/modify the chart of accounts and its allocations.

71. Which of the following procedures would MOST effectively detect employee loading of illegal software packages onto a network?
A. The use of diskless workstations
B. Periodic checking of hard drives
C. The use of current anti-virus software
D. Policies that result in instant dismissal if violated

72. Which of the following is LEAST likely to be associated with an incident response capability?
A. Developing a database repository of past incidents and actions to facilitate future corrective actions.
B. Declaring the incident, which not only helps to carry out corrective measures, but also to improve the awareness level.
C. Developing a detailed operations plan that outlines specific actions to be taken to recover from an incident.
D. Establishing multi-disciplinary teams consisting of executive management, security staff, information systems staff, legal counsel, public relations, etc. to carry out the response.

73. Which of the following should NOT be included in an organization's IS security policy?
A. Access philosophy
B. Access authorization
C. Importance of security awareness
D. Identity of sensitive security features

74. Which of the following should NOT be a role of the security administrator?
A. Authorizing access rights
B. Implementing security rules
C. Allocating access rights
D. Ensuring that security policies have been authorized by management

75. Which of the following is a role of an information systems steering committee?
A. Initiate computer applications.
B. Ensure efficient use of data processing resources.
C. Prepare and monitor system implementation plans.
D. Review the performance of the systems department.

76. Accountability for the maintenance of appropriate security measures over information assets resides with the:
A. security administrator.
B. systems administrator.
C. data and systems owners.
D. systems delivery/operations group.

77. An IS auditor performing a review of the MIS department discovers that formal project approval
procedures do not exist. In the absence of these procedures the MIS manager has been arbitrarily approving projects that can be completed in a short duration and referring other more complicated projects to higher levels of management for approval. The IS auditor should recommend FIRST that:
A. users participate in the review and approval process.
B. formal approval procedures be adopted and documented.
C. all projects are referred to appropriate levels of management for approval.
D. the MIS manager job description be changed to include approval authority.

78. Responsibility and reporting lines cannot always be established when auditing automated systems since:
A. diversified control makes ownership irrelevant.
B. staff traditionally change jobs with greater frequency.
C. ownership is difficult to establish where resources are shared.
D. duties change frequently in the rapid development of technology.

79. Which of the following criteria would an IS auditor consider to be the MOST important when evaluating the organization's IS strategy?
A. That it has been approved by line management
B. That it does not vary from the IS Department preliminary budget
C. That it complies with procurement procedures
D. That it supports the business objectives of the organization

80. Which of the following statements relating to separation of duties is TRUE?
A. Employee competence does not need to be considered when evaluating an organization's policy on separation of duties.
B. An organization chart provides an accurate definition of separation of employee duties.
C. A restrictive separation of duties policy can help improve an organization's efficiency and communication.
D. Policies on separation of duties in information systems must recognize the difference between logical and physical access to assets.

81. Which of the following tasks is normally performed by a clerk in the control group?
A. Maintenance of an error log
B. Authorization of transactions
C. Control of non-information systems assets
D. Origination of changes to master files

82. Which of the following is NOT a responsibility of a database administrator?
A. Designing database applications
B. Changing physical data definition to improve performance
C. Specifying physical data definition
D. Monitoring database usage

83. Which of the following is NOT a responsibility of computer operations?
A. Analyzing system schedules
B. Analyzing user specifications
C. Analyzing system degradation
D. Trouble-shooting teleprocessing problems

84. Which of the following functions should NOT be performed by scheduling and operations personnel in order to maintain proper segregation of duties?
A. Job submission
B. Resource management
C. Code correction
D. Output distribution

85. Which of the following functions is NOT performed by the IS control group?
A. Supervision of the distribution of output
B. Logging of input data
C. Scrutiny of error listings
D. Correction of errors

86. Which of the following exposures may result if an adequate separation of duties between computer operators and application programmers is NOT maintained?
A. Inadequate volume testing
B. Unauthorized program changes
C. Unintentional omissions of data
D. Data loss during program execution

87. Which of the following tasks would NOT normally be performed by a data security officer?
A. Developing the data classification methodology
B. Implementing security measures (e.g., password change procedures)
C. Monitoring the effectiveness of security over data
D. Monitoring the completeness and accuracy of the data

88. An IS auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late night shift a month as the senior computer operator. The MOST appropriate course of action that the IS auditor should take is to:
A. advise senior management of the risk involved.
B. agree to work with the security officer on these shifts as a form of preventative control.
C. develop a computer-assisted audit technique to detect instances of abuses of this arrangement.
D. review the system log for each of the late-night shifts to determine whether any irregular actions occurred.

89. Many organizations require an employee to take a mandatory vacation of a week or more in order to:
A. ensure the employee maintains a quality of life, which will lead to greater productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a time.
90. The quality assurance group is typically responsible for:
A. ensuring that the output received from system processing is complete.
B. monitoring the execution of computer processing tasks.
C. ensuring that programs and program changes and documentation adhere to established standards.
D. designing standards and procedures to protect data against accidental disclosure, modification, or destruction.

91. Which of the following would NOT be associated with well-written and concise job descriptions?
A. They are an important means of discouraging fraudulent acts.
B. They are often used as tools for use in performance evaluation.
C. They provide little indication of the degree of separation of duties.
D. They assist in defining the relationship between various job functions.

92. Which of the following BEST describes the role and responsibilities of a systems analyst?
A. Defines corporate databases
B. Determines user needs for application programming
C. Schedules computer resources
D. Tests and evaluates programmer and optimization tools

93. Which of the following functions, if combined, would provide the GREATEST risk to an organization?
A. Systems analyst and database administrator
B. Quality assurance and computer operator
C. Tape librarian and data entry clerk
D. Application programmer and tape librarian

94. Which of the following statements relating to application programmers is FALSE?
A. They are responsible for maintaining systems in production.
B. They should not move test versions into the production environment.
C. They are responsible for defining backup procedures.
D. They should not have access to system program libraries.

95. Which of the following is NOT an advantage of cross training employees?
A. It provides for succession planning.
B. It decreases dependence on one employee.
C. It provides back-up personnel in the event of absence.
D. It allows individuals to understand all parts of a system.

96. Responsibility for programmers and analysts who implement new systems and maintain existing systems is typically the role of the:
A. operations manager.
B. database administrator.
C. quality assurance manager.
D. systems development manager.

97. Which of the following is NOT an activity associated with information processing?
A. Systems analysis
B. Telecommunications
C. Computer operations
D. Systems programming

98. A local area network (LAN) administrator is restricted from:
A. having end-user responsibilities.
B. reporting to the end-user manager.
C. having programming responsibilities.
D. being responsible for LAN security administration.

99. Which of the following pairs of functions should not be combined to provide proper segregation of duties?
A. Tape librarian and computer operator
B. Application programming and data entry
C. Systems analyst and database administrator
D. Security administrator and quality assurance

100. An IS auditor is reviewing the data base administration function to ascertain whether adequate provision has been made for controlling data. The IS auditor should determine that the:
A. function reports to data processing operations.
B. responsibilities of the function are well defined.
C. database administrator is a competent systems programmer.
D. audit software has the capability of efficiently accessing the database.

101. A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's vast experience and:
A. the length of service since this will help ensure technical competence.
B. the individual's age as training in audit techniques may be impractical.
C. IS knowledge since this will bring enhanced credibility to the audit function.
D. existing IS relationships where the ability to retain audit independence may be difficult.

102. An IS auditor reviewing the key roles and responsibilities of the database administrator (DBA) is LEAST likely to expect the job description of the DBA to include:
A. defining the conceptual schema.
B. defining security and integrity checks.
C. liaising with users in developing data model.
D. mapping data model with the internal schema.

103. Which of the following provisions in a contract for external information systems services would an IS auditor consider to be LEAST significant?
A. Ownership of program and files
B. Statement of due care and confidentiality
C. Continued service of outsourcer in the event of a disaster
D. Detailed description of computer hardware used by the vendor

104. Is it appropriate for an IS auditor from a company which is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan.
B. Yes, because, based on the plan, the IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because backup to be provided should be adequately specified in the contract.
D. No, because the service bureau's business continuity plan is proprietary information to which users' IS auditors are not usually allowed access.

105. Which of the following indicators would LEAST likely indicate that complete or selected outsourcing of computer operators should be considered?
A. The applications development backlog is greater than three years.
B. It takes one year to develop and implement a high-priority system.
C. More than 60 per cent of programming costs are spent on systems maintenance.
D. Duplicate information systems functions exist at two sites.

106. A probable advantage to an organization that has outsourced its data processing services is that:
A. greater IS expertise can be obtained from the outside.
B. more direct control can be exercised over computer operations.
C. processing priorities can be established and enforced internally.
D. greater user involvement is required to communicate user needs.

107. Service level agreements establish:
A. minimum service levels to be rendered by IS management.
B. minimum service levels to be achieved in the event of a disaster.
C. maximum service levels to be rendered by IS support services.
D. minimum levels of processing capabilities that can be affected by a disaster.

108. An organization has outsourced network and desktop support. Although the relationship has been reasonably successful, risks remain due to connectivity issues. Which of the following controls should FIRST be performed to assure the organization reasonably mitigates these possible risks?
A. Network defense program
B. Encryption/Authentication
C. Adequate reporting between organizations
D. Adequate definition in contractual relationship

109. An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology.

110. While conducting an audit of management's planning of IS, what would an IS auditor consider the MOST relevant to short-term planning for the IS department?
A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs

111. The data control department responsible for data entry should:
A. maintain access rules to data and other IT resources.
B. periodically review and evaluate the data security policy.
C. ensure proper safekeeping of source documents until processing is complete.
D. monitor security violations and take corrective action.

112. Which of the following IS functions may be performed by the same individual, without compromising on control or violating segregation of duties?
A. Job control analyst and applications programmer
B. Mainframe operator and system programmer
C. Change/problem and quality control administrator
D. Applications and system programmer

113. Which of the following is the MOST important function to be performed by IT management within an outsourced environment?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance

114. Which of the following key performance indicators would an IS manager be LEAST likely to systematically report to its board of directors?
A. Average response time to users' requirements
B. Cost per transaction
C. IS costs per area
D. Disk storage space free

115. Employee termination practices should address all of the following EXCEPT:
A. arrangement for the final pay and removal of the employee from active payroll files.
B. notification to other staff and facilities security to increase awareness of the terminated employee's status.
C. employee bonding to protect against losses due to theft.
D. deletion of assigned logon-ID and passwords to prohibit system access.

116. Various standards have emerged to assist IS organizations in achieving an operational environment that is predictable, measurable and repeatable. The
standard that provides the definition of the characteristics and associated quality evaluation process to be used when specifying the requirements for and evaluating the quality of software products throughout their life cycle is:
A. ISO 9001.
B. ISO 9002.
C. ISO 9126.
D. ISO 9003.

117. Which of the following would provide the LEAST justification for an organization's investment in a security infrastructure?
A. Risk analysis of internal/external threats
B. A white paper report on Internet attacks, companies attacked, and damage inflicted
C. A penetration test of the organization's network demonstrates that the threat from intruders is high
D. Reports generated internally from use of high-profile network tools

118. An IS auditor reviewing the organization's IT strategic plan should FIRST review:
A. the existing information technology environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.

119. Which of the following issues would be of LEAST concern when reviewing an outsourcing agreement in which the outsourcing vendor assumes responsibility of the information processing function?
A. The organization's right to audit vendor operations.
B. The loyalty of the third-party personnel.
C. The access control system that protects the outsourcing vendor's data.
D. The outsourcing vendor's software acquisition procedures.

120. A database administrator is responsible for:
A. maintaining the access security of data residing on the computers.
B. implementing database definition controls.
C. granting access rights to users.
D. defining system's data structure.

121. The security administrator is responsible for providing reasonable assurance over the confidentiality, integrity and availability of information system controls. Another duty that could be considered compatible, without causing a conflict of interest, would be:
A. quality assurance.
B. application programming.
C. systems programming.
D. data entry.

122. The development of an IS security policy is the responsibility of the:
A. IS department.
B. security committee.
C. security administrator.
D. board of directors.

123. A sound information security policy will MOST likely include a:
A. response program to handle suspected intrusions.
B. correction program to handle suspected intrusions.
C. detection program to handle suspected intrusions.
D. monitoring program to handle suspected intrusions.

124. Which of the following is responsible for network security operations?
A. Users, who periodically change their passwords.
B. Security administrators, who control services and computers.
C. Line managers, responsible for policies and procedures.
D. Security officers, who administer the security policy.

125. Which of the following would provide a mechanism whereby IS management can determine when, and if, the activities of the enterprise have deviated from planned, or expected levels?
A. Quality management
B. IS assessment methods
C. Management principles
D. Industry standards/benchmarking

126. Which of the following independent duties is performed by the data control group?
A. Access to data
B. Authorization tables
C. Custody of assets
D. Reconciliation

127. Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs
B. Application programmers are implementing changes to test programs
C. Operations support staff are implementing changes to batch schedules
D. Data base administrators are implementing changes to data structures

128. Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them?
A. Overwriting the tapes
B. Initializing the tape labels
C. Degaussing the tapes
D. Erasing the tapes

129. An IS steering committee should:
A. include a mix of members from different departments and management levels.
B. ensure that IS security policies and procedures have been properly executed.
C. have formal terms of reference and maintain minutes of its meetings.
D. be briefed about new trends and products at each meeting by a vendor.

130. Which of the following functions would represent a risk if combined with that of a system analyst, due to the lack of compensating controls?
A. Application programming
B. Data entry
C. Quality assurance
D. Database administrator

131. Which of the following data entry controls provides the GREATEST assurance that data entered does not contain errors?
A. Key verification
B. Segregation of the data entry function from data entry verification
C. Maintaining a log/record detailing the time, date, employee's initials/user-id and progress of various data preparation and verification tasks
D. Check digits

132. Which of the following would an IS auditor be MOST concerned with when evaluating the effectiveness and adequacy of a computer preventive maintenance program?
A. System downtime log
B. Vendors' reliability figures
C. A log of regularly scheduled maintenance
D. A written preventive maintenance schedule

133. Which of the following provides the MOST effective means of determining which controls are functioning properly in an operating system?
A. Consulting with the vendor
B. Reviewing the vendor installation guide
C. Consulting with the system programmer
D. Reviewing the system generation parameters

134. Which of the following is NOT a common database structure?
A. Network
B. Sequential
C. Hierarchical
D. Relational

135. Which of the following computer system risks would be increased by the installation of a database system?
A. Programming errors
B. Data entry errors
C. Improper file access
D. Loss of parity

136. The input/output control function is responsible for:
A. pulling and returning all tape files.
B. entering and key verifying data.
C. logging batches and reconciling hash totals.
D. executing both production and test jobs.

137. Utility programs that assemble software modules needed to execute a machine instruction application program version are:
A. text editors.
B. program library managers.
C. linkage editors and loaders.
D. debuggers and development aids.

138. Which of the following statements pertaining to a data communication system is FALSE?
A. It has multiple layers.
B. It interfaces with the operating system.
C. It operates on the content of the information.
D. It is concerned with the correct transmission between two points.

139. Which of the following is NOT an advantage of an object-oriented approach to data management systems?
A. A means to model complex relationships
B. The ability to restrict the variety of data types
C. The capacity to meet the demands of a changing environment
D. The ability to access only the information that is needed

140. Which of the following allows programmers to code and compile programs interactively with the computer from a terminal?
A. Firmware
B. Utility programs
C. Online programming facilities
D. Network management software

141. A data dictionary is an example of software that is used to:
A. describe application systems.
B. assist in fast program development.
C. improve operation efficiency.
D. test data quality.

142. Which of the following is NOT an advantage of image processing?
A. Verifies signatures
B. Improves service
C. Relatively inexpensive to use
D. Reduces deterioration due to handling

143. In a review of the operating system software selection and the acquisition process, an IS auditor would place more importance in finding evidence of:
A. competitive bids.
B. user-department approval.
C. hardware-configuration analysis.
D. purchasing department approval.

144. Which of the following line media would be MOST secure in a telecommunication network?
A. Broad band network digital transmission
B. Base band network
C. Dial up
D. Dedicated lines

145. What type of transmission requires modems in a network to be connected to terminals from the computer?
A. Encrypted
B. Digital
C. Analog
D. Modulated

146. Which of the following is NOT a telecommunications control?
A. Trailer record
B. Common carrier
C. Diagnostic routine
D. Echo check

147. An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor's computer to enable it to communicate with the mainframe system?
A. Protocol conversion and buffer capacity
B. Network controller and buffer capacity
C. Buffer capacity and parallel port
D. Parallel port and protocol conversion

148. Which of the following is a telecommunication device that translates data from digital form to analog form and back to digital?
A. Multiplexer
B. Modem
C. Protocol converter
D. Concentrator

149. Which of the following is a network architecture configuration that links each station directly to a main hub?
A. Bus
B. Ring
C. Star
D. Completely connected

150. Which of the following transmission media would NOT be affected by cross talk or interference?
A. Fiber optic systems
B. Twisted pair circuits
C. Microwave radio systems
D. Satellite radiolink systems

151. In Wide Area Networks (WANs):
A. data flow can be half duplex or full duplex.
B. communication lines must be dedicated.
C. circuit structure can be operated only over a fixed distance.
D. the selection of communication lines will affect reliability.

152. Which of the following Local Area Network (LAN) physical layouts are subject to vulnerability to failure if one device fails?
A. Star
B. Bus
C. Ring
D. Completely connected

153. Neural networks are effective in detecting fraud because they can:
A. discover new trends since they are inherently linear.
B. solve problems where large and general sets of training data are not obtainable.
C. attack problems that require consideration of a large number of input variables.
D. make assumptions about the shape of any curve relating variables to the output.

154. E-cash is a form of electronic money that:
A. can be used over any computer network.
B. utilizes reusable e-cash coins to make payments.
C. does not require the use of an Internet digital bank.
D. contains unique serial numbering to track the identity of the buyer.

155. An organization is about to implement a computer network in a new office building. The company has 200 users located in the same physical area. No external network connections will be required. Which of the following network configurations would be the MOST expensive to install?
A. Bus
B. Ring
C. Star
D. Mesh

156. An organization is about to implement a computer network in a new office building. The company has 200 users located in the same physical area. No external network connections will be required. Which of the following network configurations would be the easiest for problem resolution?
A. Bus
B. Ring
C. Star
D. Mesh

157. Congestion control is BEST handled by which OSI layer?
A. Data link
B. Session layer
C. Transport layer
D. Network layer

158. Which of the following is NOT an element of a LAN environment?
A. Packet switching technology
B. Baseband (digital signaling)
C. Ring or short bus topology
D. Private circuit switching technology

159. Which of the following would an IS auditor NOT review when performing a general operational control review?
A. User manuals
B. Re-run reports
C. Maintenance logs
D. Backup procedures

160. Which of the following is NOT a function of an online tape management system?
A. Indicating which tapes should be cleaned
B. Maintaining an inventory listing of tapes
C. Allowing external tape labels to contain a serial number only
D. Controlling physical access to the tape library area

161. Which of the following is NOT related to file identification?
A. Periodic file inventory
B. External label standards
C. Retention period standards
D. High-level qualifier restrictions
162. An IS auditor has discovered that the organization's existing computer system is no longer adequate for the demands being placed on it by data processing, is not compatible with new models and cannot be expanded. As a result, a recommendation is made to use emulation. Emulation involves:
A. hardware which converts a new computer into an image of the old computer.
B. writing the programs in modules which simplify the transition to a new computer.
C. software which translates the old program into one readable by a new computer.
D. simulating a new computer on the old computer to produce machine independent code.

163. All of the following are properties of a relational database EXCEPT:
A. relational database technology separates data from applications
B. operational efficiencies are significantly increased with relational models
C. relational database models information in the structure of a table with columns and rows
D. in a relational model there is always a primary key for a tuple and there are no duplicate tuples

164. Which of the following is the operating system mode in which all instructions can be executed?
A. Problem
B. Interrupt
C. Supervisor
D. Standard processing

165. During a review of a large data center an IS auditor observed computer operators acting as backup tape librarians and security administrators. Which of these situations would be MOST critical to report to senior management?
A. Computer operators acting as tape librarians
B. Computer operators acting as security administrators
C. Computer operators acting as a tape librarian and security administrator
D. It is not necessary to report any of these situations to senior management

166. Which of the following functions would be acceptable for the security administrator to perform in addition to his or her normal function?
A. Systems analyst
B. Quality assurance
C. Computer operator
D. Systems programmer

167. Which of the following is a hardware device that relieves the central computer from performing network control, format conversion and message handling tasks?
A. Spool
B. Cluster controller
C. Protocol converter
D. Front end processor

168. Which of the following tools for controlling input/output of data are used to verify output results and control totals by matching them against the input data and control totals?
A. Batch header forms
B. Batch balancing
C. Data conversion error corrections
D. Access controls over print spools

169. Which of the following tools is NOT used to monitor the efficiency and effectiveness of services provided by IS personnel?
A. Online monitors
B. Operator problem reports
C. Output distribution reports
D. Console logs

170. Which of the following would an IS auditor expect to find in a console log?
A. Names of system users
B. Shift supervisor identification
C. System errors
D. Data edit errors

171. Which of the following systems-based approaches would a financial processing company employ to monitor spending patterns in order to identify abnormal expenditures?
A. A neural network
B. Database management software
C. Management information systems
D. Computer assisted audit techniques

172. Which of the following is the BEST form of transaction validation?
A. Use of key field verification techniques in data entry
B. Use of programs to check the transaction against criteria set by management
C. Authorization of the transaction by supervisory personnel in an adjacent department
D. Authorization of the transaction by a department supervisor prior to the batch process

173. An IS auditor needs to link his/her microcomputer to a mainframe system that uses binary synchronous data communications with block data transmission. However, the IS auditor's microcomputer, as presently configured, is capable of only asynchronous ASCII character data communications. Which of the following must be added to the IS auditor's computer to enable it to communicate with the mainframe system?
A. Buffer capacity and parallel port
B. Network controller and buffer capacity
C. Parallel port and protocol conversion
D. Protocol conversion and buffer capability

174. Which of the following audit techniques would an IS auditor place the MOST reliance on when determining whether an employee practices good preventive and detective security measures?
A. Observation
B. Detail testing
C. Compliance testing
D. Risk assessment
175. Which of the following is NOT a way that executive information systems (EIS) are distinguished from other information systems?
A. EIS are much easier to use than other systems.
B. EIS normally include user friendly features.
C. EIS normally include other features such as e-mail and word processing abilities.
D. EIS focus on broad problems to a specific view.

176. An organization is considering installing a local area network (LAN) in a site under construction. If system availability is the main concern, which of the following topologies is MOST appropriate?
A. Ring
B. Line
C. Star
D. Bus

177. Capacity monitoring software is used to ensure:
A. maximum use of available capacity.
B. future acquisitions meet user functionality demands.
C. concurrent use by a large number of users.
D. continuity of efficient operation.

178. Receiving an electronic data interchange (EDI) transaction and passing it through the communications interface stage usually requires:
A. translating and unbundling transactions.
B. routing verification procedures.
C. passing data to the appropriate application system.
D. creating a point of receipt audit log.

179. Which one of the following types of firewalls would BEST protect a network from an Internet attack?
A. Screened sub-net firewall
B. Application filtering gateway
C. Packet filtering router
D. Circuit level gateway

180. A large manufacturing firm wants to automate its invoice and payment processing system with its suppliers. Requirements state that the system of high integrity will require considerably less time for review and authorization. The system should still be capable of quickly identifying errors that need follow up. Which approach below is BEST suited in meeting these requirements?
A. Establishing an inter-networked system of client servers with suppliers for increased efficiencies.
B. Outsourcing the function to a firm specializing in automated payments and accounts receivable/invoice processing.
C. Establishing an electronic data interchange (EDI) system of electronic business documents and transactions with key suppliers, computer to computer, in a standard format.
D. Reengineering existing processing and redesigning the existing system.

181. Which of the following is widely accepted as one of the critical components in networking management?
A. Configuration management
B. Topological mappings
C. Application of monitoring tools
D. Proxy server troubleshooting

182. An IS auditor consulting on a project to develop a network management system would consider all of the following essential features EXCEPT:
A. the capacity to interact with the Internet for problem solving.
B. a graphical interface to map the topology.
C. a relational database to store the readings.
D. the ability to gather information from various network devices.

183. In protocols like HTTP, FTP, and SMTP, the implementation of the TCP/IP suite is arranged in the following manner:
A. TCP works at the transport layer and handles packets, while IP works at the network layer and handles addresses.
B. TCP works at the transport layer and handles addresses, while IP works at the network layer and handles packets.
C. TCP works at the presentation layer and handles proxies, while IP works at the data link layer and handles applets.
D. TCP works at any of the OSI layers and handles circuits, while IP also works at any of the OSI layers but handles messages.

184. Public-key infrastructure (PKI) integrates all of the following into an enterprise-wide network security architecture EXCEPT:
A. public-key cryptosystem.
B. digital certificates.
C. certificate authorities.
D. password key management.

185. All of the following are common problems with firewall implementations EXCEPT:
A. inadequately protecting the network and servers from virus attacks.
B. incorrectly configuring access lists.
C. logging of connections is either insufficient or not reviewed on a regular basis.
D. network services destined to internal hosts are passed through the firewall unscreened.

186. When auditing operating software development, acquisition or maintenance, the IS auditor would review system software maintenance activities to determine:
A. fallback or restoration procedures are in place in case of production failure.
B. impact of the product on processing reliability.
C. system software changes are scheduled when they least impact IS processing.
D. current versions of the software are supported by the vendor.

187. While evaluating a file/table design, an IS auditor should understand that a referential integrity constraint consists of:
A. ensuring the integrity of transaction processing.
B. ensuring that data are updated through triggers.
C. ensuring controlled user updates to database.
D. rules for designing tables and queries.

188. One of the responsibilities of the technical support function is:
A. ensuring job preparation, scheduling and operating instructions.
B. establishing, enhancing and maintaining a stable, controlled environment for the implementation of changes within the production software environment.
C. defining, establishing and maintaining a standard, consistent and well-defined testing methodology for computer systems.
D. obtaining detailed knowledge of the operating system and other systems software.

189. A universal serial bus (USB) port:
A. connects the network without a network card.
B. connects the network with an Ethernet adapter.
C. replaces all existing connections.
D. connects the monitor.

190. How can an enterprise provide access to its intranet (i.e., extranet) across the Internet to its business partners?
A. Virtual private network
B. Client/server
C. Dial-in access
D. Network service provider

191. A hub is a device that connects:
A. two LANs using different protocols.
B. a LAN with a WAN.
C. a LAN with a MAN.
D. two segments of a single LAN.

192. Which of the following network configuration options contains a direct link between any two host machines?
A. Bus
B. Ring
C. Star
D. Completely connected (mesh)

193. Which of the following can a local area network (LAN) administrator use to protect against exposure to illegal or unlicensed software usage by the network user?
A. Software metering
B. Virus detection software
C. Software encryption
D. Software inventory programs

194. Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?
A. Parity check
B. Echo check
C. Block sum check
D. Cyclic redundancy check

195. Which of the following types of firewalls provide the GREATEST degree and granularity of control?
A. Screening router
B. Packet-filter
C. Application-gateway
D. Circuit-gateway

196. Which of the ISO/OSI model layers provides service for how to route packets between nodes?
A. Data link
B. Network
C. Transport
D. Session

197. In a TCP/IP based network, an IP address specifies a:
A. network connection.
B. router/gateway.
C. computer in the network.
D. device on the network such as a gateway/router, host, server, etc.

198. Connection-oriented protocols in the TCP/IP suite are implemented in the:
A. transport layer.
B. application layer.
C. physical layer.
D. network layer.

199. The device to extend the network that must have storage capacity to store frames and act as a store-and-forward device is a:
A. router.
B. bridge.
C. repeater.
D. gateway.

200. In a client/server architecture, a domain name service (DNS) is MOST important because it provides the:
A. address of the domain server.
B. resolution service for the name/address.
C. resolution on the Internet for the name/address.
D. domain name system.

201. In a web server, a common gateway interface (CGI) is MOST often used as a(n):
A. consistent way for data transfer to the application program and back to the user.
B. computer graphics imaging method for movie and TV.
C. graphic user interface for web design.
D. interface to access the private gateway domain.

202. Which of the following exposures associated with the spooling of sensitive reports for off-line printing would an IS auditor consider to be the MOST serious?
A. Sensitive data may be read by operators.
B. Data can be amended without authorization.
C. Unauthorized report copies might be printed.
D. Output would be lost in the event of system failure.

203. Applying a retention date on a file will ensure that:
A. data cannot be read until the date is set.
B. data will not be deleted before the date is set.
C. backup copies are not retained after that date.
D. datasets having the same name are differentiated.

204. Which of the following would NOT be considered a security threat to Internet web sites?
A. Hackers
B. Crackers
C. Virus writers
D. Asynchronous attacks

205. An IS auditor is assigned to help design the data security, data integrity and business continuity aspects of an application under development. Which of the following provides the MOST reasonable assurance that corporate assets are protected when the application is certified for production?
A. A certification review conducted by the internal auditor.
B. A certification review conducted by the assigned IS auditor.
C. Specifications by the user on the depth and content of the certification review.
D. An independent review conducted by another equally experienced IS auditor.

206. The MOST effective method of preventing unauthorized use of data files is:
A. automated file entry.
B. tape librarian.
C. access control software.
D. locked library.

207. Which of the following would NOT be considered a terminal access control?
A. Use of dial-up lines only in the event of an emergency
B. Disconnection of a terminal after it has been inactive for a period of time
C. Validation of passwords and transaction codes by the access control software
D. Logging of authorized and unauthorized attempts to access the computer systems

208. Which of the following factors is LEAST likely to allow a perpetrator to discover a valid password?
A. The number of characters in the password
B. The power of the computer used to break the password code
C. The number of incorrect access attempts allowed before disconnect
D. The content of the character set from which the password is composed

209. Which of the following would be MOST effective in establishing access control through the use of sign-on procedures?
A. Authorization and authentication of the user
B. Authentication and identification of the user
C. Authorization, authentication and location of the user
D. Authorization, authentication, identification and location of the user

210. Which of the following would BEST ensure the proper updating of critical fields in a master record?
A. Field checks
B. Control totals
C. Reasonableness checks
D. Before and after maintenance report

211. Which of the following controls is LEAST likely to discover changes made online to important master records?
A. Update access to master file is restricted to supervisor independent of data entry.
B. Clerks enter updates online, but these must be finalized by independent supervisor.
C. Edit listing of all updates are produced daily and reviewed by independent supervisor.
D. Update authorization form must be approved by independent supervisor before clerks enter updates.

212. Which of the following is the MOST effective control procedure for security of a stand-alone small business computer environment?
A. Supervision of computer usage
B. Daily management review of the trouble log
C. Storage of computer media in a locked cabinet
D. Independent review of an application system design

213. Which of the following logical access exposures involves changing data before, or as it is entered into the computer?
A. Data diddling
B. Trojan horse
C. Worm
D. Salami technique

214. When investigating a serious security access violation, the IS auditor should NOT:
A. refer the violation to the security administrator since he/she may be a party to the violation.
B. contact law enforcement to determine if violations have occurred elsewhere.
C. recommend corrective measures since this is the role of the Security Administrator.
D. perform a security access follow-up to determine if other violations have occurred.

215. Which of the following would be considered the BEST example of a proper password for use in system access?
A. XWA3
B. LARRY2
C. TWC2H
D. YRC45OPB

216. Data classification is important when identifying who should have access to:
A. test data and programs.
B. production data and programs.
C. production and test programs.
D. test and production data and programs.

217. Naming conventions for access controls are NOT:
A. set up by the owners of the data or application.
B. dependent on the importance and level of security that is needed.
C. established to promote the implementation of efficient access rules.
D. defined with the assistance of the database administrator.
218. Digital signatures provide data integrity since they require the:
A. signer to have a public key, and the receiver to have a private key.
B. signer to have a private key, and the receiver to have a public key.
C. signer and receiver to have a public key.
D. signer and receiver to have a private key.

219. Automated teller machines (ATMs) are a specialized form of a point of sale terminal which:
A. allow for cash withdrawal and financial deposits only.
B. are usually located in populous areas to deter theft or vandalism.
C. utilize protected telecommunication lines for data transmissions.
D. must provide high levels of logical and physical security.

220. Which of the following processes would be performed FIRST by the system when logging-on to an online system?
A. Initiation
B. Verification
C. Authorization
D. Authentication

221. Which of the following is a benefit of using callback devices?
A. Provide an audit trail
B. Can be used in a switchboard environment
C. Permit unlimited user mobility
D. Allow call forwarding

222. Having established an application's access control process, an IS auditor's next step is to ensure:
A. passwords are not shared.
B. password files are encrypted.
C. redundant logon-IDs are deleted.
D. allocation of logon-IDs is controlled.

223. In the ISO/OSI model, which of the following protocols is the FIRST to perform security over the user application?
A. Session layer
B. Transport layer
C. Network layer
D. Presentation layer

224. A feature of a digital signature that ensures that the claimed sender cannot later deny generating and sending the message is:
A. data integrity.
B. authentication.
C. non-repudiation.
D. replay protection.

225. An IS auditor who intends to use penetration testing during an audit of Internet connections would:
A. evaluate configurations.
B. examine security settings.
C. ensure virus-scanning software is in use.
D. use tools and techniques that are available to a hacker.

226. Which of the following is NOT an employee security responsibility?
A. Keeping Logon-IDs and passwords secret
B. Helping other employees create passwords
C. Reading and understanding the security policy
D. Questioning unfamiliar people who enter a secured area

227. Naming conventions for system resources are an important prerequisite for access control because they ensure that:
A. resource names are not ambiguous.
B. users' access to resources is clearly and uniquely identified.
C. internationally recognized names are used to protect resources.
D. the number of rules required to adequately protect resources is reduced.

228. Passwords should be:
A. assigned by the security administrator.
B. changed every 30 days at the discretion of the user.
C. reused often to ensure the user does not forget the password.
D. displayed on the screen so that the user can ensure that it has been properly entered.

229. Logical access controls are used to protect:
A. operator consoles.
B. computer storage facilities.
C. data classification and ownership.
D. disks and tapes in the back-up library.

230. Which of the following is NOT a valid reason for using digital signatures to secure e-mail transmissions?
A. The signature is unforgeable.
B. Keys can be used indefinitely.
C. Signatures cannot be reused.
D. A signed document cannot be altered.

231. When performing an audit of access rights, an IS auditor should be suspicious of which of the following if allocated to a computer operator?
A. READ access to data
B. DELETE access to transaction data files
C. Logged READ/EXECUTE access to programs
D. UPDATE access to job control language/script files

232. An IS auditor who wishes to prevent unauthorized entry to the data maintained in a dial-up fast response system would recommend:
A. Online terminals be placed in restricted areas.
B. Online terminals be equipped with key locks.
C. ID cards be required to gain access to online terminals.
D. Online access be terminated after three unsuccessful attempts.

233. Which of the following controls would BEST serve to effectively detect intrusion?
A. User creation and user privileges are granted through authorized procedures.
B. Automatic logoff when a workstation is inactive for a particular period of time.
C. Automatic logoff of the system after a specified number of unsuccessful attempts.
D. Unsuccessful logon attempts are actively monitored by the security administrator.

234. Which of the following control weaknesses would an IS auditor performing an access controls review be LEAST concerned with?
A. Audit trails are not enabled.
B. Programmers have access to the live environment.
C. Group logons are being used for critical functions.
D. The same user can initiate transactions and also change related parameters.

235. Which of the following audit procedures would an IS auditor be LEAST likely to include in a security audit?
A. Review the effectiveness and utilization of assets.
B. Test to determine that access to assets is adequate.
C. Validate physical, environmental and logical access policies per job profiles.
D. Evaluate asset safeguards and procedures that prevent unauthorized access to the assets.

236. A firewall access control list may filter access based on each of the following parameters EXCEPT:
A. port.
B. service type.
C. network interface card (NIC).
D. internet protocol (IP) address.

237. Which of the following applet intrusion issues poses the GREATEST risk of disruption to an organization?
A. A program that deposits a virus on a client machine.
B. Applets recording keystrokes and, therefore, passwords.
C. Downloaded code that reads files on a client's hard drive.
D. Applets damaging machines on the network by opening connections from the client machine.

238. Which of the following BEST describes the impact that effective firewall design and implementation strategies have as an enabler for improved information security?
A. A source of detailed information about network security.
B. A focal point for security auditing, both internal and external.
C. A chance to significantly reduce the threat of internal hacking.
D. A chance to root out undocumented connections and bring all remote access into line with written policy.

239. Which of the following information is LEAST likely to be contained in a digital certificate for the purposes of verification by a Trusted Third Party (TTP)/Certification Authority (CA)?
A. Name of the TTP/CA
B. Public key of the sender
C. Name of the public key holder
D. Time period for which the key is valid

240. Which of the following access control functions is LEAST likely to be performed by a database management system (DBMS) software package?
A. User access to field data
B. User sign-on at the network level
C. User authentication at the program level
D. User authentication at the transaction level

241. An IS auditor reviewing operating system access discovers that the system is not properly secured. In this situation the IS auditor is LEAST likely to be concerned that the user might:
A. create new users.
B. delete database and log files.
C. access the system utility tools.
D. access the system writeable directories.

242. An IS auditor conducting an access controls review in a client/server environment discovers that all printing options are accessible by all users. In this situation the IS auditor is MOST likely to conclude that:
A. exposure is greater since information is available to unauthorized users.
B. operating efficiency is enhanced since anyone can print any report, any time.
C. operating procedures are more effective since information is easily available.
D. user friendliness and flexibility is facilitated since there is a smooth flow of information among users.

243. An IS auditor discovers that programmers have update access to the live environment. In this situation the IS auditor is LEAST likely to be concerned that programmers can:
A. authorize transactions.
B. add transactions directly to the database.
C. make modifications to programs directly.
D. access data from live environment and provide faster maintenance.

244. An IS auditor performing a telecommunication access control review would focus the MOST attention on the:
A. maintenance of access logs of usage of various system resources.
B. authorization and authentication of the user prior to granting access to system resources.
C. adequate protection of stored data on servers by encryption or other means.
D. accountability system and the ability to properly identify any terminal accessing system resources.

245. An organization wants to introduce a new system to allow single-sign-on. Currently, there are five main application systems, and users must sign on to each one separately. It is proposed that under the single-sign-on system, users will only be required to enter one user-ID and password for access to all application systems. Under this type of single-sign-on system the risk of unauthorized access:
A. is less likely.
B. is more likely.
C. will have a greater impact.
D. will have a smaller impact.

246. Sign-on procedures include the creation of a unique user-ID and password. However, an IS auditor discovers that in many cases the user name and password are the same. The BEST control to mitigate this risk is to:
A. change the company's security policy.
B. educate users about the risk of weak passwords.
C. build in validations to prevent this during user creation and password change.
D. require a periodic review of matching of user-ID and passwords for detection and correction.

247. The PRIMARY objective of a logical access controls review assignment is to:
A. review access controls provided through software.
B. ensure access is granted per the organization's authorities.
C. walkthrough and assess access provided in the IT environment.
D. provide assurance that computer hardware is adequately protected against abuse.

248. The scope of a logical access controls review would include the evaluation of:
A. effectiveness and efficiency of IT security and related controls.
B. confidentiality, integrity and availability of information to authorized users.
C. access to systems software and application software to ensure compliance with the access policy.
D. access to user authorization levels, parameters and operational functions through application software.

249. Naming conventions for system resources are an important prerequisite for access control because they:
A. ensure that resource names are not ambiguous.
B. reduce the number of rules required to adequately protect resources.
C. ensure that user access to resources is clearly and uniquely identified.
D. ensure that internationally recognized names are used to protect resources.

250. When a PC that has been used for the storage of confidential data is sold on the open market, the:
A. hard disk should be demagnetized.
B. hard disk should be mid-level formatted.
C. data on the hard disk should be deleted.
D. data on the hard disk should be defragmented.

251. Which of the following exposures could be caused by a line-grabbing technique?
A. Unauthorized data access
B. Excessive CPU cycle usage
C. Lockout of terminal polling
D. Multiplexor control dysfunction

252. Which of the following is an advantage of using a local area network (LAN)?
A. LANs protect against virus infection.
B. LANs protect against improper disclosure of data.
C. LANs provide program integrity from unauthorized changes.
D. LANs provide central storage for a group of users.

253. Creation of an electronic signature:
A. encrypts the message.
B. verifies where the message came from.
C. cannot be compromised when using a private key.
D. cannot be used with e-mail systems.

254. Which of the following is a strength of a client/server security system?
A. Change control and change management procedures are inherently strong.
B. User can manipulate data without controlling resources on the mainframe.
C. Network components seldom become obsolete.
D. Access to confidential data or data manipulation is strongly controlled.

255. Which of the following automated reports measure telecommunication transmissions and determines whether transmissions are accurately completed?
A. Online monitors
B. Down time reports
C. Help desk reports
D. Response time reports

256. Which of the following statements pertaining to Internet security is TRUE?
A. Firewalls cannot stop hackers from gaining access to the corporate network.
B. Firewalls should sit in the most commonly used access point between a corporate network and the Internet.
C. Encrypted corporate data is secure as it transports across the Internet.
D. Not all corporate networks connected to the Internet are subject to attack.

257. An Internet secured gateway's domain name service:
A. prevents users outside a secure network from seeing addresses of secure hosts.
B. asks a user for the name of the host, and authenticates it before making contact.
C. offers a way to limit user access into or out of a secure network.
D. provides the ability to administer user names on a network.

258. Which of the following statements is TRUE relating to the use of public key encryption to secure data while it is being transmitted across a network?
A. Under public key encryption both the key used to encrypt and decrypt the data are made public.
B. Under public key encryption the key used to encrypt is kept private but the key used to decrypt the data is made public.
C. Under public key encryption the key used to encrypt is made public but the key used to decrypt the data is kept private.
D. Under public key encryption both the key used to encrypt and decrypt the data are kept private.
259. Which of the following would NOT protect a system from computer viruses?
A. Write-protect all diskettes, once they have been virus-checked.
B. Scan any new software before it is installed.
C. Boot only from diskettes that were initially checked for viruses.
D. Do not allow vendors to run demonstrations on company owned machines.

260. During the audit of a telecommunications system the IS auditor finds that the risk of data interception for communications with remote sites is very high. The MOST effective control that would reduce this exposure is:
A. encryption.
B. call-back modems.
C. message authentication.
D. dedicated leased lines.

261. An Internet-based attack on commercial systems using password sniffing can:
A. enable one party to act as if they are another party.
B. cause modification to the contents of certain transactions.
C. be used to gain access to systems containing proprietary information.
D. result in major problems with billing systems and transaction processing agreements.

262. Which of the following controls would be MOST comprehensive in a remote access network with multiple and diverse sub-systems?
A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration

263. Which of the following is NOT a principle applied in deriving the OSI layers?
A. Each layer should provide a well-defined function.
B. The integrity of data at each layer should be assured.
C. A layer should be created only when a different level of abstraction is needed.
D. The layer boundaries should be chosen to minimize the information flow across layer interfaces.

264. Which of the following is NOT a common function of application layer services?
A. Host to host data integrity
B. Application programming interfaces (APIs)
C. Global directory services to locate resources on a network
D. A uniform way of handling a variety of system monitors and devices

265. A decrease in amplitude as a signal propagates along a transmission medium is known as:
A. noise.
B. crosstalk.
C. attenuation.
D. delay distortion.

266. Use of data encryption is applicable to all of the following OSI layers EXCEPT:
A. physical layer.
B. data link layer.
C. application layer.
D. network and transport layer.

267. Which of the following is MOST affected by network performance monitoring tools?
A. Integrity
B. Availability
C. Completeness
D. Confidentiality

268. Java applets and ActiveX controls are distributed executable programs that execute in background of a web browser client. This is a reasonably controlled practice when:
A. a firewall exists.
B. a secure web connection is used.
C. the source of the executable is certain.
D. the host website is part of your organization.

269. Your organization has been an active Internet user for several years and your business plan now calls for initiating e-commerce via web-based transactions. You have decided to accept payment transactions by implementing agreements with the major credit card companies. They have suggested certain parameters for your firewall installation. Which of the following parameters will LEAST impact transactions in e-commerce?
A. Encryption is required
B. Timed authentication is required
C. Firewall architecture hides the internal network
D. Traffic is exchanged through the firewall at the application layer only

270. Which of the following encrypt/decrypt steps provides the GREATEST assurance in achieving confidentiality, message integrity and non-repudiation by either sender or recipient?
A. The recipient uses his/her private key to decrypt the secret key.
B. The encrypted pre-hash code and the message are encrypted using a secret key.
C. The encrypted pre-hash code is derived mathematically from the message to be sent.
D. The recipient uses the sender's public key, verified with a certificate authority, to decrypt the pre-hash code.

271. Which of the following controls would provide the GREATEST assurance over database integrity?
A. Audit log procedures
B. Table link/reference checks
C. Query/table access time checks
D. Roll-back and roll-forward database features

272. Use of asymmetric encryption over an Internet e-commerce site, where there is one private key for the hosting server and the public key is widely distributed to the customers, is MOST likely to provide comfort to the:
A. customer over the authenticity of the hosting organization.
B. hosting organization over the authenticity of the customer.
C. customer over the confidentiality of messages from the hosting organization.
D. hosting organization over the confidentiality of messages passed to the customer.

273. The database administrator (DBA) has recently informed you of his decision to disable certain normalization controls in the database management system (DBMS) software in order to provide users with increased query performance. This will MOST likely increase the risk of:
A. loss of audit trails.
B. redundancy of data.
C. loss of data integrity.
D. unauthorized access to data.

274. Which of the following techniques provides the BEST protection of e-mail message authenticity and confidentiality?
A. Signing the message using the sender's private key and encrypting the message using the receiver's public key.
B. Signing the message using the sender's public key and encrypting the message using the receiver's private key.
C. Signing the message using the receiver's private key and encrypting the message using the sender's public key.
D. Signing the message using the receiver's public key and encrypting the message using the sender's private key.

275. Which of the following is the MOST fundamental step in effectively preventing a virus attack?
A. Executing the updated anti-virus software in the background on a periodic basis.
B. Buying an effective standard anti-virus software, which is installed on all servers and workstations with hard disks.
C. Ensuring that all new software through all media is first checked for a virus in a separate PC before being loaded into the production environment.
D. Adopting a comprehensive anti-virus policy to protect the organization's computing facilities from virus attacks and communicating it to all users.

276. Confidential PC data is BEST protected by:
A. a password.
B. file encryption.
C. removable diskettes.
D. a key operated power source.

277. When auditing the security of a data center, an IS auditor would look for the presence of a voltage regulator to:
A. protect hardware against power surges.
B. maintain integrity if the main power is interrupted.
C. maintain immediate power if the main power is lost.
D. protect hardware against long-term power fluctuation.

278. Electromagnetic emissions from a terminal represent an exposure because they:
A. affect noise pollution.
B. disrupt processor functions.
C. produce dangerous levels of electric current.
D. can be detected and displayed.

279. Which of the following statements relating to power-off switches is FALSE?
A. They may need to immediately shut off power to the computer and peripheral devices.
B. Two emergency power switches should be installed inside the computer room adjacent to exits.
C. Emergency power-off switches should be clearly labeled.
D. Emergency power-off switches should be shielded against accidental activation.

280. Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly?
A. Halon gas
B. Wet-pipe sprinklers
C. Dry-pipe sprinklers
D. Carbon dioxide gas

281. Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power?
A. Power line conditioners
B. A surge protective device
C. An alternative power supply
D. An interruptible power supply

282. Which of the following would be the LEAST important item in a business continuity plan?
A. Redundant facilities
B. Relocation procedures
C. Adequate insurance coverage
D. Current and available business continuity manual

283. Which of the following physical access controls would provide the highest degree of security over unauthorized access?
A. Bolting door lock
B. Cipher lock
C. Electronic door lock
D. Fingerprint scanner

284. Which of the following is LEAST likely to be classified as a physical access control?
A. Access to the work area is restricted through a swipe card.
B. All physical assets have an identification tag and are properly recorded.
C. Access to the premises is restricted and all visitors authorized for entry.
D. Visitors are issued a pass and escorted in and out by a concerned employee.
285. During the course of a physical verification of assets an IS auditor discovered discrepancies in properly identifying and recording assets which could be attributed to a lack of related procedures and policies. Which of the following would NOT be a resultant exposure caused by this situation?
A. Assets do not have an adequate identification tag.
B. Incorrect identification may affect warranty claims.
C. Incorrect identification may affect insurance claims.
D. Assets wrongly recorded may lead to misappropriation.

286. Which of the following procedures can a biometric system perform?
A. Measure airborne contamination.
B. Provide security over physical access.
C. Monitor temperature and humidity levels.
D. Detect hazardous electromagnetic fields in an area.

287. Which of the following concerns associated with the World Wide Web would be addressed by a firewall?
A. Unauthorized access from outside the organization
B. Unauthorized access from within the organization
C. Delay in Internet connectivity
D. Delay in downloading using file transfer protocol

288. A digital signature contains a message digest to:
A. show if the message has been altered after transmission.
B. define the encryption algorithm.
C. confirm the identity of the originator.
D. enable message transmission in a digital format.

289. Which of the following fire suppressant systems would an IS auditor expect to find when conducting an audit of an unmanned computer center?
A. Carbon dioxide
B. Halon
C. Dry-pipe sprinkler
D. Wet-pipe sprinkler

290. The use of web site certificates achieves all of the following objectives EXCEPT:
A. authenticate the user.
B. authenticate the web site.
C. warranty that the terms for transactions are properly revealed to the users.
D. ensure that the web site has effective controls to protect private users' information from entities that are not related to the business.

291. Which of the following types of transmission media provide the BEST security against unauthorized access?
A. Copper wire
B. Twisted pair
C. Fiber optic cables
D. Coaxial cables

292. Controls designed to ensure that unauthorized changes cannot be made to information once it resides in a file are known as:
A. data security controls.
B. implementation controls.
C. program security controls.
D. computer operations controls.

293. Which of the following is the MOST effective technique for providing security during data transmission?
A. Communication log
B. Systems software log
C. Encryption
D. Standard protocol

294. Which of the following is the MOST effective control over visitor access to a data center?
A. Visitors are escorted
B. Visitor badges are required
C. Visitors sign in
D. Visitors are spot-checked by operators

295. Which of the following is a technique that could illegally capture network user passwords?
A. Encryption
B. Sniffing
C. Spoofing
D. Data destruction

296. All of the following are elements of a security infrastructure EXCEPT:
A. management commitment and support.
B. defined and documented security awareness training programs.
C. legal notice banners displayed on terminals with Internet connectivity.
D. defined and documented security policies and procedures.

297. Which of the following is the BEST audit procedure when examining if a firewall is configured in compliance with the organization's security policy?
A. Review the parameter settings
B. Interview the firewall administrator
C. Review the actual procedures
D. Review the device's log file for recent attacks

298. All of the following are significant Internet exposures EXCEPT:
A. loss of integrity.
B. denial of service.
C. insufficient resources to improve and maintain integrity.
D. unauthorized access.

299. When an organization's network is connected with an external network in an Internet client/server model not under that organization's control, security becomes a concern. In providing adequate security in this environment, which of the following assurance levels is LEAST important?
A. Server and client authentication
B. Data integrity
C. Data recovery
D. Data confidentiality

300. Programs that can run independently and travel from machine to machine across network connections, which
may destroy data or utilize tremendous computer and communication resources, are referred to as:
A. trojan horses.
B. viruses.
C. worms.
D. logic bombs.

301. Which of the following would LEAST likely prevent an information security failure in a wide area network?
A. Conducting user training and awareness programs
B. Avoiding a single point of failure
C. Developing systems that are free from vulnerabilities
D. Regular and rigorous monitoring of the systems logs

302. All of the following are common forms of Internet attacks EXCEPT:
A. exploitation of vulnerabilities in vendor programs.
B. denial of service attacks.
C. sending hostile code and attack programs as mail attachments.
D. systematic hacker foot-printing of an organization.

303. The management of an organization has encountered several security incidents recently and has decided to establish a security awareness program. Which of the following would be the LEAST effective in establishing a successful security awareness program?
A. Reward employees who report suspicious events
B. Provide training on a regular basis to new employees, support staff, users, and managers
C. Stage mock incidents to see how well users and support staff respond
D. Utilize an intrusion detection system to report on incidents that occur

304. Password syntax rules should include all of the following EXCEPT:
A. be five to eight characters in length.
B. shadowed so they are not displayed.
C. allow for a combination of alphanumeric characters.
D. not be particularly identifiable with any user.

305. Information for detecting unauthorized input from a terminal would be BEST provided by the:
A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.

306. An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely:
A. evaluate the record retention plans for off-premises storage.
B. interview programmers about the procedures currently being followed.
C. compare utilization records to operations schedules.
D. review data file access records to test the librarian function.

307. A systems analyst should have access to all of the following EXCEPT:
A. source code.
B. password identification tables.
C. user procedures.
D. edit criteria.

308. Authentication is the process by which the:
A. system verifies that the user is entitled to input the transaction requested.
B. system verifies the identity of the user.
C. user identifies himself to the system.
D. user indicates to the system that the transaction was processed correctly.

309. The IS auditor has determined that protection of computer files is inadequate. Which of the following is LEAST likely to have caused this problem?
A. Arrangements for compatible backup computer facilities
B. Procedures for release of files
C. Offsite storage procedures
D. Environmental controls

310. If inadequate, which of the following would MOST likely contribute to a denial of service attack?
A. Router configuration and rules
B. Design of the internal network
C. Updates to the router system software
D. Audit testing and review techniques

311. Which of the following is the MOST effective type of anti-virus software?
A. Scanners
B. Active monitors
C. Integrity checkers
D. Vaccines

312. The technique used to ensure security in virtual private networks (VPNs) is:
A. encapsulation.
B. wrapping.
C. transform.
D. encryption.

313. A critical function of a firewall is to act as a:
A. special router that connects the Internet to a LAN.
B. device for preventing authorized users from accessing the LAN.
C. server used to connect authorized users to private trusted network resources.
D. proxy server to increase the speed of access to authorized users.

314. During an audit of an enterprise that is dedicated to e-commerce in the modality of business-to-customer, the IS manager states that digital signatures are used in the establishment of its commercial relations. The auditor must prove that which of the following is used?
A. A biometric, digitalized and encrypted parameter with the customer's public key
B. A hash of the data that is transmitted and encrypted with the customer's private key
C. A hash of the data that is transmitted and encrypted with the customer's public key
D. The customer's scanned signature, encrypted with the customer's public key

315. Risk of hash compromise is BEST mitigated using:
A. digital signatures.
B. message encryption.
C. message authentication code.
D. cryptoanalysis.

316. Secure socket layer (SSL) protocol addresses the confidentiality of a message through:
A. symmetric encryption.
B. message authentication code.
C. hash function.
D. digital signature certificates.

317. An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking?
A. Application level gateway
B. Remote access server
C. Proxy server
D. Port scanning

318. A “dry-pipe” fire extinguisher system is a system that uses:
A. water, but in which water does not enter the pipes until a fire has been detected.
B. water, but in which the pipes are coated with special watertight sealants.
C. carbon dioxide instead of water.
D. halon instead of water.

319. An enterprise is implementing a business-to-business (B-to-B) network infrastructure to ensure efficient and effective communication and supply chain management with all international customers and suppliers. The enterprise would like to utilize the network infrastructure for secure communication, paperless negotiations and agreements and to ensure appropriate evidence for all transactions. The MOST appropriate solution is:
A. asymmetric encryption and digital signatures.
B. symmetric encryption and digital signatures.
C. public key infrastructure (PKI).
D. message authentication code and digital signatures.

320. Electronic signatures can prevent messages from being:
A. suppressed.
B. repudiated.
C. disclosed.
D. copied.

321. Confidential data stored on a laptop is BEST protected by:
A. storage on optical disks.
B. log-on ID and password.
C. data encryption.
D. physical locks.

322. Security administration procedures require read-only access to:
A. access control tables.
B. security log files.
C. logging options.
D. user profiles.

323. Which of the following would an IS auditor consider a MAJOR risk of using single sign-on?
A. It enables access to single multiple applications
B. It represents a single point of failure
C. It causes an administrative bottleneck
D. It leads to a lockout of valid users

324. Naming conventions for access controls are usually set by:
A. data owners with the help of the security officer.
B. programmers with the help of the security officer.
C. system analysts with the help of the security officer.
D. librarian with the help of the security officer.

325. Which of the following is the MOST secure way to connect a private network over the Internet in a small-to medium-sized organization?
A. Virtual private network
B. Dedicated line
C. Leased line
D. Integrated services digital network

326. The potential for unauthorized system access, by way of terminals or workstations within the organization's facility, is increased when:
A. connecting points are available in the facility to connect laptops to the network.
B. users do not write their system passwords on, or near, their work areas.
C. terminals with password protection are located in unsecured locations.
D. terminals are located within the facility in small clusters of a few terminals, each under direct charge and supervision of an administrator.

327. The BEST defense against eavesdropping into computer networks is:
A. encryption.
B. moving the defense perimeter outward.
C. reducing the amplitude of the communication signal.
D. masking the signal with noise.

328. A virtual private network (VPN) performs which of the following functions?
A. Hides information from sniffers on the net
B. Enforces security policies
C. Detects misuse or mistakes
D. Regulates access

329. Within an e-Commerce transaction through the Internet, the process of applying a digital signature to the data that travels in the network, provides which of the following?
A. Confidentiality and integrity
B. Security and nonrepudiation
C. Integrity and nonrepudiation
D. Confidentiality and nonrepudiation

330. Which of the following would an IS auditor consider a weakness when performing an audit of an organization that uses a public key infrastructure with digital
certificates for its business-to-consumer transactions via the Internet?
A. Customers are widely dispersed geographically, but not the certificate authorities (CA).
B. Customers can make their transactions from any computer or mobile device.
C. The certificate authority has several data processing subcenters to administrate certificates.
D. The organization is the owner of the CA.

331. Which of the following implementation modes would provide the GREATEST amount of security to outbound data connecting to the Internet?
A. Transport mode with authentication header (AH) plus encapsulating security payload (ESP)
B. SSL mode
C. Tunnel mode with AH plus ESP
D. Triple-DES encryption mode

332. Which of the following is the MOST reliable sender authentication method?
A. Digital signatures
B. Asymmetric cryptography
C. Digital certificates
D. Message authentication code

333. In the Internet encryption process, which of the following steps provides the GREATEST assurance in achieving authenticity of a message?
A. The pre-hash code is derived mathematically from the message being sent.
B. The pre-hash code is encrypted using the sender's private key.
C. Encryption of the pre-hash code and the message using the secret key.
D. Sender attains the recipient's public key and verifies the authenticity of its digital certificate with a certificate authority.

334. An Internet security threat that could compromise integrity is:
A. theft of data from the client.
B. exposure of network configuration information.
C. a trojan horse browser.
D. eavesdropping on the net.

335. An IS auditor performing a review of the implemented security infrastructure of an organization that provides business-to-business activities, observes that PKI services are being used. The auditor's conclusion would be that they use:
A. personal key information.
B. private key infrastructure.
C. public key infrastructure.
D. practical kerberos implementation.

336. In a public key infrastructure (PKI), the authority which is responsible for the identification and authentication of an applicant for a digital certificate (i.e., certificate subjects) is the:
A. registration authority (RA).
B. issuing certification authority.
C. subject certification authority.
D. policy management authority.

337. Which of the following is used to create Web pages on the Internet?
A. HTTP
B. HTML
C. TCP/IP
D. FTP

338. Which of the following is a simple networking device that interconnects two or more local area networks (LANs)?
A. Router
B. Bridge
C. Gateway
D. Brouter

339. Controls over electronic distribution of software would not include
A. Checksum
B. Digital signatures
C. Virus scanners
D. Intrusion detectors

340. Analyzing data protection requirements for installing a LAN does not include:
A. Uninterruptible power supply
B. Back ups
C. Fault tolerance
D. Operating systems

341. The most desirable metrics for system reliability, availability and responsiveness include (MTBF is mean time between failures, MTTR is mean time to repair, EMRT is emergency response time, and MTTF is mean time to failure):
A. High MTBF, low MTTR, low EMRT and high MTTF
B. Low MTBF, high MTTR, low EMRT and low MTTF
C. Low MTBF, low MTTR, high EMRT and high MTTF
D. High MTBF, high MTTR, high EMRT and low MTTF

342. A videoconferencing product where individuals work jointly on an electronic document is called a:
A. Workflow application
B. Multipoint application
C. Spreadsheet application
D. Whiteboard application

343. In which of the following situations would a checkpoint/restart procedure NOT enable recovery?
A. Experiencing temporary failure of the hardware
B. Loading tapes out of sequence in a multi-volume file
C. Completing the run of an incorrect version of the program
D. Suffering temporary power loss to the Data Center during the run

344. If a database is restored using before image dumps, where should the process be restarted following an interruption?
A. Before the last transaction
B. After the last transaction
C. The first transaction after the latest checkpoint
D. The last transaction before the latest checkpoint
345. Which of the following is an important consideration in providing backup for online systems?
A. Maintaining system software parameters
B. Ensuring periodic dumps of transaction logs
C. Ensuring grandfather-father-son file backups
D. Maintaining important data at an off-site location

346. As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard copy transaction log. At the end of the day, the order entry files are backed up onto tape. During the backup procedure, the disk drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files?
A. The previous day's backup file and the current transaction tape
B. The previous day's transaction file and the current transaction tape
C. The current transaction tape and the current hardcopy transaction log
D. The current hardcopy transaction log and the previous day's transaction file

347. Which of the following business recovery strategies would require the least expenditure of funds?
A. Warm site facility
B. Empty shell facility
C. Hot site subscription
D. Reciprocal agreement

348. Which of the following alternative business recovery strategies would be LEAST appropriate in a large database and online communications network environment where the critical business continuity period is 10 days?
A. Hot site
B. Cold site
C. Reciprocal agreement
D. Dual information processing facilities

349. For which of the following applications would rapid recovery be MOST crucial?
A. Point-of-sale terminals
B. Corporate planning
C. Regulatory reporting
D. Departmental chargeback

350. An organization's disaster recovery plan should address early recovery of:
A. all information systems processes.
B. all financial processing applications.
C. only those applications designated by the IS Manager.
D. processing in priority order, as defined by business management.

351. An off-site information processing facility:
A. should have the same amount of physical access restrictions as the primary processing site.
B. should be easily identified from the outside so that in the event of an emergency it can be easily found.
C. should be located in proximity to the originating site so that it can quickly be made operational.
D. need not have the same level of environmental monitoring as the originating site since this would be cost prohibitive.

352. An advantage of the use of hot sites as a backup alternative is:
A. the costs associated with hot sites are low.
B. that hot sites can be used for an extended amount of time.
C. that hot sites can be made ready for operation within a short period of time.
D. that hot sites do not require that equipment and systems software be compatible with the primary installation being backed up.

353. An IS auditor reviewing back-up procedures for software need only determine that:
A. object code libraries are backed up.
B. source code libraries are backed up.
C. both object and source code libraries are backed up.
D. program patches are maintained at the originating site.

354. Which of the following control concepts should be included in a comprehensive test of disaster recovery procedures?
A. Invite client participation.
B. Involve all technical staff.
C. Rotate recovery managers.
D. Install locally stored backup.

355. Which of the following tests would NOT apply to a review of the data center disaster recovery plan?
A. Setting up alternative processing facilities
B. Testing full functionality of restored applications
C. Installing key files from those stored in the Media Library
D. Executing application programs from off site backup copies

356. Which of the following is the business continuity planning and reconstruction team that is responsible for updating the applications database working from at the user recovery site during a reconstruction?
A. Applications team
B. Network recovery team
C. Emergency operations team
D. Data preparation and records team

357. Which of the following procedures would an IS auditor perform to BEST determine whether adequate recovery/restart procedures exist?
A. Reviewing program code
B. Reviewing operations documentation
C. Turning off the UPS, then the power
D. Reviewing program documentation

358. A company performs full back-up of data and programs on a regular basis. The primary purpose of this practice is to:
A. maintain data integrity in the applications.
B. restore application processing after a disruption.
C. prevent unauthorized changes to programs and data.
D. ensure recovery of data processing in case of a disaster.

359. An IS auditor conducting a review of disaster recovery planning at a financial processing organization has discovered the following:
• The existing disaster recovery plan was compiled two years ago by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
• The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his attention.
• The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for their area in the event of a disruptive incident.
The IS auditor's report should recommend that:
A. the deputy CEO be censured for his failure to approve the plan.
B. a board of senior managers be set up to review the existing plan.
C. the existing plan be approved and circulated to all key management and staff.
D. an experienced manager coordinate the creation of a new plan or revised plan within a defined time limit.

360. An IS auditor conducting a review of disaster recovery planning at a financial processing organization has discovered the following:
• The existing disaster recovery plan was compiled two years ago by a systems analyst in the organization's IT department using transaction flow projections from the operations department.
• The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his attention.
• The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for their area in the event of a disruptive incident.
The basis of the organization's disaster recovery plan is to re-establish live processing at an alternative site where a similar, but not identical, hardware configuration is already established.
The IS auditor should:
A. take no action as the lack of a current plan is the only significant finding.
B. recommend that the hardware configuration at each site should be identical.
C. perform a review to verify that the second configuration can support live processing.
D. report that the financial expenditure on the alternative site is wasted without an effective plan.

361. Disaster recovery planning for a company's computer system usually focuses on:
A. operations turnover procedures.
B. strategic long-range planning.
C. the probability that a disaster will occur.
D. alternative procedures to process transactions.

362. The MAIN purpose for periodically testing off-site hardware back-up facilities is to:
A. ensure the integrity of the data in the database.
B. eliminate the need to develop detailed contingency plans.
C. ensure the continued compatibility of the contingency facilities.
D. ensure that program and system documentation remains current.

363. During a business continuity planning review, the IS auditor discovered that software back-up is being kept only by the IT department and that senior management is not aware of where back-ups are being kept. Which of the following recommendations is an IS auditor LEAST likely to make?
A. Validations in the application software should be made to prevent unauthorized access to data.
B. Off-site security and environmental protection systems should be similar to the production environment.
C. There should be off-site storage of software company data, work product or deliverables in a protected vault for such period as specified.
D. A comprehensive business continuity plan should be formulated to meet the business needs and provide required capabilities in the event of any failure of IT systems.

364. A large chain of shops with electronic funds transfer (EFT) at point-of-sale devices has a central communications processor for connecting with the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?
A. Off-site storage of daily back-ups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node

365. The following table lists the estimate of the probability of a computer system being destroyed in a natural disaster and the corresponding overall business loss. Which system has the greatest exposure to loss?
Likelihood :: Losses (in $)
A. 10% :: 6 million
B. 15% :: 5 million
C. 20% :: 2.5 million
D. 25% :: 4 million

366. Which of the following would an IS auditor consider to be the MOST important to review when conducting a business continuity audit?
A. A hot site is contracted for and available as needed.
B. A business continuity manual is available and current.
C. Insurance coverage is adequate and premiums are current.
D. Media backups are performed on a timely basis and stored off-site.

367. Which of the following methods of providing telecommunication continuity involves routing traffic through split or duplicate cable facilities?
A. Diverse routing
B. Alternative routing
C. Redundancy
D. Long haul network diversity

368. Which of the following is NOT a feature of an uninterruptible power supply (UPS)?
A. A UPS provides electrical power to a computer in the event of a power failure.
B. A UPS system is an external piece of equipment or can be built into the computer itself.
C. A UPS should function to permit an orderly computer shutdown.
D. A UPS uses a greater wattage into the computer to ensure enough power is available.

369. Most business continuity tests should:
A. be conducted at the same time as normal business operations.
B. address all system components.
C. evaluate the performance of personnel.
D. be monitored by the IS auditor.

370. Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?
A. Built-in alternative routing
B. Full system back-up taken daily
C. A repair contract with a service provider
D. A duplicate machine alongside each server

371. The MOST significant level of business continuity planning program development effort is generally required during the:
A. testing stage.
B. evaluation stage.
C. maintenance stage.
D. early stages of planning.

372. An IS auditor reviewing an organization's information systems disaster recovery plan should verify that it is:
A. tested every 6 months.
B. regularly reviewed and updated.
C. approved by the chief executive officer (CEO).
D. communicated to every departmental head in the organization.

373. Which of the following implementations of digital encryption standard is the simplest implementation?
A. Electronic codebook (ECB)
B. Cipher block chaining (CBC)
C. Cipher feedback (CFB)
D. Output feedback (OFB)

374. Which of the following manages the certificate life cycle of public key pairs to ensure adequate security and controls exist in e-commerce applications?
A. Registration authority
B. Certificate authority
C. Certification revocation list
D. Certification practice statement

375. An IS auditor performing a review of the back-up processing facilities would be MOST concerned that:
A. adequate fire insurance exists.
B. regular hardware maintenance is performed.
C. offsite storage of transaction and master files exists.
D. backup processing facilities are fully tested.

376. Which of the following findings would an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?
A. There are three individuals with a key to enter the area
B. Paper documents are also stored in the offsite vault
C. Data files, which are stored in the vault, are synchronized
D. The offsite vault is located in a separate facility

377. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A. Developments may result in hardware and software incompatibility
B. Resources may not be available when needed
C. The recovery plan cannot be tested
D. The security infrastructures in each company may be different

378. All of the following are security and control concerns associated with disaster recovery procedures EXCEPT:
A. loss of audit trail.
B. insufficient documentation of procedures.
C. inability to restart under control.
D. inability to resolve system deadlock.

379. Losses can be minimized MOST effectively by using outside storage facilities to do which of the following?
A. Include current, critical information in backup files
B. Ensure that current documentation is maintained at the backup facility
C. Test backup hardware
D. Train personnel in backup procedures

380. Which of the following BEST describes the difference between a disaster recovery plan and a business continuity plan?
A. The disaster recovery plan works for natural disasters whereas the business continuity plan works for non-planned operating incidents such as technical failures.
B. The disaster recovery plan works for business process recovery and information systems whereas the business continuity plan works only for information systems.
C. The disaster recovery plan defines all needed actions to restore to normal operation after an un-planned incident whereas the business continuity plan only deals with critical operations needed to continue working after an un-planned incident.
D. The disaster recovery plan is the awareness process for employees whereas the business continuity plan
contains the procedures themselves to recover the operation.

381. Which of the following would warrant a quick continuity of operations when the recovery time window is short?
A. A duplicated back-up in an alternate site
B. Duplicated data in a remote site
C. Transfer of data the moment a contingency occurs
D. A manual contingency procedure

382. Which of the following is MOST important to have in a disaster recovery plan?
A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms

383. At the end of a simulation of an operational contingency test, the IS auditor performed a review of the recovery process. The IS auditor concluded that the recovery took more than the critical time frame that was necessary. Which of the following actions would the auditor recommend?
A. Widen the physical capacity to accomplish better mobility in a shorter time.
B. Shorten the distance to reach the hot site.
C. Perform an integral review of the recovery tasks.
D. Increase the number of human resources involved in the recovery process.

384. An IS auditor inspects an organization's offsite storage and plans to sample the system and program documentation. The IS auditor is MOST likely interested in reviewing:
A. error conditions and user manuals.
B. application run books.
C. job stream control instructions.
D. exception processing instructions.

385. While reviewing the business continuity plan of an organization, the IS auditor observed that the organization's data and software files are backed up on a periodic basis. Which characteristic of an effective plan does this demonstrate?
A. Deterrence
B. Mitigation
C. Recovery
D. Response

386. Which of the following disaster recovery/continuity plan components provides the GREATEST assurance for recovery after a disaster?
A. The requirement that the alternate facility be available until the original information processing facility is restored.
B. User management involvement in the identification of critical systems and their associated critical recovery times and the specification of needed procedures.
C. Copies of the plan kept at the homes of key decision making personnel.
D. Adequate feedback to management to assure that the business continuity plans are indeed workable and that the procedures are current.

387. Which of the following principles must exist to ensure the viability of a duplicate information processing facility?
A. The site is near the primary site to ensure quick and efficient recovery is achieved.
B. The site contains the most advanced hardware available from the chosen vendor.
C. The workload of the primary site is monitored to ensure adequate backup is complete.
D. The hardware is tested when it is established to ensure it is working properly.

388. There are several methods of providing telecommunications continuity. The method of routing traffic through split cable or duplicate cable facilities is:
A. alternative routing.
B. diverse routing.
C. long haul network diversity.
D. last mile circuit protection.

389. Which of the following offsite information processing facility conditions would cause an IS auditor the GREATEST concern?
A. The facility is clearly identified on the outside with the company name.
B. The facility is located more than an hour driving distance from the originating site.
C. The facility does not have any windows to let in natural sunlight.
D. The facility entrance is located in the back of the building rather than the front.

390. Which of the following is a continuity plan test that uses actual resources to simulate a system crash to cost-effectively obtain evidence about the plan's effectiveness?
A. Paper test
B. Post test
C. Preparedness test
D. Walkthrough

391. An offsite backup facility having electrical wiring, air conditioning, flooring, etc., but no computer or communications equipment, intended to operate an information processing facility is better known as a:
A. cold site.
B. warm site.
C. dial up site.
D. duplicate processing facility.

392. Which of the following methods of results analysis, during the testing of the business continuity plan (BCP), provides the BEST assurance that the plan is workable?
A. Quantitatively measuring the results of the test
B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results
393. A large organization with numerous applications running on its mainframe system is experiencing a growing backlog of undeveloped applications. As part of a master plan to eliminate this backlog, end-user computing with prototyping is being introduced, supported by the acquisition of an interactive application generator system. Which of the following areas is MOST critical to the ultimate success of this venture?
A. Data control
B. Systems analysis
C. Systems programming
D. Application programming

394. Which of the following general control items would NOT normally be found in an audit of user programming procedures in an end-user computing environment?
A. Console log procedures
B. Change control procedures
C. Back-up and recovery procedures
D. Documentation standards and procedures

395. Which of the following represents a typical prototype of an interactive application?
A. Screens and process programs
B. Screens, interactive edits and sample reports
C. Interactive edits, process programs and sample reports
D. Screens, interactive edits, process programs and sample reports

396. Which of the following statements relating to the use of spreadsheets is FALSE?
A. An essential control feature is the performance of adequate testing.
B. It is important to develop complete and appropriate documentation.
C. In the designing process, it is important that data be limited to one spreadsheet.
D. The reference area should include the file name, the version number, and the creation date and time.

397. Which of the following tasks would NOT be performed by an IS auditor when reviewing systems development controls in a specific application?
A. Attend project progress meetings.
B. Review milestone documents for appropriate sign-off.
C. Compare development budgets with actual time and dollars spent.
D. Design and execute testing procedures for use during acceptance testing.

398. Which of the following represents the MOST pervasive control over application development?
A. IS auditors
B. Standard development methodologies
C. Extensive acceptance testing
D. Quality assurance groups

399. A computerized information system frequently fails to meet the needs of users because:
A. user needs are constantly changing.
B. the growth of user requirements was inaccurately forecast.
C. the hardware system limits the number of concurrent users.
D. user participation in defining the system's requirements is inadequate.

400. Which of the following are objectives of using a system development life cycle methodology?
A. Ensuring that appropriate staffing is complete and providing a method of controlling costs and schedules.
B. Providing a method of controlling costs and schedules and ensuring communication among users, IS auditors, management and IS personnel.
C. Providing a method of controlling costs and schedules and an effective means of auditing project development.
D. Ensuring communication among users, IS auditors, management and personnel and ensuring that appropriate staffing is complete.

401. A primary reason for an IS auditor's involvement in the development of a new application system is to determine that:
A. adequate controls are built into the system.
B. user requirements are satisfied by the system.
C. sufficient hardware is available to process the system.
D. data are being developed for pre-implementation testing of the system.

402. In which of the following phases of the system development life cycle of a new application system is it MOST important for the IS auditor to participate?
A. Design
B. Testing
C. Programming
D. Implementation

403. During a detailed system design, the IS auditor would be LEAST concerned with:
A. adequacy of audit trails.
B. handling of rejected transactions.
C. adequacy of hardware to handle the system.
D. procedures to ensure that all transactions are received.

404. Which of the following groups/individuals assume ownership of systems development life cycle projects and the resulting system?
A. User management
B. Senior management
C. Project steering committee
D. Systems development management

405. Which of the following statements regarding the function of a systems development life cycle steering committee is FALSE?
A. Review project progress regularly.
B. Report only to senior management on project status.
C. Serve as a coordinator and advisor to answer questions about system and program design.
D. Take corrective action regarding personnel changes on the project team.

406. The responsibility of assuring that the systems development life cycle design adheres to corporate security policies and tests system security prior to implementation is that of the:
A. security officer.
B. project manager.
C. quality assurance.
D. project steering committee.

407. An IS auditor who is participating in a systems development life cycle project should:
A. recommend appropriate control mechanisms regardless of cost.
B. obtain and read project team meeting minutes to determine the status of the project.
C. ensure that adequate and complete documentation exists for all project phases.
D. not worry about his/her own ability to produce key deliverables by the promised dates since work will progress regardless.

408. The phases and deliverables of a systems development life cycle project should be determined:
A. during the early planning stages of the project.
B. after early planning has been completed, but before work has begun.
C. during the work stages as deliverables are determined based on risks and exposures.
D. only after all risks and exposures have been identified and the IS auditor has recommended appropriate controls.

409. Where a systems development life cycle methodology is inadequate, the MOST serious immediate risk is that the new system will:
A. be completed late.
B. exceed the cost estimates.
C. not meet business and user needs.
D. be incompatible with existing systems.

410. Which of the following is a management technique that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality?
A. Function point analysis
B. Critical path methodology
C. Rapid application development
D. Program evaluation review technique

411. Which of the following is NOT an advantage of using structured analysis (SA)?
A. SA supports CASE tools.
B. SA addresses users' concerns quickly.
C. SA is more applicable to problem-oriented analysis than design.
D. SA addresses the issue of structuring systems into concurrent tasks.

412. Which of the following is an advantage of prototyping?
A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with prototype systems.
D. It ensures that functions or extras are not added to the intended system.

413. The use of fourth generation languages (4GLs) should be weighed carefully against using traditional languages because 4GLs:
A. can lack lower level detail commands necessary to perform data intensive operations.
B. cannot be implemented on both the mainframe processors and microcomputers.
C. generally contain complex language subsets which must be used by skilled users.
D. cannot access database records and produce complex online outputs.

414. Which of the following is NOT a feature of structured programming for defining applications?
A. Programs are written using a bottom-up approach.
B. Programs are easy to develop and maintain.
C. Design modules are independent of each other.
D. Design is accomplished through a series of diagrams, showing relationships.

415. Which of the following computer aided software engineering (CASE) products is used for developing detailed designs, such as screen and report layouts?
A. Super CASE
B. Upper CASE
C. Middle CASE
D. Lower CASE

416. Which of the following is a characteristic of a decision support system (DSS)?
A. DSS is aimed at solving highly structured problems.
B. DSS combines the use of models with non-traditional data access and retrieval functions.
C. DSS emphasizes flexibility in the decision making approach of users.
D. DSS supports only structured decision-making tasks.

417. Which of the following statements pertaining to data warehouses is FALSE?
A. A data warehouse is designed specifically for decision support.
B. The quality of the data in a data warehouse must be very high.
C. Data warehouses are made up of existing databases, files and external information.
D. A data warehouse is used by senior management only because of the sensitivity of the data.

418. The primary role of an IS auditor in the system design phase of an application development project is to:
A. advise on specific and detailed control procedures.
B. ensure the design accurately reflects the requirement.
C. ensure all necessary controls are included in the initial design.
D. advise the development manager on adherence to the schedule.

419. Which of the following would be considered to be the MOST serious disadvantage of prototyping systems development?
A. The prototyping software is expensive.
B. Prototyping demands excessive computer usage.
C. Users may perceive that the development is complete.
D. The users' needs may not have been correctly assessed.

420. An advantage of using sanitized live transactions in test data is that:
A. all transaction types will be included.
B. every error condition is likely to be tested.
C. no special routines are required to assess the results.
D. test transactions are representative of live processing.

421. An IS auditor's primary concern when application developers wish to use a copy of yesterday's transaction file from the production process to show that the development can cope accurately with the required volume is that:
A. users may prefer to use contrived data for testing.
B. unauthorized access to sensitive data may result.
C. error handling and credibility checks may not be fully proven.
D. full functionality of the new process is not necessarily tested.

422. Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would improve the estimation of the resources required in system construction after the development of the requirements specification?
A. PERT chart
B. Recalibration
C. Cost-benefit analysis
D. Function point estimation

423. Which of the following is the MOST important reason for the IS auditor to be involved in the system development life cycle process?
A. Evaluate the efficiency of resource utilization.
B. Develop audit programs for subsequent audits of the system.
C. Evaluate the selection of hardware to be used by the system.
D. Ensure that adequate controls are built into the system during development.

424. Which of the following is a primary purpose for conducting parallel testing?
A. To determine if the system is more cost-effective.
B. To enable comprehensive unit and system testing.
C. To highlight errors in the program interfaces with files.
D. To ensure the new system meets all user requirements.

425. Unit testing is different from system testing because:
A. unit testing is more comprehensive.
B. programmers are not involved in system testing.
C. system testing relates to interfaces between programs.
D. system testing proves user requirements are adequate.

426. Which of the following audit procedures would an IS auditor normally perform FIRST when auditing the current documented systems development life cycle?
A. Determine procedural adequacy.
B. Analyze procedural effectiveness.
C. Evaluate level of compliance with procedures.
D. Compare established standards to observed procedures.

427. An IS auditor who has participated in the development of an application system might have their independence impaired if they:
A. perform an application development review.
B. recommend control and other system enhancements.
C. perform an independent evaluation of the application after its implementation.
D. are actively involved in the design and implementation of the application system.

428. Which of the following tools would NOT be used in program debugging during system development?
A. Compiler
B. Memory dump
C. Output analyzer
D. Logic path monitor

429. Which of the following statements relating to structured query language (SQL) is TRUE?
A. SQL is harder to use than a programming language.
B. A user must know where the information is located to gain access.
C. A user must know how the information is structured to gain access.
D. SQL serves as an interface between the client, computer, and server.

430. A significant problem in planning and controlling a software development project is determining:
A. project slack times.
B. a project's critical path.
C. time and resource requirements for individual tasks.
D. precedent relationships which preclude the start of certain activities until others are complete.

431. Which of the following is NOT a role of a project sponsor who is involved in a systems development project?
A. Provides funding for the project
B. Responsible for data and application ownership
C. Monitors and controls costs and project timetable
D. Works with the project manager to define success parameters

432. Large scale systems development life cycle (SDLC) efforts:
A. are not affected by the use of prototyping tools.
B. can be carried out independent of other organizational practices.
C. require that business requirements be defined before the project begins.
D. require that project phases and deliverables be defined during the duration of the project.
433. Which of the following is a reason to involve an IS auditor in systems design activities?
A. Post-application reviews do not need to be performed.
B. Total budgeted system development costs can be reduced.
C. It is extremely costly to institute controls after a system becomes operational.
D. The extent of user involvement in design activities is significantly reduced.
434. Which of the following would NOT normally be part of a feasibility study?
A. Identifying the cost savings of a new system.
B. Defining the major requirements of the new system.
C. Determining the productivity gains of implementing a new system.
D. Estimating a pay-back schedule for cost incurred in implementing the system.
435. Detailed systems specifications do NOT normally include:
A. overviews of each program in the system.
B. program, operations and user documentation.
C. a systems flowchart showing the system logic, data files and reports of the system.
D. a systems narrative depicting the systems objectives, the major functions to be performed and the relationships of the major functions.
436. The purpose of the system development life cycle program and procedure development phase is to:
A. prepare, test and document all computer programs and manual procedures.
B. document a business or system problem to a level at which management can select a system solution.
C. prepare a high-level design of a proposed system solution and present reasons for adopting a solution.
D. expand the general design of an approved system solution so that programming and procedure writing can begin.
437. The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as:
A. rules.
B. decision trees.
C. semantic nets.
D. data flow diagrams.
438. Structured programming is BEST described as a technique that:
A. provides knowledge of program functions to other programmers via peer reviews.
B. reduces the maintenance time of programs by the use of small-scale program modules.
C. makes the readable coding reflect as closely as possible the dynamic execution of the program.
D. controls the coding and testing of the high-level functions of the program in the development process.
439. Peer reviews that detect software errors during each program development cycle resulting in faster implementation, better documentation, easier maintenance and higher programmer morale are called:
A. emulation techniques.
B. structured walkthroughs.
C. modular program techniques.
D. top-down program construction.
440. An IS auditor who plans on testing the connection of two or more system components that pass information from one area to another would use:
A. pilot testing.
B. parallel testing.
C. interface testing.
D. regression testing.
441. An advantage in using a bottom-up versus a top-down approach to software testing is that:
A. interface errors are detected earlier.
B. confidence in the system is achieved earlier.
C. errors in critical modules are detected earlier.
D. major functions and processing are tested earlier.
442. During which phase of a system development process would an IS auditor first consider application controls?
A. Construction
B. System design
C. Acceptance testing
D. Functional specification
443. Which of the following quality mechanisms is MOST likely to occur when a system development project is in the middle of the construction stage?
A. Unit tests
B. Stress tests
C. Regression testing
D. Acceptance testing
444. An IS auditor reviewing a system development project would be MOST concerned whether:
A. business objectives are achieved.
B. security and control procedures are adequate.
C. the system utilized the strategic technical infrastructure.
D. development will comply with the approved quality management processes.
445. A large number of system failures are occurring when corrections to previously detected faults are resubmitted for acceptance testing. This would indicate that the development team is probably not adequately performing which of the following types of testing?
A. Unit testing
B. Integration testing
C. Design walkthroughs
D. Configuration management
446. An organization is developing a new business system. Which of the following will provide the MOST assurance that the system provides the required functionality?

600 Questions Pg 33
A. Unit testing
B. Regression testing
C. Acceptance testing
D. Integration testing
447. Which of the following techniques would provide the BEST assurance that the estimate of program development effort is reliable?
A. Function point analysis
B. Estimates by business area
C. Computer based project schedule
D. Estimate by experienced programmer
448. An IS auditor reviewing an organization's test strategy discovers that it is proposed that the test database be refreshed weekly from a section of the production database. Which of the following would MOST likely be affected by this approach?
A. Completeness of testing
B. Test processing efficiency
C. Documentation of test results
D. Integrity of the production data
449. Which of the following would be a major DISADVANTAGE of using prototyping as a systems development methodology?
A. User expectations of project timescales may be over-optimistic.
B. Effective change control and management is impossible to implement.
C. User participation in day-to-day project management may be too extensive.
D. Users are not usually sufficiently knowledgeable to assist in system development.
450. An IS auditor involved as a team member in the detailed system design phase of a system under development would be MOST concerned with:
A. internal control procedures.
B. user acceptance test schedules.
C. adequacy of the user training program.
D. clerical processes for resubmission of rejected items.
451. The PRIMARY reason for separating the test and development environments would be to:
A. restrict access to systems under test.
B. segregate user and development staff.
C. control the stability of the test environment.
D. secure access to systems under development.
452. The use of coding standards is encouraged by IS auditors because they:
A. define access control tables.
B. detail program documentation.
C. standardize dataflow diagram methodology.
D. ensure compliance with field naming conventions.
453. During which of the following phases in systems development would user acceptance test plans normally be prepared?
A. Feasibility study
B. Requirements definition
C. Implementation planning
D. Post-implementation review
454. In the development of an important application affecting the entire organization, which of the following would be the MOST appropriate project sponsor?
A. The information systems manager
B. A member of executive management
C. An independent management consultant
D. The manager of the key user department
455. Which of the following is LEAST likely to be included in the feasibility study?
A. Statutory requirements
B. Operating system implications
C. Control and audit specifications
D. Hardware capacity considerations
456. Which of the following development methods uses a prototype that can continually be updated to meet changing user or business requirements?
A. Data oriented development (DOD)
B. Object oriented development (OOD)
C. Business process reengineering (BPR)
D. Rapid application development (RAD)
457. Which of the following should be included in a feasibility study for a project to install electronic data interchange (EDI)?
A. The encryption algorithm format
B. The detailed internal control procedures
C. The necessary communication protocols
D. The proposed trusted third-party agreement
458. When reviewing the quality of an IS department's development process, the IS auditor finds that they do not use any formal, documented methodology and standards. The IS auditor's MOST appropriate action would be to:
A. complete the audit and report the finding.
B. investigate and recommend appropriate formal standards.
C. document the informal standards and test for compliance.
D. withdraw and recommend a further audit when standards are implemented.
459. Which of the following testing methods is MOST effective during the initial phases of prototyping?
A. System testing
B. Parallel testing
C. Volume testing
D. Top-down testing
460. IS management has decided to rewrite a legacy customer relations system using fourth generation languages (4GLs). Which of the following risks is MOST often associated with system development using 4GLs?
A. Inadequate screen/report design facilities
B. Complex programming language subsets
C. Lack of portability across operating systems
D. Inability to perform data intensive operations

600 Questions Pg 34
461. Which of the following audit procedures would MOST likely be used in an audit of a systems development project?
A. Develop test transactions
B. Use code comparison utilities
C. Develop audit software programs
D. Review functional requirements documentation
462. When a new system is to be implemented within a short timeframe, it is MOST important to:
A. finish writing user manuals.
B. perform user acceptance testing.
C. add last-minute enhancements to functionalities.
D. ensure that code has been documented and reviewed.
463. Which of the following should NOT be criteria related to the decision to acquire system software?
A. Hard and soft costs
B. Integration with the existing environment
C. Similarity of the acquired system software to that currently in use
D. Appropriateness of the proposed software to the desired computer environment
464. Which of the following is NOT considered an advantage of packaged software?
A. Reduced development cost
B. Reduced risk of logic error
C. Increased processing efficiencies
D. Increased flexibility due to optional features
465. Which of the following would NOT be a reason for IS Audit involvement in information systems contractual negotiations?
A. Often hardware does not interface in an acceptable manner.
B. Many information systems projects incur additional costs over the contract cost.
C. Vendors may go out of business and discontinue service support on their products.
D. Only the IS auditor can determine whether the controls in the system are adequate.
466. If the decision has been made to acquire software rather than develop it internally, this decision is normally made during the:
A. requirements definition phase of the project.
B. feasibility study phase of the project.
C. detailed design phase of the project.
D. programming phase of the project.
467. Which of the following is NOT an advantage of concurrent software licensing?
A. The license is based on the number of users that can access the software at one time.
B. Network administrators can identify the need to purchase software based on need and use.
C. It is a method that can be used to prevent illegal duplication of software.
D. Users must wait for access, if all concurrent access sessions are in use.
468. Which of the following BEST describes the necessary documentation of an enterprise product reengineering (EPR) software installation?
A. Specific developments only
B. Business requirements only
C. All phases of the installation must be documented
D. No need to develop a customer specific documentation
469. When auditing the requirements phase of a software acquisition, an IS auditor would:
A. assess the adequacy of audit trails.
B. identify and determine the criticality of the need.
C. verify cost justifications and anticipated benefits.
D. ensure that control specifications have been defined.
470. A company has contracted an external consulting firm to implement a commercial financial system to replace its existing in-house developed system. In reviewing the proposed development approach, which of the following would be of GREATEST concern?
A. Acceptance testing is to be managed by users.
B. A quality plan is not part of the contracted deliverables.
C. Not all business functions will be available on initial implementation.
D. Prototyping is being used to confirm that the system meets business requirements.
471. Which of the following should be in place to protect the purchaser of an application package in the event that the vendor ceases to trade?
A. Source code held in escrow.
B. Object code held by a trusted third party.
C. Contractual obligation for software maintenance.
D. Adequate training for internal programming staff.
472. Change management procedures are established by IS management to:
A. control the movement of applications from the test environment to the production environment.
B. control the interruption of business operations from lack of attention to unresolved problems.
C. ensure the uninterrupted operation of the business in the event of a disaster.
D. verify that system changes are properly documented.
473. Which of the following system software elements enables complex system maintenance?
A. System exits
B. Special system logon-IDs
C. Network change controls
D. Bypass label processing
474. Which of the following program change controls is NOT the responsibility of the user department?
A. Updating documentation to reflect all changes
B. Initiating requests within its scope of authority
C. Approving changes before implementation, based on the results of testing
D. Approving changes before implementation, based on review of changes to manual procedures

600 Questions Pg 35
475. Which of the following is MOST effective in controlling application maintenance?
A. Informing users of the status of changes
B. Establishing priorities on program changes
C. Obtaining user approval of program changes
D. Requiring documented user specifications for changes
476. Which of the following should be tested if an application program is modified in an authorized maintenance procedure?
A. The integrity of the database
B. The segment of the program which has been amended
C. The access controls for the applications programmer
D. The complete program, including any interface systems
477. A post-implementation review of a new or extensively modified system is usually performed by:
A. end-users and IS auditor.
B. IS auditor and project development team.
C. project steering committee and project development team.
D. project development team and end-users.
478. In regard to moving an application program from the test environment to the production environment, the BEST control would be provided by having the:
A. application programmer copy the source program and compiled object module to the production libraries.
B. application programmer copy the source program to the production libraries and then have the production control group compile the program.
C. production control group copy the source program and compile the object module to the production libraries.
D. production control group copy the source program to the production libraries and then compile the program.
479. Utilizing audit software to provide code comparisons of production programs is an audit technique used to test program:
A. logic.
B. changes.
C. efficiency.
D. computations.
480. Which of the following BEST describes the process used to solve a year or date problem in a current operating system?
A. Development of a requirements definition document and performance of a feasibility study for all critical business functions
B. Definition of detailed design specifications for applications based on the general design and user specifications
C. Testing, verification, and validation of converted or replaced platforms, applications, databases, and utilities
D. Authoring of user procedure manuals and training developed during the time that coding begins
481. Which of the following would NOT represent a strong test approach for an organization attempting to solve a year or date problem in a current operating system?
A. A phased approach for testing and validation that includes unit, integration, systems, and acceptance testing.
B. Use of a program logic analyzer to assess and identify key data paths of critical applications in prioritizing conversion and testing efforts.
C. A robust test facility separate from the production environment to avoid contamination or interference with the operation of the production systems.
D. Use of integrated power tools that support testing of critical application prototypes and establishment of a central repository for requirements coming out of this process.
482. An advantage to setting a stop or freezing point on the design of a new project is to:
A. prevent further changes to a project in process.
B. indicate the point when the design is to be completed.
C. require changes after that point be reviewed and evaluated for cost-effectiveness.
D. provide the project management team with more control over the project design.
483. All of the following system maintenance controls are the responsibility of the user department EXCEPT:
A. initiating requests within its scope of authority.
B. updating systems documentation to reflect all changes.
C. approving changes before implementation, based on the results of testing.
D. approving changes before implementation, based on review of changes to manual procedures.
484. If an application program is modified and proper system maintenance procedures are in place, which of the following should be tested?
A. The integrity of the database.
B. The access controls for the applications programmer.
C. The complete program, including any interface systems.
D. The segment of the program containing the revised code.
485. An IS auditor performing an application maintenance audit would review a manually prepared log of program changes to determine the:
A. number of authorized program changes.
B. creation date of a current object module.
C. number of program changes actually made.
D. creation date of a current source program.
486. Ideally, stress testing should only be carried out in a:
A. test environment using test data.
B. production environment using live workloads.
C. test environment using live workloads.
D. production environment using test data.

600 Questions Pg 36
487. When auditing the proposed acquisition of a new computer system, the IS auditor should FIRST establish that:
A. a clear business case has been approved by management.
B. corporate security standards will be met.
C. users will be involved in the implementation plan.
D. the new system will meet all required user functionality.
488. Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data?
A. Inheritance
B. Dynamic warehousing
C. Encapsulation
D. Polymorphism
489. The objective of software test designs is to provide the highest likelihood of finding most errors with a minimum of time and effort. Which of the following methods is LEAST likely to meet the design objective?
A. Black box tests which are used to determine that software functions are operational.
B. White box testing predicated on a close examination of procedural detail of all software logical paths.
C. Regression testing in conducting previous tests to ensure that new errors have not been introduced.
D. Software test design that provides for unit, integration, systems, and acceptance testing.
490. All of the following are used as cost estimating techniques during the project planning stage EXCEPT:
A. PERT charts.
B. function points.
C. delphi technique.
D. expert judgment.
491. Which of the following is a dynamic analysis tool for the purpose of testing of software modules?
A. Black box test
B. Desk checking
C. Structured walk-through
D. Design and code
492. The primary purpose of a system test is to:
A. test the generation of the designed control totals.
B. determine that the documentation of the system is accurate.
C. evaluate the system functionally.
D. ensure that the system operators get familiar with the new system.
493. When implementing an application software package, which of the following presents the GREATEST risk?
A. Multiple software versions are not controlled
B. Source programs are not synchronized with object code
C. Parameters are not set correctly
D. Programming errors
494. For the design and programming of an information system, which is the typical sequence in which participation of these individuals should occur?
A. Technical analyst, functional analyst, programmer
B. Technical analyst, programmer, computer operator
C. Functional analyst, technical analyst, programmer
D. Technical analyst, technical support, programmer
495. In the design of an application system, the IS auditor:
A. should participate to ensure appropriate controls are included in the system.
B. should not get involved because it would affect his/her objectivity.
C. should be able to code some of the control routines that should be included in the programs.
D. defines all the controls that need to be included in the system.
496. Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized?
A. Release-to-release source and object comparison reports
B. Library control software restricting changes to source code
C. Restricted access to source code and object code
D. Date and time-stamp reviews of source and object code
497. Following the development of an application system, it is determined that several design objectives have not been achieved. This is MOST likely to have been caused by:
A. insufficient user involvement.
B. early dismissal of the project manager.
C. inadequate quality assurance (QA) tools.
D. non-compliance with defined approval points.
498. During a post-implementation review of an enterprise resource management system an IS auditor would MOST likely:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.
499. An executable module is about to be migrated from the test environment to the production environment. Which of the following controls would MOST likely detect an unauthorized modification to the module?
A. Object code comparison
B. Source code comparison
C. Timestamps
D. Manual inspection
500. The use of object-oriented design and development techniques would MOST likely:
A. facilitate the ability to reuse modules.
B. improve system performance.
C. enhance control effectiveness.
D. speed up the system development life cycle.
501. Once an application's access control process has been established, an IS auditor should verify that:

600 Questions Pg 37
A. passwords are not shared.
B. files and passwords are encrypted.
C. profile assignments are controlled by the IS manager.
D. there are no functions overlapping in the database administration.
502. Which of the following is a measure of the size of an information system based on the number and complexity of a system's inputs, outputs and files?
A. Program evaluation review technique (PERT)
B. Rapid application development (RAD)
C. Function point analysis (FPA)
D. Critical path method (CPM)
503. The purpose for requiring source code escrow in a contractual agreement is to:
A. ensure the source code is available if the vendor ceases to exist.
B. permit customization of the software to meet specified business requirements.
C. review the source code for adequacy of controls.
D. ensure vendor complies with legal requirements.
504. Which of the following should be performed FIRST when acquiring software?
A. Identify data processing requirements
B. Compare delivery schedules to requirements
C. Negotiate price
D. Establish business needs
505. An IS auditor participating in new software development projects will provide an increased contribution and the organization will experience increased efficiency if:
A. procedures to identify and document needs and requirements of the users are established.
B. procedures to store the developed software are defined in the systems development life cycle phases.
C. development, test and production environments are defined separately from each other.
D. procedures and formal guidelines are established that identify each system development life cycle phase.
506. The purpose of debugging programs is to:
A. generate random data that can be used to test programs before implementing them.
B. protect valid changes from being overwritten by other changes during the programming.
C. define the program development and maintenance costs to be included in the feasibility study.
D. ensure that abnormal terminations and coding flaws are detected and corrected.
507. The difference between white-box testing and black-box testing is that white-box testing:
A. involves the IS auditor.
B. is performed by an independent programmer team.
C. examines the program internal logical structure.
D. uses the bottom-up approach.
508. Which of the following is the BEST way to achieve good quality software?
A. The primary means is through thorough testing.
B. It is most beneficial to find and quickly correct programming errors.
C. The amount of checking should be dictated by available time and budget.
D. Well-defined processes and structured reviews should be applied throughout the project.
509. Which of the following groups/individuals assume overall direction and responsibility for costs and timetables of systems development life cycle projects?
A. User management
B. Project steering committee
C. Senior management
D. Systems development management
510. Failure to adequately define or manage the requirements for a system can result in a number of risks. The GREATEST risk is:
A. inadequate user involvement.
B. inadequate allocation of resources.
C. requirement change during development.
D. inadequate estimation of the critical path.
511. Which of the following methodologies is appropriate for planning and control activities and resources in a system project?
A. Critical path methodology (CPM)
B. Program evaluation review technique (PERT)
C. Gantt charts
D. Function point analysis
512. One of a fourth generation language's (4GL) distinguishing features is portability, which means:
A. Environmental independence
B. Workbench concepts (temporary storage, text editing, etc.)
C. Ability to design screen formats and develop graphical outputs
D. Ability to execute online operations
513. An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The vendor contract should have a clause for:
A. a backup server to be available to run all ETCS operations with up-to-date data in the event of failure of the original ETCS server.
B. a backup server of a similar configuration as the ETCS server and be loaded with all the relevant software and data.
C. systems staff of the organization to be trained to handle any eventualities.
D. source code of ETCS application software to be kept under an escrow agreement.
514. An IS auditor reviewing systems development on the Internet determines that the BEST reason why the system developer is using applets is because:
A. it is sent over the network from the web server.
B. the server does not run the program and the output is not sent over the network.

600 Questions Pg 38
C. they improve the performance of both the web server and network.
D. it is a JAVA program downloaded through the web browser run on the client machine from the web server.
515. An enterprise has established a steering committee to oversee its e-business program. The steering committee would MOST likely be involved in the:
A. documentation of software requirements.
B. escalation of project issues.
C. design of interface controls between systems.
D. specification of management reports.
516. Which of the following is a control to detect an unauthorized change in a production environment?
A. Deny programmer access to production data.
B. Require change requests to include information about dates, descriptions, cost analysis and anticipated effects.
C. Run a source comparison program between control and current source periodically.
D. Establish procedures for emergency changes.
517. An IS auditor reviewing the design phase of the program development life cycle would seek to determine that:
A. program documentation provides little evidence about the quality of the design approach used during software development.
B. programmers specify the structure and operations of a program that will satisfy a requirements specification.
C. an object-oriented approach to design is employed when low-level programming languages are used to develop programs.
D. a formal approach to design is not followed when high-level languages are used to develop programs.
518. Which of the following statements pertaining to business process reengineering (BPR) is TRUE?
A. BPR projects cause concern since they often lead to an increased number of people using technology.
B. Significant cost savings are achieved through reduced complexity and volatility in information technology.
C. BPR leads to weaker organizational structures and less accountability.
D. Information protection (IP) is a greater risk as it is more likely to be in conflict with BPR.
519. Which of the following is the FIRST point at which control totals should be implemented in order to prevent the loss of data during the processing cycle?
A. During data preparation
B. In transit to the computer
C. Between related computer runs
D. During the return of the data to the user department
520. Electronic data interchange (EDI) is an application system:
A. that performs based on business needs and activities.
B. that provides utility programs for a limited number of application systems.
C. where applications, transactions and trading partners supported remain static over time.
D. that transmits transactions using sophisticated formats and file definitions.
521. An IS auditor evaluates the test results of a major modification to a production system module that deals with payments computation. The IS auditor finds that 50% of the calculations do not match predetermined totals. Which of the following would MOST likely be the next step in the audit?
A. Designing further tests of the calculations that are in error
B. Identifying other variables that may render the test results inaccurate
C. Examining some of the cases with incorrect calculations to confirm the results
D. Documenting the results and preparing a report of findings, conclusions, and recommendations
522. The use of expert systems:
A. facilitates consistent and efficient quality decisions.
B. captures the knowledge and experience of industry experts.
C. cannot be used by IS auditors since they deal with system specific controls.
D. improves system efficiency and effectiveness, not personal productivity and performance.
523. A strength of an implemented quality system based on ISO 9001 is that it:
A. guarantees quality solutions to business problems.
B. enhances improvements in software life cycle activities.
C. provides clear answers to questions concerning cost-effectiveness.
D. does not depend on the maturity of the implemented quality system.
524. As a business process reengineering project takes hold it is expected that:
A. business priorities will remain stable.
B. information technologies will not change.
C. the process will improve product, service and profitability.
D. input from clients and customers will no longer be necessary.
525. Functionality is a characteristic associated with evaluating the quality of software products throughout their lifecycle, and is BEST described as the set of attributes that bear on the:
A. existence of a set of functions and their specified properties.
B. ability of the software to be transferred from one environment to another.
C. capability of software to maintain its level of performance under stated conditions.
D. relationship between the level of performance of the software and the amount of resources used.
526. Which of the following statements relating to business process reengineering (BPR) is FALSE?

600 Questions Pg 39
A. A key factor in a successful BPR is to define the areas to be reviewed and to develop a project plan.
B. An IS auditor is concerned with the key controls that exist in the new business process and not those that once existed.
C. Management is responsible for implementing and monitoring the new process.
D. Advantages of BPR are usually realized when the reengineering process appropriately suits the business and risk.

527. Compensating controls are intended to:
A. reduce the risk of an existing or potential control weakness.
B. predict potential problems before they occur.
C. remedy problems discovered by detective controls.
D. report errors or omissions.

528. Anti-virus software should be used as a:
A. detective control.
B. preventive control.
C. corrective control.
D. compensating control.

529. Which of the following types of data validation and editing are used to determine if a field contains data, and not zeros or blanks?
A. Check digit
B. Existence check
C. Completeness check
D. Reasonableness check

530. Edit controls are considered to be:
A. preventive controls.
B. detective controls.
C. corrective controls.
D. compensating controls.

531. Which of the following provides the ability to verify data values through the stages of application processing?
A. Programmed controls
B. Run-to-run totals
C. Limit checks on calculated amounts
D. Exception reports

532. Which of the following is intended to reduce the amount of lost or duplicated input?
A. Hash totals
B. Check digits
C. Echo checks
D. Transaction codes

533. Software that maintains audit trails for an application system may pose control concerns if:
A. user-IDs are recorded in the audit trail.
B. the details cannot be amended by the security administrator.
C. date time stamps are recorded indicating when actions occurred.
D. users can amend audit trail records when correcting system errors.

534. Which of the following would NOT be used as a completeness check?
A. Parity bits
B. Check digits
C. Batch headers
D. Trailer records

535. Which of the following would an IS auditor do FIRST after the discovery of a Trojan Horse program in the computer system?
A. Investigate the author.
B. Remove any underlying threats.
C. Establish compensating controls.
D. Have the offending code removed.

536. Which of the following database administrator activities is unlikely to be recorded on detective control logs?
A. Deletion of a record
B. Change of a password
C. Disclosure of a password
D. Changes to access rights

537. The editing/validation of data entered from a remote site would be MOST effectively performed at the:
A. central processing site after application program processing.
B. central processing site during application program processing.
C. remote processing site after transmission to the central processing site.
D. remote processing site prior to transmission to the central processing site.

538. Application controls are NOT designed to control the:
A. error log.
B. user.
C. transmittal control.
D. data processing environment.

539. A basic control in a real-time application system is a(n):
A. audit log.
B. console log.
C. terminal log.
D. transaction log.

540. A system user wrote a routine into a payroll application that searched his own payroll number. As a result, if this payroll number should ever fail to appear during the payroll application run, a special routine would generate random numbers that would be placed onto every paycheck. This routine is known as:
A. scavenging.
B. data leakage.
C. piggybacking.
D. a Trojan Horse.

541. Which of the following is NOT an objective of application controls?
A. Detection of the cause of exposure
B. Analysis of the cause of exposure
C. Correction of the cause of exposure
D. Prevention of the cause of exposure

542. In order to prevent the loss of data during the processing cycle, the FIRST point at which control totals should be implemented would be:
A. during data preparation.
B. in transit to the computer.
C. between related computer runs.
D. during the return of the data to the user department.

543. A user connected to a LAN has introduced a newly released virus to the network while copying files from a floppy disk. Which of the following would be the MOST effective control in detecting the existence of the virus?
A. Scan of all floppy disks before use
B. Virus monitor on the network file server
C. Scheduled daily scan of all network drives
D. Virus monitor on user's personal computer

544. When installing new anti-virus software it is NOT necessary to:
A. periodically update the software.
B. uninstall older versions of the software.
C. install the new software on subsequently purchased machines.
D. install the new software on every machine in the same configuration.

545. Functional acknowledgements are used:
A. as an audit trail for EDI transactions.
B. to functionally describe the IS department.
C. to document user roles and responsibilities.
D. as a functional description of application software.

546. An IS auditor who has discovered unauthorized transactions and fraud during a review of EDI transactions is likely to recommend improving:
A. EDI trading partner agreements.
B. environmental controls and a tested business continuity plan.
C. authentication techniques over sending and receiving messages.
D. general program change, operations and systems support controls.

547. Which of the following is NOT an application control likely to be found in an EDI interface?
A. Hash totals
B. Echo checks
C. Record counts
D. Validity checks

548. Which of the following statements regarding the impact of EDI on internal controls is FALSE?
A. Security will be increasingly important.
B. Errors must be identified and followed up more quickly.
C. Fewer opportunities for review and authorization will exist.
D. IPF management will have increased responsibilities over data center controls.

549. A company disposing of personal computers that once were used to store confidential data should first:
A. demagnetize the hard disk.
B. low level format the hard disk.
C. delete all data contained on the hard disk.
D. defragment the data contained on the hard disk.

550. Procedures for controls over processing include:
A. hash totals.
B. reasonableness checks.
C. online access controls.
D. before and after image reporting.

551. A tax calculation program maintains several hundred tax rates. The BEST control to ensure that tax rates entered into the program are accurate is:
A. independent review of the transaction listing.
B. programmed edit check to prevent entry of invalid data.
C. programmed reasonableness checks with 20% data entry range.
D. visual verification of data entered by the processing department.

552. During an audit of the tape management system at a data center an IS auditor discovered that some parameters are set to bypass or ignore the labels written on tape header records. However, the IS auditor did note that there were effective staging and job set-up procedures. In this situation the IS auditor would conclude that the:
A. tape header should be manually logged and checked by the operators.
B. staging and job set-up procedures are not appropriate compensating controls.
C. staging and job set-up procedures compensate for the tape label control weakness.
D. tape management system is putting processing at risk and that the parameters must be set correctly.

553. An IS auditor reviewing database controls discovered that normal processing changes to the database were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation what would be considered an adequate set of compensating controls?
A. Use of DBA user account to make the change.
B. Use of normal user account with access to make changes to the database.
C. Use of DBA user account to make changes, logging of changes, as well as before and after image with the changes being reviewed the following day.
D. Use of normal user account to make changes, logging of change, as well as before and after image changes being reviewed the following day.

554. During a review of the accounts payable (A/P) department the IS auditor discovered that user departments failed to review all invoices prior to submitting them for processing. This occurred because user departments were required to submit invoices to A/P within three business days in order to take advantage of vendor discounts. Given this fact, which of the following control reviews should the IS auditor recommend to ensure that invoices were entered correctly and that discounts were correctly taken?
A. Ensure that invoices were reviewed by A/P.
B. Ensure invoice copies are reviewed after they had been submitted to A/P.
C. Ensure that invoice copies were compared to edit reports that show invoice detail and discount information.
D. Ensure that invoice copies were compared to edit reports that show invoice detail and discount information prior to releasing the payment.

555. IS management has recently informed the IS auditor of its decision to disable certain referential integrity controls in the payroll system to provide users with a faster report generator. This will MOST likely increase the risk of:
A. data entry by unauthorized users.
B. a non-existent employee being paid.
C. an employee receiving an illegal raise.
D. duplicate data entry by authorized users.

556. Which of the following message services provides the strongest protection that a specific action has occurred?
A. Proof of delivery
B. Non-repudiation
C. Proof of submission
D. Message origin authentication

557. The primary reason for replacing checks (cheques) with electronic funds transfer (EFT) systems in the accounts payable area is to:
A. make the payment process more efficient.
B. comply with international EFT banking standards.
C. decrease the number of paper-based payment forms.
D. reduce the risk of unauthorized changes to payment transactions.

558. An IS auditor recommends that an initial validation control should be programmed into a credit card transaction capture application. The initial validation process would MOST likely:
A. check that the type of transaction is valid for that card type.
B. verify the format of the number entered then locate it on the database.
C. ensure that the transaction entered is within the cardholder's credit limit.
D. confirm that the card was not shown as lost or stolen on the master file.

559. A proposed transaction processing application is highly complex with many sources of data capture and many different routes for output, in both paper and electronic form. To ensure that transactions are not lost during processing, the IS auditor is MOST likely to recommend the inclusion of:
A. validation controls.
B. internal credibility checks.
C. clerical control procedures.
D. automated systems balancing.

560. A programmer managed to gain access to the production library, modified a program that was then used to update a sensitive table in the payroll database and restored the original program. Which of the following methods is MOST effective to detect these unauthorized changes?
A. Source code comparison
B. Executable code comparison
C. Integrated Test Facilities (ITF)
D. Periodic review of transaction log files

561. Following a recent reorganization of the company's legacy database, it was discovered that certain records were accidentally deleted. Which of the following controls would have MOST effectively detected this occurrence?
A. Range check
B. Table look-ups
C. Run-to-run totals
D. One-for-one checking

562. A company has recently upgraded its legacy purchase system, enabling EDI transmissions. Which of the following controls should be implemented in the EDI interface in order to provide for efficient data mapping?
A. Key verification
B. One-for-one checking
C. Manual recalculations
D. Functional acknowledgements

563. Which of the following would NOT be a specific control aspect in an ongoing applications review of an enterprise resource planning (ERP) package?
A. Authorization of change management procedures
B. ERP functional authorizations match user organizational tasks and responsibilities
C. Risks associated to the implemented authorizations from an internal control point of view
D. Appropriate mapping of the organization's business process controls with the ERP package

564. Sales orders are automatically numbered sequentially at each of a retailer's multiple outlets. Small orders are processed directly at the outlets, with large orders sent to a central production facility. The MOST appropriate control to ensure that all orders transmitted to production are received accurately would be to:
A. send and reconcile transaction counts and totals.
B. have data transmitted back to the local site for comparison.
C. compare data communications protocols with parity checking.
D. track and account for the numerical sequence of sales orders at the production facility.

565. Which of the following is a compensating control to a programmer having access to accounts payable production data?
A. Processing controls such as range checks and logic edits
B. Reviewing accounts payable output reports by data entry
C. Reviewing system-produced reports for checks (cheques) over a stated amount
D. Having the accounts payable supervisor match all checks (cheques) to approved invoices
566. Which of the following was NOT a critical or complete step used to solve an organization's Year 2000 (Y2k) problem?
A. The Y2k problem must have been brought to the attention and addressed by executive management.
B. Y2k solutions should have solved internal problems that would have occurred if software supporting major business applications were not corrected.
C. Testing to determine which applications would have been affected and the changes that were needed were critical to solving the Y2k problem.
D. The IS auditor should have taken an aggressive approach to reviewing management's Y2k strategic goals and planning to ensure the problem has been addressed.

567. The use of a GANTT chart can:
A. assist in project control.
B. highlight project checkpoints.
C. ensure documentation standards.
D. direct the post-implementation review.

568. Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with an organization's change control procedures?
A. Review software migration records and verify approvals.
B. Identify changes that have occurred and verify approvals.
C. Review change control documentation and verify approvals.
D. Ensure that only appropriate staff can migrate changes into production.

569. Which of the following statements pertaining to program evaluation review technique (PERT) is FALSE?
A. The initial step in designing a PERT network is to define project activities and their relative sequence.
B. An analyst may prepare many diagrams before the PERT network is complete.
C. PERT assumes a perfect knowledge of the times of individual activities.
D. PERT assumes that activities can be started and stopped independently.

570. Given the typical risk ratings below, an IS auditor performing an independent risk rating of critical systems would rate a situation where functions could be performed manually, at a tolerable cost, for an extended period of time as:
A. critical.
B. vital.
C. sensitive.
D. non-critical.

571. A retail company recently installed data warehousing client software in multiple, geographically diverse sites. Due to time zone differences between the sites, updates to the warehouse are not synchronized. This will affect which of the following the MOST?
A. Data availability
B. Data incompleteness
C. Data redundancy
D. Data inaccuracy

572. Which of the following information valuation methods is LEAST likely to be used during a security review?
A. Processing cost
B. Replacement cost
C. Unavailability cost
D. Disclosure cost

573. A sequence of bits appended to a digital document that is used to secure an e-mail sent through the Internet is called a:
A. digest signature.
B. electronic signature.
C. digital signature.
D. hash signature.

574. Application controls ensure that when inaccurate data is entered into the system, the data is:
A. accepted and processed.
B. accepted and not processed.
C. not accepted and not processed.
D. not accepted and processed.

575. The BEST method of proving the accuracy of an electronically produced tax calculation is by:
A. detailed visual review and analysis of the source code of the calculation programs.
B. recreating program logic using generalized audit software to calculate monthly totals.
C. preparing simulated transactions for processing and comparing to predetermined results.
D. automatic flowcharting and analysis of the source code of the calculation programs.

576. An IS auditor performing a review of application controls would evaluate the:
A. efficiency of the application in meeting the business processes.
B. impact of any control weakness discovered.
C. business processes served by the application.
D. optimization in the use of the applications.

577. In integrated systems, input/output controls must be reviewed in:
A. systems receiving output from other systems.
B. systems sending output to other systems.
C. systems sending and receiving data.
D. interfaces between the two systems.

578. During a business process reengineering (BPR) of a financial institution's teller transaction activities an IS auditor should evaluate:
A. the impact of removed controls.
B. the cost of new controls.
C. BPR project plans.
D. continuous improvement and monitoring plans.

579. Data quality in a data warehouse is achieved by:
A. cleansing.
B. restructuring.
C. ensuring the credibility of source data.
D. transformation.
580. A characteristic of a data warehouse is:
A. object orientation.
B. subject orientation.
C. departmental specific.
D. volatile databases.

581. Which of the following is an implementation risk within the process of decision support systems?
A. Management control
B. Semi-structured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processes

582. Once an organization has finished the business process reengineering (BPR) of all its critical operations, the IS auditor would MOST likely focus on a review of:
A. pre-BPR process flowcharts.
B. post-BPR process flowcharts.
C. BPR project plans.
D. continuous improvement and monitoring plans.

583. All of the following are input controls EXCEPT:
A. batch totals.
B. monetary totals.
C. run-to-run totals.
D. hash totals.

584. An IS auditor performing a review of the electronic funds transfer (EFT) operations of a retailing company would verify that the customer's credit limit is verified before funds are transferred by reviewing the EFT:
A. system's interface.
B. switch facility.
C. personal identification number generating procedure.
D. operation back-up procedures.

585. A manufacturer has been purchasing materials and supplies for its business through an e-commerce application. Which of the following should this manufacturer rely on to prove that the transactions were actually made?
A. Reputation
B. Authentication
C. Encryption
D. Non-Repudiation

586. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are filled in and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy:
A. payroll reports should be compared to input forms.
B. gross payroll should be recalculated manually.
C. checks (cheques) should be compared to input forms.
D. checks (cheques) should be reconciled with output reports.

587. Prices are charged on the basis of a standard master file rate that changes as volume increases. Any exceptions must be manually approved. What is the MOST effective automated control to help ensure that all price exceptions are approved?
A. All amounts are displayed back to the data entry clerk, who must verify them visually.
B. Prices outside the normal range should be entered twice to verify data entry accuracy.
C. The system 'beeps' when price exceptions are entered and prints such occurrences on a report.
D. A second-level password must be entered before a price exception can be processed.

588. A general hardware control that helps to detect data errors when data are communicated from one computer to another is known as a:
A. duplicate check.
B. table look up.
C. validity check.
D. parity check.

589. An independent software program that connects two otherwise separate applications to share computing resources across heterogeneous technologies is known as:
A. middleware.
B. firmware.
C. software.
D. embedded systems.

590. Using test data as part of a comprehensive test of program controls in a continuous online manner is called:
A. test data/deck.
B. base case system evaluation.
C. integrated test facility (ITF).
D. parallel simulation.

591. Which of the following ensures completeness and accuracy of accumulated data?
A. Processing control procedures
B. Data file control procedures
C. Output controls
D. Application controls

592. Access rules and logic are normally included in which of the following documents?
A. Technical reference documentation
B. User manuals
C. Functional design specifications
D. System development methodology documents

593. Which of the following represents the GREATEST potential risk in an EDI environment?
A. Transaction authorization
B. Loss or duplication of EDI transmissions
C. Transmission delay
D. Deletion or manipulation of transactions prior to or after establishment of application controls

594. The need for the modification of validation and editing routines to improve efficiency is normally indicated by:
A. excess overrides.
B. an override activity report.
C. error control and correction.
D. separation of duties.
595. Which of the following application controls indicate failures in input or processing controls?
A. Process control procedures
B. Data file control procedures
C. Output control procedures
D. Data integrity tests

596. Which of the following translates e-mail formats from one network to another so that the message can travel through all the networks?
A. Gateway
B. Protocol converter
C. Front-end communication processor
D. Concentrator/multiplexor

597. In an EDI process, the device which transmits and receives electronic documents is the:
A. communications handler.
B. EDI translator.
C. application interface.
D. EDI interface.

598. A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:
A. reasonableness check.
B. parity check.
C. redundancy check.
D. check digits.

599. Which of the following substantive tests examine the accuracy, completeness, consistency and authorization of data?
A. Data integrity test
B. Relational integrity test
C. Domain integrity test
D. Referential integrity test

600. Which of the following data validation edits is effective in detecting transposition and transcription errors?
A. Range check
B. Check digit
C. Validity check
D. Duplicate check
Answers
1 D 56 B 111 C 166 B 221 A 276 B 331 C 386 A 441 C 496 D 551 A
2 D 57 A 112 C 167 D 222 B 277 A 332 C 387 C 442 D 497 A 552 C
3 D 58 A 113 D 168 B 223 A 278 D 333 B 388 B 443 A 498 A 553 C
4 C 59 A 114 D 169 A 224 C 279 B 334 C 389 A 444 A 499 A 554 D
5 C 60 D 115 C 170 C 225 D 280 C 335 C 390 C 445 B 500 A 555 B
6 C 61 A 116 C 171 A 226 B 281 A 336 A 391 A 446 C 501 B 556 B
7 D 62 D 117 B 172 B 227 D 282 C 337 B 392 A 447 A 502 C 557 A
8 A 63 D 118 B 173 D 228 A 283 D 338 B 393 B 448 B 503 A 558 B
9 D 64 C 119 D 174 A 229 C 284 B 339 D 394 A 449 A 504 A 559 D
10 A 65 B 120 B 175 D 230 B 285 A 340 D 395 B 450 A 505 D 560 D
11 C 66 B 121 A 176 A 231 B 286 B 341 A 396 C 451 C 506 D 561 C
12 B 67 B 122 D 177 D 232 D 287 A 342 D 397 D 452 D 507 C 562 D
13 A 68 C 123 A 178 B 233 D 288 A 343 C 398 B 453 B 508 D 563 D
14 A 69 A 124 B 179 A 234 A 289 A 344 A 399 D 454 B 509 B 564 A
15 B 70 C 125 B 180 C 235 A 290 A 345 B 400 B 455 C 510 C 565 D
16 C 71 B 126 D 181 A 236 C 291 C 346 A 401 A 456 D 511 B 566 B
17 A 72 A 127 A 182 A 237 D 292 A 347 D 402 A 457 C 512 A 567 A
18 C 73 D 128 C 183 A 238 C 293 C 348 C 403 C 458 C 513 D 568 B
19 B 74 A 129 C 184 D 239 C 294 A 349 A 404 A 459 D 514 C 569 C
20 B 75 B 130 C 185 A 240 B 295 B 350 D 405 B 460 D 515 B 570 C
21 C 76 C 131 A 186 D 241 A 296 C 351 A 406 A 461 D 516 C 571 B
22 B 77 B 132 A 187 B 242 A 297 A 352 C 407 C 462 B 517 B 572 A
23 C 78 C 133 D 188 D 243 A 298 C 353 C 408 A 463 C 518 A 573 C
24 A 79 D 134 B 189 B 244 B 299 C 354 C 409 C 464 C 519 A 574 C
25 D 80 D 135 C 190 A 245 C 300 C 355 C 410 C 465 D 520 A 575 C
26 B 81 A 136 C 191 D 246 C 301 C 356 D 411 D 466 B 521 C 576 B
27 C 82 A 137 C 192 D 247 B 302 D 357 B 412 B 467 D 522 A 577 C
28 B 83 B 138 C 193 D 248 C 303 D 358 B 413 A 468 C 523 B 578 A
29 D 84 C 139 B 194 D 249 B 304 B 359 D 414 A 469 D 524 C 579 C
30 C 85 D 140 C 195 C 250 A 305 B 360 C 415 C 470 B 525 A 580 B
31 B 86 B 141 A 196 B 251 A 306 B 361 D 416 C 471 A 526 B 581 C
32 A 87 D 142 C 197 A 252 D 307 B 362 C 417 D 472 A 527 A 582 A
33 A 88 A 143 C 198 A 253 B 308 B 363 A 418 C 473 A 528 B 583 C
34 C 89 B 144 D 199 B 254 B 309 A 364 D 419 C 474 A 529 C 584 A
35 C 90 C 145 C 200 C 255 A 310 A 365 D 420 D 475 C 530 A 585 D
36 A 91 C 146 B 201 A 256 C 311 C 366 D 421 B 476 D 531 B 586 A
37 B 92 B 147 A 202 C 257 A 312 A 367 A 422 D 477 D 532 A 587 D
38 C 93 D 148 B 203 B 258 C 313 C 368 D 423 D 478 D 533 D 588 D
39 B 94 C 149 C 204 D 259 C 314 C 369 C 424 D 479 B 534 B 589 A
40 D 95 D 150 A 205 D 260 A 315 A 370 A 425 C 480 C 535 D 590 B
41 C 96 D 151 D 206 C 261 C 316 A 371 D 426 D 481 D 536 C 591 A
42 A 97 A 152 C 207 A 262 D 317 A 372 B 427 D 482 C 537 D 592 A
43 D 98 C 153 C 208 B 263 B 318 A 373 A 428 A 483 B 538 D 593 A
44 D 99 B 154 A 209 D 264 A 319 A 374 A 429 D 484 C 539 D 594 A
45 A 100 B 155 D 210 D 265 C 320 B 375 C 430 C 485 A 540 D 595 D
46 A 101 D 156 C 211 D 266 A 321 C 376 C 431 C 486 C 541 B 596 A
47 B 102 D 157 C 212 A 267 B 322 B 377 A 432 C 487 A 542 A 597 A
48 B 103 D 158 D 213 A 268 C 323 A 378 D 433 C 488 C 543 C 598 C
49 C 104 A 159 A 214 B 269 C 324 A 379 A 434 B 489 B 544 B 599 A
50 C 105 B 160 D 215 C 270 D 325 A 380 C 435 B 490 A 545 A 600 B
51 A 106 A 161 C 216 D 271 B 326 A 381 D 436 A 491 A 546 C
52 D 107 B 162 C 217 D 272 A 327 A 382 A 437 B 492 C 547 B
53 C 108 D 163 B 218 B 273 B 328 A 383 C 438 B 493 C 548 D
54 A 109 C 164 C 219 D 274 A 329 C 384 A 439 B 494 C 549 A
55 A 110 A 165 B 220 D 275 D 330 D 385 B 440 C 495 A 550 B