IT Governance Past Paper PDF, Institute of Chartered Accountants of Bangladesh
Summary
This is a sample question paper for IT Governance of Professional Level from the Institute of Chartered Accountants of Bangladesh. It contains multiple-choice questions on various IT governance topics, including IS audit, risk assessment, and ISO standards. The paper is intended to be used for practice.
Full Transcript
The Institute of Chartered Accountants of Bangladesh IT Governance Professional Level Sample Question Paper Time allowed: 04 Hours Full Marks: 100 (This sample paper consists of 150 MCQ questions each worth equal marks) Question: 1 IS audit has changed dramatically over the last ten years in terms of: A. The relationship between IS and financial audit B. The focus of the IS audit C. Technologies employed D. All of the above Question: 2 An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may affect? A. Control risk B. Compliance risk C. Inherent risk D. Residual risk Question: 3 The IS auditor is to obtain ________________ evidence to achieve the audit objectives effectively. A. solid, hard and conclusive B. sufficient, relevant and useful C. direct, to the point and persuasive D. All of the above Question: 4 Key elements of ISO - A. High level structure B. Identical core text C. Common terms and core definitions D. All the above Page 1 of 33 Question: 5 Auditing Standards provide minimum guidance for the auditor that helps determine the extent of audit steps and procedures that should be applied to fulfill - A. Audit specifications B. Guidelines C. Audit guidelines D. Audit Objectives Question: 6 What is the title of ISO 27001:2013? A. Information Security Management B. Auditing Information Security C. Information Technology Security D. None Question: 7 IS Audit process collects and evaluates evidence to determine whether the information systems and related resources A. can bring threats for organization which may lead to financial loss. B. adequately safeguard assets. C. restrict the rights of run, distribute, study and improve to user of the software. D. protect organization from any loss from reduced sales revenue. 
Question: 8 Which of the following outlines the overall authority to perform an IS audit? A. The audit scope, with goals and objectives B. A request from management to perform an audit C. The approved audit charter D. The approved audit schedule Question: 9 To which domain can ITIL and ISO 20000 be applied? A. Activity management B. IT component management C. IT governance D. IT service management Page 2 of 33 Question: 10 Which framework advises to make sure the IT objectives and the business objectives are aligned and control the effective implementation of joined decisions A. CobiT B. eSCM C. ITIL D. VALIT Question: 11 What is an important advantage of ISO 27001 accreditation? A. To show compliance to legislation and regulations B. To show control of suppliers C. To show customer orientation D. To show financial liability Question: 12 COBIT stands for Control Objectives for Information and Related ___________ A. Tools B. Terminology C. Terms D. Technology Question: 13 Which method covers the following areas: value governance, portfolio management and investment governance? A. ISO 14001 B. ISO 9001 C. ITIL D. Val IT Question: 14 Where does the P in the PDCA cycle stand for? A. Plan B. Procedure C. Process D. Project Page 3 of 33 Question: 15 An IS auditor has been asked to review the security controls for a critical web-based order system shortly before the scheduled go live date. The IS auditor conducts a penetration test which produces inconclusive results and additional testing cannot be concluded by the completion date agreed on for the audit. Which of the following is the BEST option for the IS auditor? A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing. B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive. C. 
Request a delay of the go live date until additional security testing can be completed and evidence of appropriate controls can be obtained. D. Inform management that audit work cannot be completed within the agreed time frame and recommend that the audit be postponed. Question: 16 An IS auditor is conducting a compliance audit of a health care organization operating an online system that contains sensitive health care information. Which of the following should an IS auditor FIRST review? A. Network diagram and firewall rules surrounding the online system B. IT infrastructure and IS department organizational chart C. Legal and regulatory requirements regarding data privacy D. Adherence to organizational policies and procedures Question: 17 A financial services company has a web site used by its independent agents to administer their customer accounts. During a review of logical access to the system, an IS auditor notices that user IDs are shared among agents. The MOST appropriate action for an IS auditor to take is to: A. Inform the audit committee that there is a potential issue. B. Request a detailed review of audit logs for the IDs in question. C. Document the finding and explain the risk of using shared lDs. D. Contact the security manager to request that the IDs be removed from the system. Question: 18 An auditor should serve in the interest of _________ in a lawful manner, while maintaining high standards of conduct and character and not discrediting their profession or the Association. A. Stakeholders B. Shareholders C. Public D. Auditors Page 4 of 33 Question: 19 How does Laws and Regulations effect IS Audit process? A. Legal requirements (laws, regulatory and contractual agreements) placed on audit. B. Legal requirements placed on the auditee and its systems, data management, reporting etc. C. All of the above D. None of the above Question: 20 Software audits may be conducted for a number of reasons, including A. Verifying licensing compliance. B. 
Monitoring for quality assurance (QA). C. Compliance with industry standards. D. All of the above Question: 21 Increasing regulation of organizations significantly hinders the IS auditor’s ability to verify the adequacy of internal controls through the use of sampling techniques. A. True B. False Question: 22 A standard is a document that provides ___________, ____________, ___________ or characteristics that can be used consistently to ensure that materials, products, processes and services are fit for their purpose. A. Requirements, Specifications, Guidelines B. Guidelines, Requirements, Products C. Characteristics, Requirements, Materials D. Requirements, Guidelines, Process Question: 23 In which of the following model regression testing is a major part of the life cycle? A. Waterfall Model B. V Model C. Code and Fix Model D. Iterative Model Page 5 of 33 Question: 24 Successful SDLC projects are measured three ways though majority of SDLC projects fails to achieve even two of these goals. Which of the following is NOT one of the three goals? A. Creating a quality product B. Creating contract terms C. Completing at budgeted cost D. Completing on approved time table Question: 25 Which one of the following statements of testing SDLC projects is NOT correct? A. Unit testing completed for each system element B. Integrated testing completed for each system element C. System testing completed for online performance and data storage/retrieval D. Stress testing completed for overall system and related interfaces. Question: 26 The ___ is the duration of time and a service level within which a business process must be restored after a disaster (or disruption) in order to avoid unacceptable consequences associated with a break in business continuity. A. RPO B. RTO C. CDD D. IDS Question: 27 The ___ is the point in time to which you must recover data as defined by your organization. 
This is generally a definition of what an organization determines is an "acceptable loss" in a disaster situation. A. RPO B. RTO C. CDD D. IDS Page 6 of 33 Question: 28 If the recovery point objective (RPO) is low, which of the following techniques would be the most appropriate solutions? A. Clustering B. Database shadowing C. Remote journaling D. Tape backup Question: 29 Software validation is responsibility of A. Developer B. Designer C. Tester D. QA Team Question: 30 Hot Site is a term used in disaster recovery to describe a location that an organization can move to after a disaster occurs. What does a Hot Site actually mean? A. A location that can resume some essential operations but obviously not all B. A location that does not have the capacity to resume all operations but has the potential to give enough time C. A location fully equipped to resume operations D. All of the above Question: 31 Which of the following BEST defines Business Continuity? A. The ability to recover all your IT systems within 24 hours. B. The ability to continue delivering agreed products and services during disruption. C. An organizational cultural discipline for best practice. D. A method for preventing disruption to all products and services. Question: 32 The FIRST step in preparing a new BCP or in updating an existing one _________________ of those key processes that are responsible for both the permanent growth of the business and for the fulfilment of the business goals. A. is directly proportional to the impact on the organization Page 7 of 33 B. is to identify the business processes of strategic importance C. is generally followed by the business and supporting units D. is a critical component Question: 33 Which of the risk analysis methods is generally performed during a business impact analysis (BIA)? A. A quantitative risk analysis B. A qualitative risk analysis C. A semi quantitative risk analysis D. 
None of the above Question: 34 Business Continuity Planning Life Cycle is A. Analysis, Solution Design, Implementation, Testing & Acceptance, Maintenance. B. Risk Assessment, Business Impact Analysis, Strategy & Plan Development, Test Train & Maintain. C. Measure, Identify, Analyze, Design, Execute. D. All of the above. Question: 35 Digital dashboard, also known as A. Artificial intelligence tool B. Business intelligence tool. C. Augmented reality tool D. Security tool Question: 36 Incidents that cause a negative material impact on business processes and may affect other systems, departments or even outside clients should be classified as; A. Negligible B. Minor C. Major D. Crisis Page 8 of 33 Question: 37 An IS auditor is auditing Business Continuity Plan of an entity, his MOST important task should be: A. Understanding and evaluating business continuity strategy and its connection to business objectives B. Reviewing the BIA findings to ensure that they reflect current business priorities and current controls C. Reviewing the results from previous tests performed D. Evaluating cloud-based mechanisms Question: 38 A paper walk-through of BCP, involving major players in the plan's execution who reason out what might happen in a particular type of service disruption and where IS auditor may walk through the entire plan or just a portion. This is the description of: A. Full operational test B. Preparedness test C. Desk-based evaluation D. None of the above Question: 39 Which of the following is a characteristic of Agile development? A. Test-driven development B. Implement the simplest solution to meet today's problem C. Continual feedback from customer D. All of the above Question: 40 Which of the following does not refer Business application? Business application refers to any application: A. Important to running business. B. Business applications can range from large line-of-business systems to specialized tools. C. 
Could be commercial off-the-shelf products or customized third-party systems or internally developed systems. D. Consider all the applications that run only client computers not servers Question: 41 A backup rotation scheme is a system of backing up data to computer media (such as tapes) that_____________. Page 9 of 33 A. requires developing a strategic plan B. designs the IT function to match the organization's needs C. minimizes, by re-use, the number of media used D. complies with external regulations, laws, and contracts Question: 42 E-commerce is often seen as simply buying and selling using the internet but do the following perspectives also apply to e-commerce? A. A service perspective B. A communications perspective C. A business process perspective D. All of the above Question: 43 During the SDLC, several risks can become real problems. Which of the following is the greatest concern to the auditor? A. User acceptance testing lasted only 1 hour. B. The depth and breadth of user operation manuals is not sufficient. C. The project exceeded a 14 percent cost overrun from the original budget. D. User requirements and objectives were not met. Question: 44 Which of the following is the function of an eCommerce software? A. Product configuration B. Web traffic data analysis C. All of the above D. None of the above Question: 45 Which of the following is the GREATEST benefit of B2C eCommerce? A. Elimination of intermediate organizations between the producer and the consumer. B. Enterprises can sell to a global market. C. Reduce the use of newspapers advertisement and sell personal items. D. Many goods and services are cheaper when purchased via the Web. Page 10 of 33 Question: 46 Which of the following would be included in an IS strategic plan? A. Brochures for future hardware purchases B. At least a six-month list of goals from the IT manager C. Target dates for development projects D. 
Plans and directives from senior non-IT managers Question: 47 Why is the knowledge of IT governance of an enterprise fundamental to the work of the IS auditor? It helps to understand the enterprise’s: A. IT strategy and objectives. B. identify risks. C. establish an audit timeline. D. discuss audit deliverables. Question: 48 What is the primary purpose of the IT steering committee? A. Make technical recommendations B. Identify business issues and objectives C. Review vendor contracts D. Specify the IT organizational structure Question: 49 Which of the following functions should be separated from the others if segregation of duties cannot be achieved in an automated system? A. Origination B. Authorization C. Correction D. Reprocessing Question: 50 The Software Engineering Institute’s Capability Maturity Model (CMM) is best described by which of the following statements? A. Measurement of resources necessary to ensure a reduction in coding defects B. Documentation of accomplishments achieved during program development C. Relationship of application performance to the user’s stated requirement D. Baseline of the current progress or regression Page 11 of 33 Question: 51 Which of the following is the MOST critical control over database administration? A. Approval of DBA activities B. Segregation of duties C. Review of access logs and activities D. Review of the use of database tools. Question: 52 Governance of Enterprise IT (GEIT) is the responsibility of the: A. shareholders and board of directors. B. board of directors. C. board of directors and executive management. D. management. Question: 53 Which of the following statements is TRUE concerning the steering committee? A. Steering committee membership is composed of directors from each department. B. The steering committee focuses the agenda on IT issues. C. Absence of a formal charter indicates a lack of controls. D. The steering committee conducts formal management oversight reviews. 
Question: 54 The Capability Maturity Model (CMM) contains five levels of achievement. Which of the following answers contains three of the levels in proper sequence? CMM: Initial, Managed, Repeatable, Optimized, Defined (not in order) A. Initial, Managed, Repeatable B. Initial, Managed, Defined C. Defined, Managed, Optimized D. Managed, Defined, Repeatable Question: 55 An IS auditor should ensure that IT governance performance measures: A. evaluate the activities of IT oversight committees. B. provide strategic IT drivers. C. adhere to regulatory reporting standards and definitions D. evaluate the IT department. Page 12 of 33 Question: 56 An IS auditor is auditing the controls related to employee termination. Which of the following is the most important aspect to be reviewed? A. Company staff members are notified about the termination. B. All login accounts of the employee are terminated. C. The details of the employee have been removed from active payroll files. D. Company property provided to the employee has been returned. Question: 57 Which of the following is NOT TRUE concerning the process of terminating personnel? A. The company must follow HR termination procedures. B. Any company property in possession of the employee must be returned. C. The employee must be allowed to copy any personal files from their computer. D. The employee’s recent history of login account activity should be reviewed in the audit log. Question: 58 Which of the following represents the best explanation of the balanced scorecard? A. Provides IT benchmarking against standards B. Ensures that the IT strategy supports the business strategy C. Measures IT help desk performance D. Specifies procedures for equal opportunity employment Question: 59 What is the purpose of job descriptions and the change control review board? A. Provide optimum allocation of IT resources B. Eliminate disputes over who has the authority C. Identify the hierarchy of personnel seniority D. 
Provide guidance to the IT steering committee Question: 60 While auditing Cloud which of the following the IS auditor should be additionally aware of? A. Added consultancy opportunity B. Legal requirements C. Intimidation D. Cyber threat Page 13 of 33 Question: 61 What is the primary purpose of employee contracts? A. Define the relationship as work for hire B. Prevent individuals from ever working for competitors C. Enforce the requirement to join a union D. Specify the terms of employee benefits Question: 62 The organization that outsources is effectively reconfiguring its __________by identifying those activities that are core to its business, retaining them and making noncore activities candidates for outsourcing: A. Key performance indicators. B. Processes. C. Value chain. D. Organogram. Question: 63 What is the simple definition of strategy? A. Ethical behavior of the executive management team to follow an iterative process of development B. Using best practices in a uniform application C. Implementing standards and procedures in a multilayered approach to accomplish the business requirements D. Fundamental change in the way we do business Question: 64 Intruders is a most common security threat which referred to as A. Account Access. B. Data Access. C. Hacker or Cracker. D. Computer Access. Question: 65 The National Institute of Standards and Technology (NIST) reports that 64% of software vulnerabilities stem from programming errors and not a lack of security features. A. True B. False Page 14 of 33 Question: 66 Many developers believe that their embedded devices are not targets for hackers because their software isn’t used by as many people as, say, an operating system such as Windows. How do you consider this belief? A. Wrong B. Right C. Partially wrong D. Partially right Question: 67 Which of the following is a governance problem that may occur when projects are funded under the “sponsor pays” method? A. Deliverables are determined by the sponsor. B. 
The definition of quality may be insufficient. C. The sponsor may not implement the proper controls. D. The sponsor may not have enough funding. Question: 68 One of the main objectives of the outsourcing governance process, as defined in the outsourcing contract, is to ensure continuity of service at the appropriate levels and profitability and added value to sustain the commercial viability of both parties. A. True B. False Question: 69 Which of the following is not a reason cited in the text that the balanced scorecard (BSC) could fail? A. Politics of losing the department budget B. Top management provides full support C. Lack of BSC training and awareness D. Empire building by the department head Question: 70 Which one of these is not a good reason for an organization to decide to reverse its outsourcing decision and bring the work back to be performed in-house? A. Realizing a loss of control B. Recognizing added delays in the overall delivery of service to their customers C. Recognizing added expense after considering the total cost of long-distance supervision and price to make changes D. Wanting to copy a competitor without doing the hard research Page 15 of 33 Question: 71 Which statement about the Capability Maturity Model is not true? A. Level 3 provides quantitative measurement of the process output. B. Level 3 processes have published objectives, measurements, and standards that are in effect across departmental boundaries. C. Level 5 provides maximum control in outsourcing because the definition of requirements is very specific. D. Level 5 maturity converts a product into a commodity and allows a company to pay less and demand unquestionable adherence to management’s authority. Question: 72 Which of the following statements has the best correlation to the definition of strategy? A. Defines the supporting techniques to be used in support of the business objective B. Defines the necessary procedures to accomplish the goal C. 
Defines guidelines to follow in a recipe for success D. Defines what business we are in for the next three years Question: 73 Why is change control considered a governance issue? A. It forces separation of duties to ensure that at least two people agree with the decision. B. Change control increases the number of people employed and therefore provides a valuable economic advantage. C. It allows management to hire less-skilled personnel and still get the same results. D. Proper implementation of governance saves money by reducing the need for change control. Question: 74 In order for management to effectively monitor the compliance of processes and applications, which of the following would be the MOST ideal? A. A central document repository B. A knowledge management system C. A dashboard D. Benchmarking Question: 75 The policy that includes information for all information resources (hardware, software, networks, Internet, etc.) and describes the organizational permissions for the usage of IT and information-related resources is: Page 16 of 33 A. Access Control Policies B. Information Security Policy C. End-user Computing Policy D. Acceptable Use Policy Question: 76 Which one of the following should be used as a first step to IT security? A. Full security evaluation B. Audit plan C. Follow-up access violations D. Security baseline Question: 77 An IS auditor is auditing password encryption policy of an organization where passwords are stored in an encrypted form called a “hash”. She was testing the security strength against attacker’s attempt to steal the file of hashed passwords and then break the hashed passwords using a precomputed table for reversing cryptographic hash functions. Which of the following attacks she was referring? A. CrackStation B. Rainbow tables C. Dictionary attack D. 
Hash cracking Question: 78 Encryption plays a key role in the protection of sensitive and valuable information but key exchange between sender and recipient of information must occur over a secure channel. It is the MAIN challenge of which of the cryptographic systems? A. Public Key Infrastructures B. Public Key Cryptosystems C. Private Key Cryptosystems D. Digital Signatures Question: 79 Which of these would refer to the exploration of the apt, ethical behaviors that are related to the digital media platform and online environment? A. Cyber-safety B. Cybersecurity C. Cyberlaw D. Cyber-ethics Page 17 of 33 Question: 80 An IS auditor is auditing all defined and documented responsibilities and accountabilities that are established in the organization and communicated to all relevant personnel and management. When he reads that roles & responsibilities of the committee is to discuss security issues, and establish and approve security practices it is the ____ A. IS/IT Security Advisory Group B. Information Security Steering Committee C. IS/IT Steering Committee D. IS/IT Risk Management Committee Question: 81 What is the FIRST and most important security planning steps to Manage enterprise IT environment? A. Consider availability, compatibility, reliability, scalability, performance and security. B. Report the finding to management as a deficiency. C. Consider the overall control structure of the security solution desired by the management. D. Possibility that a threat event or potential exposure can occur. Question: 82 There is an increasing reliance on external service providers as partners in achieving the growth targets and as ________________. A. a means of protecting your own firm B. relinquishing control C. effective cost alternatives D. they save time and money Question: 83 An IS auditor is auditing adoption of digital signature by the CFO of an FI as a measure of cost savings through workflow efficiencies in the accounting department. 
What is the MAIN purpose of digital signature? A. to improve internal control and the authenticity of data B. to share data without the fear of disclosing sensitive information C. to authenticate a message and to guarantee its integrity D. to identify and validate each transaction paperless Page 18 of 33 Question: 84 When Safeguards for protecting data and data collections based on their classification is additional, unsupervised remote access by 3rd party for technical support not allowed; it indicates the information asset classified as A. Classified B. Top secret C. Restricted D. Critical Question: 85 The FIRST Feature for 2FA (Factor authentications): A. Clock synchronization between a token generator and an authentication server. B. New resources will be added for new applications in a timely manner. C. PIN assigned to user. D. Token automatically generated in hardware every 30 seconds Question: 86 It is very difficult to ensure the return or destruction of confidential information disclosed to a third party at the end of the agreement. Which of the following is the MOST effective control when addressing security in engaging 3rd party vendors? A. Vendor access corresponds to the service level agreement (SLA). B. Vendor to have certified compliance with recognized security standards, e.g., ISO 27001. C. Administrator access is provided for a limited period. D. Digital Rights Management (DRM). Question: 87 Network infrastructure refers to hardware, software, and services that enable network connectivity, communication, operation, and management. If your network is not secure, it presents a significant vulnerability to various attacks such as denial-of-service, malware, spam, and unauthorized access. Which of the following is the MOST significant to ensure network security? A. Malware protection B. Passwords C. Monitoring and logging D. All of the above Page 19 of 33 Question: 88 Electromagnetic emissions from a terminal represent an exposure because they: A. 
affect noise pollution. B. disrupt processor functions. C. produce dangerous levels of electric current. D. can be detected and displayed. Question: 89 A MAJOR risk of using single sign-on (SSO) is that it: A. has a single authentication point. B. represents a single point of failure. C. causes an administrative bottleneck. D. leads to a lockout of valid users. Question: 90 Which one of the following is the MOST important use of data encryption for protecting messages from disclosure? A. Data access rules B. Data mining C. Data migration D. Data transmission Question: 91 A hacker could obtain passwords without the use of computer tools or programs through the technique of: A. social engineering. B. sniffers. C. back doors. D. Trojan horses. Question: 92 An IS Auditor is conducting audit of Network Infrastructure Security of a large corporate, which of the following does she consider critical? Network control functions should be performed by an operator who is A. having proper audit skill B. cyber security expert C. technically qualified D. part of senior management Page 20 of 33 Question: 93 IS Auditor should assess that whether before appointing an outsourcing service provider the organization has carried out proper due diligence and also has a process to evaluate activities of the service provider based on following ______________. A. Objective behind Outsourcing B. Economic viability C. Risks and security concerns D. All of the above Question: 94 Which of the following would BEST maintain the confidentiality of data transmitted over a network? A. Cables are secured. B. A hash is appended to all messages. C. Network devices are hardened. D. Data are encrypted before transmission. Question: 95 Managing the services provided to the customer is a critical piece of the IS organization business, because it is the point from which the relationship is managed. 
Which of the following is the MOST critical to manage relationship between organization and outsourced service provider? A. Due diligence B. Periodic evaluation C. SLA D. Contingency plan Question: 96 To ensure that 3rd party contractors understand their responsibilities and are suitable for the roles for which they are considered is A. Screening B. Management responsibilities C. Employee responsibilities D. None of the above Page 21 of 33 Question: 97 To detect software licensing violations, the IS auditor should FIRST review: A. Obtain copies of all software contracts to determine the nature of license agreements. B. Scan the entire network to produce a list of installed software. C. The listing of all standard, used and licensed application and system software. D. Compare the license agreements with installed software, noting any violations. Question: 98 An IS Auditor is carrying out audit of software licensing and digital rights of an NGO where he found that the NGO uses software which are free initially but to be purchased after a brief trial period having limited functionality compared to the full commercial version. He understands that the organization acquired __________ A. Open source software B. Freeware software C. Shareware software D. None of the above Question: 99 Logical access control filters used to validate access credentials that cannot be controlled or modified by normal users or data owners are in fact A. Discretionary Access Controls B. Mandatory Access Controls C. Role-Based Access Control D. Rule-Based Access Control Question: 100 When an IS auditor is reviewing the access control system of a telco that prevents unauthorized access and modification to the company’s sensitive data and the use of system critical functions he will look for that the ACS is capable of: A. identification, authentication and access authorization B. unnecessary bypass security features are deactivated C. logging and reporting of user activities D. 
all of the above Question: 101 An IS auditor is reviewing IT security of an Oil Company, when he found evidence of stealing user data, such as internet usage, credit card, and bank account details. Which of the following that collects personal and sensitive information that it sends to advertisers, data collection firms, or malicious actors for a profit? Page 22 of 33 A. Adware B. Spyware C. Malware D. VMware Question: 102 Which of the following user profiles should be of MOST concern to the IS auditor, when performing an audit of an EFT system? A. Three users with the ability to capture and verify their own messages B. Five users with the ability to capture and send their own messages C. Five users with the ability to verify other users and to send their own messages D. Three users with the ability to capture and verify the messages of other users and to send their own messages Question: 103 In information technology, logical access controls are tools and protocols used for: A. Appropriate, feasible, admissible and applicable standards. B. Identification, accountability, development and implementation. C. Identification, authentication, authorization, access, auditing and accountability. D. Confidentiality, integrity, availability and reputation. Question: 104 An IS auditor is auditing system availability, i.e. whether the information is accessible and modifiable in a timely fashion by those authorized to do so. Which one is MOST significant to ensure high availability of information assets? A. Eliminate single points of failure B. Design for reliability C. Detect failures as they occur D. Authentication server for network Question: 105 All Institutional Information Assets should be classified into one of three sensitivity tiers, or classifications. A. Tier 1: Public Information, Tier 2: Internal Information, Tier 3: Restricted Information B. Tier 1: Company only Information, Tier 2: Unclassified Information, Tier 3: Restricted Information C. 
Tier 1: Public Information, Tier 2: Internal Information, Tier 3: Regulator Information
D. Tier 1: Classified Information, Tier 2: Unclassified Information, Tier 3: Top Secret Information

Question: 106
IS auditors should determine that all remote access capabilities used by an organization provide effective security for the organization's information resources; remote access security controls should be ________________ for authorized users operating outside the trusted network environment.
A. assessed for remote access points of entry
B. documented and implemented
C. evaluated for cost effectiveness
D. as per service level agreements (SLAs)

Question: 107
Which of the following controls should the auditor investigate when auditing mobile devices (laptops, tablets and smartphones) used under a Bring Your Own Device (BYOD) arrangement?
A. Alignment with organization strategy.
B. Risk assessment of mobile devices.
C. Policies governing the use of devices.
D. All of the above.

Question: 108
What is the FIRST thing an IS auditor should review when auditing remote access into a computer facility?
A. Whether all users connect through a secure remote VPN service, e.g. PPTP VPN, SSL VPN, etc.
B. Whether free internet-based remote access tools, e.g. TeamViewer, Radmin, etc., are forbidden.
C. Whether the VPN service is configured on a Cisco router, Cisco ASA firewall, Linux box or appliance.
D. Activity logs.

Question: 109
To determine who has been given permission to use a particular system resource, the IS auditor should review:
A. Activity lists
B. Access control lists
C. Logon ID lists
D. Password lists

Question: 110
While conducting VA/PT, an IS auditor found that no web application firewall (WAF) was installed on the organization's infrastructure. How will he evaluate the finding?
A. A SIEM solution should be installed
B. Installation depends on the size of the organization
C. Not appropriate as per good practice
D. 
Create common action rules in the case of security breaches.

Question: 111
An IS auditor is auditing environmental exposure controls for backup media. Which of the following is MOST appropriate? Backup media should be protected against ___
A. physical exposure only
B. logical exposure only
C. physical and logical exposures at the same level
D. mainly physical exposure and some level of logical exposure

Question: 112
An IS auditor carrying out VA/PT found SQL injection vulnerabilities, which arise when user input is not validated or sanitized before it is passed to a database or application server. An attacker can supply crafted input to break out of the data context in which the input appears and interfere with the structure of the surrounding query. What should his recommendation be?
A. Error banners should not reflect critical information
B. Use stored procedures
C. All of the above
D. None of the above

Question: 113
There are six categories of fraud and misconduct mentioned in Imran's presentation. Which one of the following is not included?
A. Fraudulent financial reporting.
B. Misappropriation of assets.
C. Over acquisition of revenues or assets.
D. Improper expenditures or liabilities.

Question: 114
Prior to the start of fieldwork, Internal Audit meets with client management to FIRST:
A. determine preliminary audit objectives.
B. identify risks.
C. establish an audit timeline.
D. discuss audit deliverables.

Question: 115
After an IT incident or suspected incident is detected, there are three phases of follow-up action and response. Which one comes FIRST?
A. Collection and analysis of digital evidence
B. Incident containment and damage assessment
C. Determine the objective of the fraud investigation
D. Incident recovery and resumption of normal operations

Question: 116
An IS auditor performing a review of an application's controls finds a weakness in system software that could materially impact the application. The IS auditor should:
A. 
disregard these control weaknesses, since a system software review is beyond the scope of this review.
B. conduct a detailed system software review and report the control weaknesses.
C. include in the report a statement that the audit was limited to a review of the application's controls.
D. review the system software controls as relevant and recommend a detailed system software review.

Question: 117
Forensic analysis involves a thorough review of various aspects of the hard drive, including the logical file structure and unused file space.
A. True
B. False

Question: 118
Which of the following BEST describes the early stages of an IS audit?
A. Observing key organizational facilities
B. Assessing the IS environment
C. Understanding the business process and environment applicable to the review
D. Reviewing prior IS audit reports

Question: 119
The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:
A. understand the business process.
B. comply with auditing standards.
C. identify control weaknesses.
D. plan substantive testing.

Question: 120
Which of the following would an IS auditor use to determine whether unauthorized modifications were made to production programs?
A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review

Question: 121
An IS auditor interviewing a payroll clerk finds that the answers do not support the job descriptions and documented procedures. Under these circumstances, the IS auditor should:
A. conclude that the controls are inadequate.
B. expand the scope to include substantive testing.
C. place greater reliance on previous audits.
D. suspend the audit.

Question: 122
Using generalized audit software (GAS) such as ACL means the auditor does not review a sample of the data, but rather reviews or examines ______ of the data and transactions.
A. 50%
B. 80%
C. 100%
D. 
60%

Question: 123
When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling is too small to provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
A. Develop an alternate testing procedure.
B. Report the finding to management as a deficiency.
C. Perform a walk-through of the change management process.
D. Create additional sample changes to programs.

Question: 124
The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
A. Inherent
B. Detection
C. Control
D. Business

Question: 125
When reviewing a network used for Internet communications, an IS auditor will FIRST examine the:
A. validity of password change occurrences.
B. architecture of the client-server application.
C. network architecture and design.
D. firewall protection and proxy servers.

Question: 126
The classification based on criticality of a software application as part of an IS business continuity plan is determined by the:
A. nature of the business and the value of the application to the business.
B. replacement cost of the application.
C. vendor support available for the application.
D. associated threats and vulnerabilities of the application.

Question: 127
The PRIMARY benefit of database normalization is the:
A. ability to satisfy more queries.
B. maximization of database integrity by providing information in more than one table.
C. minimization of redundancy of information in tables required to satisfy users’ needs.
D. minimization of response time through faster processing of information.

Question: 128
Which of the following is the MOST effective method for an IS auditor to use in testing the program change management process?
A. Trace from system-generated information to the change management documentation
B. Examine change management documentation for evidence of accuracy
C. 
Trace from the change management documentation to a system-generated audit trail
D. Examine change management documentation for evidence of completeness

Question: 129
For mission-critical systems with a low tolerance to interruption and a high cost of recovery, the IS auditor would, in principle, recommend the use of which of the following recovery options?
A. Mobile site
B. Warm site
C. Cold site
D. Hot site

Question: 130
The key objective of capacity planning procedures is to ensure that:
A. available resources are fully utilized.
B. new resources will be added for new applications in a timely manner.
C. available resources are used efficiently and effectively.
D. utilization of resources does not drop below 85 percent.

Question: 131
‘Understand changes in the business environment of the auditee’ is a part of:
A. Preliminary Engagements.
B. Audit Planning.
C. Reporting.
D. All of the above.

Question: 132
Which of the following tools is required for an audit trail?
A. SCARF/EAM
B. Snapshot
C. Audit Hooks
D. CIS

Question: 133
While performing a hardware review, which of the following tasks does not fall within the purview of the IS auditor?
A. Acquisition plan
B. Capacity management
C. Problem logs
D. System software security

Question: 134
Which of the following is MOST important in auditing whether effective application controls are maintained?
A. Exception reporting
B. Manager involvement
C. Control self-assessment (CSA)
D. Peer review

Question: 135
Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs
B. Administrators are implementing vendor patches to vendor-supplied software without following change control procedures
C. Operations support staff members are implementing changes to batch schedules
D. 
Database administrators are implementing changes to data structures

Question: 136
The BEST time for an IS auditor to assess the control specifications of a new application software package that is being considered for acquisition is during:
A. The internal lab testing phase
B. Testing and prior to user acceptance
C. The requirements gathering process
D. The implementation phase

Question: 137
An IS auditor reviewing a proposed application software acquisition should ensure that the:
A. Operating system (OS) being used is compatible with the existing hardware platform
B. Planned OS updates have been scheduled to minimize negative impacts on company needs
C. OS has the latest versions and updates
D. Product is compatible with the current or planned OS

Question: 138
Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
A. Firewalls
B. Routers
C. Layer 2 switches
D. Virtual local area networks (VLANs)

Question: 139
An IS auditor is conducting a post-implementation review of an enterprise's network. Which of the following findings would be of MOST concern?
A. Wireless mobile devices are not password-protected
B. Default passwords are not changed when installing network devices
C. An outbound web proxy does not exist
D. All communication links do not utilize encryption

Question: 140
Which audit technique provides the BEST evidence of the segregation of duties in an IS department?
A. Discussion with management
B. Review of the organization chart
C. Observation and interviews
D. Testing of user access rights

Question: 141
An IS auditor is carrying out a system configuration review. Which of the following would be the BEST evidence in support of the current system configuration settings?
A. System configuration values imported to a spreadsheet by the system administrator
B. 
Standard report with configuration values retrieved from the system by the IS auditor
C. Dated screenshot of the system configuration settings made available by the system administrator
D. Annual review of approved system configuration values by the business owner

Question: 142
In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A. identify information assets and the underlying systems.
B. identify and assess the risk assessment process used by management.
C. identify and evaluate the existing controls.
D. disclose the threats and impacts to management.

Question: 143
Which of the following is the GREATEST challenge in using test data?
A. Ensuring the program version tested is the same as the production program
B. Creating test data that covers all possible valid and invalid conditions
C. Minimizing the impact of additional transactions on the application being tested
D. Creating test data that covers all possible valid and invalid conditions

Question: 144
During a security audit of IT processes, an IS auditor found that there were no documented security procedures. The IS auditor should:
A. plan and carry out an independent review of computer operations.
B. conduct compliance testing.
C. identify and evaluate existing practices.
D. create the procedures document.

Question: 145
The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
A. Test data
B. Generalized audit software
C. Integrated test facility
D. Embedded audit module

Question: 146
An IS auditor has imported data from the client's database. The next step, confirming whether the imported data are complete, is performed by:
A. matching control totals of the imported data to control totals of the original data.
B. 
sorting the data to confirm whether the data are in the same order as the original data.
C. reviewing a printout of the first 100 records of the original data against the first 100 records of the imported data.
D. filtering the data into different categories and matching them to the original data.

Question: 147
Which of the following is the PRIMARY advantage of using computer forensic software for investigations?
A. Time and cost savings
B. The preservation of the chain of custody for electronic evidence
C. Efficiency and effectiveness
D. Ability to search for violations of intellectual property rights

Question: 148
On a critical server, an IS auditor discovers a Trojan horse that was produced by a known virus that exploits a vulnerability of an operating system. Which of the following should the IS auditor do FIRST?
A. Investigate the virus's author.
B. Analyze the operating system log.
C. Ensure that the malicious code is removed.
D. Install the patch that eliminates the vulnerability.

Question: 149
An IS auditor is evaluating a corporate network for possible penetration by employees. Which of the following findings should give the IS auditor the GREATEST concern?
A. Users can install software on their desktops.
B. Network monitoring is very limited.
C. There are a number of external modems connected to the network.
D. Many user IDs have identical passwords.

Question: 150
The risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system is known as:
A. Inherent Risk
B. Control Risk
C. Detection Risk
D. Prevention Risk
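Worked example for Question 112, added to this sample paper and not part of the ICAB paper: a Python login query built by string concatenation beside the parameterized version, run against a constructed in-memory SQLite table. The payload x' OR '1'='1 ends the quoted data context and rewrites the WHERE clause in the vulnerable version, while the parameterized version treats the same bytes as a password value. The last two functions show the error-banner point of option A: a malformed payload makes the concatenated query fail, and the database's own error text would tell an attacker they are inside a SQL string, so the hardened version returns a generic message. The table, user names and passwords are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data for this example (not from the paper): a tiny
    in-memory users table so the demo runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "s3cret", "admin"), (2, "bob", "hunter2", "clerk")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: the input is pasted into the SQL
    text, so a quote in it ends the data context and the rest is parsed as SQL.
    With password = "x' OR '1'='1" the WHERE clause becomes
    (username = 'alice' AND password = 'x') OR '1'='1', which is true for every row."""
    sql = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """Bound parameters: values travel separately from the query text, so a
    quote in the input can never change the structure of the statement."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def error_text_vulnerable(conn, username):
    """The 'error banner' problem: a stray quote breaks the concatenated query
    and the database raises a syntax error. Echoing str(exc) to the client
    confirms to an attacker that the input lands inside a SQL string."""
    try:
        login_vulnerable(conn, username, "irrelevant")
    except sqlite3.Error as exc:
        return str(exc)
    return ""


def login_hardened(conn, username, password):
    """Parameterized query plus a generic failure message; the real exception
    stays server-side (it belongs in a log, not in the response)."""
    try:
        rows = login_parameterized(conn, username, password)
    except sqlite3.Error:
        return {"ok": False, "message": "authentication failed", "rows": []}
    return {"ok": bool(rows), "message": "ok" if rows else "authentication failed", "rows": rows}


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, "alice", payload))    # both users returned
    print("parameterized:", login_parameterized(db, "alice", payload)) # []
    print("error leak   :", error_text_vulnerable(db, "x'"))
    print("hardened     :", login_hardened(db, "x'", payload))
```

Stored procedures (option B) help only when the procedure itself binds its arguments; a procedure that concatenates its parameters into dynamic SQL is as injectable as the first function above.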
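Worked example for Questions 120 and 128, added here and not part of the ICAB paper: reconciling a system-generated audit trail of production program modifications against change-management tickets, in both directions. Tracing from the trail to the documentation (option A in Question 128) is what surfaces an unauthorized change, because the trail is produced by the system rather than by the people being audited; tracing from the tickets to the trail finds approved changes that were never evidenced. The log format, program names, users and tickets are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample evidence (not from the paper): a system-generated audit
# trail of writes to the production program library, one line per change.
AUDIT_TRAIL = """\
2024-03-04T22:15:03Z program=PAYCALC.EXE user=jdoe sha256=4f1a
2024-03-05T09:40:11Z program=GLPOST.EXE user=mlee sha256=9c02
2024-03-06T01:02:00Z program=PAYCALC.EXE user=jdoe sha256=77be
"""


@dataclass(frozen=True)
class TrailEntry:
    when: datetime
    program: str
    user: str
    sha256: str


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    program: str
    implementer: str
    approver: str
    window_start: datetime
    window_end: datetime


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_trail(text):
    """Parse 'timestamp key=value ...' lines into TrailEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        entries.append(TrailEntry(_ts(ts), kv["program"], kv["user"], kv["sha256"]))
    return entries


# Constructed change-management records (the documentation side). CHG-102 is
# approved by its own implementer; CHG-103 has no matching change in the trail.
TICKETS = [
    ChangeTicket("CHG-101", "PAYCALC.EXE", "jdoe", "asmith",
                 _ts("2024-03-04T22:00:00Z"), _ts("2024-03-04T23:00:00Z")),
    ChangeTicket("CHG-102", "PAYCALC.EXE", "jdoe", "jdoe",
                 _ts("2024-03-06T00:00:00Z"), _ts("2024-03-06T02:00:00Z")),
    ChangeTicket("CHG-103", "ARCALC.EXE", "rkim", "asmith",
                 _ts("2024-03-07T20:00:00Z"), _ts("2024-03-07T21:00:00Z")),
]


def ticket_for(entry, tickets):
    """A trail entry is covered by a ticket for the same program whose
    implementer is the user who made the change, inside the approved window."""
    for t in tickets:
        if (t.program == entry.program and t.implementer == entry.user
                and t.window_start <= entry.when <= t.window_end):
            return t
    return None


def reconcile(entries, tickets):
    """Trail -> tickets finds changes with no authorization (the unauthorized
    modification test); tickets -> trail finds approved changes never evidenced
    in the system. Self-approved tickets are reported as a segregation issue."""
    findings = {"unauthorized": [], "self_approved": [], "not_evidenced": []}
    used = set()
    for e in entries:
        t = ticket_for(e, tickets)
        if t is None:
            findings["unauthorized"].append((e.program, e.when.isoformat(), e.user))
            continue
        used.add(t.ticket_id)
        if t.approver == t.implementer:
            findings["self_approved"].append((t.ticket_id, e.program))
    for t in tickets:
        if t.ticket_id not in used:
            findings["not_evidenced"].append(t.ticket_id)
    return findings


if __name__ == "__main__":
    for name, items in reconcile(parse_trail(AUDIT_TRAIL), TICKETS).items():
        print(name, items)
```

The hash recorded in the trail is what lets the auditor go one step further in a real engagement: comparing it with the hash of the program currently in production shows whether the last evidenced change is in fact what is running.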
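Worked example for Question 146, added here and not part of the ICAB paper: computing control totals on the client's original extract and on the auditor's import and comparing them. A record count alone misses a row replaced by another; a financial total alone misses two rows whose amounts cancel; a hash total over a non-financial numeric field (here the account number) catches substitutions that preserve the amount. The sample files are constructed, and the import deliberately lost its last row, which a check of the first 100 records (option C) would not notice.

```python
import csv
import io
from decimal import Decimal

# Constructed sample files (not from the paper): the client's original extract
# and the auditor's import of it, which silently dropped the last row.
ORIGINAL_CSV = """\
txn_id,account,amount
1001,4001,125.50
1002,4002,-40.00
1003,4001,980.25
1004,4003,15.00
"""

IMPORTED_CSV = """\
txn_id,account,amount
1001,4001,125.50
1002,4002,-40.00
1003,4001,980.25
"""


def control_totals(csv_text):
    """Three independent totals over the file:
    - record count: did every row arrive?
    - financial total of amount: did the values arrive intact?
    - hash total of a non-financial numeric field (account): detects a row
      swapped for another row that happens to carry the same amount.
    Decimal is used so the financial total is exact, not floating point."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "record_count": len(rows),
        "amount_total": sum(Decimal(r["amount"]) for r in rows),
        "account_hash_total": sum(int(r["account"]) for r in rows),
    }


def compare_totals(original_text, imported_text):
    """Return (name, original, imported) for every total that disagrees;
    an empty list means the import agrees with the original on all totals."""
    o, i = control_totals(original_text), control_totals(imported_text)
    return [(k, o[k], i[k]) for k in o if o[k] != i[k]]


if __name__ == "__main__":
    print(control_totals(ORIGINAL_CSV))
    print(compare_totals(ORIGINAL_CSV, IMPORTED_CSV))
```

In practice the original-side totals come from the client's system (a report footer or a query run on the source database), so that the comparison is against figures the auditor did not produce from the import itself.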