Text-DISA_Review_Questions.docx

i
DISA Review Questions,Answers
Manual – Module
The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi

DISCLAIMER
The views expressed in this material are those of author(s). The Institute of
Chartered Accountants of India (ICAI) may not necessarily subscribe to the views
expressed by the author(s).
The information in this material has been contributed by various authors based
on their expertise and research. While every effort have been made to keep
the information cited in this material error free, the Institute or its officers do not
take the responsibility for any typographical or clerical error which may have
crept in while compiling the information provided in this material. There are no
warranties/claims for ready use of this material as this material is for educational
purpose. The information provided in this material are subject to changes in
technology, business and regulatory environment. Hence, members are advised
to apply this using professional judgement. Please visit CIT portal for the latest
updates. All copyrights are acknowledged. Use ofspecific hardware/software in
the material is not an endorsement by ICAI.
© The Institute of Chartered Accountants of India
All rights reserved. No part of this publication may be reproduced, stored in
a retrieval system, or transmitted, in any form, or by any means, electronic
mechanical, photocopying, recording, or otherwise, without prior permission, in
writing, from the publisher.
Edition : October, 2015
Committee/Department: Committee of Information Technology
E-mail : cit@icai.in
Website : www.icai.org/http://cit.icai.org
Price : ` /-
ISBN : 978-81-8441-
Published by : The Publication Department on behalf of the Institute
of Chartered Accountants of India, ICAI Bhawan, Post
Box No. 7100, Indraprastha Marg, New Delhi-110 002.
Printed by : Sahitya Bhawan Publications, Hospital Road, Agra-03
October/2015/P0000 (New)
ii

Contents
DISA Review Questions, Answers Manual – Module Page Nos.
1. Module – 1 1-119
2. Module – 2 120-178
3. Module – 3 179-290
4. Module – 4 291-404
5. Module – 5 405-461
6. Module – 6 462-557
7. Module – 7 558-611
iii

1
DISA Review Questions, Answers Manual – Module 1
Module 1 Questions
Q1. The primary function of the CPU is to take care of
Input, Output and arithmetic-logic activities
Control and Output activities
Control and arithmetic-logic activities
Input and Control activities
Q2. Which of the following would be classified as a corrective control?
Business continuity planning
Transaction authorisation
Terminal security
Passwords
Q3. A major design consideration for local area networks that replaces stand
alone computing in an organisation include:
Ensuring sophisticated and state-of-the-art recovery mechanism
Ensuring concurrent access control
Ensuring seamless integration
Allowing distribution processing
Q4 Which one would be a material irregularity?
Programmers forgot to indicate file retention periods
Operation personnel did not follow a procedure due to an
oversight
Librarian forgot to log tape movement
Knowingly, an IS Manager, approved a payment for his uncles IS
software firm for a job not done by them.

Q5. With respect to AI, a heuristic refers to :
Rule of thumb
Known fact
Known procedure
Guaranteed procedure
Q6. Which of the following usually is a purpose ofa modem:
increase line errors caused by noise
produce encrypted messages
increase the speed ofdata transmission
dynamically share a smaller number of output channels
Q7. The most appropriate concurrent audit tool whose complexity is very
high and useful when regular processing cannot be interrupted is :
SCARF/EAM
ITF
Snapshot
Audit hooks
Q8. A large organization with numerous applications running on its
mainframe system is experiencing a growing backlog of undeveloped
applications. As part of a master plan to eliminate this backlog, end-user
computing with prototyping is being introduced, sup
Data Control
Systems Analysis
Systems Programming
Application Programming
2

3
Q9. Which of the following converts digital pulses from the computer into
frequencies within the audio signals
multiplexor
protocol converter
modem
concentrator
Q10. Introduction ofcomputer-based informationsystemhas affected auditing.
Which of the following is NOT an effect of IS on auditing?
To identify a control weakness and trace its effects has become
harder
Collection evidence process has been rendered more difficult
Introduction of newer technology by the day has made their
understanding a difficult task for the auditor
The basic objectives ofauditing have undergone change
Q11. While conducting the audit, the auditor shall allocate the audit resources
to
Sequentially selected areas
Prioritised areas
Randomly selected areas
All areas subject to audit
Q12. In data processing, which of the following causes the maximum losses
poor computer centre design
theft of machine time
errors and omissions
machine room fires

Q13. An MIS Manager has only enough resources to install either a new
payroll system or a new data security system, but not both. Which of
the following actions is most appropriate?
Giving priority to the security system
Leaving the decision to the MIS manager
Increasing MIS staff output in order for both systems to be installed
Having the information systems steering committee setthe priority
Q14. As an IS auditor, which would you consider the MOST CRITICAL
CONTROL over an employee performing a function.
Supervisory Control
Periodic rotation of duties
Keep them motivated
Continuous training
Q15. Which of the following types of subversive attacks on a communication
network is not an active attack:
message modification
denial of message services
traffic analysis
message deletion
Q16. Which of the following utilities can be used to directly examine the
quality of data in the database:
Pointer validation utility
HIPO charter
Terminal simulator
Decision- table preprocessor

5
Q17. Which one ofthe following controls would protect the production libraries
without compromising the efficiency of open access?
Restrict updating and read access to one position
Permit updating and read access for everyone in IS
Permit updating for everyone in IS but restrict read access to
source code to one position
Restrict updating to one position butpermit read acccess tosource
code for everyone in IS
Q18. An apparent error in input data describing an inventory item was
detected and the issue was referred back to the originating department
for correction. A few days later, the department complained that the
inventory in question was not correct. EDP could n
Input edit checks
missing data validity checks
transmittal control
error log
Q19. Hardware controls are important to IS auditors for they:
Ensure correct programming of operating system functions
Assure that the vendors support current versions ofthe software.
Assure the correct execution of machine instructions
Ensure that run-to-run totals in application systems are consistent
Q20. Use of public key infrastructure by an eCommerce site, where public
key is widely distributed and the private key is for the hosting server, is
MOST likely to provide comfortto the:
customer over the confidentiality of messages received from the
hosting site
hosting site over the confidentiality of message sentto thecustomer
hosting site over the authenticity of the customer
customer over the authenticity of the hosting site

6
Q 21. Which of the following is considered potential benefits of Electronic Data
Interchange (EDI)?
improving a vendors response time to buyer orders
increasing data integrity by defining standards for retrieving paper
based information
enabling use of a multiplicity of formats and coding standards
increasing inventory by reducing order lead-time
Q22. A company has entered into a contract with a service provider to
outsource network and desktop support, and the relationship has
been quite successful. To mitigate some risks, which remain due to
connectivity issues, which of the following controls should
adequate reporting between the company and the serviceprovider
install secured sockets layer (SSL)
adequate definition in contractual relationship
network defence program
Q23. A system has adequate set of preventive controls. The installation of
detective controls:
Since they address the same exposures, itis redundant
It is necessary to provide information on the effectiveness ofthe
preventive controls
To provide an audit trail
Would be needed in a manual system.
Q24. Which of the following statistical selection technique is least desirable
for use by the IS auditor.
Systematic sampling selection technique
Stratified sampling selection technique
Cluster sampling selection technique
Sequential sampling selection technique

7
Q25. In an organisation, Integrated Test Facility (ITF) is not used in:
Maintenance
Automatic testing
Quantity control
Quality control
Q26. Which one of the following is not a substantive test?
Determining program changes are approved
Performing aging analysis
Performing system activity analysis
Performing job activity analysis
Q27. The audit trails are useful to
Auditors
Management
Users
All of the above
Q28. ___________ is an estimate of the degree of certainty that the
population average will be within the precision level selected
Standard deviation
Confidence level
Precision
Range
Q29. Which of the following functions SHOULD NOT BE combined with
Systems Analyst
Control Group
DBA
Data Entry
Application programmer

8
Q30. Of the following, the most critical component in a LAN is likely to be the:
LAN cables
parallel port
file server
user workstations
Q31. Possible errors related to a security issue during application
development can be identified by reviewing-
System logs
Security policies
Code reviews
System configuration files
Q32. The IS Control Group is NOT responsible for performing
Logging of data input
Review and scrutiny of error listing.
Rectification of errors
Managing distribution of outputs.
Q33. The auditor plans to select a sample of transactions to assess the
extent that purchase cash discounts may have been lost by the
company. After assessing the risks associated with lost purchase
discounts, the auditor was most likely to select a sample fro
Open purchase orders
Paid EDI invoices
Paid non-EDI invoices
Paid EDI and non-EDI invoices

9
Q34. The following message service provides the strongest protection about
the occurrence of a specific action:
delivery proof
submission proof
authentication messages origin
non-repudiation
Q35. The primary consideration for a System Auditor , regarding internal
control policies, procedures, and standards available in the IS
department, is whether they are:
Approved
Documented
Implemented
Distributed
Q36. The success of Control Self Assessment (CS depends on culture of the
organisation, project leader and the skills of the people involved in CSA.
While implementing, the pitfall to be avoided is
Generalisation of the planning process
Implementation on small projects
Management support
Broadening the focus of CSA s effectiveness
Q37. Which of the following requires the creation of a dummy entity for
Concurrent Auditing Techniques?
Snapshot/ Extended Record
Continuous and Intermittent Simulation (CIS)
Integrated Test Facility (ITF)
System Control Audit Review File (SCARF)

10
Q38. A firewall ruleset should not block
Inbound traffic without Internet Control Message Protocol
Inbound traffic from a non-authenticated source
Inbound traffic without the source address of the local host
Inbound traffic from an authenticated source having SimpleNetwork
Management Protocol SNMP).
Q39. Access may be filtered by a firewall access control list based on each
of the following EXCEPT:
network interface card (NIC)
port
service type
Internet Protocol (IP) address
Q40. The media that is rarely used in present day LANs is:
Fibre optics cable
Twisted-pair (shielded) cable
Twisted-pair (unshielded) cable
Coaxial cable
Q41. While appointing an auditor to conduct the IS audit the company need
not look into of the auditor?
Legal capability
Experience
Proficiency in different computer languages
Secrecy bond, ifpenetration test is to be done

1
1
Q42. You are planning to use monetary-unit sampling for testing the rupee
value of a large inventory population. The advantages of using
monetary-unit sampling include all of the following except
It is an efficient model for establishing that low error rate population
is not materially misstated
It does notrequire the normal distribution approximation requiredby
variable sampling
Since the sampling units are homogenous itcan be applied to agroup
of accounts
As errors increase, it results in a smaller sample size than that
required when using classical sampling.
Q43. Which one of the following is not a compliance test ?
Reconciling accounts
Determining whether security policy is available
Determining whether access controls are in place
Determining whether system specification documents are
available
Q44. An audit technique used to select items from a population for audit
testing purposes based on the characteristics is termed as
Continuous Sampling
Discrete Sampling
Attribute Sampling
Statistical Sampling
Q45. The class of control used to minimise the impact of a threat is :
Preventive
Detective
Corrective
Suggestive

12
Q46. Which of the following is FALSE with regard to a symmetric key
cryptosystem?
the encryption and decryption process is fast
two different keys are used for the encryption and decryption
Data Encyption Standard (DES) is a typical type of private key
cryptosystem
For the decryption, the decryption key should be equivalentto the
encryption key
Q47. Which one of the following standards is relevant for a company dealing
with inspection and final testing?-
ISO 9000
ISO 9001
ISO 9002
ISO 9003
Q48. A Systems Analyst’s duties and roles comprises of:
Scheduling of computer resources.
Testing and evaluating programmer and optimisation tools.
Ascertaining user needs for application programming.
Corporate database definition.
Q49. An advantage of outsourcing data processing activities in a company is
obtained by:
Requirement of more user involvement in communicating user
needs.
Establishment and enforcement of processing priorities internally.
Best IS expertise from the outside source.
Exercising direct control over computer operations.

1
3
Q50. A sampling technique that estimates the amount of overstatement in an
account balance is termed as :
Variable Sampling
Monetary Unit Sampling
Attribute Sampling
Q51. Which one of the following audit techniques would likely provide an
Systems Auditor assurance about the effectiveness and efficiency of a
system operators work?
Interviewing the system operator
Reading the operators manual
Observing the system operators work
Interviewing the system operators supervisor
Q52. An on line bookseller decides to accept online payment from customers
after implementing agreements with major credit card companies. Which
ofthe following parameters will LEASTimpact such online transactions?
firewall architecture hides the internal network
encryption is required
timed authentication is required
traffic is exchanged through the firewall at the application layer
only
Q53. Assuming some irregularities exist in a population, the sampling plan to
identify at least one irregularity, and then to discontinue sampling when
one irregularity is found is called :
Stop-or-go sampling
Variables sampling
Discovery sampling
Attributes sampling

14
Q54. At what stage the risk assessment should be included in the security
program in event of new system additions or modification of the old
system?
When the new system is added or old system is modified
At the end of the year along with all other additions or
modifications during the year
Need not be done
After a defined period say every 3 months
Q55. In a situation where a public key cryptosystem is in use, the message
sent by the sender is signed by the:
senders private key
receivers public key
senders public key
receivers private key
Q56. Penetration testers in an attempt to penetrate into the system or the
network use different techniques to break in. Which of the following
techniques do they employ to obtain critical information for the
company’s employees?
Password cracking
Social engineering
Physical security
Logical security
Q57. Which of the following is not a characteristic of audit evidence?
Relevance
Reliability
Sufficiency
Consistency

15
Q58. A LAN policy should define which of the following persons should be
made responsible for reporting maintenance problems or disk errors
Network administrator
Users
Security officer
Systems administrator
Q59. A well written and concise job description is IRRELEVANT to
Providing a little indication of segregation ofduties.
Assisting in defining the relationship between various job
functions.
Often being used as tool in evaluation of performance.
An important means of discouraging illegal acts.
Q60. While conducting the audit of security in an organisation, the procedure
of LEAST concern to the IS auditor is:
Validation of environmental, logical and physical access policies
for each of the job profiles.
Conduct sample tests to ensure that access to assets is
adequate.
Evaluation of procedures for safeguarding and prevention of
unauthorised access to assets.
Reviewing the effectiveness in utilisation of the assets.
Q61. “In its truest sense, which of the following applications is a real time
application ?
Missile launching system
Railway Reservation System
Banking application
Financial Accounting system

16
Q62. SQL is an example for
1GL
2GL
3GL
4GL
Q63. Which of the following is NOT an element of a LAN environment?
Packet switching technology
Baseband
Ring or short bus topology
Public circuit switching technology
Q64. Which of the following is not a substantive test:
Confirmation of data with outside sources
A test to access the quality of data.
A test to compare data with an output source
A test to evaluate the validation controls in an input program.
Q65. Which of the following is NOT an advantage of continuous auditing
approach ?
Cumulative effects for the year is tested
Findings are generally more material to the organisation
Audit resources are more effectively directed.
Current decisions can be based on audited information.
Q66. Which of the following is NOT TRUE about a database management
system application environment?
Multiple users use data concurrently
Data are shared by passing files between programs or systems

17
The physical structure of the data is independent of user needs
Each request for data made by an application program must be
analysed by DBMS.
Q67. “If a program is written using mnemonics and op-codes then the
program is in
Machine language
Assembly Level Language
Procedural Language
Non-procedural language
Q68. “An agreement between two computer systems related to methods of
data transmission that is packed and interpreted is called
Communications channel
Communications protocol
Synchronous mode of transmission
Asynchronous mode of transmission
Q69. “A service provided to businesses by telecommunication companies
or long distance carriers that provides a permanent direct connection
between two geographically separate local area networks is called a:
Point-to-point link
Message switching
Distributed network
Packet switching
Q70. “A transmission technique in which a complete message is sent to a
concentration point for storage and routing to the destination point when
a communication path is available is called:
Circuit Switching
Message Switching

18
Packet Switching
Junction Switching
Q71. “In Internet architecture, a domain name service (DNS) is MOST
important because it provides the:
Address ofthe domain server.
Address ofthe naming client.
Resolution of the name to the IP address on the Internet.
Domain name characteristics
Q72. “In an Internet URL,†http://www.infosys.co, what does the†.co signify?
Identifies the protocol being used
Identifies that the site is on the Internet
It is an additional information and is not needed
Identifies the purpose ofthe site. It stands for commercial.
Q73. Which of the following actions provides the IS Auditor with the greatest
assurance that certain weaknesses in internal control procedures have
been corrected by the management?
Discussing with the management the corrective procedures that were
implemented to strengthen the internal controls.
Obtaining a letter of representation from management stating that the
weakness has been corrected.
Performing compliance tests and evaluating the adequacy of
procedures that were implemented by the management to correct
the weaknesses.
Reviewing management’s response to the weaknesses in theirformal
report to the Board of Director’s audit committee.
Q74. Which of the following device is a random access media?
Magnetic Tape
DAT

19
CD-ROM
None of the above
Q75. “Which of the following transmission media would NOT be affected by
cross talk or interference?
Fiber optic systems
Twisted pair circuits
Microwave radio systems
Satellite radio-link systems
Q76. Which type of cable uses a BNC connector
Twisted pair
UTP
STP
Coaxial cable
Q77. “Which of the following is not provided by a public key infrastructure
(PKI)?
Access control
Network Reliability
Authentication
Non-Repudiation
Q78. Which of the following is not a method of Control Self Assessment
(CSA?
Delphi technique
Interview technique
Interactive workshop
Control guide

20
Q79. Which of the following is NOT included in the digital certficate:
The private key of the sender
Name of the TTP/CA
Public key of the sender
Time period for which the key is valid
Q80. Which of the following is not the objective of the establishment of
security management structure?
Organisation management structure is identified
Security management has the required independence
There exists an optimal coordination and communication betweenthe
IT and the security structure
Security management has the overall responsibility ofsecurity
Q81. While evaluating the IT control environment for obtaining an
understanding of the management’
The functions of the IT steering committee
The Security policy
The IT strategy of the management
The user’s perception ofIT
Q82. While reviewing the outsourcing agreementwith an external agency, the
IS auditor would be LEAST interested in verifying the clause containing
:
Continuity of service by the agency in case of a happening of a
disaster.
Statement of due care and confidentiality.
Detailed specifications ofthe vendor’s hardware.
The ownership rights for the programs and files.

21
Q83. Project management is considered a separate division on the basis of:
Interdependencies among departments
Sharing of resources
Size of the project
All the above
Q84. An Invitation to Tender (ITT) does not address which of the following?
Availability of service personnel
Application portfolio and transaction volumes
Budget for the project
Compatibility of the new systems with the existing ones
Q85. The process ofdatabase tuning is carried out by
Data Administrator
Database Administrator
Application Programmer
Systems Programmer
Q86. Middleware is implemented by :
Server Monitor
Transaction Processing Monitor
CPU utilisation monitor
Network connectivity monitor
Q87. “An organization is about to implement a computer network in a new
office building. The company has 200 users located in the same
physical area. No external network connections will be required. Which
of the following network configurations would be the MO”
Bus
Ring

22
Star
Mesh
Q88. “Which of the following can a local area network (LAN) administrator
use to protect against exposure to illegal or unlicensed software usage
by the network user?
Software metering
Virus detection software
Software encryption
Software decryption
Q89. Machine maintenance engineers pose some difficult control programs
because:
they possess very high level of computing skills
they are prone to changing jobs frequently. This may lead to theloss
of experience about a particular machine
they have available special hardware/software tools that enablethem
to breach data integrity
for them to carry out their work, normally the application system
controls have to be relaxed
Q90. Which of the following provide complete information about a database?
Database model
The internal schema of the database
Data Dictionary
Database Views
Q91. “Which of the following is NOT considered as a method for data
representation in a DBMS?
Hierarchical model
Indexed Sequential model

23
Network model
Relational model
Q92. “Which of the following translates e-mail formats from one network to
another so that the message can travel through all the networks?
Gateway
Protocol converter
Front-end communication processor
Concentrator/multiplexer
Q93. “An IS auditor who intends to use penetration testing during an audit of
Internet connections would:
Evaluate configurations.
Examine security settings.
Censure virus-scanning software is in use.
Use tools and techniques that are available to a hacker
Q94. Which activity is taken up during post-test phase ofpenetration testing?
Cleaning up
Vulnerability detection
Preparation of legal documents
Penetration attempt
Q95. Preventive controls are usually preferred to detective controls because:
Easier to design and operate
Requires elaborate performance measurement systems
Are intended to stop losses before they occur
No performance standard

24
Q96. Which of the following is deemed as good system design practice?
High cohesion of modules, low coupling of modules, and high
modularity of programs
Low cohesion of modules, high coupling of modules, and high
High cohesion of modules, high coupling of modules, and high
Low cohesion ofmodules, low coupling ofmodules, and lowmodularity
of programs
Q97. Which of the following is not a database model :
Hierarchical structure
Batched sequential structure
Network structure
Relational structure
Q98. The network ofthe company mustbe protected from remote access that
may damage the company’
All employees
Vendors
Contractors
All the above
Q99. Which of the following is FALSE with respect to Systems Software?
Provides facilities for debugging systems
Provides facilities to optimally use the resources of the system
Provides software for cryptographic purpose
Provides facilities to manage users connected to the system

25
Q100. Which network typically demands more knowledgeable users?
Server-based network
Peer-to-peer network
Local area network
Wide area network
Q101. “Which of the following functions cannot be performed using a
communications network control terminal?
Resetting queue lengths
Starting and terminating line processes
Generating a control total for a point of sale device
Correcting a hardware error in a modem
Q102. “Which of the following would typically be considered the fastest to
restore?
Normal backup
Incremental backup
Differential backup
Copy backup
Q103. All of the following are significant Internet exposures EXCEPT:
Loss of integrity
Denial of Service attacks.
Insufficient resources to improve and maintain integrity
Unauthorized access
Q104. When a store uses a point of sale device to record the sale of an item,
which of the following sequences of activities best describes the input
process:
data preparation, data capture, data input
data capture, data preparation, data input

26
data preparation, data input
data capture, data preparation, data capture, data input
Q105. Which of the following controls may not be associated with point-of-sale
equipment?
edit
data validation
batch
access
Q106. “As an IS auditor, what precautionary method would you suggest to
the company when old computers that held confidential data are being
disposed off:
Dispose it off to reliable people
Format the hard disk
Delete all files in the hard disk
Demagnetize the hard disk
Q107. A session can be defined as
A link between two network nodes
Series of transmission without any disconnection
A specific place in a system
Bi-directional data flow between two network nodes.
Q108. All of the following are true relating to the use of fiber optics EXCEPT:
Data is transmitted rapidly
Fiber optic cable is small and flexible
They are unaffected by electrical interference
They provide the highest level of signal attenuation

27
Q109. “When an organizatio⁮ Section 1s network is connected with an external
network in an Internet client-server model not under that organization’s
control, security becomes a concern. In providing adequate security in
this environment, which of the following assurance”
Server and client authentication
Data integrity
Data recovery
Data confidentiality
Q110. Penetration testing helps in identifying the vulnerabilities in a network
security. Which of the following is not a reason for conducting the test?
Make the top management aware of the security issues
Test intrusion detection and response capabilities
Help in decision making process
Identifying the systems to be tested
Q111. Which of the following is a substantive audit test?
Verifying that a management check has been regularly performed
Observing that user Ids and passwords are required to sign onto the
computer
Reviewing reports listing short shipments of goods received
Reviewing an aged trial balance of accounts receivable
Q112. Which ofthe following is NOT a proper responsibility offunctional users.
Establishing data ownership guidelines
Establishing data custodianship outlines
Establishing data usage guidelines
Establishing data disclosure guidelines

28
Q113. Which of the following statements about automated operations facility
parameters is not true?
operating system will identify an inaccuracy
they need to be maintained in a secure file
standards should be prepared to guide their maintenance
an offsite back copy should be maintained
Q114. Which of the following is NOT addressed in data and capacity
management?
Rapid growth of volumes of data
Rapid growth in the number ofcomputer systems in the
organisation
Effective data backup schemes
Ensuring 24 X 7 availability
Q115. “Which of the following is the best option with regard to an Information
Processing Facility (IPF)?
High MTBF and Low MTTR
Low MTBF and High MTTR
Low MTBF and Low MTTR
High MTBF and High MTTR
Q116. A hub is a device that connects:
Two LANs using different protocols.
A LAN with a WAN.
A LAN with a MAN.
Two segments of a single LAN.

29
Q117. “It is essential to monitor elecommunication processes and ensure that
data transmission is complete and accurate. Which of the following
automated processes / reports measure this?
Turnaround time reports
Help Desk response monitoring reports
Breakdowns/downtime reports
Online monitoring tools
Q118. “All of the following are considered characteristics of N-Tier computing
architecture EXCEPT:
Distributed computing
Open Industry standards
Thin Client interfaces
Monolithic architecture
Q119. “In which of the following, tags are placed within text to accomplish
document formatting, visual features such as font size, italics and bold,
and the creation of links:
FTP
HTTP
Telnet
ActiveX
Q120. One main reason for using Redundant Array of Inexpensive Disks
(RAID) is :
all data can still be reconstructed even if one drive fails
all data are split evenly across pairs of drives
snap shots of all transactions are taken
write time is minimised to avoid concurrency conflicts

30
Q121. Output controls ensure that output is accurate, complete and produced
when required. The auditor during the course of his audit of output
controls does not look into which of the following:
All pages of the report are numbered consecutively
Comparison between the actual data totals and totals of record
counts is done at regular interval
Proper procedure for classification of output exists
Output of test runs and procedure runs are kept separately
Q122. “Which of the following tool would be used when program coding has
to be done?
Compiler
Editor
Loader
Linker
Q123. Which of the following statements about a DBMS is INCORRECT?
Data redundancy is minimised
Applications share data
Provides the logic to solve a problem in an application
Provides facilities to access & store data which is accessed byusers
Q124. “The database administrator is NOT responsible for which one of the
following functions?
Physical design of a database
Security of a database
Coordinate and resolve conflicting needs and desires ofusers Iin
their diverse application areas
Logical design ofa database

31
Q125. Which ofthe following OSI layers communicates with the user
programs?
Physical
Application
Presentation
Session
Q126. “Measuring utilization of all important network resources so that
individual or group uses on the network can be regulated appropriately
is called:
Performance management
Security management
Accounting management
Configuration management
Q127. “Which of the following controls would be MOST comprehensive in a
remote access network with multiple and diverse sub-systems?
Proxy server
Firewall installation
Password implementation and administration
Q128. “A reasonably controlled practice in the distributed executable programs
that execute in background of a web browser client, like Java applets
and Active X controls, is:
Installation of a firewall
Usage of a secure web connection
“Acceptance of executable only from the established and trusted
source“
Hosting the website as part of your organization

32
Q129. Which of the following is FALSE with regard to a public key
cryptosystem?
the encryption key can be known to all communication users
the processing time required in private key cryptosystem is fasterthan
that of public key cryptosystem
the decryption key should be kept a secret
the decryption key is the same as the encryption key
Q130. Which of the following is not true with regard to the establishment of a
security management structure?
Security management should have authority in accordance withthe
responsibility
Security management should have the overall responsibility of
security
Security management structure should be approved by all the
employees
Security management should have the required independence
Q131. “When the computer is switched on, the system performs some tasks
before loading the operating system. Such ROM chips can be classifed
as:
Hardware
Software
Firmware
None of the above
Q132. “Which of the following media would be MOST secure in a
telecommunication network? “
Dedicated lines
Base band network
Dial up
Broadband network digital transmission

33
Q133. “Which of the following transmission media is MOST resistant to a
sniffing attack?“
Optical fiber
Satellite microwave
Twisted-pair wire
Infrared
Q134. “An electronic device that combines data from several low speed
communication lines into a single high speed line is called “
Modem
Multiplexer
Channel
Link Editor
Q135. Monetary-unit sampling is most useful when:
in testing the accounts receivable balance
Cannot cumulatively arrange the population items
Expects to find several material errors in the sample
One is concerned with over-statements
Q136. When an accounting application is processed by computer, an auditor
cannot verify the reliable operation of programmed controls by
Manually comparing detail transaction files used by an edit program
with the programs generated error listings to determine that
errors were properly identified by the edit program
Constructing a processing system for accounting applications and
processing actual data from throughout the period through both
the clients program and the auditors program
Manually reperforming, as of a moment in time, the processing of
input data and comparing the simulated results with the actual
results
Periodically submitting auditor prepared test data to the same computer
process and evaluating the results

34
Q137. Which of the following actions should be undertaken when plastic debit/
credit cards are issued:
mail the cards in an envelope that identifies the name of the
issuing institution
make the same groups responsible for the mailing of cards andthe
investigation of returned cards
communicate the PIN to the cardholder over phone
mail the card and PIN mailer separately in registered envelopes
Q138. “Which one of the following is the most essential activity for effective
computer capacity planning? “
“Doing the process ofliaison with the management and hardware
suppliers “
“Talking to security administrator for incorporating securityprocedures “
“To perform the process ofDisaster Recovery Planning andBusiness
Continuity Planning “
Determining the workload of applications
Q139. “Which of the following is NOT a key concept of object-oriented
technology? “
Encapsulation
Cohesion and Coupling
Polymorphism
Inheritance
Q140. “Which of the following would typically be considered a LAN?”
10 computers in your office connected together and hooked up
to a printer
A connection of one computer in Mumbai to another in Delhi
The city-wide connection between ATMs
The 3 stand-alone PCs in your home

35
Q141. “Which of the following allow users on the Internet to communicate with
each other by typing text mode in real time:”
IM
RFC
FYI
FAQ
Q142. “Secure socket layer (SSL) protocol addresses the confidentiality of a
message through: “
Symmetric encryption
Message authentication code
Hash function
Digital signature certificates
Q143. “A manufacturer has been purchasing materials and supplies for its
business through an e-commerce application. Which of the following
should this manufacturer rely on to prove that the transactions were
actually made? “
Reputation
Authentication
Encryption
Non-Repudiation
Q144. In Wide Area Networks (WANs):
Data flow must be half duplex
Communication lines must be dedicated.
Circuit structure can be operated only over a fixed distance.
The selection ofcommunication lines will affect reliability.

36
Q145. “An IS auditor performing a telecommunication access control review
would focus his / her attention MOST on the: “
Maintenance of usage logs of various system resources
“Authorization and authentication of the user prior to granting
access to system resources”
“Adequate protection of stored data on servers by encryption or
other means.”
“Accountability system and the ability to properly identify any
terminal accessing system resources.”
Q146. Which among the following components is of PRIMARY concern for
evolving a recovery plan after a communication failure?
Software
Documentation
Telecommunication
Hard disk free space
Q147. Which ofthe following a company need notprepare or decide upon after
appointing an IS auditor?
Documents related to processes or procedures
Area of surprise audit
Letter foregoing legal course ofaction related to penetrationtesting
Number of days the audit should be carried out
Q148. Which of the following best describes feature of statistical sampling?
It allows the auditors to have the same degree of confidence as
with judgement sampling
It allows the auditor to substitute sampling technique for his judgement.
It provides a means for measuring the actual misstatementstatement
in assertions

37
It provides a means for assessing the risk that the sample resultswill
not accurately represent the population characteristics.
Q149. Which of the following step forms part of an approach to IT audit
Review of systems
User controls
Compliance testing
All of the above
Q150. is not a component of the network security policy
Encryption policy
HR policy
Authentication policy
Access control policy
Q151. Which of the following persons is not a member of the IT steering
committee?
Senior managers
User departments
The control group
The information system department
Q152. The auditor of an IS can exercise control over
Desired audit risk
Inherent risk
Control risk
Detection risk
Q153. Data in a PC is represented by
ASCII Code
EBCDIC Code

38
Gray Code
Excess - 3 Code
Q154. “One feature provided by the OS is to store all the data and program in
the auxiliary memory and bring only selective and needed portions into
the main memory for processing. This feature is termed as:”
Spooling
Multiplexing
Caching
Paging
Q155. “DBMS is a software package used to create, access and maintain a
database. The sub-language of a DBMS that defines a database is:”
Data Description Language
Data Manipulation Language
Data Control Language
Data Access Language
Q156. DSS addresses which of the following?
Structured problems
Semi-Structured problems
Un-Structured problems
Problems that focus on exceptional reporting
Q157. “With regard to a DSS, which of the following statements are TRUE: i) It
deals with semi-structured problems ii) It tackles problems dealing with
uncertainity iii) Permits ‘What-if” analysis “
i & ii
ii & iii
i & iii
i & ii & iii

39
Q158. “The device primarily used to extend the network that must have the
ability to act as a storage and forwarding device is a: “
Router
Bridge
Repeater
Gateway
Q159. “All the following are phases in the establishment of a Switched Virtual
Circuit EXCEPT “
Circuit termination
Data transfer
Circuit expansion
Circuit establishment
Q160. “A sequence of bits appended to a digital document that is used to
authenticate an e-mail sent through the Internet is called a: “
Digest signature
Encrypted message
Digital signature
Hash signature
Q161. Software that translates a program in 2GL to 1GL is:
Compiler
Interpreter
Assembler
Editor

40
Q162. “An organisation decides to migrate from conventional file system
to a DBMS. Which of the following will increase on account of such
migration? “
Programming errors
Data Entry Errors
Improper file access
Loss of parity
Q163. The advantage of a Ring topology is that
It is easy to install
It is easy to add or replace computers to the network
It minimizes network traffic congestion
It uses a number of high speed hubs and switches
Q164. “A major problem in networking is the slow rate of data transfer. Which
of the following would help counter this problem? “
Data formatting
Allocating adequate bandwidth
Centralized control
All of the above
Q165. Which of the following is NOT a function of the kernel of the OS?
To determine which processes are to be executed
To prepare the access matrix for accessing resources.
To allocate quantum of main memory for each and every user.
To overcome the problem ofdeadlock
Q166. Which of the following is not a job scheduling algorithm?
Round Robin
Demand Paging

41
Shortest Setup time
Jobs with a Red Tag
Q167. “An organization is considering installing a local area network (LAN) in a
site under construction. If system availability is the main concern, which
of the following topologies is MOST appropriate? “
Ring
Line
Star
Bus
Q168. “Which of the following devices connects two or more dissimilar
computer systems by interpreting and translating the different protocols
that are used? “
Router
Repeater
Gateway
Firewall
Q169. “A firewall access control list may filter access based on each of the
following parameters EXCEPT: “
Port
Service type
Network interface card (NIC)
Internet protocol (IP) address
Q170. “Electromagnetic emissions from a terminal represent an exposure
because they: “
Affect noise pollution.
disrupt processor functions.
Produce dangerous levels ofelectric current.
Can be detected and displayed

42
Q171. “Which of the following would an IS auditor consider a MAJOR risk of
using single sign-on in a networked environment?”
It enables access to multiple applications
It represents a single point of failure
It causes an administrative bottleneck
It leads to a lockout of valid users
Q172. Which of the following activities is NOT within the scope ofa DBA?
Defining the conceptual schema
Performing the task of database tuning
Determining the storage capacity for applications
Granting and revoking rights of users
Q173. In a TCP/IP based network, an IP address specifies a:
Network connection.
Router/gateway.
Computer in the network.
Device on the network such as a gateway/router, host, server etc
Q174. “Which of the following is most often used for collecting statistical
and configuration information about network devices such as
computers,hubs, switches, routers, etc.? “
Simple Network Management Protocol
Online reports
Downtime reports
Help desk reports
Q175. “Which of the following provides the GREATEST assurance in achieving
message integrity and non-repudiation ? “
“The recipient uses the sende Section 1s public key, verified witha
certificate authority, to decrypt the message digest “
The recipient uses his private key to decrypt the secret key

43
“The encrypted message digest and the message are encryptedusing
a secret key “
“The encrypted message digest is derived mathematically fromthe
message to be sent “
Q176. Networks are growing day-by-day. Which one of the following
component of such growth is most difficult to predict?
Modifications to physical and facilities
Network utilization by the existing users
Increased business activity and revenue
Extension of the network to new users
Q177. A normally expected outcome ofa business process re-engineering is
that:
Information technologies will remain unaltered.
It improves the product, service and profitability.
Information from clients and customers will not be required.
Business priorities will not be modified.
Q178. The IS activity that is IRRELEVANT to information processing is:
Systems Programming
Librarian functions
Computer Operations
System analysis.
Q179. Which sampling plan will be used to find evidence of at least one
improper transaction in the population?
Discovery sampling
Acceptance sampling
Dollar unit sampling
Attribute sampling

44
Q180. Audit risk is a negative representation of an audit
Process
Analysis
Objective
Software
Q181. Network performance monitoring tools will MOST affect which of the
following?
accuracy
completeness
secrecy
availability
Q182. An IS auditor performing a telecommunication access control review
would focus the MOST attention on the:
whether access logs are maintained of use of various system
resources
whether data stored on servers are adequately protected bymeans of
encryption or any other means
accountability system and the ability to properly identify any terminal
accessing system resources
whether users are authorised and authenticated prior to granting
access to system resources
Q183. In System Development Life Cycle (SDLC) the functional specification
are translated into the logical and physical design during
stage
Functional specification
Program specification
Detailed design specification
Business requirement specification

45
Q184. The auditor during the course of audit takes into consideration the
materiality of the transaction. Which of the following would not be
considered by the auditor to assess the materiality in case of non-
financial transaction
Cost of system or operations
Cost of errors
Activities supported by system or operations
Cost of providing physical access controls to the system
Q185. The difference between SCARF and Continuous and Intermittence
Simulation (CIS) is :
CIS can not collect data for performance monitoring purposes
CIS requires modification of the database management system
used by the application
Only targeted transactions can be examined using CIS.
CIS is can not write exceptions identified to a log file
Q186. The first step the IS Internal Audit manager should take, when preparing
the Annual audit plan is to:
Meet the audit committee members to discuss the IS audit plan
Ensure that the audit staff is competent in the areas to auditedand
wherever required to provide for appropriate training.
Priorities the audit area by performing risk analysis.
Begin with previous year‘s IS audit plan and carry over any ISaudit
that had not been accomplishe
Q187. Due to an important work, the senior computer operator has gone on a
leave for ten days. In his place, the security officer has been asked to
officiate. In this scenario, as an IS auditor which of the following would
be the most appropriate.
Inform the top managementof the complexities and risks in doingso.
Develop a small program that will give a picture of what is happening
during the absence of the operator

46
Examine the accounting data recorded in the system for any
irregularities
Appoint a qualified computer operator on a temporary basis.
Q188. Internal controls are not designed to provide reasonable assurance that:
Irregularities will be eliminated
logical access is permitted only in accordance with authorization
Segregation of duties is maintained
IS operations are performed in accordance with appropriate
authorizations
Q189. System Auditor primarily uses, the information provided by a detailed,
understanding of the Information system controls and risk assessment
,to determine the nature, timing, and extent of the:
Substantive tests
Attribute sample tests
Variable sample tests
Compliance tests
Q190. The class of control used to overcome problems before they acquire
gigantic proportions is :
Preventive
Detective
Corrective
Suggestive
Q191. A general guideline ofa security policy does not
Identify and determine what is to be protected
Identify acceptable activities
Update the policy
Keep the policy a secret

47
Q192. To conduct a System audit the IS auditor should:
Be technically at par with clients technical staff
Be able to understand the system that is being audited
Possess knowledge in the area of current technical words.
Only possess a knowledge ofauditing
Q193. Which of the following activities is undertaken during data preparation:
errors identified during the input validation phase are corrected
captured data are converted into machine readable form
economic events that are relevant to the ongoing operations of
an organisation are identified and recorded
data are recorded on source documents so it can be keyed tosome
type of magnetic medium
Q194. Which ofthe following applet intrusion issues poses the GREATESTrisk
of disruption to an organisation?
applets damaging machines on the network by opening
connections from the client machine
a program that deposits a virus on a client
applets recording keystrokes made by the client and, therefore
passwords
downloaded codes reading files on the client’s hard disk
Q195. Which of the following is true with regard to a computerised
environment?
Separation of duties is not possible
A clear line of authority and responsibility exists
Highly skilled persons are not required to develop, modify and
operate the system
Audit trails are not available by default on all software

48
Q196. The class of control used to monitor inputs and operation is :
Preventive
Detective
Corrective
Suggestive
Q197. Which of the following steps provide the highest assurance in achieving
confidentiality, message integrity and non-repudiation by either sender
or recipient?
the recipient uses his/her private key to decrypt the secret key.
the recipient uses the senders public key, verified with a
certificate authority, to decrypt the pre-hash code
the encrypted pre-hash code and the message are encrypted using a
secret key
the encrypted pre-hash code is derived mathematically from the
message to be sent
Q198. Several risk are inherent in the evaluation of evidence that has been
obtained through the use of statistical sampling .A beta or type II error
related to sampling risk is the failure to :
Properly define the population
Draw a random sample from the population.
Reject the statistical hypothesis that value is not misstated when the
true value is materially misstated.
Accept the statistical hypothesis that value is not materially misstated
when the true value is not materially misstate
Q199. The following statement about controls over computer operators is true:
segregation ofoperator duties is not a very effective control
If operators are given access to the system documentation, theymay
help in tracing the cause of a potential error

49
a malicious operator can undermine a disaster recovery operation
by corrupting backup files progressively over time
operators do notneed to rely on documentation during a disaster
recovery operation
Q200. Corporate guidelines to download anti-virus software from the official
site help to
Detect virus
Prevent virus
Correct virus
Contain virus
Q201. The installation of a database management system (DBMS) does not
have any direct impact on :
Data redundancy within files
Sharing of common data
The internal control of data accuracy and access and
inconsistencies within common data fields
The logic needed to solve a problem in an application program
Q202. The risk that the conclusion based on a sample might be different from
the conclusion based on examination of the entire population is called
Confidence risk
Sampling risk
Statistical sampling
Tolerable rate and the expected deviation rate.
Q203. The LAN policy is framed by
The IT steering committee
The Top management
A business analyst
A project manager

50
Q204. Which of the following represents a typical prototype of an interactive
application?
Screens and process programs
Screens, interactive edits, and sample reports
Interactive edits, process programs and sample reports
Screens, interactive edits, process programs and sample reports
Q205. A function NOT possible ofbeing accomplished using CAATs is :
Calculating the age-wise outstandings of Receivables and
Payables.
Checking and reconciling ofpostings done in the General Ledger.
Calculation of Foot Totals
Selection of testing sample data
Q206. A sampling technique used to estimate the average or total value of a
population based on a sample is termed as :
Variable Sampling
Discrete Sampling
Attribute Sampling
Q207. In selecting the applications to be audited, which criteria is LEAST likely
to be used:
Technological complexity
Inherent Risk
Sensitivity of transactions
Legal requirements
Q208. Which one of the following is ideally suited for multimedia applications?
Integrated services digital network (ISDN) and broadband ISDN
Broadband ISDN, fiber optics, and ATM

51
Narrowband ISDN, central office switches, Voice Mail system
ISDN LAN Bridges, fiber optics, and asynchronous transfer mode
(ATM)
Q209. During an audit of the tape management system at a data center, an
IS auditor discovered that some parameters are set to bypass or ignore
the labels written on tape header records. However, the IS auditor did
not e that there were effective staging and jo
tape header should be manually logged and checked by theoperators
staging and jo set-up procedures are not appropriate
compensating controls
staging and job set-up procedures compensate for the tape label
control weakness
tape management system is putting processing at risk and thatthe
parameters must be set correctly.
Q210. For electronic-Commerce deals through web-based transactions
involving acceptance of payment through credit cards, installation
of firewall with strict parameters is required, having impact on the
transaction itself. State the parameter having the LEAST i
Encryption of all transactions
Authentication of all transaction in time
Architecture of the firewall hiding the internal network
Exchange of traffic through the firewall at the application layer
only
Q211. In which phase Rapid prototyping is used in Waterfall life cycle
development model?
Requirements
Design
Coding
Testing

52
Q212. The following estimates the probability of a computer system being
destroyed in a natural disaster and the corresponding overall business
loss. Which system has the greatest exposure to loss?
System A - Likelihood 10%, Losses in ($) 6 million
System B - Likelihood 15%, Losses in ($) 5 million
System C - Likelihood 20%, Losses in ($) 2.5 million
System D - Likelihood 25%, Losses in ($) 4 million
Q213. When implementing local area networks, the major implementation
choices involve decisions about all of the following except:
Repeaters
File servers
Routers
Terminal controllers
Q214. Which of the following functions SHOULD NOT BE combined with
Control Group.
Systems Analyst
DBA
Security Administration
QA
Q215. Which of the following are considered while determining the sensitivity
of information-
Availability and integrity
Integrity and Confidentiality
Availability and Confidentiality
Availability, Integrity and Confidentiality

53
Q216. A control is NOT designed and implemented to:
reduce the enormity of the loss when a threat materializes
reduce the probability of the threat materializing
reduce the expected loss from a threat
control the normality of the distribution curve of the loss from thethreat
Q217. An example for a concurrent audit tool whose complexity is low is :
SCARF/EAM
ITF
Snapshot
Audit hooks
Q218. The initial validation control for a credit card transaction capture
application would MOST like be to:
check that the transaction is not invalid for that card type
ensure that the transaction amount entered is within the
cardholders credit limit
verify the format of the number entered and then locate it on the
database
confirm that the card is not listed as hot
Q219. Which of the following utilities can be used to directly examine the ability
of the program to maintain data integrity?
Data dictionary
Macro
Output analyser
Code optimiser

54
Q220. Due diligence ofthird party service providers need not cover
Evaluation of testimonials
Evaluation of infrastructure
Evaluation of experience
Evaluation of ownership
Q221. tests individual programs.
Unit testing
System testing
Acceptance testing
Parallel testing
Q222. “Which of the computer assisted audit techniques and tools help the
auditor to identify the impact of delays and rescheduling audit plans”
Planning and scheduling
Project management and audit tracking
Inventory of the audit universe
Risk analysis
Q223. Which of the following is NOT TRUE with regard to network reliability
enhancement:
Redundant switching equipment
Parallel physical circuits
Licensed software
Standby power supplies
Q224. A LAN administrator is forbidden from:
Having programming responsibilities.
Reporting to the end use manager.

55
Being responsible for LAN security administration.
Having end user responsibilities.
Q225. Custom Software Agreement should include a pre-acceptance
performance standard to measure the software’
Unit Testing
Regression Testing
Load Testing
Acceptance testing
Q226. A procedure to have an overall environmental review which is NOT
performed by an IS auditor during pre audit planning is
Understanding of business risks by interviewing management’skey
personnel.
Determining adherence ofregulatory requirements by conducting
compliance tests.
Reviewing audit reports of the previous years.
Touring key activities of the organisation.
Q227. Which of the following would be an appropriate compensating control
when an IS auditor notices that after normal office hours, changes are
made with a shorter number of steps than complying with the normal
set standard procedures.
Using the of regular account of the user with access to make
changes to the database.
Using the DBA’s account to make changes, logging of changes,and
the following day reviewing the before and after image.
Using the normal user account to make changes, logging of change,
and the following day reviewing the before and after image.
Using the account of the DBA and make the changes.

56
Q228. An acceptable situation when IS product selection and purchase are
done internally is when:
A thorough cost benefit analysis is done by the managers before
ensuring what is to be purchased.
The purchases are done in line with the company’s long andshort
term technology plans.
The exchange data is done on casual basis in the local offices
which are independent.
The company uses a similar database management system
throughout.
Q229. While conducting an audit, the auditor should
Insist that a security policy exists
Not insist for a security policy
Insist that a security policy exists, and accept the existing policy
Insist that a security policy exists. However he may not acceptthe
existing policy
Q230. Which of the following would NOT be a reason for IS Audit involvement
in information systems contractual negotiations?
Often hardware does notinterface in an acceptable manner
Many information systems projects incur additional costs over the
contract cost
Vendors may go out of business and discontinue service supporton
their products
Only the IS Auditor can determine whether the controls in the
system are adequate
Q231. Compliance auditing is used to do?
Complete audit under accepted auditing standards
Eliminate the need for substantive auditing

57
Verify specifi balance-sheet and Profit and loss account values
Determine the degree to which substantive auditing may be limite
Q232. Each of the following is a general control concern EXCEPT:
Security policy
Environmental control within the IS department.
Daily control totals.
Physicals and logical access controls.
Q233. To measure variability the most useful sampling technique is the:
Median
Range
Standard deviation
Mean
Q234. To examine the existence of the entities described by the data , which
of the functional capabilities in the generilise audit software would be
used:
File assess capabilities
Analytical review capability
Stratification and frequency analysis capability
Statistical sampling capabilities
Q235. Which of the following is a responsibility of computer operations
department?
analysing system degradation
analysing user specifications
reviewing software quality
troubleshooting electrical connections failure

58
Q236. Which of the following need not be emphasised while choosing
technology insurance policy?
Evaluation of the company
Reading the terms and conditions of the policy carefully
Not making any assumptions and obtaining clarifications where
required
Focussing on purchasing a general insurance policy
Q237. A detailed policy on firewalls should not
Include log reports
Include guidelines for assessment of logs
Ensue that it is physically secured
Ensure that it is logically secured
Q238. The feasibility study is conducted after phase
Business requirement
Need/ user request
Design specification
Program specification
Q239. Which of the following is not a component of audit risk?
Inherent risk
Control risk
Detection risk
Restrictive risk
Q240. The HR policy ofa company should state that
Employees should take leave
If the employee has not taken leave, he should be given an
incentive

59
Employees should be forced to go on leave for a few days
Employees should take leave only when they have some important
personal work
Q241. The primary advantage of a derived Personal Identification Number
(PIN) is that :
it is easy to remember
new account numbers must be issued to customers if their PINsare
lost or compromised
it does nothave to be stored. Hence preserving privacy is easier
changing the cryptographic key has no implications for existingPINs
Q242. In which phase of a system development life cycle would you perform
Mutation analysis?
Requirements
Design
Implementation
Maintenance
Q243. Accuracy of data is important most likely to a
Decision Support System (DSS)
Strategic Planning System
Expert system
Management control system
Q244. The complete information about all data in a database is found in :
Database schema
Data dictionary
Data encryptor
Decision table

60
Q245. The auditor should ensure that the policy has been formulated and
communicated by
Asks employees for related documents that they have in hand
Identifies areas where relevant information has not been
communicated
Assesses the commitment of the management
Identifies its misuse
Q246. To ensure the operating system integrity the web server configuration
should be monitored. Which of the following is not necessary to achieve
this objective?
Baseline for the configuration
Periodical review of the web configuration and where needed a
secondary review of the same
Internal web sites are inside the company
All internal communication must be digitally signed
Q247. Which of the following does NOT need to be considered in determining
statistical sample sizes?
Desired precision
Size of the population
Nature of the population
Standard deviation of the population
Q248. Which of the following statement is FALSE for Equipment mean-time-
between-failure (MTBF)?
It is the average length of time the hardware is functional
Low MTBF values imply good reliability
It is the total functioning life of an item divided by the totalnumber of
failures during the measurement interval
High MTBF values imply good reliability

61
Q249. User controls are designed to ensure that data collected and entered
into the system is
Authorised
Accurate
Complete
All of the above
Q250. Which of the following techniques ensure an e-mail messages,
authenticity, confidentiality, integrity and non-repudiation?
encrypt the message with the senders public key, and sign the
message with the receivers private key
encrypt the message with the senders private key and sign the
message with the receivers public key
encrypt the message with the receivers public key and sign the
message with the senders private key
encrypt the message with the receivers private key and sign the
message with the senders public key
Q251. Echo Check belongs to hardware controls, which usually are those built
into the equipment. Echo Check is best described as:
a component that signals the control unit that an operation hasbeen
performed
two units that provide read-after-write and dual-read capabilities
double wiring of the CPU and peripheral equipment to prevent
malfunctioning
validations logic to fields and records based o their
interrelationships with controls established for the batch.
Q252. Incompatible functions may be performed by the same individual either
in the Information System department or in the User department. One
compensating control for this situation is the use of:
A log
Check digit

62
Batch control totals
Range check
Q253. Intentional Standards Organisation (ISO) has defined risk as “the
potential that a given threat will exploit vulnerability of an asset or group
of assets to cause loss or damage to the assets”. This means , risk has
all of the following elements EXCEPT:
Vulnerabilities of assets
Probabilities of occurrence of threats
Exposure based on threats and vulnerabilities
Controls to contain the threat.
Q254. An auditor performing a statistical sampling ofthe financial transactions
in a financial MIS would BEST use :
Generalised Audit Software
Regression Testing
Spreadsheets
Paralled simulation
Q255. You as an IS Auditor observed that technical support personnel have
unlimited access to all data and program files in the computer. Such
access authority is:
appropriate, but all access should be logged
appropriate, because technical support personnel need to access
all data and program files
inappropriate, since access should be limited to a need-to-know basis,
regardless of position
inappropriate, because technical support personnel are capable of
running the system

63
Q256. An Information System Auditor observed that technical support
personnel have unlimited access to all data and program files in the
computer. Such access authority is:
appropriate, but all access should be logged
appropriate, because technical support personnel need to access
all data and program files
inappropriate, since access should be limited to a need-to-know basis,
regardless of position
inappropriate, because technical support personnel are capableof
running the system
Q257. In a data processing environment, which one of the following is not
Compliance review?
Security policies are available
Performing analysis of system storage media
Review of system logs
Review of System errors
Q258. In order to prevent the loss ofdata during the processing cycle, the First
point at which control totals should be implemented?
in transit to the computer
during the return of the data to the user department
during the data preparation
between related computer runs
Q259. In the System Development life Cycle (SDLC) the user should be
involved in (1) design (2) development (3) implementation of new
system and changes to the existing system. Which of the following is
true?
A. 1, 2
B. 2, 3

64
C. 1, 3
D. 1, 2, 3
Q260. If fraud or errors are suspected in the population , the auditor would
use:
Attribute sampling
Discover sampling
Dollar – unit sampling
Ratio and difference estimation.
Q261. The functions of operations managementrelating to the microcomputers
in organisations where microcomputers are used extensively should be:
formulated by the person who develops the application systemfor
the microcomputers
performed by the operations manager responsible for the
mainframe computer
determined by and the individuals who use the microcomputers
formulated by the operations manager and promulgated as a
standard through-out the organisation
Q262. The primary objective in testing the integrity of information is to ensure
that:
Confidential information is protected
Data are complete, accurate and valid
Information for making decisions
Data are used for achieving business objectives.
Q263. Which of the following is a common security practice in a LAN.
Matching user ID and name with password
Principle of highest privilege should be implemented to perform
the file backup function

65
Limiting access to local drives and directories
Controlling file-transfer rights
Q264. The auditor during the course of his audit of IT steering committee
interviews the members of the committee. This process helps the
auditor to ascertain
Members ofthe committee are the persons who have more number of
years of experience in the company
Members are appointed by the IS project sponsor
Committee is in charge of allocation of resources and prioritisingthe
projects
The organisation culture is in no way influencing the committee
and its management practices
Q265. To obtain competent evidential matter aboutcontrol risk, an Information
Systems Auditor uses a variety of techniques, including:
Re performance
Statistical Analysis
Code Comparisons
Expert system
Q266. In the LAN environment, _____________officer is responsible for
prevention and detection of virus
Web administrator
Security officer
A project manager

66
Q267. When the Auditor uses generalised audit software to access a data
maintained by a database management system, which file structure is
most likely to be difficult to assess:
A tree structure
A sequential file structure
A random structured
A index sequential
Q268. Which is the primary reason for replacing cheques with Electronic Funds
Transfer (EFT) systems in the accounts payable area?
to ensure compliance with international EFT standard
to decrease the number of paper-based forms
to increase the efficiency of the payment process
to eliminate the risk that unauthorised changes may be made tothe
payment transactions
Q269. Which of the following statement is true about a mandatory access
control policy?
it is not possible for users to change their classification level,
though they can change their clearance levels
it must be enforced by a more complex access control
mechanism compared with a discretionary access control policy
it is less likely to be used in a business systems environmentthan
a discretionary access control policy
an audit trail is not required with a mandatory access controlpolicy
Q270. An Integrated Test Facility (ITF) is BEST described as:
Tagging and extending master records.
Programming options permitting printout of specific transactions.
Technique enabling to enter test data into a live computer for
processing verification.
Utilisation details of hardware and software for reviewing
functioning of the system.

67
Q271. An IS auditor came across an instance of a security administrator
working occasionally as a senior computer operator. The BEST followup
action to be taken by the IS auditor is to :
Continue to work along with the Security Officer on such
occasions as a precautionary preventive control.
Inform and advise the Senior Management of the high risksinvolved in
it.
Develop CAATs in detecting such instances.
Review system logs on such occasions to identify irregularities
encountered if any.
Q272. Insecure information, which could threaten the existence of an
organisation is classified under:
Low sensitivity
Average sensitivity
Medium sensitivity
High sensitivity
Q273. Which one of the following poses a major threat in using remote
workstations?
Standard software packages
Response time
Data transfer speed
Security
Q274. The main objective ofseparation of duties is to ensure that:
The workload in the organisation is shared
Controls exist over efficient usage of hardware
a single person do not have the complete control over a
transaction from start to finish
none of the above

68
Q275. The objective ofcompliance testing is to find :
Whether statutory regulations are complied with
Whether assets are properly valued.
Whether appropriate controls have been incorporated.
The time and cost parameters for software projects are within
schedule and comply with the estimated ones.
Q276. The snapshot technique involves:
Selecting transaction that must pass through input program
Capturing the working of an application at a point in time.
Taking the afterimages ofall data items changed for accuracy and
completeness.
Taking picture of transaction as it flows through a system
Q277. A network security policy need not include
A security matrix table
Penetration testing
Risk analysis
Network assets
Q278. An insurance company is planning to implement new standard software
in all its local offices. The new software has a fast response time, is
very user friendly, and was developed with extensive user involvement.
The new software captures, consolidates, edi
Increased workloads
Lengthy retraining
More accountability
Less computer equipment

69
Q279 The best method to detect and correct errors is before the data are
entered into an application system. But this is not always possible. In
that case the best alternative approach for ensuring data integrity?
Test data generator
Having monitoring modules
Use of generalised audit software
Expert systems
Q280. Which of the following is:
The auditor should take into consideration the subsequentevents
The auditor should issue the report to all interested parties
The report need nottouch upon standards and the internal controlofthe
organisation
The auditor should state in his report that all his
recommendations should be implemented
Q281. In an IPF (Information processing facility) is typically a large computer
centre, which of the following has the primary consideration for selecting
of a site.
minimise the distance that data control personnel must travel to
deliver data and reports
provide security
be easily accessible by a majority of company personnel
be in the top floor
Q282. In determining the sample size for a test of control using attribute
sampling, a System Auditor would be least concern with the
Expected rate of occurrence
Precision limit
Result of substantive audit procedure
Assessing control risk too high

70
Q283. The basic purpose of an IS audit is :
To identify control objectives
To suggest the best possible hardware for the company
To help the top management in assessing the capabilities ofpersonnel.
To ensure that no statutory regulations are violated using
networks.
Q284. The IT auditor considers the controls that are present for the evaluation
of the internal controls. Which of the following controls cuts across the
hierarchical line and follow the data as it flows in the organisation?
Corrective controls
Management controls
Application controls
Detective controls
Q285. There are various techniques for telecommunication controls.
Confidentiality of data is BEST maintained by
parallel simulation technique
data encryption technique
password encryption technique
maintaining a test deck
Q286. A decision table is used for testing the test data. The purpose of the
results stub in the decision table:
Exhibits the expected and actual results
Document the conditions that lead to a particular action.
Exhibits the rules for different conditional value
Indicates the action to be taken when a rules is saisfie

71
Q287. A good email policy should state that:
All mails sent and received should be monitored
All messages should be encrypted
Emails should be used only for official purpose
All personal mail should be labelled
Q288. The risk in auditing an information system is dependent on various other
risks. Which of the following results in decrease of the achieved audit
risk?
A decrease in desired audit risk
A decrease in detection risk
An increase in inherent risk
An increase in control risk
Q289. The weakness that the IS auditor would be LEASTconcerned with while
reviewing an access control review in an organisation is:
The application programmers have the access rights to the livedata
environment.
There is no provision for enabling the audit trails in the package.
Initiating transactions and changing the related parameters couldbe
done by a single user.
Group login access is being used for accessing critical functions.
Q290. The work schedule of a clerk in a Control Group is of
Authorising all the transactions.
Carrying out corrections in the master file.
Maintaining the error log.
Custody and control over the non IS assets.

72
Q291. To enforce the email policy, the management in order need not:
Educate employees
Educate third parties
Take prompt action in case of misuse or complaints
Prohibit subscription to e-newspapers and e-groups
Q292. To ensure proper separation ofduties, the function NOT to be performed
by the Scheduling and Operations personnel is :
Code Correction
Job submission
Resource management
Output distribution
Q293. When an organisation outsources its activities, it also provides data to
the service provider. In such cases, the ownership of data ‘
Is transferred to the service provider
Is with the client/organisation that outsources services
Is shared by both parties
Is not transferred
Q294. When the company acquires custom made software it enters into a
custom software agreement with the vendor. What should company not
consider before entering into such agreement?
Present and future demands of the company
Contingency plan of the vendor
Frequency at which the vendor updates the software
Number of users of the software

73
Q295. Which among the following statements about information systems
personnel is NOT true?
IS personnel have always lacked ethics
There has been a dearth of IS personnel from the initial days
Generally, the tasks performed by IS personnel are more complex than
those in manual systems
IS personnel do not enjoy the as much power and clout in
organizations as manual systems personnel do like the HR
personnel
Q296. Which of the below is a TRUE statement concerning Test Data
Techniques.
Requires the usage of a Test Data Generator.
Tests only pre-conceived situations
Requires the minimum computer usage and manual personnel.
High Level of IS expertise is essential.
Q297. Which of the comments about Business Process Re-engineering (BPR)
is NOT false?
A. Lesser accountability and Weaker Organisational structures are
the outcome of a BPR.
B. Information protection has a high risk and always deviates from
with BPR.
C. Decrease in complexity and volatility in IT leads to considerable
decrease in costs.
D. Increased number of people using the technology causes a
serious concern for BPR projects.
Q298. Which of the following areas would an IS auditor NOT do while
conducting a review of an organisation’s IS Strategies.
A. Interviewing concerned Corporate Management personnel.
B. Consideration of external environment likely to benefit / affect the
organisation.

74
C. Assessing the required Security procedures for the IS
environment.
D. Review of Short and Long term IS strategies.
Q299. Which of the following functions, if combined, would provide the
GREATEST risk to an organisation.
A. Systems analyst and Database administrator.
B. Quality assurance and computer operator.
C. Computer Operator and Tape Librarian.
D. Application Programmer and Data entry clerk
Q300. Which of the following is not true (with regard passwords)?
A. It should be communicated to the top management
B. It should not be written anywhere
C. It should not be written in plain text
D. Users should not be allowed to use the previous password
Q301. Which of the following statements about controls is FALSE?
A. A threat materializing can be prevented by implementing more
than one control
B. Controls are focussed primarily at unlawful events or threats
C. Controls can be implemented to prevent all unlawful events
D. Controls are subsystems in an IS consisting of interacting
components
Q302. An IS auditor came across instances where the users failed to review
the invoices prior to submitting them for processing since discounts
from vendors could be availed only within three business days of the
invoicing. Which of the following should the IS
A. Confirm that copies of invoices are compared with edit reports
with detail of invoice value and discount prior to releasing the
payment.

75
B. Confirm that copies of invoices are compared with edit reports
with detail of invoice value and discount.
C. Confirm copies of invoices are reviewed on submission to
Accounts payable department.
D. Confirm that invoices are reviewed by accounts payable
department.
Q303. An organisation’s strategic plan would normally comprise of the
organisation’s goal of:
A. Implementation a new project planning system during the
forthcoming year.
B. Testing of control in the new accounting package to be
implemented.
C. Growing to become the unanimous supplier of choice among the
buyers in a given period of time for the product / service to be
offered by the organisation.
D. Performing an evaluation of information technology needs of the
organisation.
Q304. As compared with other Information Systems, Executive Information
Systems does NOT have the characteristic of
A. Ease to use compared with other systems
B. User friendly features built in.
C. Focusing on broad problems to a specific view.
D. Including other features of word processing, spreadsheets and
e-mails.
Q305. Can an IS auditor of a company outsourcing its operations insist to
review the vendor’s Business Continuity plan document?
A. No, since the BCP is a personal document of the vendor.
B. Yes, because it helps the IS auditor to evaluate the vendor’s
financial stability and capacity to abide to the contract.

76
C. Yes, since the vendor’s plan could be adequately evaluated for
preparing a complementary plan for the outsourcing company.
D. No, since this backup provision is adequately provided for in the
agreement.
Q306. Control ofemployeeactivities ina computerized environmentis, vis-à-vis
manual systems,
A. more difficult as the IS personnel resent being supervised at
every step
B. more difficult because employees access the system remotely
and perform duties electronically
C. less difficult because audit trails can be looked upon for tracing
out unauthorized activities
D. less difficult because monitoring the employee activities
electronically is feasible
Q307. Due Professional Care” requires an IS auditor to possess which of the
following quality
A. Good amount of programming skills in the required software.
B. Arriving at an correct conclusion based on the facts and figures
available.
C. Evaluating methodology ofthe audit test results.
D. Skills and judgement that are commonly possessed by IS
practitioners of that speciality.
Q308. During the audit of automated Information systems, responsibility and
reporting lines CANNOT be established since :
A. In sharing of resources, ownership is difficult to be established.
B. In the rapid development of technology, the duties change very
frequently.
C. The staff change the jobs with high frequency.
D. Ownership is irrelevant on account of diversified control.

77
Q309. Employees are compulsorily asked to proceed on a week long vacation
in many organisations to
A. Remove possible disruption caused when going on leave for a
day at a time.
B. Cross train with another employee ofanother department.
C. Diminish chances of committing improper / illegal acts by the
employee.
D. Ensure a standard quality of life is lead by the employee which
could enhance productivity.
Q310. Evaluation ofwhich ofthe following functional areas CANNOT be carried
out by risk assessment techniques.
A. Time and cost involved and resources utilised in conducting an
audit.
B. Audit programs and audit procedures.
C. Recommendations and conclusions based on the findings from
the audit.
D. Functional business areas under audit.
Q311. Information that must be provided in the register is part of the
guideline ofthe server security policy
A. Ownership and responsibility
B. Monitoring
C. General configuration
D. Compliance
Q312. For a company carrying on the business of leasing of computers, the
GREATEST threat would be:
A. The issues concerning licensing ofsoftware running on the leased
out machines.
B. The accounting control of peripherals being shared.

78
C. The leased out machines becoming obsolete prior to termination
of the lease contract.
D. The re-assignment of the hardware quite frequently.
Q313. For an effective implementation of a continuous monitoring system,
which of the following is identified as the FIRST and FOREMOST step
by an IS auditor.
A. The input and output process ofdata entry and reports
generated.
B. The higher the Return on Investment by the application.
C. The Organisation’s critical and high risk business areas
D. Availability ofadequate manpowerfor the effective implementation
of the system.
Q314. For consideration of outsourcing of computer operations which is the
factor that would LEAST indicate the same.
A. There is a delay ofmore than 36 months in application
development.
B. System maintenance constitutes about 65% of the programming
costs.
C. Concurrent / parallel existence of Duplicate Information system
functions.
D. Development time ofa high priority system is more than 12
months.
Q315. For eliminating data loss in processing, control totals are to be
INITIALLY introduced:
A. During the return of data to the user department.
B. In transit to the computer.
C. During data preparation.
D. Between related computer runs.

79
Q316. Generalised Audit Software (GAS) are NOT used for:
A. Selecting unusual data as per the auditor’s choice.
B. Performing intricate and complex calculations
C. Preparation of multiple reports and output files.
D. Calculation verifications.
Q317. Implementation and maintenance of new and existing systems with the
aid of programmers and analysts is the responsibility of the:
A. Database administrator.
B. Systems development manager.
C. Operations Manager.
D. Quality assurance manager.
Q318. Improper segregation of duties amongst programmers and computer
operators may lead to the threat of :
A. Unauthorised program changes.
B. Loss of data while executing a program.
C. Oversight omissions ofdat
D. Inadequate volume testing.
Q319. In a network security policy, a statement on methods ofdata
communication will be listed under
A. Identification and authentication
B. Accountability and audit
C. Data exchange
D. Access control
Q320. In an audit of the outsourcing process, the IS auditor would LAST
perform the task of:
A. Control Risk assessment.
B. Contract reviews with the legal counsel.

80
C. Assumptions and analysis of costs and benefits.
D. Assessing the organisation’s business needs.
Q321. In determining good preventive and detective security measures
practised by an employee, the IS auditor places the HIGHEST reliance
on :
A. Compliance Testing
B. Risk Assessment
C. Observation
D. Detailed Testing
Q322. In evaluating and reviewing the effectiveness of the management’s
communication of IS policies to concerned personnel, the IS auditor
would be LEAST interested in reviewing / conducting
A. Systems and procedure manuals of the user department.
B. Interviews with the IS personnel and the end users.
C. Working Notes of the IS audit staff of the minutes of the IS
Steering committee meetings.
D. Information processing facilities operations and procedures
manuals.
Q323. In evaluation of an organisation’s IS strategy, which of the following
would an IS auditor consider to be the MOST important criteri
A. Adequately supporting the business objectives ofthe organisation.
B. Consistent with the IS department’s preliminary budget
C. Procurement procedures are complied with.
D. Improvement done by the line management.
Q324. In the absence of full segregation of duties in an on-line system, the
distinct activity not to be combined with the other IS activities is:
A. Authorising
B. Originating

81
C. Correcting
D. Recording
Q325. In resolving legal complications, e-mail systems act as an important
medium of evidence since:
A. Classification of data is frequently used to control the information
to be communicated through e-mails.
B. The evidences are clear since there are defined policies for using
e-mail within the enterprise.
C. Excessive cycles of backup files remain due to availability of poor
housekeeping.
D. Accountability of the activities on the e-mail system is well
established due to strong access controls.
Q326. In segregation of duties, the organisation will exposed to a very HIGH
risk if the duties of
A. Computer Operator and Quality Assurance are combined.
B. The work of a Data entry clerk is also done by a Tape Librarian.
C. A tape librarian are carried out by an application programmer.
D. Systems analyst and database administrator are done by the
same person.
Q327. In the case of Business Process re-engineering which of the following
is NOT true ?
A. Development of a project plan and defining the key areas to be
reviewed is a key factor for the success of a BPR.
B. Implementation and monitoring of the new process is the
management’s responsibility.
C. The Success of a BPR is reached when the business and the risk
suits the re-engineering process.
D. The IS auditor is not concerned with the key controls that once
existed but with the one which exists in the new business
process.

82
Q328. ISO stands for -
A. International Statement of Organisation
B. International Organisation for Standardisation
C. International Standards Organisation
D. International Organisation for Stability
Q329. Intrusion can BEST be detected by:
A. Monitoring of all unsuccessful logon attempts by the security
administrator.
B. If on reaching the specified number of unsuccessful logon
attempts, the system is automatically logged off.
C. Authorised procedures are followed for user creation and user
privileges.
D. Automatic logoff if workstation is inactive for a specific period of
time.
Q330. IS activities can be outsourced to a third party. To evaluate the
performance of the service provider the auditor should
A. Benchmark the services
B. Identify the risk associated with outsourced activity
C. Determine the duration of the contract with the service provider
D. Determine the frequency at which the payment will be made for
services
Q331. ISO 9000:2000 standards are based on eight quality management
principles. One of the principles follows the systems approach to
management, which has various advantages. Which of the following
comes within the purview of this approach?
A. Defining different activities and their working within the system
B. Segregation of duties
C. Continuous monitoring
D. All of the above

83
Q332. IT operational efficiency is measured in terms of:
A. Technological value added to the organisation.
B. Its impact on other business processes and business units.
C. Decreased costs and increased revenue.
D. All the above
Q333. Maintenance of adequate security measures over IS assets and
accountability for the same rests with the:
A. Database administrator
B. Data and System owners
C. Data entry operators
D. Data Librarian
Q334. Many organisations are outsourcing specific activities to Service
Providers (SPs). Which is the least probable reason for such a move?
A. High security
B. Low cost
C. Reduced operational risk
D. Better service
Q335. Reconciliation of transactions in an application system is generally
carried out by the:
A. Application programmers
B. Systems design personnel
C. Employee in Computer operations.
D. End users in the respective business units
Q336. Segregation of duties is the procedure of dividing the critical functions
among different individuals so that no two critical aspects of a function

84
are performed by the same individual. Which of the following is not a
benefit of segregation of duties:
A. It reduces the possibility offrauds and misconducts
B. It increases the opportunity for someone to perpetuate misdeeds
and conceal errors
C. It makes the individual accountable for any unauthorised access
D. It reduces the dependency on one individual
Q337. Segregation of duties is TRUE in which of the following cases ?
A. Improvement of an organistion’s efficiency and communication
can be achieved through a restrictive separation of duties.
B. Policies on segregation of duties in IS must highlight the
variations between the logical and physical access to assets.
C. While evaluating an organisation’s policy of segregation of duty,
the competancy of the employees are of no relevance.
D. An organisation chart provides a precise definition of the
segregation of duties among the employees.
Q338. Service level agreements ensure that effective and efficient computer
services are provided to users. Which of the following is correct with
respect to service level agreements:
A. They are limited to certain IT resources
B. They are static agreements
C. They are arrangements between users and computer operation
facilities
D. It is the responsibility ofuser department to provide a framework
for each service level agreement
Q339. Shareware software acquired by a company can be used
A. Only by the company
B. By its employees for their personal purpose also

Text-DISA_Review_Questions.docx

Text-DISA_Review_Questions.docx

Recommended

Recommended

More Related Content

Similar to Text-DISA_Review_Questions.docx

Similar to Text-DISA_Review_Questions.docx (20)

More from CAVEDPRAKASHPALIWAL

More from CAVEDPRAKASHPALIWAL (10)

Recently uploaded

Recently uploaded (20)

Text-DISA_Review_Questions.docx