Answers to Practice Exam Questions

Answers at a Glance to Practice Exam

1. B

2. A

3. C

4. D

5. C

6. D

7. B

8. D

9. D

10. A

11. A

12. D

13. B

14. B

15. D

16. C

17. D

18. D

19. A

20. C

21. B

22. C

23. A

24. D

25. D

26. C

27. C

28. B

29. C

30. B

31. C

32. A

33. C

34. A

35. C

36. A

37. B

38. B

39. D

40. D

41. A

42. C

43. A

44. B

45. A

46. B

47. C

48. B

49. D

50. C

51. C

52. C

53. D

54. A

55. C

56. A

57. B

58. C

59. A

60. D

61. A

62. D

63. C

64. A

65. A

66. D

67. D

68. B

69. D

70. B

71. A

72. B

73. C

74. B

75. B

76. B

77. D

78. B

79. A

80. C

81. C

82. A

83. B

84. D

85. A

86. D

87. C

88. D

89. B

90. A

91. C

92. B

93. A

94. B

95. D

96. C

97. B

98. C

99. B

100. B

101. B

102. C

103. B

104. A

105. A

106. B

107. C

108. A

109. A

110. C

111. C

112. A

113. B

114. B

115. C

116. C

117. B

118. C

119. D

120. C

121. A

122. A

123. B

124. D

125. B

126. C

127. D

128. A

129. C

130. B

131. B

132. D

133. A

134. D

135. C

Answers with Explanations

1. B. Variable sampling is best when dealing with population characteristics such as dollar amounts and weights. Variable sampling provides conclusions related to deviations from the norm. Answer A is incorrect because attribute sampling is generally applied to compliance testing. Answer C is incorrect because stop-and-go sampling is used to prevent excessive sampling and allows an audit to be stopped quickly. Answer D is incorrect because discovery sampling is used to seek out or discover fraud. For more information, see Chapter 1.

2. A. Attribute sampling is generally applied to compliance testing. Answer B is incorrect because variable sampling is best when dealing with population characteristics such as dollar amounts and weights. Answer C is incorrect because stop-and-go sampling is used to prevent excessive sampling and allows an audit to be stopped quickly. Answer D is incorrect because discovery sampling is used to seek out or discover fraud. For more information, see Chapter 1.

3. C. It is best if sensitive information is not removed from the owners’ property. Answer A is incorrect because legal counsel should be contacted concerning the confidentiality and laws concerning disclosure to authorities. Answer B is incorrect because all records and the safe retention of the records are the sole responsibility of the client. Answer D is incorrect because although backing up all your work is very important, it is not the primary guarantee of confidentiality. For more information, see Chapter 1.

4. D. Materiality is the auditing concept that examines the importance of an item of information in regard to the impact or effect on the entity being audited. Answer A is incorrect because it does not properly describe materiality. Materiality is not the evaluation for the need of an audit. Answer B is incorrect because it describes accountability. Answer C is incorrect because it describes independence. For more information, see Chapter 1.

5. C. Stop-and-go sampling prevents excessive sampling and allows an audit to be stopped quickly. Answer A is incorrect because attribute sampling is generally applied to compliance testing. Answer B is incorrect because variable sampling is best when dealing with population characteristics such as dollar amounts and weights. Answer D is incorrect because discovery sampling is used to seek out or discover fraud. For more information, see Chapter 1.

6. D. Answer D is correct because no professional relationship between the external auditor and client must exist, and the auditor must not be financially interested in the organization. Answers A, B, and C are incorrect because auditors cannot be independent if their interest involves any financial or personal outcomes to the client. Objectivity is required of an auditor. Giving design or control advice can result in a serious conflict. For more information, see Chapter 1.

7. B. Control self-assessment can be described as a process that ensures that stakeholders, employees, and others are part of the audit process. The primary objective of the control self-assessment process is to leverage the internal audit function by placing responsibility of control and monitoring on the functional areas. Answer A is incorrect because integrated auditing describes a technique used to apply audit disciplines to assess key controls over operations and processes. Answer C is incorrect because automated work papers are software packages designed to automate the auditor’s daily tasks. Answer D is incorrect because continuous auditing uses embedded audit controls to reduce the amount of time between items to be audited and the collection and reporting of evidence. For more information, see Chapter 1.

8. D. Discovery sampling can be used when the expected discovery rate is very low. Discovery sampling can also be used to uncover fraud. Answer A is incorrect because attribute sampling is generally applied to compliance testing. Answer B is incorrect because variable sampling is best when dealing with population characteristics such as dollar amounts and weights. Answer C is incorrect because stop-and-go sampling is used to prevent excessive sampling and allows an audit to be stopped quickly. For more information, see Chapter 1.

9. D. Procedures offer how-to information. Answers A, B, and C are incorrect because standards are mandatory, policies provide a high level of control, and guidelines provide guidance. For more information, see Chapter 1.

10. A. Control risk is the risk that a material error exists and will not be prevented or detected in a timely manner by the system of internal controls. Answer B is incorrect because audit risk is the overall risk that the auditor reaches a wrong conclusion; the auditor decides how much of it to accept. Answer C is incorrect because detection risk is the risk that the auditor's own tests fail to detect a material error that exists. Answer D is incorrect because inherent risk is the risk that a material error will occur in the absence of controls, that is, before the effect of any internal control is considered. For more information, see Chapter 1.

11. A. Computer-assisted audit techniques (CAATs) are specialized tests that can evaluate system configurations, analyze network traffic, count software licenses, and inspect password conformity, to name only a few uses. These tests are far more accurate and precise than the same work performed manually. Answers B, C, and D are incorrect because CAAT tools require specialized training to use, and they compile evidence in far more detail and far faster than manual methods. For more information, see Chapter 1.

12. D. Inherent risk is the risk that a material error will occur in the absence of controls, that is, before the effect of any internal control is considered. Answer A is incorrect because control risk is the risk that a material error will not be prevented or detected in a timely manner by the system of internal controls. Answer B is incorrect because audit risk is the overall risk that the auditor reaches a wrong conclusion; the auditor decides how much of it to accept. Answer C is incorrect because detection risk is the risk that the auditor's own tests fail to detect a material error that exists. For more information, see Chapter 1.

13. B. A hash total is produced by summing a selected numeric field (one whose sum has no business meaning, such as account numbers) across every transaction in a batch. The total is recomputed later and compared with the original; a mismatch indicates that a record has been lost, entered incorrectly, or otherwise corrupted. Answer A is incorrect because a total dollar amount verifies that the items add up to the correct batch total. Answer C is incorrect because an item total count verifies that the number of records matches. Answer D is incorrect because a data checksum is a value sent along with the contents of a packet. For more information, see Chapter 4.
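Worked example (added here; it is not part of the practice exam or the chapters it cites): the three batch control figures computed over a constructed three-record batch, then recomputed after a simulated keying error. The account numbers, amounts and the choice of the account field as the hash-total field are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from decimal import Decimal

# Constructed sample batch (hypothetical data; not taken from the page).
@dataclass(frozen=True)
class Transaction:
    txn_id: int
    account: int        # numeric field whose sum has no business meaning: the hash-total field
    amount: Decimal

BATCH = [
    Transaction(1001, 55012, Decimal("120.50")),
    Transaction(1002, 55087, Decimal("75.00")),
    Transaction(1003, 55110, Decimal("310.25")),
]

def batch_controls(txns):
    """Compute the three classic batch control figures for a list of transactions."""
    return {
        "record_count": len(txns),                                     # item total count
        "dollar_total": sum((t.amount for t in txns), Decimal("0")),   # total dollar amount
        "hash_total": sum(t.account for t in txns),                    # hash total over the account field
    }

def verify_batch(txns, header):
    """Recompute the controls and report, per figure, whether it still matches the batch header."""
    actual = batch_controls(txns)
    return {name: actual[name] == header[name] for name in header}

def transposed_batch(txns):
    """Simulate a keying error: two digits of one account number are transposed (55087 -> 55078)."""
    return [replace(t, account=55078) if t.account == 55087 else t for t in txns]

HEADER = batch_controls(BATCH)   # figures recorded when the batch was prepared

if __name__ == "__main__":
    print("header:", HEADER)
    print("intact batch:", verify_batch(BATCH, HEADER))
    print("after transposition:", verify_batch(transposed_batch(BATCH), HEADER))
```

The transposition leaves the record count and the dollar total unchanged, so only the hash total exposes it; that is why all three figures are carried on the batch header rather than any one of them.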

14. B. Generalized audit software is the best tool to extract data that is relevant to the audit. Answer A is incorrect because integrated auditing describes a technique used to apply audit disciplines to assess key controls over operations and processes. Answer C is incorrect because automated work papers are software packages designed to automate the auditor’s daily tasks. Answer D is incorrect because continuous auditing uses embedded audit controls to reduce the amount of time between items to be audited and the collection and reporting of evidence. For more information, see Chapter 1.

15. D. Statistical samples are examples of substantive audits. During this type of audit, the auditor must determine how closely the sample should represent the population. Answers A, B, and C are incorrect because they do not describe statistical techniques. For more information, see Chapter 1.

16. C. ISACA lists the steps as: 1) Gather information and plan, 2) determine internal controls and review their functionality, 3) perform compliance tests, 4) perform substantive tests, and 5) conclude the audit. For more information, see Chapter 1.

17. D. Procedures that provide reasonable assurance to control and manage data processing operations map to logical security policies designed to support proper transactions. Answer A is incorrect because business continuity and disaster-recovery procedures provide reasonable assurance that the organization is secure against disasters. Answer B is incorrect because procedures that provide reasonable assurance for the control of database administration map to internal accounting controls used to safeguard financial records. Answer C is incorrect because system-development methodologies and change-control procedures implemented to protect the organization and maintain compliance map to administrative controls designed for corporate compliance. For more information, see Chapter 1.

18. D. Examples of detective controls include internal audit functions, hashing algorithms, and variance reports. Answers A and B are incorrect because they are examples of preventive controls. Answer C is incorrect because it is an example of a corrective control. For more information, see Chapter 1.

19. A. For fraud to be present, four items must exist. These include a material false statement, knowledge that the statement was false, reliance on the false statement, and resulting damages or losses. For more information, see Chapter 1.

20. C. The first step in continuous monitoring is to identify areas of high risk within the organization. Next, an assessment of potential impact of applications with high payback can be identified. Then tests can be performed to determine reasonable thresholds. With targeted thresholds determined, the development and format of monitoring programs can be defined. For more information, see Chapter 1.

21. B. The first step in the process should be to develop a policy statement. Changes to access control, internal review by auditors, and policy standards should not occur until this first step is completed. Therefore answers A, C, and D are incorrect. For more information, see Chapter 2.

22. C. Referred to as an IT steering committee or an IT strategy committee, this committee is tasked with ensuring that the IT department is properly aligned with the goals of the business. This is accomplished by using the committee as a conduit to move information and objectives from senior business management to IT management. The committee consists of members of high-level management from within the company. For more information, see Chapter 2.

23. A. Traditionally, financial results have been the sole indicator of performance. In the early 1990s, Robert Kaplan and David Norton developed a new method named the balanced score card. The balanced score card differs from historic measurement schemes in that it looks at more than just the financial perspective. It balances this perspective by gathering input from four perspectives: the customer, internal operations, innovation and learning, and financial data. Answers B, C, and D are incorrect. For more information, see Chapter 2.

24. D. The primary purpose of using EA is to ensure that business strategy and IT investments are aligned. Enterprise architecture (EA) is the practice within information technology of organizing and documenting a company’s IT assets so that planning, management, and expansion can be enhanced. Answers A, B, and C do not adequately define EA. For more information, see Chapter 2.

25. D. A company that is involved in planning activities three to five years out is involved in strategic planning. Organizations need sufficient time to evolve long-term strategic goals and to map them to the organization. Answers A, B, and C are incorrect because those types of planning phases look at a closer time completion window of one to three years for long-term planning and one year or less for operational planning. For more information, see Chapter 2.

26. C. An existence check verifies that all required data is entered. Answers A, B, and D are incorrect because a validity check verifies the validity of the information. A reasonableness check verifies the reasonableness of the data. For example, if an order is usually for no more than 20 items and the order is for 2,000 items, an alert would be generated. A range check verifies that the entered range is valid. As an example, an item ordered column should not denote a negative amount. For more information, see Chapter 4.

27. C. The chargeback system is known as a “pay as you go” system. As such, individual departments are directly charged for the services they use. Answers A, B, and D are incorrect. A single-cost system is not considered a “pay as you go” system. Shared-cost systems share costs among all departments of the organization. This method is relatively easy to implement and for accounting to handle. A sponsor pays system works by having the project sponsors pay all costs. For more information, see Chapter 2.

28. B. Direct observation is the best way to identify problems between procedure and activity. Therefore answers A, C, and D are incorrect. For more information, see Chapter 2.

29. C. Risk analysis can be performed in one of two basic methods. The first of these is quantitative risk assessment, which deals with dollar amounts. It attempts to assign a cost (monetary value) to the elements of risk assessment and the assets and threats of a risk analysis. Next is a qualitative risk assessment, which ranks threats by nondollar values and is based more on scenario, intuition, and gut feeling. If a team is having a hard time determining a potential dollar loss to something such as a brand name, the team should use a qualitative approach. Answers A, B, and D are incorrect because they all deal with quantitative methods. For more information, see Chapter 2.

30. B. A hard change requires the old system to be shut down at a specific date. The new system then will be brought online and powered up. This can be very risky because the new system might not operate properly, just as the old system might not restart easily if it is needed. There’s considerable risk in productivity and the potential of loss of revenue, which could cripple an organization. Answers A, C, and D are incorrect because a parallel operation involves operating both the old and new systems simultaneously to compare differences in the systems. Phased or pilot operations involve bringing the new system up one interval or phase at a time to test reliability and functionality. For more information, see Chapter 9.

31. C. Rotation of assignment is useful because it ensures that more than one person is able to perform a specific task. A side effect is that it provides backup when an employee is not available, but its primary purpose is to reduce fraud or misuse: rotating people through a position prevents any one individual from holding unchecked control over an area for long enough to conceal irregularities. Therefore, answers A, B, and D are incorrect. For more information, see Chapter 2.

32. A. The balanced score card balances its perspective by gathering input from four perspectives, including the customer, internal operations, innovation and learning, and financial data. Answers B, C, and D are incorrect. For more information, see Chapter 2.

33. C. FPA is based on the number of inputs, outputs, interfaces, files, and queries. FPA can be used to budget application development costs, estimate productivity after project completion, and determine annual maintenance costs. Answers A, B, and D are incorrect. Both black-box and white-box techniques are not used to estimate software development size. Source lines of code can be used but does not give an accurate picture and is considered a dated technique. For more information, see Chapter 3.

34. A. Program Evaluation and Review Technique (PERT) is the preferred tool for estimating time when a degree of uncertainty exists. PERT uses a critical path method that applies a weighted average duration estimate. PERT uses a three-point time estimate to develop best, worst, and most likely time estimates. Answers B, C, and D are incorrect. SLOC refers to the size of software. The Gantt chart was developed in the early 1900s as a tool to schedule activities and monitor progress. The COCOMO model specifically deals with software development and the cost, time, and effort in the software-development cycle. For more information, see Chapter 3.

35. C. Critical path methodology (CPM) is used to determine what activities are critical and what the dependencies are among the various tasks. CPM is accomplished by compiling a list of each task required to complete the project, determining the time that each task will take from start to finish, and examining the dependencies among the tasks. For more information, see Chapter 3.
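Worked example covering both answers 34 and 35 (added here; not part of the practice exam or its chapters): PERT three-point estimates converted to expected durations, then a CPM forward and backward pass that yields each task's slack and the critical path. The four tasks, their estimates and their dependencies are constructed for the example.

```python
# Constructed project (hypothetical tasks and estimates, not from the page).
# task -> (optimistic, most likely, pessimistic, predecessors); durations in days
TASKS = {
    "A": (2, 4, 6, []),
    "B": (3, 5, 13, ["A"]),
    "C": (1, 2, 3, ["A"]),
    "D": (2, 3, 4, ["B", "C"]),
}

def pert_estimate(optimistic, most_likely, pessimistic):
    """PERT weighted average of the three-point estimate: (O + 4M + P) / 6."""
    return (optimistic + 4 * most_likely + pessimistic) / 6

def topological_order(tasks):
    """Order tasks so every predecessor comes first; raises if the dependency graph has a cycle."""
    order, done, remaining = [], set(), dict(tasks)
    while remaining:
        ready = [t for t, (_, _, _, preds) in remaining.items() if all(p in done for p in preds)]
        if not ready:
            raise ValueError("cycle in task dependencies")
        for t in ready:
            order.append(t)
            done.add(t)
            del remaining[t]
    return order

def schedule(tasks):
    """CPM forward and backward pass over PERT durations; returns slack per task and the critical path."""
    duration = {t: pert_estimate(o, m, p) for t, (o, m, p, _) in tasks.items()}
    order = topological_order(tasks)
    successors = {t: [s for s, (_, _, _, preds) in tasks.items() if t in preds] for t in tasks}

    early_start, early_finish = {}, {}
    for t in order:                                   # forward pass: earliest start/finish
        early_start[t] = max((early_finish[p] for p in tasks[t][3]), default=0.0)
        early_finish[t] = early_start[t] + duration[t]
    project_length = max(early_finish.values())

    late_start, late_finish = {}, {}
    for t in reversed(order):                         # backward pass: latest start/finish
        late_finish[t] = min((late_start[s] for s in successors[t]), default=project_length)
        late_start[t] = late_finish[t] - duration[t]

    slack = {t: late_start[t] - early_start[t] for t in tasks}
    critical = [t for t in order if abs(slack[t]) < 1e-9]   # zero slack: any delay delays the project
    return {
        "duration": duration, "early_start": early_start, "late_start": late_start,
        "slack": slack, "critical_path": critical, "project_length": project_length,
    }

if __name__ == "__main__":
    result = schedule(TASKS)
    for t in TASKS:
        print(f"{t}: duration={result['duration'][t]:.1f} slack={result['slack'][t]:.1f}")
    print("critical path:", " -> ".join(result["critical_path"]), "length:", result["project_length"])
```

With these figures the path A, B, D has zero slack and sets the 13-day project length, while C can slip four days without moving the finish date; that slack is what a project manager spends first when a critical task overruns.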

36. A. The waterfall model is considered a traditional system development lifecycle model. The advantage of this model is that it is well known and extremely stable when used if requirements are not expected to change and the architecture is well known. Answer B is incorrect because the spiral model is based on the concept that software development is evolutionary. The spiral model begins by creating a series of prototypes to develop a solution. Answer C is incorrect because prototyping uses high-level code to quickly turn design requirements into application screens and reports that the users can review. Answer D is incorrect because the incremental model defines an approach that develops systems in stages so that development is performed one step at a time. For more information, see Chapter 3.

37. B. During the requirements phase of the system development lifecycle (SDLC), team members are responsible for fully defining the need and then mapping how the proposed solution meets the need. Answer A is incorrect because during the feasibility phase, a payback analysis must be performed. Answer C is incorrect because during the design phase, the design is finalized and test plans are developed. Answer D is incorrect because during the development phase, developers become deeply involved in their work. For more information, see Chapter 3.

38. B. Output controls include logging, security signatures, report distribution, and balancing and reconciliation. Batch controls are an example of an input control. For more information, see Chapter 4.

39. D. Item A references the primary key. The primary key of a relational table uniquely identifies each record in the table. Answers A, B, and C are incorrect because they do not reference primary keys. For more information, see Chapter 4.

40. D. Data mining makes it possible to query very large databases to satisfy a hypothesis, such as whether a credit card is stolen or legitimate. Answer A is incorrect because decision support systems (DSS) are used to solve common problems that managers face. Answer B is incorrect because expert systems are used to solve complex problems. Answer C is incorrect because intrusion-prevention systems are used to detect and prevent attacks or outbreaks of malware. For more information, see Chapter 4.

41. A. Control totals can be used as a recalculation control and offer an easy way to implement an audit trail. Answer B is incorrect because a check digit is used to verify accuracy: it is a value computed from the other digits of a field and appended to it, so that a transcription error changes the computed value and is detected. Answer C is incorrect because a completeness check is used to ensure that all required data has been entered and that no required field is null. Answer D is incorrect because a limit check is used to set an upper bound on what is a reasonable amount. For more information, see Chapter 4.
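Worked example covering the input edit checks in answers 26 and 41 (added here; not part of the practice exam or its chapters): existence, validity, range, reasonableness and limit checks applied to one order record, plus a mod-10 (Luhn) check digit as one common check-digit scheme. The item catalog, the thresholds, the customer-id format and the sample records are assumptions made for the example.

```python
from decimal import Decimal

# Constructed reference data and thresholds (hypothetical; the page states none of these values).
CATALOG = {"WIDGET", "GADGET", "SPROCKET"}   # valid item codes for the validity check
REQUIRED = ("customer_id", "item", "qty", "unit_price")
TYPICAL_MAX_QTY = 20                         # reasonableness: larger orders are unusual, not impossible
MAX_QTY = 10_000                             # range: hard bounds on quantity
PRICE_LIMIT = Decimal("5000.00")             # limit: no single unit price above this

def luhn_check_digit(payload: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits; one common check-digit scheme."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, starting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the Luhn check digit of the digits before it."""
    return number.isdigit() and len(number) > 1 and luhn_check_digit(number[:-1]) == number[-1]

def edit_checks(record: dict) -> dict:
    """Apply the input edit checks to one order record; return {check: reason} for each failure."""
    failures = {}
    missing = [f for f in REQUIRED if record.get(f) in (None, "")]
    if missing:                                       # existence check
        failures["existence"] = f"missing required fields {missing}"
        return failures                               # nothing else can be checked without the data
    if record["item"] not in CATALOG:                 # validity check
        failures["validity"] = f"unknown item code {record['item']!r}"
    qty = record["qty"]
    if not 0 <= qty <= MAX_QTY:                       # range check (negative quantities are invalid)
        failures["range"] = f"qty {qty} outside 0..{MAX_QTY}"
    elif qty > TYPICAL_MAX_QTY:                       # reasonableness check (valid but suspicious)
        failures["reasonableness"] = f"qty {qty} exceeds the usual maximum of {TYPICAL_MAX_QTY}"
    if record["unit_price"] > PRICE_LIMIT:            # limit check
        failures["limit"] = f"unit price {record['unit_price']} above limit {PRICE_LIMIT}"
    if not luhn_valid(record["customer_id"]):         # check digit on the customer id
        failures["check_digit"] = f"customer id {record['customer_id']} fails its check digit"
    return failures

# Constructed sample records: the second has a transposed customer id, a mistyped item code and a 2,000-unit order.
GOOD_ORDER = {"customer_id": "79927398713", "item": "WIDGET", "qty": 12, "unit_price": Decimal("9.99")}
BAD_ORDER = {"customer_id": "79927389713", "item": "WIDGIT", "qty": 2000, "unit_price": Decimal("9.99")}

if __name__ == "__main__":
    print(edit_checks(GOOD_ORDER))
    print(edit_checks(BAD_ORDER))
```

The range check rejects outright, while the reasonableness check only flags: a 2,000-item order is within the hard bounds but far above the usual size, which is exactly the case the explanation for answer 26 describes.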

42. C. Decision support systems (DSS) are used to solve problems that managers face. DSS uses models and mathematical techniques. They are usually designed by fourth-generation programming (4GL) tools. This makes the systems flexible and adaptable, yet these tools are not always as efficient as lower-level programming tools might be. Answers A, B, and D are incorrect. For more information, see Chapter 4.

43. A. A payback analysis must be performed during the feasibility phase. Answer B is incorrect because during the requirements phase of the system development lifecycle (SDLC), team members are responsible for fully defining the need and then mapping how the proposed solution meets the need. Answer C is incorrect because during the design phase, the design is finalized and test plans are developed. Answer D is incorrect because during the development phase, developers become deeply involved in their work. For more information, see Chapter 3.

44. B. Time service factor is the percentage of help-desk or response calls answered within a given time. Answer A is incorrect because uptime agreements are one of the most well-known types of SLAs, detailing the agreed-on amount of uptime. Answer C is incorrect because the abandon rate is the number of callers who hang up while waiting for a service representative to answer. Answer D is incorrect because first call resolution is the number of resolutions that are made on the first call and that do not require the user to call the help desk to follow up or seek additional measures for resolution. For more information, see Chapter 5.

45. A. Lights-out operations are those that can take place without human interaction. These can include job scheduling, report generation, report balancing, and backup. Answers B, C, and D are incorrect because they do not describe lights-out operations. For more information, see Chapter 5.

46. B. Assembly is an example of a 2GL language. Answer A is incorrect because SQL is an example of a 4GL language. Answer C is incorrect because FORTRAN is an example of a 3GL language. Answer D is incorrect because Prolog is an example of a 5GL language. For more information, see Chapter 5.

47. C. Proxies provide several services, including load balancing and caching. Most important, the proxy stands in place of the real client and acts as an interface to the private domain, thereby preventing direct access. Answer A is incorrect because the proxy is not used to reduce the load of a client. Answer B is incorrect because proxies prevent direct access. Answer D is incorrect because although proxy servers provide some level of security, they do not allow high-level security such as an application or kernel firewall. For more information, see Chapter 5.

48. B. Programmers should strive to develop modules that have high cohesion and low coupling. Cohesion addresses the fact that a module can perform a single task with little input from other modules. Coupling is the measurement of the interconnection between modules. Low coupling means that a change to one module should not affect another. For more information, see Chapter 3.

49. D. Class 1 Bluetooth supports up to 100 m of range and 100 mW of power. Answer A is not a valid selection, answer B specifies Bluetooth class 3, and answer C specifies Bluetooth class 2. For more information, see Chapter 6.

50. C. EDI systems are used to transfer data between different companies using private networks or the Internet. Communications handlers are the devices responsible for transmitting and receiving data. Answers A, B, and D are incorrect. VANs are the networks or communications networks used to move information. X12 is a common EDI communication protocol. EDIFACT is an international EDI standard. For more information, see Chapter 6.

51. C. SANs are storage area networks that are used to connect multiple servers to a centralized pool of disk storage. SANs improve system administration by allowing centralized storage instead of having to manage hundreds of servers, each with their own disks. PANs are personal area networks. LANs are local area networks, and MANs are metropolitan area networks. For more information, see Chapter 6.

52. C. Item C defines an attribute. An attribute is a component of a database; in this case, the attribute references the sales rep field. Answers A, B, and D are incorrect because they do not describe an attribute. For more information, see Chapter 4.

53. D. The OSI model defines networking into a seven-layer process. Within the OSI model, the data is passed down from layer to layer. It begins at the application layer and ends at the physical layer. The network layer is tied to routers and routing, and is responsible for the movement of data from network A to network B. The network layer is the home of the Internet Protocol (IP). Answers A, B, and C are incorrect. For more information, see Chapter 6.

54. A. Final acceptance testing is usually performed at the implementation phase, when the project staff is satisfied with all other tests and the application is ready to be deployed. Answer B is incorrect because system testing is a series of tests that can include recovery testing, security testing, stress testing, volume testing, and performance testing. Answer C is incorrect because interface testing examines hardware or software to evaluate how well data can be passed from one entity to another. Answer D is incorrect because unit testing examines an individual program or module. For more information, see Chapter 3.

55. C. A router is an OSI Layer 3 device that also can work as a packet filter through the use of access control lists (ACLs). Answers A, B, and D are incorrect because they do not meet that criteria. For more information, see Chapter 6.
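Worked example for answer 55 (added here; not part of the practice exam or its chapters): a simplified router ACL evaluated with first-match semantics and the implicit deny at the end, plus the audit check an auditor reviewing such a configuration would want, namely finding rules that an earlier rule fully covers and can therefore never fire. The rule syntax, the `Rule` and `make_rule` names and the sample ACL (documentation-range addresses) are constructed for the example and are not any vendor's configuration language.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp", or "ip" meaning any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None means any destination port

def make_rule(action, proto, src, dst, dport=None):
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)

ANY = "0.0.0.0/0"

# Constructed inbound ACL for a hypothetical edge router (documentation-range addresses, not real hosts).
ACL = [
    make_rule("deny",   "ip",  "10.0.0.0/8",      ANY),                    # 1: drop spoofed private sources
    make_rule("permit", "tcp", ANY,               "203.0.113.10/32", 443),  # 2: public web server
    make_rule("permit", "tcp", ANY,               "203.0.113.0/24",  22),   # 3: SSH to the whole subnet
    make_rule("deny",   "tcp", "198.51.100.0/24", "203.0.113.0/24",  22),   # 4: never fires (shadowed by 3)
    make_rule("permit", "tcp", "192.0.2.0/24",    "203.0.113.10/32", 443),  # 5: never fires (redundant with 2)
]

def matches(rule, proto, src, dst, dport):
    return ((rule.proto == "ip" or rule.proto == proto)
            and src in rule.src and dst in rule.dst
            and (rule.dport is None or rule.dport == dport))

def evaluate(acl, proto, src, dst, dport=None):
    """First matching rule decides; a packet matching no rule hits the implicit deny. Returns (action, rule number)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for number, rule in enumerate(acl, 1):
        if matches(rule, proto, src, dst, dport):
            return rule.action, number
    return "deny", None

def covers(earlier, later):
    """True if every packet that matches `later` already matches `earlier`."""
    return ((earlier.proto == "ip" or earlier.proto == later.proto)
            and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
            and (earlier.dport is None or earlier.dport == later.dport))

def shadowed_rules(acl):
    """Audit check: rules an earlier rule fully covers. Same action = redundant; different action = conflict."""
    findings = []
    for j, later in enumerate(acl, 1):
        for i, earlier in enumerate(acl[: j - 1], 1):
            if covers(earlier, later):
                findings.append((j, i, "redundant" if earlier.action == later.action else "conflict"))
                break
    return findings

if __name__ == "__main__":
    print(evaluate(ACL, "tcp", "198.51.100.7", "203.0.113.20", 22))   # rule 3 permits; rule 4 never sees it
    print(evaluate(ACL, "tcp", "10.1.2.3", "203.0.113.10", 443))      # anti-spoofing deny at rule 1
    print(evaluate(ACL, "udp", "192.0.2.5", "203.0.113.10", 53))      # no match: implicit deny
    print(shadowed_rules(ACL))
```

The "conflict" finding is the one that matters in a review: the intent of rule 4 (block SSH from 198.51.100.0/24) is silently defeated by rule 3 above it, and only reading the actual configuration, as answer 68 later points out, reveals it. `covers` detects full shadowing only; a later rule that is only partly overlapped by an earlier one needs a finer analysis.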

56. A. The data link layer is most closely associated with MAC addresses. MAC addresses are 48-bit hardware addresses that identify the specific physical device. Answer B is incorrect because the network layer is associated with IP addresses. Answers C and D are not associated with MAC addresses. For more information, see Chapter 6.

57. B. Class A addresses range from 1 to 126. Class B addresses range from 128 to 191. Class C addresses range from 192 to 223. Class D addresses are considered multicast addresses. Therefore, an address of 128.12.3.15 is a Class B address. For more information, see Chapter 6.

58. C. Routing Information Protocol (RIP) is the most common distance-vector routing protocol in use. Although RIP is a routing protocol, answer A is not the most specific; therefore, it is incorrect. Answer B is incorrect because RIP is not a routable protocol. An example of a routable protocol is IP. Answer D is incorrect because RIP is not a link-state routing protocol. For more information, see Chapter 6.

59. A. Regression is used after a change to verify that inputs and outputs are correct. Answer B is incorrect because system testing is a series of tests that can include recovery testing, security testing, stress testing, volume testing, and performance testing. Answer C is incorrect because interface testing examines hardware or software to evaluate how well data can be passed from one entity to another. Answer D is incorrect because pilot testing is used as an evaluation to verify functionality of the application. For more information, see Chapter 3.

60. D. Prolog is an example of a 5GL language. Answer A is incorrect because SQL is an example of a 4GL language. Answer B is incorrect because Assembly is an example of a 2GL language. Answer C is incorrect because FORTRAN is an example of a 3GL language. For more information, see Chapter 5.

61. A. A bus network is hard to expand, and one break can disable the entire segment. This is not true of star, ring, or mesh topologies. For more information, see Chapter 6.

62. D. The only valid answer is fire-retardant coating. Guarding the health and safety of employees is always a concern, so plenum-grade cable is designed for use in the air-handling spaces (plenums) above ceilings and below floors, where cable that burned would otherwise feed toxic gases and smoke into the ventilation system. Plenum-grade cable does not give off toxic gases and heavy smoke as it burns. For more information, see Chapter 6.

63. C. The switched network using Cat 5e cabling is the most secure. It would require an attacker to use ARP poisoning or flooding to be able to see all of the traffic. Although fiber might be more secure overall, it is not a copper cable standard. For more information, see Chapter 6.

64. A. Scrum is typically used with object-oriented technology, requires strong leadership, and requires the team to meet each day for a short meeting. Scrum is an iterative development method in which repetitions are referred to as sprints and typically last 30 days. Answer B is incorrect because extreme programming (XP) requires that teams include business managers, programmers, and end users. These teams are responsible for developing useable applications in short periods of time. Answer C is incorrect because RAD uses an evolving prototype and requires heavy user involvement. Answer D is incorrect because the spiral model is based on the concept that software development is evolutionary. The spiral model begins by creating a series of prototypes to develop a solution. As the project continues, it spirals out, becoming more detailed. For more information, see Chapter 3.

65. A. Figure E.5 describes a relational database. A relational database is considered a collection of tables that are linked by their primary keys. Answers B, C, and D are incorrect because a network or hierarchical database is not shown. Floating flat is not a valid database type. For more information, see Chapter 5.

66. D. The printing of confidential reports represents a real risk because although an operator might not be able to directly read this information, he or she can print it and remove it from the facility. Although answers A, B, and C, are important they are not the most important concern. For more information, see Chapter 6.

67. D. Adding RAID 1 is the best example of how to protect against loss from component loss or errors. JBOD offers no fault tolerance, and redundant WAN links would provide protection against loss of connectivity but would not protect against component failures such as hard drives. RAID 0 offers improvement in speed, but no fault tolerance. For more information, see Chapter 6.

68. B. Reviewing the configuration would offer the best evidence of how the firewall is actually configured. Answers A, C, and D do not offer as strong audit evidence and, therefore, are incorrect. For more information, see Chapter 6.

69. D. ATM is a packet-switching technology (it switches fixed-size 53-byte cells); DSL, POTS, and T1 are all examples of circuit-switching technologies. For more information, see Chapter 6.

70. B. Web-based application development (WBAD) uses a process to standardize code modules to allow for cross-platform operation and program integration. WBAD offers the capability of standardized integration through the use of application development technologies such as Extensible Markup Language (XML). Answer A is incorrect because component-based development (CBD) uses a process of enabling objects to communicate with each other. Answer C is incorrect because OOSD uses a process of solution specifications and models in which items are grouped as objects. Answer D is incorrect because data-oriented system development (DOSD) uses a process that examines software requirements by focusing on data and its structure. For more information, see Chapter 3.

71. A. Data warehouses are subject oriented, integrate data from the various operational systems, and are typically loaded from these systems at regular intervals. Answers B, C, and D are incorrect. For more information, see Chapter 4.

72. B. The discretionary access control (DAC) model is titled because access control is left to the owner’s discretion. DAC allows owners to activate security controls as they see fit. Answer A is incorrect because the mandatory access control (MAC) model is static and based on a predetermined list of access privileges. Answer C is incorrect because role-based access control (RBAC) allows a user to have certain preestablished rights to objects. These rights are assigned to users based on their roles in the organization. Answer D is incorrect because an access control list (ACL) is used by a router for packet filtering. For more information, see Chapter 7.

73. C. Two-factor authentication is considered the strongest because it combines two single-factor methods, such as biometrics and tokens. Therefore, answers A, B, and D are incorrect. For more information, see Chapter 7.

74. B. The EER is a measurement that indicates the point at which FRR equals FAR. Its primary usage is in measuring the overall effectiveness of a biometric device. For more information, see Chapter 7.

75. B. Flowcharts are one of the first things an auditor should examine when evaluating business application systems. Answers A, C, and D are incorrect. Although interviewing users, evaluating controls, and determining critical areas are important, they are not the first item that should be completed. For more information, see Chapter 4.

76. B. Closed-circuit TV (CCTV) systems don’t prevent security breaches; they just alert the guard to a potential problem after it occurs. Therefore, these are considered a detective control. Answers A, C, and D are incorrect. For more information, see Chapter 8.

77. D. According to ISACA, the BCP steps include: 1) project management and initiation, 2) business impact analysis, 3) recovery strategy, 4) plan design and development, 5) training and awareness, 6) implementation and testing, and 7) monitoring and maintenance. For more information, see Chapter 9.

78. B. Figure E.6 describes a network database. A network database was developed to be more flexible than a hierarchical database. The network database model is considered a lattice structure because each record can have multiple parent and child records. Although this design can work well in stable environments, it can be extremely complex. Answers A, C, and D are incorrect because a relational or hierarchical database is not shown, and floating flat is not a valid database type. For more information, see Chapter 5.

79. A. The Kerberos authentication service issues ticket-granting tickets (TGTs) that are good for admission to the ticket-granting service (TGS). Answers B, C, and D are incorrect. The Kerberos ticket-granting service receives tickets created to authenticate specific target services. There is no valid RADIUS authentication service or ticket-granting service. For more information, see Chapter 7.

80. C. It's important for everyone involved to understand that the BCP is the most important corrective control that the organization has an opportunity to shape. Therefore, answers A, B, and D are incorrect. For more information, see Chapter 9.

81. C. Application system testing techniques include snapshots, mapping, and base case system evaluation. Integrated test facilities are an example of a continuous online auditing technique. For more information, see Chapter 4.

82. A. The RPO defines how current the data must be or how much data an organization can afford to lose. The greater the RPO, the more tolerant the process is to interruption. The RTO specifies the maximum elapsed time to recover an application at an alternate site. The greater the RTO, the longer the process can take to be restored. For more information, see Chapter 9.

83. B. The service delivery objective (SDO) defines the level of service provided by alternate processes while primary processing is offline. Answer A is incorrect because it defines the maximum tolerable outage. Answer C is incorrect because it defines the maximum acceptable outage. Answer D is incorrect because it defines the recovery time objective (RTO). For more information, see Chapter 9.

84. D. A risk assessment is performed during the business impact analysis phase. According to ISACA, the BCP steps include: 1) project management and initiation, 2) business impact analysis, 3) recovery strategy, 4) plan design and development, 5) training and awareness, 6) implementation and testing, and 7) monitoring and maintenance. For more information, see Chapter 9.

85. A. The generator is a longer-term device. When the UPS signals the generator, it can power up and assume power responsibilities. Most standby generators work on diesel fuel or natural gas. For more information, see Chapter 8.

86. D. Integrated test facilities are considered the most complex type of continuous audit technique, followed by continuous and intermittent simulation (CIS), snapshots, and audit hooks. For more information, see Chapter 4.

87. C. FM-100 is not a replacement for Halon. Valid replacements include FM-200, NAF-S-3, and argon. For more information, see Chapter 8.

88. D. Type 1 errors are also known as the false rejection rate (FRR); they measure the percentage of legitimate users who are denied access. Answer A defines the equal error rate (EER). Answer B also defines the EER. Answer C defines Type 2 errors. For more information, see Chapter 7.

89. B. Class A fires consist of ordinary combustibles such as paper or wood. Answers A, C, and D are incorrect. For more information, see Chapter 8.

90. A. Locks of this type fail open. Employees can easily leave if power is disrupted, but intruders can also easily enter. Answers B, C, and D are incorrect. For more information, see Chapter 8.

91. C. Figure E.7 describes a hierarchical database. A hierarchical database takes the form of a parent/child structure. These are considered 1:N (one to many) mappings. Each record can have only one owner, so hierarchical databases often can't be used to relate to structures in the real world; however, they are easy to implement, modify, and search. Answers A, B, and D are incorrect because a relational or network database is not shown, and floating flat is not a valid database type. For more information, see Chapter 5.

92. B. Continuous online auditing gives auditors the tools needed to perform ongoing monitoring. Continuous online auditing produces audit results either in real time or after a short period of time. This method can actually reduce costs because the need for conventional audits might be reduced or eliminated. Therefore, answers A, C, and D are incorrect. For more information, see Chapter 4.

93. A. A mandatory access control (MAC) model is static and based on a predetermined list of access privileges; therefore, in a MAC-based system, access is determined by the system rather than the user. The MAC model is typically used by organizations that handle highly sensitive data, such as the DoD, NSA, CIA, and FBI. Systems based on the MAC model use sensitivity labels and are prohibitive in nature: anything that is not explicitly allowed is denied. Therefore, answers B, C, and D are incorrect. For more information, see Chapter 7.

94. B. All data must be protected from unauthorized access by initiating internal and output controls to protect confidentiality and data assets. Answers A, C, and D are incorrect because users should not be allowed to copy any data without proper authorization by management. Furthermore, internal controls need to be as restrictive as all output controls for data control. For more information, see Chapter 7.

95. D. A privacy impact analysis (PIA) should determine the risks and effects of collecting, maintaining, and distributing personal information in electronic-based systems. A PIA is tied to technology, processes, and people. For more information, see Chapter 7.

96. C. Executive management is ultimately responsible for the security practices of the organization. Answers A, B, and D are incorrect. The security advisory group is responsible for reviewing security issues with the chief security officer and also is responsible for reviewing security plans and procedures. The chief security officer is responsible for the day-to-day security of the organization and its critical assets. The security auditor is responsible for examining the organization’s security procedures and mechanisms. For more information, see Chapter 7.

97. B. Referential integrity guarantees that all foreign keys reference existing primary keys. Answer A is incorrect because relational integrity ensures that validation routines exist to test data before it is entered into a database and that any modification can be detected. Answer C is incorrect because entity integrity ensures that each tuple contains a primary key. Answer D is incorrect because tagging is used to mark selected transactions, while tracing allows these tagged transactions to be monitored. For more information, see Chapter 4.

98. C. The extranet is an extension of the organization’s private network that uses the public telecommunication system to securely share part of a business’s information or operations with suppliers or business partners. Therefore, answers A, B, and D are incorrect. For more information, see Chapter 6.

99. B. Latency is the delay that information will experience from the source to the destination. Latency can be caused because data must travel great distances or because of high volumes of network traffic and inadequate bandwidth. Latency is commonly measured with the ping command. For more information, see Chapter 6.

100. B. Both 802.11a and 802.11b use the Wired Equivalent Privacy (WEP) protocol. 802.11g devices use WPA, and 802.11i devices use WPA2 and TKIP. For more information, see Chapter 6.

101. B. ISDN is considered a circuit-switching technology, while X.25, Frame Relay, and ATM are all considered packet-switching technologies. For more information, see Chapter 6.

102. C. Layers 4 and 5 correspond to the transport and session layers. Between these two layers, services such as TLS are located. Answer A is incorrect because Layers 2 and 3 are the data link and network layers. Answer B is incorrect because Layers 3 and 4 are the network and transport layers. Answer D is incorrect because Layers 5 and 6 are the session and presentation layers. For more information, see Chapter 6.

103. B. DNS is used to resolve domain names to IP addresses. Answer A is incorrect because providing the address of a domain server is not the primary purpose of DNS. Answer C is incorrect because determination of an IP address is not the most correct answer. DNS performs a resolution of FQDN to IP address. Answer D is incorrect because ARP resolves IP addresses to MAC addresses. For more information, see Chapter 6.

104. A. A 10BASE5 network uses a bus topology. Answers B, C, and D are incorrect because they describe a ring, star, and mesh topology. For more information, see Chapter 6.

105. A. Terminal-emulation software (TES) is a category of network service that allows users to access remote hosts. These hosts then appear as local devices. An example of TES is Telnet, which allows a client at one site to establish a session with a host at another site. Answer B is incorrect because FTP is the File Transfer Protocol. Answer C is incorrect because SNMP is the Simple Network Management Protocol and is used for network management. Answer D is incorrect because SMTP is the Simple Mail Transfer Protocol and is used for electronic mail. For more information, see Chapter 6.

106. B. File Transfer Protocol (FTP) operates on ports 20 and 21. Telnet operates on port 23. SMTP operates on port 25, and DHCP operates on ports 67 and 68. For more information, see Chapter 6.

107. C. The transport layer is responsible for reliable data delivery. Protocols such as TCP that are found at this layer feature flow-control, session-startup, and session-shutdown procedures to provide for reliable delivery of data. The data link layer is not the correct answer because this layer deals with physical frames. The session layer does not directly provide this functionality. The network layer is responsible for routing data packets. For more information, see Chapter 6.

108. A. Conducting certification tests is part of the implementation phase. Answers B, C, and D are incorrect. Determining user requirements is part of the user requirements phase. Assessing the project to see if expected benefits were achieved is part of the post-implementation phase. Reviewing audit trails is part of the design phase. For more information, see Chapter 3.

109. A. An exception report is a processing control that should be generated when transactions appear to be incorrect. Answers B, C, and D are incorrect because they all describe processing edit controls. For more information, see Chapter 4.

110. C. The data link layer is responsible for formatting and organizing the data before sending it to the physical layer. Layer 2 devices include bridges and switches. Hubs and repeaters are found at the physical layer, whereas routers are found at the network layer. For more information, see Chapter 6.

111. C. Run-to-run totals provide the capability to ensure the validity of data through various stages of processing. Answer A is incorrect because manual recalculations are used to ensure that processing is operating correctly. Answer B is incorrect because programming controls are software based and are used to flag problems and initiate corrective action. Answer D is incorrect because reasonableness verification is used to ensure the reasonableness of data. For more information, see Chapter 4.

112. A. Normalization is the process of optimizing a relational database to minimize redundancy. This process reduces repeating data and decreases the potential for anomalies during data operations. Answers B, C, and D are incorrect. For more information, see Chapter 3.

113. B. A PERT chart is used to depict the most cost-effective scenario for the task. Each chart begins with the first task, which branches out to a connecting line that contains three estimates: the most optimistic time the task can be completed in, the most likely time the task will be completed in, and the worst-case scenario or longest time the task can take. For more information, see Chapter 3.

114. B. Verifications such as existence checks can best be described as a validation edit control that is considered preventive. Answers A, C, and D are therefore incorrect. For more information, see Chapter 4.

115. C. Every tuple in a table that references a foreign key should be a tuple in the foreign table that is referenced. This ensures referential integrity and prevents dangling tuples. Answers A, B, and D are incorrect and are simply misleading. For more information, see Chapter 5.

116. C. Certification tests a system’s internal controls for correct functionality against a known reference. Certification is a technical review of the system. Before systems are placed into operation, they must undergo certification. When certification testing is complete, management will review the compiled results and decide on the location and use of the system. This is known as accreditation; it is management’s decision of acceptance. For more information, see Chapter 3.

117. B. The screened subnet sets up a type of DMZ. Screened subnets and DMZs are the basis for most modern network designs. Answer A is incorrect because a packet filter sets up a single-tier packet filter design and has one packet-filtering router installed between the trusted and untrusted networks. Answer C is incorrect because the screened host adds a router. The router is typically configured to see only one host computer on the intranet network. Users on the intranet must connect to the Internet through this host computer, and external users cannot directly access other computers on the intranet. Answer D is incorrect because dual-homed hosts consist of a bastion host that has two network interfaces. For more information, see Chapter 6.

118. C. The network database-management systems were created in 1971 and are based on mathematical set theory. This type of database was developed to be more flexible than a hierarchical database. The network database model is considered a lattice structure because each record can have multiple parent and child records. Although this design can work well in stable environments, it can be extremely complex. Therefore, answers A, B, and D are incorrect. For more information, see Chapter 5.

119. D. FPA does not examine the number of expected users. Five function point values exist: number of user inputs, number of user outputs, number of user inquiries, number of files, and number of external interfaces. For more information, see Chapter 3.

120. C. Basic is an example of an interpreted programming language. An interpreted language does not assemble or compile the program; it takes an alternate approach by translating the program line by line. Interpreters fetch and execute. Answers A, B, and D are examples of compiled programs. For more information, see Chapter 5.

121. A. SQL is an example of a 4GL language. Answer B is incorrect because Assembly is an example of a 2GL language. Answer C is incorrect because FORTRAN is an example of a 3GL language. Answer D is incorrect because Prolog is an example of a 5GL language. For more information, see Chapter 5.

122. A. With hierarchical database-management systems, the database takes the form of a parent/child structure. These are considered 1:N (one to many) mappings. Each record can have only one owner, so hierarchical databases often can’t be used to relate to structures in the real world; however, they are easy to implement, modify, and search. Therefore, answers B, C, and D are incorrect. For more information, see Chapter 5.

123. B. Supervisor state allows the execution of all instructions, including privileged instructions. Any user allowed to run programs in supervisory mode can bypass any kind of security mechanism and gain complete control of the system. Answers A, C, and D are incorrect. System utilities that run in supervisory mode should be strictly controlled. Supervisory mode is used to gain access to the kernel, not block it. Rings are arranged in a hierarchy from the most privileged, lowest-numbered ring to the least privileged, highest-numbered ring. For more information, see Chapter 5.

124. D. Sequence numbers are used to make sure that all data falls within a given range. Answer A is incorrect because a limit check is used to verify that the data to be processed does not exceed a predetermined limit. Answer B is incorrect because a range check is used to ensure that a date is within a predetermined range. Answer C is incorrect because a validity check is used to check the validity of data. For more information, see Chapter 4.

125. B. The time between when an incident occurs and when it is addressed is called the delay window. Incident handling should look at ways to reduce the delay window to as small a value as possible. For more information, see Chapter 5.

126. C. System errors are the type of information you would expect to find in a console log. You would not find names and passwords, backup times, or data edit errors. Therefore, answers A, B, and D are incorrect. For more information, see Chapter 5.

127. D. Auditors might be asked to verify existing source code at some point. If so, the auditor might want to use source code comparison software. This software enables the auditor to compare a previously obtained copy of the source code to a current copy. The software runs a comparison and can identify any changes. Answer A is incorrect because function point analysis is used to determine the complexity of a software build project. Answer B is incorrect because although a manual review might work, it would be unrealistic for large software projects. Answer C is incorrect because variation tools are not used to measure software changes. For more information, see Chapter 5.

128. A. Processing controls include processing, validation, and editing controls. Authorization is an example of an input control. For more information, see Chapter 4.

129. C. Projects are constrained by their scope, time, and cost. Many approaches and standards exist for meeting this triple constraint. The most well-known is PMBOK. Resources are not part of this triangle. For more information, see Chapter 3.

130. B. The proper order is clustering, remote replication, online restore, and tape restore. Answers A, C, and D are incorrect. For more information, see Chapter 9.

131. B. The project steering committee is ultimately responsible and must ensure that stakeholders’ needs are met. Answer A is incorrect because stakeholders are anyone involved or affected by the project activities. Answer C is incorrect because the project manager is responsible for day-to-day management of the project team. Answer D is incorrect because quality assurance is responsible for reviewing the activities of the project-management team and ensuring that output meets quality standards. For more information, see Chapter 3.

132. D. In the influence project management style, the project manager has no real authority and the functional manager remains in charge. Answer A is incorrect because the weak matrix style is characterized by a project manager who has little or no authority and is part of the functional organization. Answer B is incorrect because in a pure project, the project manager has formal authority. Answer C is incorrect because a balanced matrix is characterized by a project manager who has some functional authority and management duties that are shared with functional managers. For more information, see Chapter 2.

133. A. COCOMO specifically deals with software development and the cost, time, and effort in the software-development cycle. Answers B, C, and D are incorrect because COCOMO is not associated with hardware, consumer products, or construction. For more information, see Chapter 3.

134. D. Traditional software sizing has been done by counting source lines of code (SLOC). This method does not work as well in modern development programs because additional factors will affect the overall cost. This method determines cost solely on length of code. Answer A is incorrect because FRAP is a risk-assessment method. Answer B is incorrect because Gantt is a project-management technique. Answer C is incorrect because FPA is a newer software cost method that the ISO has approved as a standard to estimate the complexity of software. For more information, see Chapter 3.

135. C. Actuarial tables display statistical values that can be used to determine the probability of risks. These tables are based on mathematical models that examine the cause of specific events and the timing of the events. Actuarial tables can be used in quantitative risk-assessment calculations. Answers A, B, and D are incorrect because the Delphi technique, facilitated risk-assessment process (FRAP), and risk ratings such as high, medium, or low are all examples of qualitative risk-assessment techniques. For more information, see Chapter 2.
