IT Controls and Audit Practices, Exams of Information and Communications Technology (ICT)

This document covers various IT controls and audit practices that are important for ensuring the integrity, security, and reliability of information systems. It covers topics such as input controls, database commits and rollbacks, portfolio management, transaction logs, backup and recovery strategies, change management, and automated auditing solutions. It offers insights into best practices for identifying and evaluating existing controls, as well as recommendations for improving control mechanisms to address risks and vulnerabilities. The content is likely relevant for university-level courses in information systems, cybersecurity, and IT audit and governance.

Typology: Exams

2023/2024

Available from 07/27/2024

paul-kamau-2
CISA Practice Exam 208 Questions with Verified Answers
In a public key infrastructure (PKI), which of the following may be relied upon to prove that an online transaction was authorized by a specific customer?
Correct A. Nonrepudiation
B. Encryption
C. Authentication
D. Integrity
- CORRECT ANSWER You are correct, the answer is A.
A. Nonrepudiation, achieved through the use of digital signatures, prevents the senders from later denying that they generated and sent the message.
B. Encryption may protect the data transmitted over the Internet, but may not prove that the transactions were made.
C. Authentication is necessary to establish the identification of all parties to a communication.

D. Integrity ensures that transactions are accurate but does not provide the identification of the customer.

Which of the following BEST ensures the integrity of a server's operating system (OS)?
A. Protecting the server in a secure location
B. Setting a boot password
Correct C. Hardening the server configuration
D. Implementing activity logging
- CORRECT ANSWER You are correct, the answer is C.
A. Protecting the server in a secure location is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS).
B. Setting a boot password is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS.
C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and

A. Digital signatures are used for authentication and nonrepudiation, and are not commonly used in databases. As a result, this is not an area in which the IS auditor should investigate.
B. A nonce is defined as a "parameter that changes over time" and is similar to a number generated to authenticate one specific user session. Nonces are not related to database security (they are commonly used in encryption schemes).
C. A media access control (MAC) address is the hardware address of a network interface. MAC address authentication is sometimes used with wireless local area network (WLAN) technology, but is not related to database security.
D. When a database is opened, many of its configuration options are governed by initialization parameters. These parameters are usually governed by a file ("init.ora" in the case of Oracle DBMS), which contains many settings. The system initialization parameters address many "global" database settings, including authentication, remote access and other critical security areas. To effectively audit a database implementation, the IS auditor must examine the database initialization parameters.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?
A. Manually copy files to accomplish replication.
B. Review changes in the software version control system.

Incorrect C. Ensure that developers do not have access to the backup server.
D. Review the access control log of the backup server.
- CORRECT ANSWER You answered C. The correct answer is B.
A. Even if replication is conducted manually with due care, there still remains a risk of copying unauthorized software from one server to another.
B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system (VCS) program will prevent the transfer of development or earlier versions.
C. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk.
D. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and

D. Tracing accountability is of minimal concern compared to the compromise of sensitive data.

In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
A. identify and assess the risk assessment process used by management.
B. identify information assets and the underlying systems.
C. disclose the threats and impacts to management.
Correct D. identify and evaluate the existing controls.
- CORRECT ANSWER You are correct, the answer is D.
A. The review of the risk assessment process should be done at the start of the risk analysis. Because the threats and impact have already been determined, there must already be a risk assessment process in place.
B. It would be impossible to determine impact without first having identified the assets affected; therefore, this must already have been completed.
C. Upon completion of a risk assessment, an IS auditor should describe and discuss with management the threats and potential impacts on the assets as well as recommendations for addressing the risk. However, this cannot be done until the controls have been identified and the likelihood of the threat has been calculated.
D. It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

The PRIMARY purpose of an IT forensic audit is:
A. to participate in investigations related to corporate fraud.
B. the systematic collection and analysis of evidence after a system irregularity.
C. to assess the correctness of an organization's financial statements.
Incorrect D. to preserve evidence of criminal activity.
- CORRECT ANSWER You answered D. The correct answer is B.
A. Forensic audits are not limited to corporate fraud.
B. The systematic collection and analysis of evidence best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings.

C. A digital certificate is an electronic document that declares a public key holder is who the holder claims to be. The certificates do handle data authentication as they are used to determine who sent a particular message.
D. The sender's public key cannot be opened by any key except the sender's private key.

When performing a review of a business process reengineering (BPR) effort, which of the following choices would be the PRIMARY concern?
A. Controls are eliminated as part of the BPR effort.
Incorrect B. Resources are not adequate to support the BPR process.
C. The audit department is not involved in the BPR effort.
D. The BPR effort includes employees with limited knowledge of the process area.

- CORRECT ANSWER You answered B. The correct answer is A.
A. A primary risk of business process reengineering (BPR) is that controls are eliminated as part of the reengineering effort. This would be the primary concern.

B. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort.
C. While BPR efforts often involve many different business functions, it would not be a significant concern if audit were not involved, and, in most cases, it would not be appropriate for audit to be involved in such an effort.
D. A recommended best practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this would not be a concern.

An IS auditor suspects an incident (attack) is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?
A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. Ask for immediate suspension of the suspect accounts.
Incorrect D. Immediately investigate the source and nature of the incident.
- CORRECT ANSWER You answered D. The correct answer is B.

Correct D. database commits and rollbacks.
- CORRECT ANSWER You are correct, the answer is D.
A. Database integrity checks are important to ensure database consistency and accuracy. These include isolation, concurrency and durability controls, but the most important issue here is atomicity—the requirement for transactions to complete entirely and commit or else roll back to the last known good point.
B. Validation checks will prevent introduction of corrupt data, but will not address system failure.
C. Input controls are important to protect the integrity of input data, but will not address system failure.
D. Database commits ensure that the data are saved after the transaction processing is completed. Rollback ensures that the processing that has been partially completed as part of the transaction is reversed back and not saved if the entire transaction does not complete successfully.

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit?
A. Transaction logs

B. Before and after image reporting
Correct C. Table lookups
D. Tracing and tagging
- CORRECT ANSWER You are correct, the answer is C.
A. Transaction logs are a detective control and provide audit trails.
B. Before and after image reporting makes it possible to trace the impact that transactions have on computer records. This is a detective control.
C. Table lookups are preventive controls; input data are checked against predefined tables, which prevents any undefined data from being entered.
D. Tracing and tagging is used to test application systems and controls, but is not a preventive control in itself.

As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through:
Correct A. performance measurement.
B. strategic alignment.

data in the human resource management system (HRMS) and among interfacing applications to the HRMS?
A. Two-factor authentication
B. A digital certificate
Correct C. Audit trails
D. Single sign-on authentication
- CORRECT ANSWER You are correct, the answer is C.
A. Two-factor authentication would enhance security while logging into the human resource management system (HRMS) application; however, it will not establish accountability for actions taken subsequent to login.
B. A digital certificate will also enhance login security to conclusively authenticate users logging into the application. However, it will not establish accountability because user ID and transaction details will not be captured without an audit trail.
C. Audit trails capture which user, at what time and date, along with other details, has performed the transaction, and this helps in establishing accountability among application users.

D. Single sign-on authentication allows users to log in seamlessly to the application, thus easing the authentication process. However, this would also not establish accountability.

A decision support system (DSS) is used to help high-level management:
A. solve highly structured problems.
B. combine the use of decision models with predetermined criteria.
Correct C. make decisions based on data analysis and interactive models.
D. support only structured decision-making tasks.
- CORRECT ANSWER You are correct, the answer is C.
A. A decision support system (DSS) is aimed at solving less structured problems.
B. A DSS combines the use of models and analytic techniques with traditional data access and retrieval functions, but is not limited by predetermined criteria.
C. A DSS emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria.

C. That RFID tags may not be removable is a concern of less importance than the violation of privacy.
D. RFID eliminates line-of-sight reading. This is a benefit of RFID, not a concern.

An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment?
A. Commands typed on the command line are logged.
Correct B. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs.
C. Access to the operating system command line is granted through an access restriction tool with preapproved rights.
D. Software development tools and compilers have been removed from the production environment.
- CORRECT ANSWER You are correct, the answer is B.
A. Having a log is not a control; reviewing the log is a control.

B. The matching of hash keys over time would allow detection of changes to files.
C. Because the access was already granted at the command line level, it will be possible for the developers to bypass the control.
D. Removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers.

An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following is the BEST recommendation to ensure proper security controls?
Correct A. Use of a point-to-point leased line
B. Use of a firewall rule to allow only the Internet protocol (IP) address of the remote site
C. Use of two-factor authentication
D. Use of a nonstandard port for Telnet
- CORRECT ANSWER You are correct, the answer is A.
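The hash-matching control from the production-access question above, as an added example that is not part of the exam text: a baseline of SHA-256 digests is taken from the authorized release and periodically compared with what is actually deployed. The directory layout, file names and edits are constructed for the demonstration.

```python
# Added example (not from the exam text): the hash-matching detective control
# from the question above, run over a constructed temporary "production" dir.
# A baseline of SHA-256 digests is recorded from the authorized release and
# later compared against whatever is currently deployed.
import hashlib
import os
import tempfile

def sha256_file(path):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(prog_dir):
    """Map each file under prog_dir (path relative to it) to its digest."""
    digests = {}
    for root, _, files in os.walk(prog_dir):
        for name in files:
            full = os.path.join(root, name)
            digests[os.path.relpath(full, prog_dir)] = sha256_file(full)
    return digests

def compare(baseline, current):
    """Return (changed, added, removed) program paths relative to the baseline."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return changed, added, removed

def demo():
    """Constructed scenario: an authorized release, then out-of-band edits."""
    with tempfile.TemporaryDirectory() as prod:
        for name in ("payroll.sh", "report.sh"):
            with open(os.path.join(prod, name), "w") as f:
                f.write("echo authorized v1\n")
        baseline = snapshot(prod)  # digests of the approved versions
        # Changes made directly on the box, bypassing the release process
        with open(os.path.join(prod, "payroll.sh"), "a") as f:
            f.write("echo unreviewed change\n")
        with open(os.path.join(prod, "hotfix.sh"), "w") as f:
            f.write("echo dropped in\n")
        os.remove(os.path.join(prod, "report.sh"))
        return compare(baseline, snapshot(prod))
```

As the answer key notes, the comparison is only a control when someone reviews its output; the baseline itself must be stored where the same operator access cannot alter it, or a change could be hidden by rewriting the recorded digests.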