Domain 3 4
Domain 3: Questions
1. An IS auditor is planning an audit project and needs to know which areas represent the highest risk. What is the best approach for identifying these risk areas?
A. Perform the audit; control failures will identify the areas of highest risk.
B. Perform the audit and then perform a risk assessment.
C. Perform a risk assessment first, and then concentrate control tests in high-risk areas identified in the risk assessment.
D. Increase sampling rates in high-risk areas.
2. An auditor has detected potential fraud while testing a control objective. What should the auditor do next?
A. Notify the audit committee.
B. Conduct a formal investigation.
C. Report the fraud to law enforcement.
D. Report the suspected fraud to management.
3. The possibility that a process or procedure will be unable to prevent or detect serious errors and wrongdoing is known as
A. Detection risk
B. Inherent risk
C. Sampling risk
D. Control risk
4. The categories of risk treatment are
A. Risk reduction, risk transfer, risk avoidance, and risk acceptance
B. Risk avoidance, risk transfer, and risk mitigation
C. Risk avoidance, risk reduction, risk transfer, risk mitigation, and risk acceptance
D. Risk avoidance, risk treatment, risk mitigation, and risk acceptance
5. An IS auditor needs to perform an audit of a financial system and needs to trace individual transactions through the system. What type of testing should the auditor perform?
A. Discovery testing
B. Statistical testing
C. Compliance testing
D. Substantive testing
6. An IS auditor is auditing the change management process for a financial application. The auditor has two primary pieces of evidence: change logs and a written analysis of the change logs performed by a business analyst. Which evidence is best and why?
A. The change log is best because it is subjective.
B. The written analysis is best because it interprets the change log.
C. The change log is best because it is objective and unbiased.
D. The written analysis is best because it is objective.
7. Under which circumstances should an auditor use subjective sampling?
A. When the population size is low
B. When the auditor believes that specific transactions represent higher risk than most others
C. When the risk of exceptions is low
D. When statistical sampling cannot be performed
8. An IS auditor has discovered a high-risk exception during control testing. What is the best course of action for the IS auditor to take?
A. Immediately perform mitigation.
B. Include the exception in the report and mark the test as a control failure.
C. Immediately inform the auditee of the situation.
D. Immediately inform the audit committee of the situation.
9. What is the appropriate role of an IS auditor in a control self-assessment?
A. The IS auditor should participate as a subject matter expert.
B. The IS auditor should act as facilitator.
C. The IS auditor should not be involved.
D. The IS auditor should design the control self-assessment.
10. Which of the following would not be useful evidence in an IS audit?
A. Personnel handbook
B. Organization mission statement and objectives
C. Organization chart
D. Organization history
11. An auditor has discovered that automated work papers were configured with read/write permissions for database administrators. What actions should the auditor take?
A. Simply continue to rely on the automated work papers.
B. Note an exception and continue to rely on these automated work papers.
C. Recommend that permissions on automated work papers be changed so that no personnel have write access and so that this data may be relied upon in the future.
D. Notify the board of directors or the audit committee.
12. During an audit, an auditor has discovered a process that is being performed consistently and effectively, but the process lacks procedure documentation. What action should the auditor take?
A. Document the process.
B. Find that the process is effective but recommend that it be documented.
C. Write the procedure document for the auditee and include it in audit evidence.
D. Find that the process is ineffective.
13. During audit planning, an auditor has discovered that a key business process in the auditee organization has been outsourced to an external service provider. Which option should the auditor consider?
A. Audit the external service provider or rely on an SSAE 16 audit report if one is available.
B. Audit the external service provider.
C. Determine that the business process is not effective.
D. Request that the external service provider submit its internal audit work papers.
14. Why should an auditor prefer bank statements over a department’s own business records that list bank transactions?
A. Bank statements can be provided in electronic format.
B. Bank statements contain data not found in internal records.
C. Bank statements are usually easier to obtain.
D. Bank statements are independent and objective.
15. Which of the following statements is true about ISACA audit standards and guidelines?
A. ISACA audit standards are mandatory, while ISACA audit guidelines are optional.
B. ISACA audit standards are optional, while ISACA audit guidelines are mandatory.
C. ISACA audit standards and guidelines are mandatory.
D. ISACA audit standards and guidelines are optional.
Domain 4: Questions
1. What testing activities should developers perform during the development phase?
A. Security testing
B. Integration testing
C. Unit testing
D. Developers should not perform any testing
2. The purpose of function point analysis (FPA) is to
A. Estimate the effort required to develop a software program.
B. Identify risks in a software program.
C. Estimate task dependencies in a project plan.
D. Inventory inputs and outputs in a software program.
3. A project manager needs to identify the tasks that are responsible for project delays. What approach should the project manager use?
A. Function point analysis
B. Gantt analysis
C. Project evaluation and review technique
D. Critical path methodology
4. A software developer has informed the project manager that a portion of the application development is going to take five additional days to complete. The project manager should
A. Inform the other project participants of the schedule change.
B. Change the project schedule to reflect the new completion time.
C. Create a project change request.
D. Adjust the resource budget to account for the schedule change.
5. The phases and their order in the systems development life cycle are
A. Requirements definition, feasibility study, design, development, testing, implementation, post-implementation
B. Feasibility study, requirements definition, design, development, testing, implementation, post-implementation
C. Feasibility study, requirements definition, design, development, testing, implementation
D. Requirements definition, feasibility study, development, testing, implementation, post-implementation
6. What personnel should be involved in the requirements phase of a software development project?
A. Systems administrators, network administrators, and software developers
B. Developers, analysts, architects, and users
C. Security, privacy, and legal analysts
D. Representatives from each software vendor
7. The primary source for test plans in a software development project is
A. Requirements
B. Developers
C. End users
D. Vendors
8. The primary purpose of a change management process is to
A. Record changes made to systems and infrastructure.
B. Review and approve proposed changes to systems and infrastructure.
C. Review and approve changes to a project schedule.
D. Review and approve changes to application source code.
9. What is the purpose of a capability maturity model?
A. To assess the experience of software developers
B. To assess the experience of project managers
C. To assess the integrity of application software
D. To assess the maturity of business processes
10. The purpose of input validation checking is to
A. Ensure that input values are within acceptable ranges.
B. Ensure that input data contains the correct type of characters.
C. Ensure that input data is free of hostile or harmful content.
D. Ensure all of the above.
11. An organization is considering the acquisition of enterprise software that will be hosted by a cloud services provider. What additional requirements need to be considered for the cloud environment?
A. Logging
B. Access control
C. Data segregation
D. Performance
12. System operators have to make an emergency change in order to keep an application server running. To satisfy change management requirements, the systems operators should
A. Document the steps taken.
B. Fill out an emergency change request form.
C. Seek approval from management before making the change.
D. Do all of the above.
13. A global organization is planning the migration of a business process to a new application. What cutover methods can be considered?
A. Parallel, geographic, module by module, or all at once
B. Parallel, geographic, or module by module
C. Parallel, module by module, or all at once
D. Parallel, geographic, or all at once
14. The purpose of developing risk tiers in third-party management is to
A. Determine whether to perform penetration tests.
B. Satisfy regulatory requirements.
C. Determine the appropriate level of due diligence.
D. Determine data classification requirements.
15. The reason that functional requirements need to be measurable is
A. Developers need to know how to test functional requirements
B. Functional tests are derived directly from functional requirements
C. To verify correct system operation
D. To measure system performance
Domain 4 Answers
1. C. During the development phase, developers should perform only unit testing to verify that the individual sections of code they have written are performing properly.
2. A. Function point analysis (FPA) is used to estimate the effort required to develop a software program.
3. D. Critical path methodology helps a project manager determine which activities are on a project’s “critical path.”
4. C. When any significant change needs to occur in a project plan, a project change request should be created to document the reason for the change.
5. B. The phases of the systems development life cycle are feasibility study, requirements definition, design, development, testing, implementation, and post-implementation.
6. B. Requirements need to be developed by several parties, including developers, analysts, architects, and users.
7. A. The requirements that are developed for a project should be the primary source for detailed tests.
8. B. The main purpose of change management is to review and approve proposed changes to systems and infrastructure. This helps to reduce the risk of unintended events and unplanned downtime.
9. D. A capability maturity model helps an organization to assess the maturity of its business processes, which is an important first step to any large-scale process improvement efforts.
10. D. Input validation checking is used to ensure that input values are within established ranges, of the correct character types, and free of harmful content.
11. C. In addition to business, functional, security, and privacy requirements, an organization considering cloud-based services needs to understand how the cloud services provider segregates the organization’s data from that of its other customers.
12. D. When making an emergency change, personnel should first seek management approval, document the details of the change, and initiate an emergency change management procedure.
13. A. The migration to a new application can be done in several ways: parallel (running old and new systems side by side); geographic (migrating users in each geographic region separately); module by module (migrating individual modules of the application); or migrate all users, locations, and modules at the same time.
14. C. Developing risk tiers in third-party management helps an organization determine the level of due diligence for third parties at each risk tier. Because the level of risk varies, some third parties warrant extensive due diligence, while a lighter touch is warranted for low-risk parties.
15. B. Functional requirements should be measurable, because test cases should be developed directly from functional requirements. The same can be said about security and privacy requirements—all must be measurable because all should be tested.