Flash 1

Uploaded by Fares Salman

What are the four important clauses in outsourcing agreements (SLA)?
- clause with respect to ownership of intellectual property rights
- clause with respect to data confidentiality and privacy
- clause with respect to BCP & DRP
- clause with respect to right to audit

IT governance is PRIMARILY the responsibility of the:
(a) board of directors or (b) IT steering committee

User management assumes ownership of the project and the resulting system.

*** Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
Compensating controls

An IS steering committee should:
(a) ensure that IS security policies and procedures have been executed properly, or (b) have formal terms of reference and maintain minutes of its meetings.
have formal terms of reference and maintain minutes of its meetings.

PDCA is an iterative four-step method used for continuous improvement. What are the four steps of the PDCA cycle?
Plan-Do-Check-Act

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
(a) Specific user accountability cannot be established, or (b) Unauthorized users may have access to originate, modify or delete data.

An IS auditor is reviewing an organization's IS strategy. Which is the most important criterion for such a review?
It supports the business objectives.

In any given scenario, if the service provider is in another country, then the main concern of the IS auditor will be legal jurisdiction.

When an information security policy has been designed, it is MOST important that the information security policy be:
(a) circulated to users, or (b) updated frequently.

The PRIMARY objective of an audit of IT security policies is to ensure that:
(a) they are distributed and available to all staff, or (b) security and control policies support business and IT objectives.

When developing a risk management program, the FIRST activity to be performed is a(n):
(a) criticality analysis, or (b) inventory of assets

Which of the following reduces the potential impact of social engineering attacks?
(a) Effective performance incentives, or (b) Security awareness programs

__________ is a systematic approach to compare enterprise performance against peers and competitors in an effort to learn the best way of conducting business.
Benchmarking

A(n) __________ arrangement ensures that the purchasing company will have the opportunity to modify the software should the vendor cease to be in business.
Escrow

Which team should assume overall responsibility for system development projects?
Project steering committee

__________ is a systematic approach to compare enterprise performance against peers and competitors in an effort to learn the best way of conducting business.
Benchmarking

What are the three indicators of the IT balanced scorecard?
- customer satisfaction
- internal processes
- ability to innovate

In case of purchase of proprietary application software, the MOST important consideration should be:
Escrow arrangement

__________ is ultimately responsible for total project management for IT-related projects. It provides direction and monitors costs and project schedules.
Project steering committee

Which team should assume overall responsibility for system development projects?
Project steering committee

Who provides technical support for the hardware and software environments by developing, installing and operating the requested system?
System development management

Authority ultimately responsible for the development of an IS security policy:
The board of directors

Which team should assume overall responsibility for system development projects?
Project steering committee

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
Compensating controls

*** IT governance is PRIMARILY the responsibility of the:
- board of directors
- IT steering committee

**** The PRIMARY objective of an audit of IT security policies is to ensure that:
(a) they are distributed and available to all staff, or (b) security and control policies support business and IT objectives.

When developing a risk management program, the FIRST activity to be performed is a(n):
- criticality analysis
- inventory of assets

*** Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
Compensating controls

Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
(a) Specific user accountability cannot be established
(b) Unauthorized users may have access to originate, modify or delete data

When an organization is outsourcing its information security function, which of the following should be kept in the organization?
(a) Accountability for the corporate security policy
(b) Defining the corporate security policy

The lack of adequate security controls represents a(n):
- threat
- vulnerability

A local area network (LAN) administrator normally would be restricted from:
- having end-user responsibilities
- having programming responsibilities

**** Which statement is correct:
(a) enterprise requirements should form the basis of security requirements, or (b) security requirements should form the basis of enterprise requirements

Which of the following is a check (control) for completeness?
(a) Check digits
(b) Parity bits
Parity bits are used to check for completeness of data transmissions. Check digit is incorrect: check digits are a control for accuracy.

Which testing is done by external users?
- Alpha testing
- Beta testing

**** An organization planning to purchase a software package asks the IS auditor for a risk assessment. Which of the following is the MAJOR risk?
(a) Unavailability of the source code
(b) Lack of a vendor-quality certification

**** Following are the characteristics of which software development methodology?
- Dictionary meaning is 'able to move quickly and easily'.
- It allows the programmer to just start writing a program without spending much time on preplanning documentation.
- Less importance is placed on formal paper-based deliverables, with the preference being to produce releasable software in short iterations, typically ranging from 4 to 8 weeks.
- At the end of each iteration, the team considers and documents what worked well and what could have worked better, and identifies improvements to be implemented in subsequent iterations.
Agile development

*** Identify the type of data validation edit for each statement below:
(i) The control number follows sequentially, and any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes: Sequence check
(ii) Data should not exceed a predetermined amount: Limit check
(iii) Data should be within a predetermined range of values: Range check
(iv) Programmed checking of the data validity in accordance with predetermined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, the record should be rejected: Validity check

__________ is a tool in which an existing system is extensively enhanced by extracting and reusing design and program components.
Re-engineering

**** During unit testing, the test strategy applied is:
- black box
- white box

Top-down approach testing starts from a broader level and then gradually moves towards individual programs and modules. What are the advantages of top-down?
- Interface errors can be detected earlier
- Confidence in the system is achieved earlier

Which of the following is used to ensure that batch data is completely and accurately transferred between two systems?
(a) control total
(b) check digit
(c) checksum

Accountability for the maintenance of appropriate security measures over information assets resides with the:
Data/system owner

IT governance is PRIMARILY the responsibility of the:
- board of directors
- IT steering committee

__________ provide the ability to verify data values through stages of application processing. They ensure that data read into the computer were accepted and then applied to the updating process.
Run-to-run totals

__________ testing is the process of comparing the results of the old and new systems.
Parallel testing

__________ is a tool in which an existing system is extensively enhanced by extracting and reusing design and program components.
Re-engineering

The __________ approach is most suitable when requirements are well defined and understood. The Waterfall approach is not successful when requirements are changing frequently.
(a) Waterfall or (b) Agile

Which of the SDLC tests involves testing of an individual program or module?
Unit testing

**** In which online audit technique is a fictitious entity created in live production?
ITF

**** Which SDLC test is done to ensure that a new or modified system can work in the specified environment without adversely impacting the existing system?
Sociability test

__________ uses a prototype approach that can be updated continually to meet changing user or business requirements.
(a) RAD or (b) Agile
Rapid Application Development (RAD)

*** Ideally, stress testing should be carried out in a __________ environment using __________ workloads.
Ideally, stress testing should be carried out in a test environment using live workloads.

**** __________ is an indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs and files.
Function Point Analysis (FPA)

Which of the SDLC tests involves testing of the connection of two or more modules or components that pass information from one area to another?
Integration testing

In the Agile approach, reviews are done to identify lessons learned for future use in the project.
(a) RAD or (b) Agile

*** Major risk associated with agile development is:
lack of documentation

*** Which SDLC test is done to ensure that a new or modified system can work in the specified environment without adversely impacting the existing system?
Sociability test

**** Following are the characteristics of which software development methodology?
- Process of creating systems through controlled trial and error.
- It is an early sample or model to test a concept or process. It is a small-scale working system used to test the assumptions. Assumptions may be about user requirements, program design or internal logic.
- This method of system development can provide the organization with significant time and cost savings.
- By focusing mainly on what the user wants and sees, developers may miss some of the controls that come from the traditional systems development approach; therefore, a potential risk is that the finished system will have poor controls.
Prototyping

** In which online audit technique is a fictitious entity created in live production?
ITF

*** Major risk associated with agile development: lack of documentation.

**** Unit testing involves testing of an individual program or module.

*** What are the steps of the benchmarking process?
(1) Plan (for what processes benchmarking is to be done)
(2) Research (from where and with whom benchmarking is to be done)
(3) Observe (visit and observe the processes of benchmarking partners)
(4) Analyse (analyse the gap between the organisation's processes and the benchmarking partner's processes)
(5) Adopt (implement the best practices followed by the benchmarking partner)
(6) Improve (continuous improvement)

*** Logic path monitors report on the sequence of steps executed by a program. This provides the programmer with clues to logic errors, if any, in the program.

The major risk of combining quality assurance testing and user acceptance testing is:
(a) improper documentation of testing
(b) inadequate functional testing

The control number follows sequentially, and any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes: Sequence check
Data should not exceed a predetermined amount: Limit check
Data should be within a predetermined range of values: Range check
Programmed checking of the data validity in accordance with predetermined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, the record should be rejected: Validity check

(In white box testing, program logic is tested. In black box testing, only functionality is tested.)

Which is the best online audit technique to identify transactions as per pre-defined criteria?
CIS

Top-down approach testing starts from a broader level and then gradually moves towards individual programs and modules. What are the advantages of top-down?
(i) Interface errors can be detected earlier
(ii) Confidence in the system is achieved earlier

Which testing is done by external users? (a) Alpha testing or (b) Beta testing
Beta testing

__________ tests ensure that individual programs are working correctly.
Unit

An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of:
(a) reverse engineering or (b) re-engineering

Parallel testing is the process of comparing the results of the old and new systems.

*** Identify the type of data validation edit for each statement below:
A numeric value that has been calculated mathematically is added to data to ensure that the original data have not been altered or an incorrect, but valid, value substituted. This control is effective in detecting transposition and transcription errors: Check digit
A field should always contain data rather than zeros or blanks. A check of each byte of that field should be performed to determine that some form of data, not blanks or zeros, is present: Completeness check
New transactions are matched to those previously input to ensure that they have not already been entered: Duplicate check

Which testing is done by internal users?
- Alpha testing
- Beta testing

__________ report on the sequence of steps executed by a program. This provides the programmer with clues to logic errors, if any, in the program.
Logic path monitors

Advantages of bottom-up:
(i) Testing can be started even before all programs are complete
(ii) Errors in critical modules can be found early

**** When the objective is to ensure that a transaction must either fully happen or not happen at all, which control should be used?
Atomicity

*** The major risk of combining quality assurance testing and user acceptance testing is:
(a) improper documentation of testing
(b) inadequate functional testing

Automated systems balancing would be the best way to ensure that no transactions are lost, as any imbalance between total inputs and total outputs would be reported for investigation and correction.

Identify the type of data validation edit for each statement below:
(i) The control number follows sequentially, and any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes: Sequence check
(ii) Data should not exceed a predetermined amount: Limit check
(iii) Data should be within a predetermined range of values: Range check
(iv) Programmed checking of the data validity in accordance with predetermined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, the record should be rejected: Validity check

Which of the SDLC tests involves testing of an individual program or module?
Unit testing
- Which of the following approaches is used for unit testing?
- (a) White box approach or (b) Black box approach
- (a) White box approach (i.e. testing of internal program logic)

When the objective is to monitor the project or track any milestone, the answer should be:
(a) PERT or (b) Gantt chart

Detailed program logic is tested in:
(a) White box testing or (b) Black box testing

--- User acceptance testing (UAT) is performed by:
(a) IS department or (b) User department

---- Major risk associated with agile development is: lack of documentation.

(i) Data integrity testing examines the accuracy, completeness, consistency and authorization of data.
(ii) Relational integrity testing detects modification to sensitive data by the use of control totals.
(iii) Domain integrity testing verifies that data conforms to specifications.
(iv) Referential integrity testing ensures that data exists in its parent or original file before it exists in the child or another file.

__________ are controls over input, processing and output functions. They include methods for ensuring that:
- Only complete, accurate and valid data are entered and updated in computer systems
- Processing accomplishes the correct task
- Processing results meet the expectations
- Data are maintained
Application controls

When the objective is to ensure that a transaction must either fully happen or not happen at all, which control should be used?
Snapshot

__________ would be the best way to ensure that no transactions are lost, as any imbalance between total inputs and total outputs would be reported for investigation and correction.
Automated systems balancing

A major benefit of __________ is the ability to reuse objects.
(a) RAD or (b) OOSD
Object-oriented system development (OOSD)

Identify the type of data validation edit for each statement below:
The control number follows sequentially, and any out-of-sequence or duplicated control numbers are rejected or noted on an exception report for follow-up purposes: Sequence check
Data should not exceed a predetermined amount: Limit check
Data should be within a predetermined range of values: Range check
Programmed checking of the data validity in accordance with predetermined criteria. For example, a payroll record contains a field for marital status and the acceptable status codes are M or S. If any other code is entered, the record should be rejected: Validity check
