Appendix A. Answers to the “Do I Know This Already” Quizzes and Review Questions

Do I Know This Already? Answers

Chapter 2

1. C

2. A

3. B

4. C

5. B

6. D

7. C

8. D

9. B

10. D

Chapter 3

1. B

2. C

3. B

4. A

5. D

6. D

7. C

8. C

9. A

10. D

11. C

12. A

Chapter 4

1. D

2. B

3. A

4. C

5. A

6. A

7. D

8. C

9. B

10. C

Chapter 5

1. C

2. A

3. B

4. C

5. B

6. D

7. C

8. D

9. B

10. D

Chapter 6

1. C

2. D

3. B

4. C

5. B

6. A

7. C

8. D

9. B

10. D

Chapter 7

1. B

2. D

3. B

4. A

5. C

6. B

7. D

8. B

9. A

10. D

Chapter 8

1. A

2. D

3. D

4. B

5. C

6. B

7. A

8. A

9. A

10. C

Chapter 9

1. C

2. D

3. A

4. B

5. D

6. B

7. D

8. A

9. B

10. A

Review Questions Answers and Explanations

Chapter 2

1. D. A baseline is correct because it is a platform-specific rule related to the security configuration for an Active Directory server. Answers A, B, and C are not platform specific.

2. B. Qualified audit opinion is correct here because (1) testing was limited to whether the control existed and as stated did not include substantive testing, and (2) the control failure was not pervasive, occurring in 3 of the 1,300 sites, or .0023% of the population. Answer A is incorrect because the lack of a substantive test is a qualifier. Answer C is incorrect because there is no pervasive control weakness. Answer D is incorrect because compliance test–obtained evidence was sufficient to demonstrate instances of control weakness.

3. B. Integrated auditing is a methodology that combines the operational audit function, the financial audit function, and the IS audit function. Therefore, Answers C and D are incorrect because they do not list all three types of functions to be integrated. Answer A is incorrect because it describes control self-assessment (CSA), which is used to verify the reliability of internal controls and places internal controls in the hands of management.

4. D. The best choice would be a locked cabinet on the department floor with only one key, in the possession of the auditor. With only one key in the auditor’s possession, there is clear accountability, and access is limited to one person. Answer A is incorrect because multiple individuals may still have access to the safe. Answer B is incorrect because it would call into question the security of the home and the ability to restrict access to family members. Answer C is incorrect because third-party access cannot be verified in a third-party site, given the way the facts were presented.

5. D. A control risk is risk caused by failure of internal controls; it can result in a material error. Answer A is incorrect because residual risk is the amount of risk the organization is willing to accept. Answer B is incorrect because inherent risk is the risk that can occur because of the lack of compensating controls. Combined, inherent risks can create a material risk. Answer C is incorrect because detection risk is the risk if an auditor does not design tests in such a way as to detect a material risk.

6. A. Attending board meetings is not one of the best ways to gather evidence during an audit. The best ways to gather evidence include observing employee activity, examining and reviewing procedures and processes, verifying employee security awareness training and knowledge, and examining reporting relationships to verify segregation of duties.

7. B. CSA is not an audit function replacement. Answers A, C, and D are all advantages of CSA.

8. D. A disclaimer is used when an auditor cannot obtain appropriate evidence to base an opinion.

9. A. Internal accounting controls used to safeguard financial records are an example of a general control procedure. Answers B, C, and D all describe information system control procedures.

10. B. The word material describes a significant level of risk that the organization is unwilling to accept. Answers A, C, and D do not define the term.

11. B. An integrated test facility is a type of substantive test that uses data represented by fake entities, such as products, items, or departments. Answer A is incorrect because a parallel test compares real results to those generated by the auditor to compare the control function. Answer C is incorrect because embedded audit modules identify and report specific transactions or other information, based on predetermined criteria. Answer D is incorrect because test data uses theoretical transactions to validate program logic and control mechanisms.

12. D. Variable sampling would be the best sampling technique to review an organization’s balance sheet for material transactions. It is also known as dollar estimation. Answer A is incorrect because attribute sampling is used to determine the rate of occurrence. Answer B is incorrect because frequency sampling is another name for attribute sampling; both terms describe the same sampling technique. Answer C is incorrect because stop-and-go sampling is used when an auditor believes that only a few errors will be found in a population.

13. A. Task statements describe how to apply knowledge statements. Answers B and D are types of audits, not domain question types. Answer C is incorrect because knowledge statements are the facts you are expected to know.

14. D. Regulatory audits are not impacted by a CSA program. Answers A, B, and C are all potential benefits of CSA.

15. C. Regulatory requirements are not optional and must be given priority due to the impact on the organization. Answers A, B, and D are important, but unlike regulatory mandates, they are under the control of the organization in terms of timing and scope of implementation.

Chapter 3

1. B. This capability maturity model (CMM) specifies five levels of control for software maturity levels. Answer A is incorrect because ISO 17799 is a comprehensive set of controls designed to gauge best practices in information security. Answer C is incorrect because COSO was designed to help prevent and detect fraud in financial reports. Answer D is incorrect because COBIT was designed to aid in the development of good IT process and policies.

2. C. A network administrator should not have programming responsibilities. Answers A, B, and D are all duties that an administrator can hold, and a network administrator might have end-user responsibilities, aid in the system administration, and help in the early phases of design.

3. C. Key verification would provide the highest level of confidence. Answer A is incorrect because audit trails would provide details of the entered activities but would not improve accuracy. Answer B is incorrect because separating job roles would be an additional control but would not add any accuracy to the information that was entered incorrectly. Answer D is incorrect because the supervisory review is a detective and compensating control but is not the best answer.

4. B. Any time you are inspecting unfamiliar records, you need to understand what type of data is stored. Metadata describes the type of data. Answers A and D are not the best answers because they primarily provide insights but only after you understand the type of data contained in the records. Answer C is incorrect because while it allows you to understand who can access the information, it does not help to understand the data.

5. D. Bottom-up policy development addresses the concerns of operational employees because it starts with their input and concerns and examines risk. Answers A, B, and C are incorrect because all these items are tied to top-down policy development. A top-down approach aligns with company policy, is a slow process, and might not fully address the concerns of employees.

6. C. A balanced scorecard is used to match the organization’s information technology to the strategy of the organization. Answer A is incorrect because it is not used for benchmarking, Answer B is incorrect because it is not used to measure effectiveness, and Answer D is incorrect because it is not used to evaluate help desk employees.

7. A. Any time an outsourcing provider will provide a time-sensitive process, such as ISP services, an SLA can be used to obtain a guarantee of the level of service the outsourcing partner is agreeing to provide. The SLA should specify the uptime, response time, and maximum outage time they are agreeing to. Answer B is incorrect because although physical security is important, it is not the most important in this case. Answers C and D are incorrect because neither would serve as an adequate measure for an independent evaluation of the ISP’s service capability.

8. B. Custody is related to access to cash, merchandise, or inventories. Answer A is incorrect because authorization describes verifying cash, approving purchases, and approving changes. Answer C is incorrect because record keeping deals with preparing receipts, maintaining records, and posting payments. Answer D is incorrect because reconciliation deals with comparing monetary amounts, counts, reports, and payroll summaries.

9. D. Database administrator and systems analyst are two roles that ISACA believes can be combined. Answers A, B, and C are incorrect because none of these positions should be combined. An auditor should understand how the combination of certain roles increases risk. For example, a systems analyst should be discouraged from performing the duties of someone in a quality assurance role. If these roles are combined, quality assurance levels could be compromised if strong compensating controls are not being used.

10. D. Before auditors can begin any technical duties, they must understand the environment in which they are working. The best way to do that is to review the business plan, which details the goals of the organization. Only after the business plan has been reviewed should the other items listed be reviewed. Therefore, Answers A, B, and C are incorrect.

Chapter 4

1. B. The recovery point objective (RPO) is the earliest point in time at which recovery can occur. If RPO is low, tape backup or another solution is acceptable. Answer A is incorrect because a high RPO would require mirroring or another type of timely recovery method. Answer C is incorrect because a low RTO would mean that little time is available for recovery. Answer D is incorrect because low fault tolerance indicates that little time is available for unavailable services.

2. D. Although hot sites are an expensive alternative, they are ready for service. Answer A is incorrect because a hot site cannot be used for long-term processing. Answer B is incorrect because a hot site is a subscription service. Answer C is incorrect because there are additional fees; the organization must pay a variety of fees for use, testing, and access.

3. A. JBOD allows users to combine multiple drives into one large drive. JBOD’s only advantage is that, in case of drive failure, only the data on the affected drive is lost. Answers B, C, and D are incorrect because JBOD is not superior to disk mirroring, is not faster than RAID, and offers no fault tolerance.

4. C. Critical processes that produce revenue are considered a core activity. Answer A is incorrect because discretionary processes are considered nonessential. Answer B is incorrect because supporting processes require only minimum BCP services. Answer D does not specify a process; critical is a term used to describe how important the service or process is.

5. D. Business continuity planning is an ongoing process that should be revisited each time there is a change to the environment. Therefore, Answers A, B, and C are incorrect.

6. D. The most critical concern is keeping the copies of critical information current at an offsite location. Answers A, B, and C are important but are not the most important.

7. B. BIA is an important part of the BCP process. The purpose of BIA is to document the impact of outages, identify critical systems, prioritize critical systems, analyze outage impact, and determine recovery times needed to keep critical systems running. Answers A, C, and D are incorrect because they do not specify steps performed during BIA.

8. B. There is no BCP test known as a structured walk-through. Valid types are listed in Answers A, C, and D: paper test, full operation test, and preparedness test.

9. C. Diverse routing is the practice of routing traffic through different cable facilities. Answer A is incorrect because alternate routing is the ability to use another transmission line if the regular line is busy or unavailable. Answer B is incorrect because long-haul diversity is the practice of having different long-distance communication carriers. Answer D is incorrect because last-mile protection provides a second local loop connection.

10. A. Vital meets the description of functions that are important and can be performed by a manual backup process but not for a long period of time. Answer B is incorrect because it describes tasks that are important but can be performed manually at a reasonable cost. Answer C is incorrect because critical refers to extremely important functions. Answer D is incorrect because demand driven does not describe a valid functional label.

Chapter 5

1. C. Implementation is the stage at which user acceptance is usually performed. Therefore, Answers A, B, and D are incorrect.

2. B. The critical path is the sequence of activities that must be completed on time for the project to stay on schedule. Delays of any items on the critical path will slow the entire project. Answers A, C, and D are incorrect because, although the budget, team skills, and individual tasks are all items to consider, the critical path should be examined first because that will affect all other items.

3. A. Following implementation, a cost–benefit analysis or ROI calculation should be performed. Answer B is incorrect because the audit trail should be designed during the design phase. Answer C is incorrect because an ERD should be performed during the requirements phase. Answer D is incorrect because final acceptance testing should be performed during the implementation phase.

4. D. Sociability testing is performed to confirm that a new or modified system will work in its intended environment. Answer A is incorrect because regression testing verifies that changes have not introduced errors. Answer B is incorrect because function testing verifies that systems meet specifications. Answer C is incorrect because pilot testing is used for limited evaluations.

5. D. Extreme programming does not work well for large project teams. Extreme programming requires that teams include business managers, programmers, and end users. These teams are responsible for developing usable applications in short periods of time. Answer A is incorrect because the spiral model is based on the concept that software development is evolutionary. The spiral model begins by creating a series of prototypes to develop a solution. As the project continues, it spirals out, becoming more detailed. Each step passes through planning, requirements, risks, and development phases. Answer B is incorrect because RAD requires well-trained development teams that use integrated power tools for modeling and prototyping. Answer C is incorrect because scrum uses short cycles referred to as sprints and is focused on object-oriented technology.

6. C. Fourth-generation languages (4GL) are most commonly used for databases. Examples of 4GLs include FOCUS, Natural, and dBase. Answer A is incorrect because 2GL is assembly language. Answer B is incorrect because 3GL includes languages such as FORTRAN, Pascal, and C. Answer D is incorrect because 5GLs are very high-level languages such as Prolog.

7. C. PERT is used to schedule, organize, and coordinate tasks. The PERT weighted average examines the shortest time, average time, and longest time a task is scheduled to be completed. Therefore, Answers A, B, and D are incorrect.

8. B. A direct changeover requires the establishment of a cut-off date so that all users must switch to the new system by then. Answer A is incorrect because a pilot scenario is used when an entire new system is used at one location. Answer C is incorrect because a phased changeover is gradual. Answer D is incorrect because a parallel changeover brings the new system online while the old is still in operation.

9. C. Entity relationship diagrams are built using two essential components that include entities and relationships. Therefore, Answers A, B, and D are incorrect.

10. C. Scrum uses short cycles referred to as sprints and is focused on object-oriented technology. Answer A is incorrect because the spiral model is based on the concept that software development is evolutionary. The spiral model involves creating a series of prototypes to develop a solution. As the project continues, it spirals out, becoming more detailed. Each step passes through planning, requirements, risks, and development phases. Answer B is incorrect because RAD requires well-trained development teams that use integrated power tools for modeling and prototyping. Answer D is incorrect because extreme programming requires that teams include business managers, programmers, and end users. These teams are responsible for developing usable applications in short periods of time.

11. A. Dropbox is an example of a public cloud service. A private cloud model is based on the concept that the cloud is owned and operated by a private entity. A community cloud model can be used by several entities. A hybrid cloud model can be a combination of any of the other cloud models. Therefore, Answers B, C, and D are incorrect.

12. B. Tokenization randomly generates a value for plain text and stores the corresponding value in a database. Answers A, C, and D are incorrect because random numbers, cookies, and user IDs are not used as a replacement for encryption.
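The tokenization described in the explanation above, shown as a small in-memory token vault. This is an added example, not code from the book: the vault, its keep-last-four display policy, and the test card number are all constructed for illustration. The token is random and has no mathematical relationship to the stored value, so the only way back to the plaintext is a lookup in the vault.

```python
"""Tokenization vault (added example, not from the book).

A sensitive value is replaced by a random surrogate of the same length.
The mapping lives only in the vault, so a token leaked from a log or a
downstream system reveals nothing about the original value.
"""
import secrets
import string


class TokenVault:
    """Maps sensitive values to random surrogate tokens (constructed in-memory store)."""

    def __init__(self, keep_last=4):
        # Number of trailing digits left visible for display; an assumed policy.
        self.keep_last = keep_last
        self._by_token = {}   # token -> original value
        self._by_value = {}   # original value -> token (one token per value)

    def _random_token(self, value):
        """Random digits of the same length as the value, trailing digits preserved."""
        visible = value[-self.keep_last:] if self.keep_last else ""
        body_len = len(value) - len(visible)
        body = "".join(secrets.choice(string.digits) for _ in range(body_len))
        return body + visible

    def tokenize(self, value):
        """Return the token for a value, generating and storing one on first use."""
        if value in self._by_value:
            return self._by_value[value]
        while True:
            token = self._random_token(value)
            # Reject the (astronomically unlikely) token that equals the value
            # or collides with a token already in the vault.
            if token != value and token not in self._by_token:
                break
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        """Look up the original value; raises KeyError for an unknown token."""
        return self._by_token[token]

    def is_token(self, token):
        return token in self._by_token


def demo():
    """Tokenize a constructed card number and return the pieces for inspection."""
    vault = TokenVault()
    pan = "4111111111111111"   # constructed test number, not a real account
    token = vault.tokenize(pan)
    return vault, pan, token


if __name__ == "__main__":
    vault, pan, token = demo()
    print("value :", pan)
    print("token :", token)
    print("back  :", vault.detokenize(token))
```

Because the token is generated with the secrets module rather than a hash of the value, two vaults given the same value produce unrelated tokens, which is what distinguishes tokenization from hashing or encryption.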

13. B. Type 2 hypervisors are those that require an underlying OS. Examples of Type 2 systems include VirtualBox and VMware Workstation. Answers C and D are incorrect as there are no Type 3 or 4 hypervisors. Virtualization systems fall into two categories: Type 1 and Type 2. Answer A is incorrect because a Type 1 hypervisor resides directly on hardware.

14. D. The most common implementation of n-tier is the three-tier approach. A three-tier architecture is typically composed of a presentation tier, a domain logic tier, and a data storage tier such as a workstation, server, and database. Answer A is incorrect because a workstation and a server is not the most common implementation of n-tier. Answer B is incorrect because the LAMP stack is Linux, Apache, MySQL, and PHP/Python/Perl. Answer C is incorrect because a workstation and cloud is not considered n-tier.

15. D. An SAS 70 report verifies that the outsourcing or business partner has had its control objectives and activities examined by an independent accounting and auditing firm. Answer A is incorrect because privacy shield is used for EU protection of data. Answer B is incorrect because COBIT is a good-practice framework created by international professional association ISACA for information technology (IT) management and IT governance. Answer C is incorrect because ITIL is a set of detailed practices for IT service management that seeks to align IT services with the needs of the business.

Chapter 6

1. B. Valid application testing methodologies include snapshots, mapping, tracing and tagging, using test data, and base case system evaluation. Answer B is an example of a data integrity control.

2. A. Audit hooks detect items that meet specific criteria. Answer B is incorrect because snapshots require an audit trail. Answer C is incorrect because integrated test facilities should not be used with test data. Answer D is incorrect because continuous and intermittent simulation requires examination of transactions that meet specified criteria.

3. D. Decision support systems (DSSs) are software-based applications that help analyze data to answer less structured problems. DSS typically uses knowledge databases, models, and analytical techniques to make decisions. Answer A is incorrect because a DSS does not use structured models to solve complex problems. Answer B is incorrect because a DSS is designed to support traditional decision-making activities. Answer C is incorrect because a DSS is designed to support unstructured problems.

4. C. A reasonableness check verifies the reasonableness of the data. Answer A is incorrect because a validity check is usually used with dates. Answer B is incorrect because range checks are typically used to verify that data is within a specified range. Answer D is incorrect because a limit check is used to verify that sales do not exceed a specified limit (for example, limiting one per customer).

5. C. Decision support systems are typically developed with 4GL programming languages. Answers A, B, and D are incorrect.

6. C. A data lake always contains raw data. A data warehouse stores data in files and database tables that are highly structured and searchable.

7. B. The impact of EDI on internal controls is that there are fewer opportunities for review and authorization. Answers A, C, and D are, therefore, incorrect.

8. B. An edit control is used with data that has been entered but not yet processed. A sequence check is an example of an edit control. Answers A, C, and D are incorrect because they are all examples of processing controls, which ensure that data remains unchanged until it is processed by an authorized process.
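The edit checks named in questions 4 and 8 above (validity, range, reasonableness, limit, and a sequence check), applied to a batch of entered records before any of them is processed. This is an added example, not the book's code; the order records, the thresholds, and the one-promo-per-customer rule are constructed to show each check rejecting a record.

```python
"""Edit (input) checks on records that have been entered but not yet processed.

Added example, not from the book. Each check returns an error string or None;
edit_batch runs them over a batch and keeps rejected records out of processing.
"""
from datetime import date

# Constructed thresholds; in practice these come from business rules.
PRICE_RANGE = (0.01, 10_000.00)      # range check bounds (assumed)
REASONABLE_QTY_PER_LINE = 500        # reasonableness ceiling (assumed)
PROMO_LIMIT_PER_CUSTOMER = 1         # limit check: one promo order per customer


def validity_check(rec):
    """Validity check: order_date must be a real calendar date (ISO format)."""
    try:
        date.fromisoformat(rec["order_date"])
        return None
    except (ValueError, TypeError, KeyError):
        return "invalid order_date"


def range_check(rec):
    """Range check: unit_price must fall inside the allowed bounds."""
    lo, hi = PRICE_RANGE
    price = rec.get("unit_price")
    if not isinstance(price, (int, float)) or not lo <= price <= hi:
        return "unit_price out of range"
    return None


def reasonableness_check(rec):
    """Reasonableness check: a single line should not order an implausible quantity."""
    qty = rec.get("quantity")
    if not isinstance(qty, int) or qty <= 0 or qty > REASONABLE_QTY_PER_LINE:
        return "quantity not reasonable"
    return None


def limit_check(rec, promo_counts):
    """Limit check: promo orders may not exceed the per-customer limit."""
    if rec.get("promo"):
        if promo_counts.get(rec.get("customer_id"), 0) >= PROMO_LIMIT_PER_CUSTOMER:
            return "promo limit exceeded for customer"
    return None


def edit_batch(records):
    """Run every edit check; return (accepted, rejected).

    rejected holds (order_no, [errors]). The sequence check spans the batch:
    order_no must strictly increase, so a duplicate or out-of-order number fails.
    """
    accepted, rejected = [], []
    promo_counts = {}
    last_no = None
    for rec in records:
        errors = []
        no = rec.get("order_no")
        if not isinstance(no, int):
            errors.append("invalid order_no")
        else:
            if last_no is not None and no <= last_no:
                errors.append("sequence check failed")
            last_no = no if last_no is None else max(last_no, no)
        for check in (validity_check, range_check, reasonableness_check):
            err = check(rec)
            if err:
                errors.append(err)
        err = limit_check(rec, promo_counts)
        if err:
            errors.append(err)
        if errors:
            rejected.append((no, errors))
        else:
            accepted.append(rec)
            if rec.get("promo"):
                cust = rec["customer_id"]
                promo_counts[cust] = promo_counts.get(cust, 0) + 1
    return accepted, rejected


# Constructed batch: one clean record followed by one failure per check.
SAMPLE_BATCH = [
    {"order_no": 1001, "customer_id": "C1", "order_date": "2024-02-29", "unit_price": 19.99, "quantity": 3, "promo": True},
    {"order_no": 1002, "customer_id": "C1", "order_date": "2024-02-30", "unit_price": 19.99, "quantity": 3, "promo": False},
    {"order_no": 1003, "customer_id": "C2", "order_date": "2024-03-01", "unit_price": 0.00, "quantity": 1, "promo": False},
    {"order_no": 1003, "customer_id": "C3", "order_date": "2024-03-01", "unit_price": 5.00, "quantity": 9000, "promo": False},
    {"order_no": 1004, "customer_id": "C1", "order_date": "2024-03-02", "unit_price": 5.00, "quantity": 1, "promo": True},
]

if __name__ == "__main__":
    ok, bad = edit_batch(SAMPLE_BATCH)
    print("accepted:", [r["order_no"] for r in ok])
    for no, errs in bad:
        print("rejected", no, errs)
```

Only the first record reaches processing; the others are held with the reason recorded, which is the point of an edit control: errors are caught while the data is still easy to correct and before a processing control has to deal with them.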

9. A. Audit hooks are considered the least complex technique because they use embedded hooks that act as red flags if certain conditions are met. Answer B is incorrect because using systems control audit review files and embedded audit modules requires embedded audit software and is considered one of the most complex techniques. Answer C is incorrect because snapshots are considered moderately complex. Answer D is incorrect because the continuous and intermittent simulation is also considered moderately complex; it simulates the transaction run.

10. B. The examination of proposed test plans is part of the testing phase. Items to be addressed during the design and development phase include studying flowcharts; evaluating input, output, and process controls; examining proposed audit trails; and reviewing how the system will deal with erroneous input.

Chapter 7

1. B. Latency can be caused because data must travel great distances or because of high volumes of network traffic and inadequate bandwidth. Latency can be measured with the ping command. Answer A is incorrect because SNMP is used for network management. Answer C is incorrect because traceroute is used to determine the path that traffic takes from one network to another. Answer D is incorrect because RMON is another example of a network-management tool.

2. B. The proper order for the OSI model layers from the bottom up is physical, data link, network, transport, session, presentation, application. Therefore, Answers A, C, and D are incorrect.

3. B. Network traffic on a LAN can be addressed to one device, many devices, or all devices on a network. Sending information to a group is known as multicasting. Answer A describes one device; Answer C describes a technique used in IPv6, which is a directed broadcast; and Answer D describes the transmission to everyone.

4. B. ARP resolves known IP addresses to unknown MAC addresses. This two-step process is performed by first sending a message to all devices on the LAN requesting the receiver’s physical address. If a device recognizes the address as its own, it issues an ARP reply to the sender of the ARP request. Answers A, C, and D are incorrect because they do not properly describe the ARP process.

5. D. Frame Relay controls bandwidth usage with a committed information rate (CIR) that specifies the maximum bandwidth that the customer is guaranteed. Although higher rates might be possible, the CIR represents the level the service provider is committed to providing. Answer A, T1, does not use a CIR and is not packet switching. Answer B, ATM, does not use a CIR. Answer C, X.25, does not use a CIR.

6. B. Some of the standards for optical fiber cabling include 10BASE-F, 100BASE-FX, and 1000BASE-LX. Answers A, C, and D are all copper cabling standards.

7. D. Reviewing network diagrams is usually the best place for an auditor to start. The diagrams give the auditor a foundational understanding of the network. Although Answers A, B, and C are all items that can be performed, they should not be the starting point of an audit.

8. D. A mesh offers the highest level of redundancy. Answers A, B, and C are incorrect.

9. A. A switch is best suited for reducing the number of collisions on a LAN. Switches segment physical networks. Answer B is incorrect because a hub provides only physical connectivity. Answer C is incorrect because a bridge is inferior to a switch. Bridges are software based and are much slower. Answer D is incorrect because a router is an OSI Layer 3 device.

10. C. Packet switching allows a telecommunications vendor to determine the best path. The vendor is free to route the packetized traffic through the network as it sees fit. Answer A is incorrect because the customer does not determine the path. Answer B is incorrect because packet switching does not use a dedicated path. Answer D is incorrect because the client does not set a dedicated path for packet-switched traffic.

11. B. One of the biggest drawbacks to SNMP is that Versions 1 and 2 send data via cleartext. Answers A, C, and D are incorrect because SNMP is not hard to configure, is not considered obsolete, and can be used with many types of devices, not just printers.

12. B. For Wireshark to see all the traffic that is at the network interface, the device must be placed in promiscuous mode. Therefore, Answers A, C, and D are incorrect.

13. A. Network traffic on a LAN is visible only when the switch is configured to forward that traffic to the monitoring port. That activity is referred to as mirroring. Answer B describes the activity that occurs on the device; Answer C is incorrect as the NIC is not modified; and Answer D is incorrect as switches segment traffic so one port sees only its traffic by default.

14. B. 802.11ac operates at 150/200/600Mbps. Answers A, C, and D are incorrect because 802.11a, 802.11i, and 802.11g do not properly operate at the stated speeds in the question.

15. D. TKIP was first added to WPA. TKIP was designed to provide more secure encryption than the weak and outdated WEP standard. Answers A, B, and C were not the first to add TKIP and are, therefore, incorrect.

Chapter 8

1. C. MD5 is a hashing algorithm. Hashing algorithms are used to verify integrity. Answer A is incorrect because DES is a symmetric algorithm and offers confidentiality, Answer B is incorrect because AES is also a symmetric algorithm that offers confidentiality, and Answer D is incorrect because RSA is an asymmetric algorithm that generally offers confidentiality, authentication, and nonrepudiation.

2. D. One of the big advantages of symmetric encryption is that it is fast. Answer A is incorrect because symmetric encryption does not offer easy key exchange and must be done out of band. Answer B is incorrect because as the number of participants grows, so does the number of keys. Answer C is incorrect because symmetric encryption does not provide integrity.

3. B. Intrusion detection is the best method of monitoring and detecting break-ins or attempts to attack via the Internet. Answer A is incorrect because packet filtering is a type of stateless inspection and can make a decision on only a set of static rules. Answer C is incorrect because stateful inspection is not specifically designed to detect and report hacking activities. Answer D is incorrect because encryption does not meet any of the company’s stated goals.

4. D. CIPA requires that schools and libraries use Internet filters and implement other measures to protect children from harmful online content. Answer A is incorrect because FERPA protects the privacy of student education records. Answer B is incorrect because FISMA addresses federal agencies. Answer C is incorrect because PCI-DSS covers the protection of credit card data.

5. C. While it is true that the RA cannot generate a certificate, it does play a useful role in PKI. Answer A is incorrect because the RA does reduce the load on the CA. Answer B is incorrect because the RA can accept requests. Answer D is incorrect because the RA can verify an owner’s identity.

6. C. Data security is one of the primary duties of an auditor. This task is achieved by controlling and monitoring data security policies. Answer A is incorrect because auditors are usually not the individuals responsible for implementing security controls. Answer B is incorrect because an auditor is concerned not just with new policies but with all policies. Answer D is incorrect because the IT security group usually handles day-to-day activities of the IDS and the firewall.

7. A. Kerberos is an example of single sign-on. Answers B, C, and D all describe methods of centralized authentication.

8. B. The lowest level of the military data classification is unclassified. Answers A, C, and D are incorrect because public, sensitive, and available are not the lowest data classification.

9. B. A mantrap is a system of doors that is arranged so that when one opens, the others remain locked. Mantraps are typically used in high-security facilities. Answers A, C, and D are incorrect because a honeypot describes a system used to lure in an attacker, a turnstile is used to control access, and a DMZ is used in networking, not physical security.

10. D. Asymmetric encryption offers easy key exchange. Answer A is incorrect because it is not as efficient as symmetric encryption. Answer B is incorrect because it is not a part of a hashing algorithm. Answer C is incorrect because asymmetric encryption is not used for bulk data.

Chapter 9

1. C. Ensuring that the evidence remains unchanged is one of the most important goals. Answer A is incorrect because the first priority would not be to identify the attacker. Answer B is incorrect because you may or may not want to remove the device from the Internet. In some cases, the system may be left up and running to avoid alerting the attacker. Answer D is incorrect because you may or may not contact the police, depending on the circumstances.

2. B. One thing that should not be done is to click on the link, which could lead to malware. Answers A, C, and D are all activities that would be acceptable when dealing with a malicious link.

3. D. Change management should dictate a structured controlled process that has preventive controls built in. For example, developers would typically have access to source code. Answer A is incorrect because access controls would be used to prevent access to items such as the production application. Answer B is incorrect because there would be controls in the development environment. For example, individuals responsible for writing the code would not test the code. Although there may be controls in the development process, these must be reviewed by the auditor to verify they are present and implemented correctly; therefore, Answer C is incorrect.

4. B. Penetration testing typically follows a structured approach, such as the stages outlined in NIST 800-42. Answer A is incorrect because SOX deals with financial records. Answer C is incorrect because PCI-DSS covers the protection of credit card data. Answer D is incorrect because SSAE-16 is an auditing standard and is not used for penetration testing.

5. C. While it is true that any of these activities could be carried out on a weekly basis, the most likely activity would be vulnerability scanning. Answer A is incorrect because penetration testing might be performed once a year. Answer B is incorrect because change management occurs when change occurs, which can be at any time. Answer D is incorrect because rotation of duties might be performed monthly or yearly.

6. C. Planning and preparation is the first step of the incident response process. This task should be accomplished before any incident ever occurs. Answers A, B, and D are incorrect because these are not the first steps of the incident response process.

7. A. The question describes a double-blind penetration test. Answers B, C, and D do not describe a double-blind penetration test. Blind would describe the situation where only one party knows, and the other options, zero proof and unknown, are not valid choices.

8. B. An XSRF attack can occur when a victim is connected to both a legitimate site and a malicious site at the same time. Answers A, C, and D are incorrect because they do not describe an XSRF attack. XSS does not require a connection to both the legitimate site and the malicious site at the same time. A buffer overflow occurs when too much data is placed in the buffer. A TOCTOU attack exploits the time between when something is read and when it is used.
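The XSRF condition described above, shown from the defender's side: a state-changing endpoint that accepts a request only when it carries a token bound to the user's session, which a page on a malicious site cannot read. This is an added example, not the book's code; the session store, the transfer endpoint, and both requests are constructed. The forged request carries the victim's session cookie (the browser attaches it automatically) but not the token, so it is refused.

```python
"""Synchronizer-token check against cross-site request forgery (XSRF/CSRF).

Added example, not from the book. Simulates a server whose state-changing
endpoint requires a per-session token that only pages served by the
legitimate site can embed in their forms.
"""
import hmac
import secrets

SESSIONS = {}   # session_id -> {"user": ..., "csrf_token": ...}  (constructed store)


def create_session(user):
    """Start a session and mint the token that legitimate forms will carry."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """The legitimate site embeds the session-bound token in its own page."""
    return SESSIONS[sid]["csrf_token"]


def handle_transfer(request):
    """State-changing endpoint.

    request is a dict with 'method', 'cookies' and 'form'. Returns (status, body).
    """
    if request.get("method") != "POST":
        return 405, "method not allowed"          # never change state on GET
    sess = SESSIONS.get(request.get("cookies", {}).get("session"))
    if sess is None:
        return 401, "no session"
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return 403, "csrf token missing or invalid"
    return 200, "transferred %s for %s" % (request["form"]["amount"], sess["user"])


def demo():
    """Return the responses to a legitimate request and to a forged one."""
    sid = create_session("alice")
    token = render_form(sid)
    # Legitimate: submitted from the site's own form, so it carries the token.
    legit = {"method": "POST",
             "cookies": {"session": sid},
             "form": {"csrf_token": token, "amount": "50"}}
    # Forged: the browser still attaches the session cookie, but the page
    # that submitted it never had the token.
    forged = {"method": "POST",
              "cookies": {"session": sid},
              "form": {"amount": "5000"}}
    return handle_transfer(legit), handle_transfer(forged)


if __name__ == "__main__":
    legit_resp, forged_resp = demo()
    print("legitimate:", legit_resp)
    print("forged    :", forged_resp)
```

The cookie alone is not proof that the user intended the request; the token is what ties the request to a page the user actually loaded from the site. An auditor reviewing a web application would look for exactly this kind of per-request check on every endpoint that changes state.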

9. A. Answer A is correct because fuzzing is a form of black box testing that is carried out when the source code is not available. Answers B, C, and D are incorrect because a code review is performed when the code is available. Reverse engineering is used to tear apart existing code. A decompiler is used to examine the internal operation of an application.

10. C. Trend variance detection tools are best used to scan for deviations from normal activity. All other answers are incorrect because bypass label processing can be used to bypass the normal process of reading a file security label. Attack detection tools look for known attack signatures. Audit reduction tools reduce the volume of information to be reviewed.
