Compensating controls are intended to: A. reduce the risk of an existing or potential control weakness. B. predict potential problems before they occur. C. remedy problems discovered by detective controls. D. report errors or omissions.

A distinction that can be made between compliance testing and substantive testing is that compliance testing tests: A. details, while substantive testing tests procedures. B. controls, while substantive testing tests details. C. plans, while substantive testing tests procedures. D. for regulatory requirements, while substantive testing tests validations.

When an IS auditor obtains a list of current users with access to a WAN/LAN and verifies that those listed are active associates, the IS auditor is performing a: A. compliance test. B. substantive test. C. statistical sample. D. risk assessment.

The use of coding standards is encouraged by IS auditors because they: A. define access control tables. B. detail program documentation. C. standardize dataflow diagram methodology. D. ensure compliance with field naming conventions.

During a review of a large data center an IS auditor observed computer operators acting as backup tape librarians and security administrators. Which of these situations would be MOST critical to report? A. Computer operators acting as tape librarians B. Computer operators acting as security administrators C. Computer operators acting as a tape librarian and security administrator D. It is not necessary to report any of these situations.

Which of the following is widely accepted as one of the critical components in networking management? A. Configuration management B. Topological mappings C. Application of monitoring tools D. Proxy server trouble shooting

Connection-oriented protocols in the TCP/IP suite are implemented in the: A. transport layer. B. application layer. C. physical layer. D. network layer.

Which of the following should be in place to protect the purchaser of an application package in the event that the vendor ceases to trade? A. Source code held in escrow. B. Object code held by a trusted third party. C. Contractual obligation for software maintenance. D. Adequate training for internal programming staff.

Requiring passwords to be changed on a regular basis, assigning a new one-time password when a user forgets his/hers, and requiring users not to write down their passwords are all examples of: A. audit objectives. B. audit procedures. C. controls objectives. D. control procedures.

The BEST time to perform a control self-assessment involving line management, line staff and the audit department is at the time of: A. compliance testing. B. the preliminary survey. C. substantive testing. D. the preparation of the audit report.

In which of the following phases of the system development life cycle (SDLC) is it the MOST important for the IS auditor to participate? A. Design B. Testing C. Programming D. Implementation

Creation of an electronic signature: A. encrypts the message. B. verifies where the message came from. C. cannot be compromised when using a private key. D. cannot be used with e-mail systems.

A PRIMARY benefit derived from an organization employing control self-assessment (CSA) techniques is that it: A. can identify high-risk areas that might need a detailed review later. B. allows IS auditors to independently assess risk. C. can be used as a replacement for traditional audits. D. allows management to relinquish responsibility for control.

The FIRST step in data classification is to: A. establish ownership. B. perform a criticality analysis. C. define access rules. D. create a data dictionary.

Which of the following logical access exposures involves changing data before, or as it is entered into the computer? A. Data diddling B. Trojan horse C. Worm D. Salami technique