The CISA Prep Guide: Mastering the Certified Information Systems Auditor Exam
ISBN: 978-0-471-25032-6
Paperback, 570 pages
March 2003
Do you think you've discovered an error in this book? Please check the list of errata below to see if we've already addressed the error. If not, please submit the error via our Errata Form. We will attempt to verify your error; if you're right, we will post a correction below.
Chapter | Page | Details | Date | Print Run
---|---|---|---|---
CD | ID#4 | CD Question ID#4. Question: Which of the following is not part of the IS auditor's code of ethics? Answer 1: Serve the interest of the employers in a diligent, loyal and honest manner. Answer 2: Maintain the standards of conduct and the appearance of independence through the use of audit information for personal gain. Answer 3: Maintain competency in the interrelated fields of audit and information systems. Answer 4: Use due care to document factual client information on which to base conclusions and recommendations. Explanation: The correct answer is C. Use of client information is unethical and a cause for revocation of your certification. The other three are tenets of the code of ethics. Errata: The correct answer should be B. | 5/2/03 |
CD | ID#17 | CD Question ID#17. Question: Some audit managements choose to use the element of surprise to ensure that the policies and procedures documents line up with actual practices. A: Scare the auditees and see if there are procedures that can be used as a backup. B: Ensure that staffing is sufficient to manage an audit and daily processing simultaneously. C: Ensure that supervision is appropriate during surprise inspections. D: Ensure that policies and procedures coincide with the actual practices in place. Explanation: The correct answer is A. Some of the other answers are nonsensical, but the real reason for using the element of surprise is to ensure that the policies and procedures documents line up with actual practices. Errata: The correct answer should be D. | 3/19/03 |
CD | ID#57 | CD Question ID#57. Question: Which of the following should an IS auditor review when performing an assessment of a PBX? I. Ensure that the dial-in numbers enabling toll-free outbound access are turned off. Answer 1: I, II, III, and IV only. Answer 2: II, III, and IV only. Answer 3: II, III, IV, and V only. Answer 4: I, II, III, IV, and V. Explanation: The correct answer is C. All of these answers except (I) are necessary activities for a PBX review. Voice mail systems (II) need to be contained to voice mail traffic only; the ability to use these access points to the system to get a dial tone should be controlled so that hijacking cannot occur. Access codes for maintenance ports (III) should be strictly controlled and not only changed from their vendor-given defaults but changed periodically. 900 numbers and other outbound toll scenarios (IV) should be controlled, and the business decisions should support any allowance for these costs to be incurred. Any excessive call tolls (V) outside of a predetermined boundary should be immediately flagged as potentially fraudulent and investigated, if not shut down until an investigation can occur. The ability to obtain an outbound toll-free line from a dial-in number (I) is a business decision and may be turned off, but that is a risk and business decision that should be made by management, not the IS auditor. The audit should verify that this is a conscious decision of the business, however. Errata: The 900 numbers referred to in Selection IV are 1-900 numbers, which are charged calls, not free; this does not refer to 900 numbers without the 1- prefix, which include the 911 (emergency) number. Those would not be restricted. | 5/1/03 |
CD | ID#125 | CD Question ID#125. Question: In a systems development life cycle, the following process steps occur: I. Systems Design. What is the natural order of the processes in an SDLC methodology? Answer 1: V, IV, II, I, VI, III. Answer 2: V, II, IV, I, VI, III. Answer 3: II, IV, V, VI, I, III. Answer 4: II, V, I, VI, III, IV. Explanation: The correct answer is A. Classic Systems Development Life Cycle (SDLC) methodologies begin by understanding the business or functional requirements, and then a feasibility analysis is performed on the solution options. Systems specifications are then further defined based on the accepted solution and approach, from which a design is created. That design is developed into an application, and that application is tested and finally accepted by the business. Errata: The correct answer should be B, not A. | 5/9/03 |