Thursday, June 18, 2026

MCQ questions with answer on BASIC COST CONCEPTS

(Answers provided at the end; solve first, then check yourself.)

Cost Concepts, Cost Behavior, Cost Accounting Basics, Manufacturing vs Merchandising vs Service Organizations, Relevant Range, Factors of Production, Short Run, High-Low Method, Cost Drivers, Cost Pools, and Activity-Based Costing (ABC) relevant for ACCA Foundation Management Accounting (FMA) and US CMA Part 1.

COST CONCEPTS & TYPES OF COSTS (1-25)

1. Cost is best defined as:
A. Revenue earned
B. Sacrifice of resources to achieve an objective
C. Profit earned
D. Assets owned

Answer: 

2. Direct material cost is:
A. Indirect labor
B. Cost traceable to product
C. Selling expense
D. Administrative expense

Answer: 

3. Factory rent is usually a:
A. Direct cost
B. Prime cost
C. Manufacturing overhead
D. Selling cost

Answer: 

4. Prime cost consists of:
A. DM + DL
B. DL + OH
C. DM + OH
D. DL + Selling

Answer: 


5. Conversion cost consists of:
A. DM + DL
B. DL + MOH
C. DM + MOH
D. Selling + Admin

Answer: 


6. Indirect materials are classified as:
A. Prime cost
B. Product cost
C. Manufacturing overhead
D. Period cost

Answer: 


7. Product costs are:
A. Selling costs
B. Administrative costs
C. Manufacturing costs
D. Financing costs

Answer: 


8. Period costs are expensed when:
A. Product sold
B. Incurred
C. Produced
D. Purchased

Answer: 


9. Depreciation of factory equipment is:
A. Selling expense
B. Manufacturing overhead
C. Direct labor
D. Prime cost

Answer: 


10. Salary of sales manager is:
A. Product cost
B. Direct labor
C. Selling expense
D. Manufacturing overhead

Answer: 


11. Sunk cost is:
A. Future cost
B. Avoidable cost
C. Past cost
D. Relevant cost

Answer: 


12. Opportunity cost means:
A. Actual cash paid
B. Cost of next best alternative forgone
C. Fixed cost
D. Variable cost

Answer: 


13. Differential cost is:
A. Historical cost
B. Difference between alternatives
C. Fixed cost
D. Sunk cost

Answer: 


14. Relevant costs are:
A. Past costs
B. Future costs affecting decisions
C. Sunk costs
D. Book values

Answer: 


15. Avoidable costs can be:
A. Eliminated by decision
B. Past costs
C. Sunk costs
D. Committed costs

Answer: 


16. Fixed cost per unit:
A. Constant
B. Increases with volume
C. Decreases as activity increases
D. Variable

Answer: 


17. Variable cost per unit is:
A. Constant
B. Increasing
C. Decreasing
D. Unknown

Answer: 


18. Total fixed cost:
A. Changes with units
B. Constant within relevant range
C. Variable
D. Mixed

Answer: 


19. Total variable cost:
A. Constant
B. Changes proportionately with activity
C. Fixed
D. Semi-fixed

Answer: 


20. Mixed cost contains:
A. Only fixed cost
B. Only variable cost
C. Fixed and variable elements
D. Product cost only

Answer: 


21. Step cost remains fixed until:
A. Certain activity level reached
B. Revenue changes
C. Profit changes
D. Sales decrease

Answer: 


22. Discretionary fixed cost example:
A. Factory rent
B. Advertising
C. Property tax
D. Insurance

Answer: 


23. Committed fixed cost example:
A. Advertising
B. Training
C. Building depreciation
D. Research

Answer: 


24. Incremental cost means:
A. Additional cost from a decision
B. Past cost
C. Fixed cost
D. Sunk cost

Answer: 


25. Marginal cost usually refers to:
A. Fixed cost
B. Variable cost of one more unit
C. Sunk cost
D. Period cost

Answer: 


MANUFACTURING, MERCHANDISING & SERVICE ORGANIZATIONS (26-40)

26. A manufacturing company:
A. Sells services
B. Produces goods
C. Trades securities
D. Lends money

Answer: 


27. A merchandising company:
A. Manufactures products
B. Buys and resells goods
C. Provides consulting
D. Produces services

Answer: 


28. Example of manufacturing company:
A. Hospital
B. Toyota
C. Bank
D. School

Answer: 


29. Example of merchandising company:
A. Walmart
B. Factory
C. Hospital
D. Audit firm

Answer: 


30. Example of service company:
A. Factory
B. Retailer
C. CPA Firm
D. Distributor

Answer: 


31. Raw materials inventory exists mainly in:
A. Service firms
B. Manufacturing firms
C. Banks
D. Schools


Answer: 


32. Work-in-process inventory exists in:
A. Manufacturing firms
B. Retail stores
C. Service firms
D. Banks

Answer: 


33. Finished goods inventory exists in:
A. Manufacturing firms
B. Audit firms
C. Hospitals
D. Banks

Answer: 


34. Merchandising firms usually have:
A. Raw materials inventory
B. WIP inventory
C. Merchandise inventory
D. None

Answer: 


35. Service firms generally have:
A. No inventory
B. WIP inventory
C. Raw materials
D. Finished goods

Answer: 


36. Cost of Goods Manufactured applies to:
A. Service firms
B. Manufacturing firms
C. Banks
D. Retailers

Answer: 


37. Cost of Goods Sold is found in:
A. Manufacturing only
B. Merchandising and manufacturing
C. Service only
D. None

Answer: 


38. Inventory sequence in manufacturing:
A. FG → RM → WIP
B. RM → WIP → FG
C. WIP → RM → FG
D. FG → WIP → RM

Answer: 


39. Merchandising company purchases:
A. Raw materials
B. Finished goods
C. Labor
D. Overhead

Answer: 


40. Main output of service company is:
A. Goods
B. Services
C. Inventory
D. Raw material

Answer: 


RELEVANT RANGE & COST BEHAVIOR (41-50)

41. Relevant range means:
A. Expected activity range
B. Revenue range
C. Profit range
D. Sales range

Answer: 

42. Fixed costs remain constant within:
A. Relevant range
B. Entire universe
C. Any activity
D. None

Answer: 

43. Outside relevant range fixed cost may:
A. Remain same always
B. Change
C. Become variable
D. Disappear

Answer: 

44. Cost behavior studies relationship between:
A. Cost and activity
B. Cost and profit
C. Assets and liabilities
D. Debt and equity


Answer: 

45. Variable cost changes with:
A. Activity level
B. Time only
C. Interest rate
D. Inflation only

Answer: 

46. Fixed cost per unit decreases when:
A. Output increases
B. Output decreases
C. Cost increases
D. Revenue decreases

Answer: 

47. Example of variable cost:
A. Direct materials
B. Rent
C. Insurance
D. Salary

Answer: 

48. Example of fixed cost:
A. Direct material
B. Sales commission
C. Factory rent
D. Freight on units

Answer: 

49. Sales commission is usually:
A. Fixed
B. Variable
C. Sunk
D. Opportunity

Answer: 

50. Utility bill often represents:
A. Mixed cost
B. Fixed cost
C. Product cost
D. Sunk cost

Answer: 

FACTORS OF PRODUCTION & SHORT RUN (61-70)

61. Factors of production include:
A. Land
B. Labor
C. Capital
D. All of these

Answer: 

62. Human effort in production is:
A. Capital
B. Labor
C. Land
D. Entrepreneurship

Answer: 

63. Machinery is an example of:
A. Labor
B. Capital
C. Land
D. Revenue

Answer: 

64. Entrepreneur earns:
A. Rent
B. Interest
C. Profit
D. Wages

Answer: 

65. In short run at least one factor is:
A. Variable
B. Fixed
C. Revenue
D. Profit

Answer: 

66. Factory building in short run is generally:
A. Fixed input
B. Variable input
C. Revenue
D. Expense

Answer: 

67. Labor is often considered:
A. Fixed input
B. Variable input
C. Asset
D. Liability

Answer: 

68. Short run period means:
A. One month
B. One year
C. At least one fixed input
D. No fixed input

Answer: 

69. Long run means:
A. All inputs variable
B. All inputs fixed
C. One fixed input
D. No production

Answer: 

70. Marginal product refers to:
A. Additional output from additional input
B. Revenue
C. Cost
D. Profit

Answer: 


HIGH-LOW METHOD, COST DRIVER, COST POOL, ABC (71-90)

71. High-low method estimates:
A. Fixed and variable costs
B. Profit
C. Revenue
D. Assets

Answer: 

72. High-low method uses:
A. Highest and lowest activity levels
B. Highest costs only
C. Lowest costs only
D. Average costs

Answer: 

73. Variable cost per unit =
A. Cost difference ÷ Activity difference
B. Revenue difference
C. Profit difference
D. Fixed cost

Answer: 

74. Cost driver causes:
A. Revenue
B. Cost to occur
C. Profit
D. Assets

Answer: 

75. Machine hours are often a:
A. Cost driver
B. Revenue driver
C. Liability
D. Asset

Answer: 

76. Number of setups may be a:
A. Cost driver
B. Product cost
C. Sunk cost
D. Opportunity cost

Answer: 

77. Cost pool is:
A. Collection of related costs
B. Revenue account
C. Profit center
D. Asset account

Answer: 

78. ABC stands for:
A. Activity Based Costing
B. Annual Budget Costing
C. Accounting Budget Control
D. None

Answer: 

79. ABC allocates overhead using:
A. Cost drivers
B. Sales
C. Profit
D. Assets

Answer: 

80. ABC improves:
A. Cost accuracy
B. Inflation
C. Revenue
D. Tax

Answer: 

81. Unit-level activity occurs for:
A. Each unit produced
B. Each factory
C. Each company
D. Each year

Answer: 

82. Batch-level activity example:
A. Machine setup
B. Direct material
C. Factory rent
D. CEO salary

Answer: 

83. Product-level activity example:
A. Product design
B. Direct labor
C. Materials
D. Packaging

Answer: 

84. Facility-level activity example:
A. Factory security
B. Direct labor
C. Direct material
D. Packaging

Answer: 

86. Direct labor hours may be used as:
A. Cost driver
B. Revenue driver
C. Asset
D. Liability

Answer: 

87. Traditional costing often uses:
A. One cost driver
B. Many drivers
C. No driver
D. Revenue

Answer: 

88. ABC generally uses:
A. Multiple drivers
B. One driver
C. No drivers
D. Profit

Answer: 

89. Overhead allocation aims to:
A. Assign indirect costs
B. Increase profit
C. Reduce assets
D. Increase sales

Answer: 

90. Cost driver rate =
A. Cost pool ÷ Driver units
B. Revenue ÷ Units
C. Profit ÷ Units
D. Sales ÷ Units

Answer: 

TYPES OF COST: SECOND SET (1-50)

1. Direct materials are:
A. Indirect costs
B. Prime costs
C. Period costs
D. Selling costs

Answer: 


2. Prime cost consists of:
A. Direct materials + Direct labor
B. Direct labor + Overhead
C. Materials + Overhead
D. Fixed + Variable costs

Answer: 


3. Conversion cost consists of:
A. Direct materials + Direct labor
B. Direct labor + Manufacturing overhead
C. Direct materials + Overhead
D. Selling + Administrative costs

Answer: 


4. Factory supervisor salary is:
A. Direct labor
B. Manufacturing overhead
C. Selling expense
D. Direct material

Answer: 


5. Which is a direct cost?
A. Factory rent
B. Lubricating oil
C. Direct material
D. Security salary

Answer: 


6. Indirect materials are classified as:
A. Prime costs
B. Manufacturing overhead
C. Selling expenses
D. Administrative expenses

Answer: 


7. The depreciation of factory equipment is:
A. Direct labor
B. Product cost
C. Selling expense
D. Administrative expense

Answer: 


8. Product costs include:
A. Manufacturing costs
B. Selling costs
C. Interest costs
D. Marketing costs

Answer: 


9. Period costs are expensed:
A. When incurred
B. When produced
C. When purchased
D. When materials are used

Answer: 


10. Which is a period cost?
A. Direct materials
B. Factory insurance
C. Sales commission
D. Direct labor

Answer: 


11. A variable cost:
A. Remains constant in total
B. Changes in total with activity
C. Never changes
D. Is always indirect

Answer: 


12. An example of variable cost is:
A. Direct material
B. Factory rent
C. Property tax
D. Factory manager salary

Answer: 


13. Total fixed cost:
A. Changes with production volume
B. Remains constant within relevant range
C. Is always zero
D. Is variable per unit

Answer: 


14. Fixed cost per unit:
A. Remains constant
B. Increases with output
C. Decreases as output increases
D. Is irrelevant

Answer: 


15. A mixed cost contains:
A. Only fixed cost
B. Only variable cost
C. Fixed and variable components
D. Product and period costs

Answer: 


16. An example of mixed cost is:
A. Electricity bill
B. Direct materials
C. Factory rent
D. Property tax

Answer: 


17. A step cost:
A. Changes continuously
B. Remains fixed over a range then jumps
C. Is variable per unit
D. Is irrelevant

Answer: 


18. Which cost is relevant to decision making?
A. Sunk cost
B. Historical cost
C. Future cost differing between alternatives
D. Book value

Answer: 


19. A sunk cost is:
A. Future cost
B. Cost already incurred
C. Opportunity cost
D. Avoidable cost

Answer: 


20. Sunk costs are:
A. Relevant
B. Avoidable
C. Irrelevant for decisions
D. Variable

Answer: 


21. Opportunity cost is:
A. Actual cash paid
B. Cost of forgone alternative
C. Fixed cost
D. Product cost

Answer: 


22. Differential cost means:
A. Historical cost
B. Difference in cost between alternatives
C. Sunk cost
D. Fixed cost

Answer: 


23. Incremental cost is:
A. Additional cost from a decision
B. Sunk cost
C. Fixed cost
D. Product cost

Answer: 


24. Avoidable costs:
A. Cannot be eliminated
B. Can be eliminated by a decision
C. Are sunk costs
D. Are historical costs

Answer: 


25. Unavoidable costs:
A. Can be eliminated
B. Continue regardless of decision
C. Are opportunity costs
D. Are variable costs

Answer: 


26. Direct labor cost is:
A. Prime cost
B. Period cost
C. Selling cost
D. Administrative cost

Answer: 


27. Factory insurance is:
A. Direct material
B. Manufacturing overhead
C. Selling expense
D. Opportunity cost

Answer: 


28. Sales manager salary is:
A. Product cost
B. Selling expense
C. Direct labor
D. Manufacturing overhead

Answer: 


29. Office rent is generally:
A. Administrative expense
B. Direct material
C. Manufacturing overhead
D. Prime cost

Answer: 


30. Research and development cost is usually:
A. Period cost
B. Direct cost
C. Prime cost
D. Conversion cost

Answer: 


31. Marginal cost generally refers to:
A. Fixed cost
B. Additional variable cost of one unit
C. Sunk cost
D. Opportunity cost

Answer: 


32. Controllable costs are:
A. Managed by a responsible manager
B. Always fixed
C. Always variable
D. Never relevant

Answer: 


33. Non-controllable costs:
A. Can be directly influenced
B. Cannot be significantly influenced
C. Are always sunk
D. Are always avoidable

Answer: 


34. Committed fixed costs include:
A. Advertising
B. Factory building depreciation
C. Training costs
D. Promotion costs

Answer: 


35. Discretionary fixed costs include:
A. Factory lease
B. Property tax
C. Advertising
D. Insurance

Answer: 


36. The cost of idle capacity is generally:
A. Direct material
B. Fixed cost
C. Selling cost
D. Prime cost

Answer: 


37. Joint costs arise:
A. After split-off point
B. Before split-off point
C. During selling process
D. During marketing

Answer: 


38. Further processing costs incurred after split-off are:
A. Joint costs
B. Sunk costs
C. Separable costs
D. Fixed costs

Answer: 


39. By-product revenue is often:
A. Ignored completely
B. Treated as reduction of production cost
C. Treated as direct material
D. Treated as overhead

Answer: 


40. Which is NOT a product cost?
A. Direct materials
B. Direct labor
C. Manufacturing overhead
D. Sales commission

Answer: 


41. Which cost is most likely variable?
A. Factory rent
B. Direct materials
C. Property taxes
D. Factory insurance

Answer: 


42. Which cost is most likely fixed?
A. Direct materials
B. Direct labor paid per unit
C. Factory rent
D. Sales commission

Answer: 


43. Opportunity costs are:
A. Recorded in accounting records
B. Not recorded in accounting records
C. Historical costs
D. Product costs

Answer: 


44. Relevant costs must be:
A. Past and unavoidable
B. Future and different between alternatives
C. Historical and fixed
D. Sunk and variable

Answer: 


45. The salary of factory maintenance staff is:
A. Direct labor
B. Manufacturing overhead
C. Selling expense
D. Administrative expense

Answer: 


46. Freight paid on raw materials purchased is generally:
A. Product cost
B. Selling cost
C. Administrative cost
D. Opportunity cost

Answer: 


47. Advertising expense is:
A. Product cost
B. Prime cost
C. Selling expense
D. Conversion cost

Answer: 


48. A cost traceable to a cost object is:
A. Direct cost
B. Indirect cost
C. Opportunity cost
D. Sunk cost

Answer: 


49. Cost that cannot be conveniently traced is:
A. Prime cost
B. Direct cost
C. Indirect cost
D. Marginal cost

Answer: 


50. Which cost is most relevant in a special order decision?
A. Sunk cost
B. Historical cost
C. Incremental cost
D. Book value

Answer: 

Exam Tip (ACCA FMA & US CMA Part 1)

The most frequently tested cost classifications are:

  1. Direct vs Indirect Cost
  2. Product vs Period Cost
  3. Prime vs Conversion Cost
  4. Fixed vs Variable vs Mixed Cost
  5. Relevant vs Irrelevant Cost
  6. Sunk Cost
  7. Opportunity Cost
  8. Differential / Incremental Cost
  9. Avoidable vs Unavoidable Cost
  10. Committed vs Discretionary Fixed Cost

www.gmsisuccess.in

Wednesday, June 17, 2026

Domain 5: Protection of Information Assets..Why it’s the toughest + highest weight in CISA:

1. *Highest weight*: 27% of the exam (roughly 41 of 150 questions) under the 2019 job practice that these figures come from. The 2024 job practice moved it to 26%, level with Domain 4, so it is still the joint-heaviest domain

2. *Most technical*: Covers cryptography, access controls, network security, endpoints, cloud, IoT, mobile security, data privacy, security monitoring. Needs both audit + IT sec depth

3. *Hardest to score*: candidate surveys and trainer feedback consistently rank Domain 5 as the lowest-scoring domain because:

   - Concepts overlap → access control vs network security vs crypto gets confusing

   - Scenario-heavy questions → “Auditor observes X, what’s the biggest risk?” not definitions

   - Requires hands-on knowledge, not just audit theory


Domain weight breakdown (2019 CISA job practice, on which the figures above are based; the 2024 job practice rebalanced the domains to Domain 1 18%, Domain 2 18%, Domain 3 12%, Domain 4 26%, Domain 5 26%):

Domain     Name                                        Weight   Qs (of 150, approx.)
Domain 5   Protection of Information Assets            27%      41
Domain 4   IS Operations & Business Resilience         23%      35
Domain 1   IS Auditing Process                         21%      32
Domain 2   Governance & Management of IT               17%      26
Domain 3   IS Acquisition/Development/Implementation   12%      18

Why candidates struggle most with Domain 5:

- *Breadth*: Crypto algorithms, PKI, firewalls, IDS/IPS, VPN, IAM, DLP, cloud security models all in 1 domain

- *Audit angle*: ISACA doesn’t test “how to configure firewall”. They test “what control objective, what test, what risk if missing”

- *Tricky distractors*: All options sound like good controls. You need “most effective for auditor” mindset


*Pro tip for CISA*: Domain 5 + Domain 4 together are about half of the exam (50% on the 2019 weights, 52% on the 2024 weights). Most candidates who fail lose their passing margin in these two domains.


 *Top 15 high-yield topics + tricky ISACA patterns from Domain 5: Protection of Information Assets* 👇  

Master these = you cover ∼70% of Domain 5 questions


*Top 15 High-Yield Topics for CISA Domain 5*


*1. Access Controls - IAM*

- High yield: Least privilege, segregation of duties, user provisioning/de-provisioning, role-based vs rule-based access

- Trick: ISACA asks “biggest risk” → Orphaned accounts, shared accounts, excessive privileges beat weak passwords
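The orphaned-account check from the trick above, as an added worked example written for this page in Go (it is not ISACA material or any vendor's tool). It joins a constructed HR leavers feed to a constructed IAM export and raises an exception for every leaver whose account is still enabled past a de-provisioning grace period, with a separate, higher-impact finding when that account also holds a privileged role. The 30-day grace period, the role name "admin" and the sample rows are all assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Account is one row of an IAM export (constructed sample data, not a real system).
type Account struct {
	User      string
	Enabled   bool
	Roles     []string
	LastLogin time.Time
}

// Termination is one row of the HR leavers feed (constructed sample data).
type Termination struct {
	User string
	Date time.Time
}

// Finding is one audit exception with the reason it was raised.
type Finding struct {
	User   string
	Reason string
}

func mustDate(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

// Constructed sample exports. Assumptions: the HR feed is authoritative for leavers,
// and "admin" is the role the audit treats as privileged.
var hrLeavers = []Termination{
	{"alice", mustDate("2026-04-01")},
	{"bob", mustDate("2026-06-10")},
	{"carol", mustDate("2026-03-15")},
}

var iamExport = []Account{
	{"alice", true, []string{"vpn", "admin"}, mustDate("2026-05-20")},
	{"bob", true, []string{"vpn"}, mustDate("2026-06-09")},
	{"carol", false, []string{"vpn"}, mustDate("2026-03-14")},
	{"dave", true, []string{"vpn"}, mustDate("2026-06-15")},
	{"svc-backup", true, []string{"admin"}, mustDate("2026-06-17")},
}

// AuditOrphans joins the HR leavers feed to the IAM export and raises:
//   - an orphaned-account finding for every leaver whose account is still enabled
//     more than graceDays after the termination date (the Q1 scenario);
//   - a separate finding when that orphaned account also carries a privileged role,
//     because that is the higher-impact exception an auditor reports first.
// Accounts disabled on time, and accounts with no HR record, are not reported here.
func AuditOrphans(leavers []Termination, accounts []Account, asOf time.Time, graceDays int) []Finding {
	byUser := make(map[string]Account, len(accounts))
	for _, a := range accounts {
		byUser[a.User] = a
	}
	var findings []Finding
	for _, t := range leavers {
		a, ok := byUser[t.User]
		if !ok || !a.Enabled {
			continue
		}
		deadline := t.Date.AddDate(0, 0, graceDays)
		if !asOf.After(deadline) {
			continue // still inside the de-provisioning grace period
		}
		daysOver := int(asOf.Sub(t.Date).Hours() / 24)
		findings = append(findings, Finding{t.User,
			fmt.Sprintf("orphaned: enabled %d days after termination", daysOver)})
		for _, r := range a.Roles {
			if r == "admin" {
				findings = append(findings, Finding{t.User, "orphaned account holds privileged role"})
			}
		}
	}
	// Stable sort keeps the orphan finding ahead of its privilege finding for the same user.
	sort.SliceStable(findings, func(i, j int) bool { return findings[i].User < findings[j].User })
	return findings
}

func main() {
	for _, f := range AuditOrphans(hrLeavers, iamExport, mustDate("2026-06-18"), 30) {
		fmt.Printf("%-10s %s\n", f.User, f.Reason)
	}
}
```

Run as of 2026-06-18 it reports only alice (78 days past termination, and still an admin); bob is inside the grace period and carol was disabled on time. The service account with no HR record is a different test (ownership review) and is deliberately out of scope here.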


*2. Cryptography Basics*

- High yield: Symmetric vs Asymmetric, hashing, digital signatures, PKI, certificates, key management

- Trick: “Non-repudiation” = digital signature made with the sender’s private key and verified against the public key in the sender’s certificate (PKI). “Integrity” = hashing. “Confidentiality” = encryption. A MAC (HMAC) gives integrity plus authentication but not non-repudiation, because sender and receiver share the key
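The three purposes side by side, as an added example in Go using only the standard library (written for this page, not taken from the post’s author or from ISACA). A constructed approval email is hashed, MAC-ed with a shared key and signed with an Ed25519 private key; the tampered copy fails the hash comparison and the signature check, while the shared-key MAC shows why a MAC gives integrity and authentication but not non-repudiation: the receiver holds the same key and can mint a valid tag for any message. Encryption for confidentiality is not shown. The message text and key material are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Integrity: a hash changes if one bit of the message changes, but anyone can
// recompute it, so on its own it proves nothing about who produced the message.
func IntegrityHash(msg []byte) [32]byte { return sha256.Sum256(msg) }

// Authentication with a shared key: an HMAC proves the message came from someone
// holding the key. Sender and receiver both hold it, so the receiver could have
// produced the same tag; that is why an HMAC cannot give non-repudiation.
func Mac(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// MacValid uses a constant-time comparison, as hmac.Equal is meant for.
func MacValid(key, msg, tag []byte) bool { return hmac.Equal(Mac(key, msg), tag) }

// Non-repudiation: the signature is made with the sender's private key and checked
// with the public key from the sender's certificate. The verifier never holds the
// private key, so a valid signature can only have come from its holder (assuming
// the key stayed in the sender's custody, which is what PKI key management is for).
func Sign(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

func SignatureValid(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Demo runs the three mechanisms against a constructed email body and a tampered copy.
// It returns: hash detected the change, MAC valid on the original, receiver could
// forge a MAC for the tampered copy, signature valid on the original, signature
// valid on the tampered copy.
func Demo() (hashDetects, macValid, receiverForgery, sigValid, sigValidTampered bool) {
	msg := []byte("From: cfo@example.test\nApprove wire of 250,000 to vendor 4711")
	tampered := []byte("From: cfo@example.test\nApprove wire of 950,000 to vendor 4711")

	hashDetects = IntegrityHash(msg) != IntegrityHash(tampered)

	shared := []byte("key shared by sender AND receiver") // constructed, demo only
	tag := Mac(shared, msg)
	macValid = MacValid(shared, msg, tag)
	// The receiver also holds the key, so it can produce a valid tag for any message.
	receiverForgery = MacValid(shared, tampered, Mac(shared, tampered))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, msg)
	sigValid = SignatureValid(pub, msg, sig)
	sigValidTampered = SignatureValid(pub, tampered, sig)
	return
}

func main() {
	h, m, f, s, st := Demo()
	fmt.Printf("hash detects change: %v\nHMAC valid: %v\nreceiver could forge HMAC: %v\n", h, m, f)
	fmt.Printf("signature valid: %v\nsignature valid on tampered copy: %v\n", s, st)
}
```

The exam mapping follows directly: only the last check, a signature verified with a key the verifier does not hold, supports a non-repudiation claim; the hash supports integrity; the HMAC supports integrity and authentication between the two key holders only.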


*3. Network Security Controls*

- High yield: Firewall types, IDS vs IPS, VPN, VLAN, DMZ, proxy, NAC

- Trick: IPS = prevention, sits in-line and blocks traffic. IDS = detection, alerts only. DMZ = screened subnet for public-facing servers, either between two firewalls or on a dedicated interface of a single firewall


*4. Security Incident & Monitoring*

- High yield: SIEM, log review, incident response phases, forensic chain of custody

- Trick: “First step once an incident is confirmed” = containment, not eradication (identification comes before both). “Best evidence” = forensic image taken through a write-blocker, hashed at acquisition and re-verified, with a documented chain of custody


*5. Cloud Security - CSA CCM*

- High yield: Shared responsibility model, IaaS vs PaaS vs SaaS controls, CSP vs customer responsibilities

- Trick: the customer is always accountable for its data, identities and access management. The CSP covers the physical layer plus whatever it operates above it: the hypervisor for IaaS, up to the runtime for PaaS, the whole application stack for SaaS


*6. Data Loss Prevention DLP*

- High yield: Network DLP vs Endpoint DLP, data classification, encryption at rest vs in transit

- Trick: Biggest risk for data leakage = misconfigured cloud storage (public bucket, over-broad sharing), not an external attacker


*7. Mobile & IoT Security*

- High yield: BYOD controls, MDM, jailbreaking risk, IoT default passwords, firmware updates

- Trick: ISACA focus = lack of centralized management is biggest risk


*8. Physical & Environmental Security*

- High yield: Mantrap, CCTV retention, fire suppression types, UPS vs generator

- Trick: Gaseous suppression (Halon only in legacy installations, since it is no longer produced; FM-200, Novec 1230 or inert gas today; CO2 only in unoccupied spaces) = data center. Wet-pipe water sprinklers = office space; a data center that uses water should use a pre-action system. Biggest risk = tailgating


*9. Change & Patch Management*

- High yield: Emergency changes, segregation in change mgmt, patch testing

- Trick: “Best control for unauthorized changes” = version control + code review, not just logging


*10. BCP/DRP - RTO/RPO*

- High yield: BIA, RTO, RPO, MTD, alternate sites: cold, warm, hot

- Trick: RPO = maximum tolerable data loss. RTO = maximum tolerable downtime. If the backup interval is longer than the RPO, that is a control gap


*11. Database Security*

- High yield: SQL injection, database auditing, privileged user mgmt, encryption

- Trick: Biggest risk = DBA accounts that also hold OS/system administrator rights on the database server (no segregation of duties)


*12. End User Computing - Excel risk*

- High yield: EUC controls, spreadsheet risk, data input validation

- Trick: ISACA loves: “No audit trail + formula errors” = highest risk in EUC


*13. OS & Endpoint Security*

- High yield: Hardening, anti-malware, patch mgmt, endpoint detection EDR

- Trick: “Most effective control” = disable unused services/ports, not antivirus alone


*14. Data Privacy & Regulations*

- High yield: GDPR, PII, data residency, right to be forgotten, data retention

- Trick: Auditor’s role = check compliance, not define legal interpretation


*15. Vulnerability Mgmt*

- High yield: Vulnerability scan vs penetration test, risk rating CVSS, remediation prioritization

- Trick: “First step after a scan” = validate the findings (remove false positives). “Highest priority” = high CVSS on an internet-facing asset


*5 Tricky ISACA Question Patterns in Domain 5*


1. *“Most effective control from auditor view”*  

   They want preventive > detective > corrective. Least privilege > password policy > monitoring


2. *“Biggest risk” scenarios*  

   Always choose: Shared accounts > Weak password. Missing encryption > weak encryption. Orphaned account > no password expiry


3. *“First step / next step” in incident/BCP*  

   Incident: Identify → Contain → Eradicate → Recover → Lessons learned  

   BCP: BIA first, then strategy, then plan


4. *“Best evidence for court”*  

   Forensic image via write-blocker, hashed at acquisition and re-verified before analysis, with a documented chain of custody. Screenshots or log extracts alone are weak evidence
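What “write-blocker + hash + chain of custody” looks like as data, as an added example in Go (standard library only; written for this page, not from the post’s author or ISACA). The write-blocker is the acquisition step and is assumed to have produced the image; the code covers the rest: it hashes the image at every hand-off, links each custody entry to the previous one so the log itself is tamper-evident, and a verifier reports the first inconsistency it finds. It serves both the Security Incident & Monitoring topic above and the “best evidence for court” pattern. The image bytes, handler names and timestamps are constructed.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// CustodyEntry records one hand-off of an evidence item. PrevHash links each entry
// to the one before it, so editing a past entry breaks the chain.
type CustodyEntry struct {
	Seq       int
	Action    string // e.g. "acquired", "transferred", "verified"
	Handler   string
	Timestamp string
	ImageHash string // SHA-256 of the evidence image at the time of this entry
	PrevHash  string // EntryHash of the previous entry ("" for the first)
	EntryHash string
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// canonical is the byte string that EntryHash commits to.
func (e CustodyEntry) canonical() string {
	return fmt.Sprintf("%d|%s|%s|%s|%s|%s", e.Seq, e.Action, e.Handler, e.Timestamp, e.ImageHash, e.PrevHash)
}

// Append adds a custody entry for the image as it exists at this hand-off. Hashing
// the image every time means any change between two entries shows up as a
// different ImageHash, attributable to the handler of that entry.
func Append(log []CustodyEntry, action, handler, ts string, image []byte) []CustodyEntry {
	e := CustodyEntry{Seq: len(log) + 1, Action: action, Handler: handler,
		Timestamp: ts, ImageHash: sha256Hex(image)}
	if n := len(log); n > 0 {
		e.PrevHash = log[n-1].EntryHash
	}
	e.EntryHash = sha256Hex([]byte(e.canonical()))
	return append(log, e)
}

// Verify re-checks the whole record against the image as presented now: the image
// must still hash to the acquisition hash, every entry must be intact and correctly
// chained, and every entry must carry that same image hash. It returns the first
// problem found, or "" when the evidence and its custody log are consistent.
func Verify(log []CustodyEntry, image []byte) string {
	if len(log) == 0 {
		return "empty custody log"
	}
	acquired := log[0].ImageHash
	if sha256Hex(image) != acquired {
		return "image hash does not match acquisition hash"
	}
	prev := ""
	for i, e := range log {
		if e.Seq != i+1 || e.PrevHash != prev {
			return fmt.Sprintf("entry %d: chain broken", e.Seq)
		}
		if e.EntryHash != sha256Hex([]byte(e.canonical())) {
			return fmt.Sprintf("entry %d: record altered", e.Seq)
		}
		if e.ImageHash != acquired {
			return fmt.Sprintf("entry %d: image changed while in custody of %s", e.Seq, e.Handler)
		}
		prev = e.EntryHash
	}
	return ""
}

// Constructed sample: a stand-in for a disk image produced behind a write-blocker.
var sampleImage = bytes.Repeat([]byte("MBR|NTFS|user-data|"), 8)

func main() {
	log := Append(nil, "acquired", "examiner-1", "2026-06-17T09:00Z", sampleImage)
	log = Append(log, "transferred", "evidence-clerk", "2026-06-17T12:30Z", sampleImage)
	fmt.Println("intact:", Verify(log, sampleImage) == "")

	// An edit to the image is caught even if a "verified" entry is appended afterwards.
	tampered := []byte(strings.Replace(string(sampleImage), "user-data", "user-DATA", 1))
	log = Append(log, "verified", "examiner-2", "2026-06-18T08:00Z", tampered)
	fmt.Println("after edit:", Verify(log, tampered))
}
```

In a real engagement the acquisition hash is written on the evidence form at the time of imaging and signed by the examiner; the point of re-hashing at each hand-off is that a later discrepancy is attributable to a named handler and a time window, which is what a court asks for.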


5. *Cloud responsibility traps*  

   Option with “CSP ensures data encryption” is wrong. The customer remains responsible for ensuring its data is encrypted, even where the CSP operates the mechanism; the CSP ensures encryption of its own infrastructure


*How to score 80%+ in Domain 5*

1. Think like auditor, not security admin → “What test proves control works?”

2. Memorize RTO/RPO definitions + crypto purposes 

3. Do 200+ Domain 5 practice Qs. ISACA question style > knowledge



Here are *20 CISA Domain 5 case-based MCQs* with ISACA-style distractors. Do them first, then check the *Answer Key + Auditor Logic* below 👇


*Part A: 20 Practice Questions*


*1. Access Control*  

Auditor finds 20 terminated employees still have VPN access after 30 days. Biggest risk?  

A. Weak password policy  

B. Orphaned accounts  

C. No MFA on VPN  

D. Unencrypted traffic


*2. Crypto*  

Which provides non-repudiation for email?  

A. Symmetric encryption AES  

B. Hashing SHA-256  

C. Digital signature using sender’s private key  

D. SSL/TLS


*3. Network Security*  

Company has a firewall and an in-line IPS. Auditor wants to test whether attack traffic is actually blocked. Best test?  

A. Review IDS alert logs  

B. Run vulnerability scan  

C. Attempt attack and check if IPS drops packets  

D. Review firewall rule list


*4. Cloud*  

In SaaS model, who is responsible for encrypting customer data at rest?  

A. CSP only  

B. Customer only  

C. Both CSP and Customer  

D. Third-party auditor


*5. Incident Response*  

Ransomware detected on server. What is auditor’s recommended FIRST step?  

A. Restore from backup  

B. Eradicate malware  

C. Contain infected server from network  

D. Notify law enforcement


*6. DLP*  

Company stores sensitive PII in public S3 bucket with no access controls. Biggest risk?  

A. SQL injection  

B. Insider threat  

C. Data leakage due to misconfiguration  

D. Weak encryption


*7. Mobile/BYOD*  

Auditor observes employees use personal phones for email with no MDM. Biggest control gap?  

A. No antivirus on phones  

B. No centralized wipe/lock capability  

C. Weak phone PIN  

D. No VPN


*8. Physical Security*  

Data center uses water sprinklers. Auditor’s biggest concern?  

A. Fire detection delay  

B. Water damage to equipment  

C. No UPS  

D. Tailgating


*9. Change Mgmt*  

Emergency change made to production DB without testing. Best preventive control?  

A. Detailed change log  

B. Segregation: developer cannot move to production  

C. Post-implementation review  

D. Backup before change


*10. BCP*  

BIA shows RPO = 2 hours, but backups run every 6 hours. Auditor’s conclusion?  

A. Acceptable risk  

B. Backup frequency does not meet RPO  

C. RTO is too low  

D. Need hot site


*11. Database*  

DBA also has system admin rights on DB server. Biggest risk?  

A. SQL injection  

B. Lack of segregation of duties  

C. No encryption  

D. Weak password


*12. EUC*  

Finance uses complex Excel for month-end with no version control or audit trail. Biggest risk?  

A. Formula errors go undetected  

B. File size too large  

C. No password protection  

D. Slow processing


*13. OS Hardening*  

Server has 15 unused services running. Auditor’s top recommendation?  

A. Install antivirus  

B. Disable unused services/ports  

C. Increase password length  

D. Enable logging


*14. Privacy*  

Under GDPR, which is NOT a data subject right?  

A. Right to access  

B. Right to be forgotten  

C. Right to data portability  

D. Right to free software


*15. Vulnerability Mgmt*  

Vuln scan shows 100 findings. Auditor says top priority = 5 critical vulns on internet-facing web server. Reason?  

A. Highest CVSS + exposure  

B. Oldest findings  

C. Most findings on internal servers  

D. Easiest to patch


*16. Forensics*  

Auditor collects evidence from compromised laptop. Best practice for court?  

A. Take screenshots  

B. Copy files to USB, hash original  

C. Use write-blocker + hash + maintain chain of custody  

D. Email evidence to self


*17. PKI*  

User loses private key. What happens?  

A. Public key must be revoked  

B. Certificate must be revoked + new key pair issued  

C. Nothing, public key still works  

D. Only password reset needed


*18. VPN*  

Remote users connect via VPN with split tunneling enabled. Biggest risk?  

A. Slower speed  

B. Malware on home PC can enter corporate network  

C. No encryption  

D. High bandwidth cost


*19. Firewall vs Proxy*  

Which best hides internal IP addresses from internet?  

A. Packet filter firewall  

B. Stateful firewall  

C. Proxy server  

D. IDS


*20. DRP Site*  

Company chooses cold site for DRP to save cost. Auditor’s concern?  

A. Too expensive  

B. RTO will be long due to setup time  

C. No redundancy  

D. Data loss


---


*Part B: Answer Key + Auditor Logic*


1. *B* - Orphaned accounts = terminated user access. Biggest risk per ISACA > weak password

2. *C* - Non-repudiation = digital signature + private key. Hash = integrity, AES = confidentiality

3. *C* - Only a blocking control (IPS or firewall) can be tested for blocking; an IDS only alerts. Auditors test operating effectiveness with an authorised, scoped test, not just a rule review

4. *B* - ISACA framing: accountability for data never transfers to the CSP. In practice the SaaS provider operates the storage encryption, but the customer remains responsible for classifying the data and verifying that encryption is in place (contract terms, SOC 2 / ISO 27001 assurance reports)

5. *C* - IR order: Contain > Eradicate > Recover. Containment stops spread

6. *C* - ISACA favorite: Misconfigured cloud storage > hackers for data leakage risk

7. *B* - No MDM = no remote wipe. Biggest risk for lost/stolen device

8. *B* - Water + energised equipment = damage. Data centers should use gaseous suppression or, where water is used, a pre-action system that only charges the pipes after detection

9. *B* - Preventive control for unauthorized change = segregation. Log = detective

10. *B* - RPO 2hr but backup 6hr = gap. Can lose 4hr data

11. *B* - DBA + sysadmin = SOD violation. Can hide changes

12. *A* - ISACA EUC risk = formula errors + no audit trail. That’s #1

13. *B* - Most effective hardening = reduce attack surface by disabling services

14. *D* - GDPR rights: access, erasure, portability. “Free software” not a right

15. *A* - Prioritize by CVSS + exposure. Internet-facing + critical = first

16. *C* - Court evidence = write-blocker + hash + chain of custody. Proves integrity

17. *B* - A lost private key must be treated as compromised: whoever finds it can sign as the user. Revoke the certificate (so it appears on the CRL/OCSP responder) and issue a new key pair; a public key on its own cannot be “revoked”

18. *B* - With split tunnelling the endpoint is on the untrusted home network and the corporate network at the same time, so it can bridge malware or an attacker into the corporate network, bypassing perimeter inspection

19. *C* - A proxy terminates the client connection and makes requests with its own address, so internal IPs never appear on the internet. Firewalls filter, IDS detects; NAT also hides addresses but is not among the options

20. *B* - Cold site = no equipment. Long RTO. Cheap but slow recovery


*Score guide*: 17-20 = Domain 5 ready. 14-16 = Revise weak topics. <14 = Redo crypto + cloud + access control

