A4-1 -258 Flashcards

1
Q

An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?

A. References from other clients of the service provider
B. The physical security of the service provider site
C. The proposed service level agreement with the service provider.
D. Background checks of the service provider’s employees.

A

C. The proposed service level agreement with the service provider.

2
Q

An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of the outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a:

A. transition clause from the old supplier to a new supplier or back to internal in case of expiration or termination.
B. late payment clause between the customer and the supplier.
C. contractual commitment between the customer and the supplier.
D. dispute resolution procedure between the contracting parties.

A

A. transition clause from the old supplier to a new supplier or back to internal in case of expiration or termination.

3
Q

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?

A. A clause providing a “right to audit” the service provider
B. A clause providing penalty payments for poor performance
C. Predefined service level report templates
D. A clause regarding supplier limitation of liability

A

A. A clause providing a “right to audit” the service provider

4
Q

When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:

A. was installed, but not documented in the IT department records.
B. was being used by users not properly trained in its use.
C. is not listed in the approved software standards document.
D. license will expire in the next 15 days.

A

C. is not listed in the approved software standards document.

5
Q

An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms would be the GREATEST risk to the customer organization?

A. Data ownership is retained by the customer organization
B. The third-party provider reserves the right to access data to perform certain operations.
C. Bulk data withdrawal mechanisms are undermined.
D. The customer organization is responsible for backup, archive, and restore.

A

B. The third-party provider reserves the right to access data to perform certain operations.

6
Q

Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget?

A. A hot site maintained by the business
B. A commercial cold site
C. A reciprocal arrangement between its offices
D. A third-party hot site

A

C. A reciprocal arrangement between its offices

7
Q

During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed?

A. Field definition
B. Master table definition
C. Composite keys
D. Foreign Key structure

A

D. Foreign Key structure
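
What "reviewing the foreign key structure" looks like in practice, as an added example (not part of the original flashcards): the auditor checks both control design (is a foreign key actually declared on the child table?) and control operation (are there child rows with no parent, and does the engine reject new ones?). It uses Python's built-in sqlite3 module with a constructed customers/orders schema; the table and column names are assumptions for illustration.

```python
import sqlite3

# Constructed sample schema for the example: a parent table and a child
# table that references it. Names are illustrative, not from a real system.
SCHEMA = """
CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY,
    name        TEXT NOT NULL
);
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL,
    amount      REAL NOT NULL,
    FOREIGN KEY (customer_id) REFERENCES customers(customer_id)
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory DB and load data with FK enforcement OFF, which is
    how orphan rows usually get in (bulk loads, migrations, legacy engines)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = OFF")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, "Acme Ltd"), (2, "Globex Corp")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(100, 1, 250.00),
                      (101, 2, 80.50),
                      (102, 9, 999.99)])  # customer 9 does not exist: orphan
    conn.commit()
    return conn


def declared_fks(conn: sqlite3.Connection) -> list:
    """Control-design test: which FKs are declared on the child table.
    Returns (parent_table, child_column, parent_column) tuples."""
    rows = conn.execute("PRAGMA foreign_key_list(orders)").fetchall()
    return [(r[2], r[3], r[4]) for r in rows]


def find_orphans(conn: sqlite3.Connection) -> list:
    """Substantive test: child rows whose FK value has no matching parent.
    This query works on any SQL engine, declared constraint or not."""
    return conn.execute("""
        SELECT o.order_id, o.customer_id
        FROM orders o
        LEFT JOIN customers c ON c.customer_id = o.customer_id
        WHERE c.customer_id IS NULL
        ORDER BY o.order_id
    """).fetchall()


def fk_check_violations(conn: sqlite3.Connection) -> list:
    """SQLite's built-in integrity check: (table, rowid, parent, fk_index)."""
    return conn.execute("PRAGMA foreign_key_check").fetchall()


def enforcement_rejects_orphan(conn: sqlite3.Connection) -> bool:
    """Operating-effectiveness test: with enforcement on, a new orphan
    must be rejected by the engine."""
    conn.execute("PRAGMA foreign_keys = ON")
    try:
        conn.execute("INSERT INTO orders VALUES (103, 42, 1.0)")
        conn.rollback()
        return False
    except sqlite3.IntegrityError:
        return True


if __name__ == "__main__":
    db = build_sample_db()
    print("declared FKs:", declared_fks(db))
    print("orphans:", find_orphans(db))
    print("foreign_key_check:", fk_check_violations(db))
    print("engine rejects new orphan:", enforcement_rejects_orphan(db))
```

A declared constraint alone is not sufficient evidence: orphans arrive through paths that bypass enforcement (as simulated with PRAGMA foreign_keys = OFF), so the orphan query is the test that supports an assurance statement, and the rejection test shows the control is operating now.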

8
Q

An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?

A. The default configurations are changed
B. All tables in the database are denormalized.
C. Stored procedures and triggers are encrypted
D. The service port used by the database is changed.

A

A. The default configurations are changed.

9
Q

In auditing a database environment, an IS auditor will be MOST concerned if the database administrator is performing which of the following functions?

A. Performing database changes according to change management procedures
B. Installing patches or upgrades to the operating system
C. Sizing table space and consulting on table join limitations
D. Performing backup and recovery procedures.

A

B. Installing patches or upgrades to the operating system

10
Q

Which of the following is the MOST reasonable option for recovering a non-critical system?

A. Warm site
B. Mobile site
C. Hot site
D. Cold site

A

D. Cold site

11
Q

An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?

A. Changes are authorized by IT managers at all times.
B. User acceptance testing is performed and properly documented.
C. Test plans and procedures exist and are closely followed.
D. Capacity planning is performed as part of each development project.

A

C. Test plans and procedures exist and are closely followed.

12
Q

Data flow diagrams are used by IS auditors to:

A. identify key controls
B. highlight high-level data definitions
C. graphically summarize data paths and storage
D. portray step-by-step details of data generation.

A

C. graphically summarize data paths and storage

13
Q

Which of the following statements is useful while drafting a disaster recovery plan?

A. Downtime costs decrease as the recovery point objective increases
B. Downtime costs increase with time.
C. Recovery costs are independent of time
D. Recovery costs can only be controlled on a short-term basis.

A

B. Downtime costs increase with time.

14
Q

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:

A. include the statement from management in the audit report.
B. verify the software is in use through testing.
C. include the item in the audit report.
D. discuss the issue with senior management because it could have a negative impact on the organization.

A

B. verify the software is in use through testing.

15
Q

An advantage of using unshielded twisted pair (UTP) cable for data communication over other copper-based cables is that UTP cable:

A. reduces crosstalk between pairs.
B. provides protection against wiretapping.
C. can be used in long-distance networks.
D. is simple to install.

A

A. reduces crosstalk between pairs.

16
Q

Which of the following is the MOST critical element to effectively execute a disaster recovery plan?

A. Offsite storage of backup data
B. Up-to-date list of key disaster recovery contacts
C. Availability of a replacement data center
D. Clearly defined recovery time objective

A

A. Offsite storage of backup data

17
Q

While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on:

A. adequately monitoring service levels of IT resources and services.
B. providing data to enable timely planning for capacity and performance requirements
C. providing accurate feedback on IT resource capacity.
D. properly forecasting performance, capacity and throughput of IT resources.

A

C. providing accurate feedback on IT resource capacity.

18
Q

Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis?

A. Business process owners
B. IT management
C. Senior business management
D. Industry experts

A

A. Business process owners

19
Q

An IS auditor is reviewing an organization’s disaster recovery plan (DRP) implementation. The project was completed on time and on budget. During the review, the auditor uncovers several areas of concern. Which of the following presents the GREATEST risk?

A. Testing of the DRP has not been performed.
B. The disaster recovery strategy does not specify use of a hot site.
C. The business impact analysis was conducted, but the results were not used.
D. The disaster recovery project manager for the implementation has recently left the organization.

A

C. The business impact analysis was conducted, but the results were not used.

20
Q

A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators have asked if they could reduce the testing of the patches. What is the BEST approach the organization should take?

A. Continue the current process of testing and applying patches.
B. Reduce testing and ensure that an adequate blackout plan is in place.
C. Delay patching until resources for testing are available.
D. Rely on the vendor’s testing of the patches.

A

A. Continue the current process of testing and applying patches.

21
Q

Which of the following should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?

A. A service adjustment resulting from an exception report took a day to implement.
B. The complexity of application logs used for service monitoring made the review difficult.
C. Service measures were not included in the SLA.
D. The document is updated on an annual basis.

A

C. Service measures were not included in the SLA.

22
Q

During an IS audit of the disaster recovery plan of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?

A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.
B. The corporate business continuity plan does not accurately document the systems that exist at remote offices.
C. Corporate security measures have not been incorporated into the test plan.
D. A test has not been made to ensure that tape backups from the remote offices are usable.

A

A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.

23
Q

Which of the following reports should an IS auditor use to check compliance with a service level agreement (SLA) requirement for uptime?

A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports

A

D. Availability reports
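
An availability report is only as good as the definition of "uptime" behind it, so an auditor should reproduce the figure from the raw monitoring events rather than accept the summary. The following added example (not from the original flashcards) does that over a constructed outage log: it pairs DOWN/UP events, clips outages to the reporting period, and computes availability both with and without planned maintenance excluded, because an SLA that silently excludes maintenance windows can report compliance while users saw real downtime. The log format, the March 2024 period and the 99.9% target are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed monitoring log for the example (not from any real system).
# Each line: ISO-8601 UTC timestamp, state, optional PLANNED flag for
# maintenance windows. The last outage straddles the period boundary.
LOG_LINES = """
2024-03-02T01:00:00Z DOWN PLANNED
2024-03-02T03:00:00Z UP
2024-03-15T10:15:00Z DOWN
2024-03-15T10:45:00Z UP
2024-03-31T23:50:00Z DOWN
2024-04-01T00:20:00Z UP
""".strip().splitlines()


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_outages(lines) -> list:
    """Pair each DOWN with the following UP.
    Returns (start, end, planned) tuples; an unbalanced log is an evidence
    problem the auditor must raise, so it is an error, not silently ignored."""
    outages, open_outage = [], None
    for line in lines:
        parts = line.split()
        ts, state = parse_ts(parts[0]), parts[1]
        if state == "DOWN":
            if open_outage is not None:
                raise ValueError(f"DOWN without preceding UP at {parts[0]}")
            open_outage = (ts, "PLANNED" in parts[2:])
        elif state == "UP":
            if open_outage is None:
                raise ValueError(f"UP without preceding DOWN at {parts[0]}")
            outages.append((open_outage[0], ts, open_outage[1]))
            open_outage = None
    if open_outage is not None:
        raise ValueError("log ends while service is still DOWN")
    return outages


def availability_pct(outages, period_start, period_end, exclude_planned) -> float:
    """Availability over [period_start, period_end); outages are clipped to
    the period so boundary-straddling incidents count only the in-period part."""
    period = period_end - period_start
    down = timedelta()
    for start, end, planned in outages:
        if planned and exclude_planned:
            continue
        clipped_start, clipped_end = max(start, period_start), min(end, period_end)
        if clipped_end > clipped_start:
            down += clipped_end - clipped_start
    return 100.0 * (1 - down / period)


def sla_report(lines=LOG_LINES, target_pct: float = 99.9) -> dict:
    """Recompute the uptime figure under both SLA interpretations."""
    outages = parse_outages(lines)
    start = datetime(2024, 3, 1, tzinfo=timezone.utc)   # assumed reporting period
    end = datetime(2024, 4, 1, tzinfo=timezone.utc)
    excl = availability_pct(outages, start, end, exclude_planned=True)
    incl = availability_pct(outages, start, end, exclude_planned=False)
    return {
        "excluding_planned": round(excl, 4),
        "including_planned": round(incl, 4),
        "meets_target_excluding_planned": excl >= target_pct,
        "meets_target_including_planned": incl >= target_pct,
    }


if __name__ == "__main__":
    for k, v in sla_report().items():
        print(f"{k}: {v}")
```

With this constructed log the service meets 99.9% only if planned maintenance is excluded, which is exactly the clause the auditor needs to confirm in the SLA text before signing off on the provider's availability report.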

24
Q

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?

A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review

A

B. Compliance testing
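
A compliance test for unauthorized modification of production programs can be made mechanical: hash the deployed program files and compare them against the baseline that was approved through change management, treating every deviation without a matching change record as an exception. The following added example (not from the original flashcards) builds a throwaway "production" directory, records a baseline, makes an out-of-band edit plus an undocumented extra file, and reports the exceptions; the file names and contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_baseline(baseline: dict, current: dict) -> dict:
    """Classify deviations from the approved baseline.
    modified: content changed; added: not in baseline; missing: removed."""
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline captured at the approved release,
    then changes made directly on the production file system."""
    with tempfile.TemporaryDirectory() as d:
        prod = Path(d)
        (prod / "bin").mkdir()
        (prod / "bin" / "payroll.pyc").write_bytes(b"\x00approved build 1.4\x00")
        (prod / "bin" / "report.pyc").write_bytes(b"\x00approved build 1.4\x00report")
        baseline = hash_tree(prod)  # would be stored with the change record

        # Out-of-band changes after the baseline (constructed)
        (prod / "bin" / "payroll.pyc").write_bytes(b"\x00edited by hand\x00")
        (prod / "bin" / "debug_hook.pyc").write_bytes(b"unreviewed helper")

        return compare_to_baseline(baseline, hash_tree(prod))


if __name__ == "__main__":
    print(demo())
```

The baseline must come from an independent source (the release artifact recorded on the change ticket, or a hash list held outside the production host), otherwise anyone who can modify the programs can also update the baseline and the test proves nothing.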

25
Q

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do NEXT?

A. Recommend redesigning the change management process.
B. Gain more assurance on the findings through root cause analysis.
C. Recommend that program migration be stopped until the change management process is documented.
D. Document the finding and present it to management.

A

B. Gain more assurance on the findings through root cause analysis.