Chapter 2 Self Assessment Flashcards

1
Q

In order for management to effectively monitor the compliance of processes and applications, which of the following would be the MOST ideal?

A. A central document repository
B. A knowledge management system
C. A dashboard
D. Benchmarking

A

C. A dashboard

2
Q

Which of the following would be included in an IS strategic plan?

A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IT department

A

B. Analysis of future business objectives

3
Q

Which of the following BEST describes an IT department’s strategic planning process?

A. The IT department will have either short- or long-range plans depending on the organization’s broader plans and objectives.
B. The IT department’s strategic plan must be time- and project-oriented but not so detailed as to address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans.

A

C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements.

4
Q

The MOST important responsibility of a data security officer in an organization is:

A. recommending and monitoring data security policies.
B. promoting security awareness within the organization.
C. establishing procedures for IT security policies.
D. administering physical and logical access controls.

A

A. recommending and monitoring data security policies.

5
Q

What is considered the MOST critical element for the successful implementation of an information security program?

A. An effective enterprise risk management framework (ERM)
B. Senior management commitment
C. An adequate budgeting process
D. Meticulous program planning

A

B. Senior management commitment

6
Q

An IS auditor should ensure that IT governance performance measures:

A. evaluate the activities of IT oversight committees.
B. provide strategic IT drivers.
C. adhere to regulatory reporting standards and definitions.
D. evaluate the IT department.

A

A. evaluate the activities of IT oversight committees.

7
Q

Which of the following tasks may be performed by the same person in a well-controlled information processing computer center?

A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and system maintenance

A

D. System development and system maintenance

8
Q

Which of the following is the MOST critical control over database administration (DBA)?

A. Approval of DBA activities
B. Segregation of duties in regard to access rights granting/revoking
C. Review of access logs and activities
D. Review of the use of database tools

A

B. Segregation of duties in regard to access rights granting/revoking

9
Q

When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others?

A. Origination
B. Authorization
C. Recording
D. Correction

A

B. Authorization

10
Q

In a small organization where segregation of duties (SoD) is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend?

A. Automated logging of changes to development libraries
B. Additional staff to provide SoD
C. Procedures that verify that only approved program changes are implemented
D. Access controls to prevent the operator from making program modifications

A

C. Procedures that verify that only approved program changes are implemented

11
Q

Which of the following control documents describes a software-improvement process that is characterized by five levels, where each level describes a higher level of maturity?

A. ISO 17799
B. CMM
C. COSO
D. CobiT

A

B. CMM

12
Q

A network administrator should not share the duties of which of the following roles?

A. Quality assurance
B. Systems administrator
C. Application programmer
D. Systems analyst

A

C. Application programmer

13
Q

You are auditing a credit card payment system. Which of the following methods provides the best assurance that information is entered correctly?

A. Audit trails
B. Separation of data entry and computer operator duties
C. Key verification
D. Supervisory review

A

C. Key verification

14
Q

Which level of the CMM is characterized by its capability to measure results by qualitative measures?

A. Level 1
B. Level 2
C. Level 3
D. Level 4

A

C. Level 3

15
Q

Which of the following is most closely associated with bottom-up policy development?

A. Aligns policy with strategy
B. Is a very slow process
C. Does not address concerns of employees
D. Involves risk assessment

A

D. Involves risk assessment

16
Q

Which of the following offers the best explanation of a balanced scorecard?

A. Used for benchmarking a preferred level of service
B. Used to measure the effectiveness of IT services by customers and clients
C. Verifies that the organization’s strategy and IT services match
D. Measures the evaluation of help-desk employees

A

C. Verifies that the organization’s strategy and IT services match

17
Q

Your organization is considering using a new ISP now that the current contract is complete. From an audit perspective, which of the following would be the most important item to review?

A. The service level agreement
B. The physical security of the ISP site
C. References from other clients of the ISP
D. Background checks of the ISP’s employees

A

A. The service level agreement

18
Q

Separation of duties is one way to limit fraud and misuse. Of the four separation-of-duties controls, which most closely matches this explanation: “This control allows employees access to cash or valuables”?

A. Authorization
B. Custody
C. Record keeping
D. Reconciliation

A

B. Custody

19
Q

Which of the following job roles can be combined to create the least amount of risk or opportunity for malicious acts?

A. Systems analyst and quality assurance
B. Computer operator and systems programmer
C. Security administrator and application programmer
D. Database administrator and systems analyst

A

D. Database administrator and systems analyst

20
Q

You have been asked to perform a new audit assignment. Your first task is to review the organization’s strategic plan. Which of the following should be the first item reviewed?

A. Documentation that details the existing infrastructure
B. Previous and planned budgets
C. Organizational charts
D. The business plan

A

D. The business plan