Domain 2: Governance and Management of IT Part 2B

Question 1

Before implementing an IT balanced scorecard, an organization must:

Answer 1

define key performance indicators.

Question 2

A decision support system is used to help high-level management:

Answer 2

make decisions based on data analysis and interactive models.

Question 3

During a feasibility study regarding outsourcing IT processing, the relevance for the IS auditor of reviewing the vendor’s business continuity plan is to:

Answer 3

evaluate the adequacy of the service levels that the vendor can provide ina contingency.

Question 4

During an audit, which of the following situations are MOST concerning for an organization that significantly outsources IS processing to a private network?

Answer 4

The contract does not contain a right-to-audit clause for the third party.

Question 5

An employee who has access to highly confidential information resigned. Upon departure, which of the following should be done FIRST?

Answer 5

Revoke the employee’s access to all systems.

Question 6

An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider’s employees adhere to the security policies?

Answer 6

An indemnity clause is included in the contract with the service provider.

Question 7

An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise’s security requirements?

Answer 7

The vendor agrees to provide annual external audit reports in the contract.

Question 8

An enterprise selected a vendor to develop and implement a new software system. To ensure that the enterprise’s investment in software is protected, which of the following security clauses is MOST important to include in the master services agreement?

Answer 8

Software escrow

Question 9

In a review of the human resources policies and procedures within an organization, an IS auditor is MOST concerned with the absence of a:

Answer 9

termination checklist.

Question 10

In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether:

Answer 10

there is an integration of IT and business personnel within projects.

Question 11

An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?

Answer 11

The contractual warranties of the providers support the business needs of the organization.

Question 12

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered:

Answer 12

can support the organization in the long term.

Question 13

An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise’s investment in software is protected, which of the following should be recommended by the IS auditor?

Answer 13

There should be a source code escrow agreement in place.

Question 14

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:

Answer 14

one person knowing all parts of a system.

Question 15

An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the:

Answer 15

ownership of intellectual property.

Question 16

An IS auditor was asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed?

Answer 16

Conduct periodic audit reviews of the vendor.

Question 17

Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:

Answer 17

reduce the opportunity for an employee to commit an improper or illegal act.

Question 18

An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:

Answer 18

source code of the ETCS application is placed in escrow.

Question 19

An organization has outsourced its help desk activities. An IS auditor’s GREATEST concern when reviewing the contract and associated service level agreement between the organization and vendor should be the provisions for:

Answer 19

independent audit reports or full audit access.

Question 20

An organization purchased a third-party application and made significant modifications. While auditing the development process for this critical, customer-facing application, the IS auditor noted that the vendor has been in business for only one year. Which of the following helps to mitigate the risk relating to continued application support?

Answer 20

A software escrow agreement

Question 21

Organizations requiring employees to take a mandatory vacation each year PRIMARILY want to ensure:

Answer 21

potential irregularities in processing are identified by a temporary replacement.

Question 22

The PRIMARY benefit of an enterprise architecture initiative is to:

Answer 22

enable the organization to invest in the most appropriate technology.

Question 23

The PRIMARY control purpose of required vacations or job rotations is to:

Answer 23

detect improper or illegal employee acts.

Question 24

Regarding the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?

Answer 24

Core activities that provide a differentiated advantage to the organization have been outsourced.

Question 25

To support an organization’s goals, an IT department should have:

Answer 25

long- and short- term plans.

Question 26

Value delivery from IT to the business is MOST effectively achieved by:

Answer 26

aligning the IT strategy with the enterprise strategy.

Question 27

When an employee is terminated from service, the MOST important action is to:

Answer 27

disable the employee’s logical access.

Question 28

When reviewing an organization’s approved software product list, which of the following is the MOST important thing to verify?

Answer 28

The risk associated with the use of the products is periodically assessed.

Question 29

Which of the following BEST provides assurance of the integrity of new staff?

Answer 29

Background screening

Question 30

Which of the following does an IS auditor consider the MOST relevant to short-term planning for an IT department?

Answer 30

Allocating resources

Question 31

Which of the following does an IS auditor FIRST reference when performing an IS audit?

Answer 31

Approved policies

Question 32

Which of the following goals do you expect to find in an organization’s strategic plan?

Answer 32

Approved suppliers for products offered by the company

Question 33

Which of the following is the BEST reference for an IS auditor to determine a vendor’s ability to meet service level agreement (SLA) requirements for a critical IT security service?

Answer 33

Agreed-on key performance metrics

Question 34

Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement with an external IT service provider?

Answer 34

Uptime guarantee

Question 35

Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement with an external IT service provider?

Answer 35

Uptime guarantee

Question 36

Which of the following is the MOST important function to be performed by IT management when a service has been outsourced?

Answer 36

Monitoring the outsourcing provider’s performance

Question 37

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:

Answer 37

agrees to be subject to

external security reviews.

Question 38

Which of the following is the PRIMARY objective of an IT performance measurement process?

Answer 38

Optimize performance

Question 39

Which of the following reasons BEST describes the purpose of a mandatory vacation policy?

Answer 39

To identify potential errors or inconsistencies in business processes

Question 40

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?

Answer 40

Determining if the services were provided as contracted

Question 41

Which of the following situations is addressed by a software escrow agreement?

Answer 41

The vendor of custom-written software goes out of business.

Question 42

While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor’s PRIMARY concern should be that the:

Answer 42

requirement for protecting confidentiality of information can be compromised.

Question 43

While conducting an IS audit of a service provider for a government program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met?

Answer 43

Periodic independent audit of the work delegated to the subcontractor

Question 44

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:

Answer 44

effectiveness of the QA function because it should interact between project management and user management.

Question 45

While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that:

Answer 45

Continuous improvement targets are being monitored.