Practice Exam 2 Flashcards

1
Q

An information systems (IS) auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of the IS auditor while evaluating the transaction should be to:

A. maintain impartiality while evaluating the transaction.
B. ensure that the independence of the IS auditor is maintained.
C. ensure that the integrity of the evidence is maintained.
D. assess all relevant evidence for the transaction.

A

C. The IS auditor has been requested to perform an investigation to capture evidence that may be used for legal purposes, and, therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law.

2
Q

An organization is considering using a new IT service provider. From an audit perspective, which of the following is the MOST important item to review?

A. References from other clients for the service provider
B. The physical security of the service provider site
C. The proposed service level agreement (SLA) with the service provider
D. Background checks of the service provider’s employees

A

C. An SLA is a guarantee that the provider will deliver the services according to the contract. When contracting with a service provider, it is a good practice to enter into an SLA with the provider. The information systems (IS) auditor will want to ensure that performance and security requirements are clearly stated in the SLA.

3
Q

For which of the following controls would an information systems (IS) auditor look in an environment where duties cannot be appropriately segregated?

A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls

A

D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.

4
Q

An information systems (IS) auditor finds that not all employees are aware of the enterprise’s information security policy. The IS auditor should conclude that:

A. this lack of knowledge may lead to unintentional disclosure of sensitive information.
B. information security is not critical to all functions.
C. IS audit should provide security training to the employees.
D. the audit finding will cause management to provide continuous training to staff.

A

A. All employees should be aware of the enterprise’s information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.

5
Q

To ensure that an enterprise is complying with privacy requirements, an information systems (IS) auditor should FIRST review:

A. the IT infrastructure.
B. organizational policies, standards and procedures.
C. legal and regulatory requirements.
D. adherence to organizational policies, standards and procedures.

A

C. To ensure that the enterprise is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, enterprises need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, an IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.

6
Q

In a distributed system, which of the following BEST allows different components or modules to communicate and coordinate their activities?

A. Message queue interface
B. Application programming interface (API)
C. Remote procedure call
D. Communication infrastructure interface

A

B. An application programming interface (API) allows components or modules in a distributed system to communicate and coordinate their activities. An API defines a set of rules and protocols that enable the interaction and exchange of data between software components.

7
Q

The internal audit department wrote some scripts that are used for continuous auditing. The IT department asked for copies of the scripts so that they can be used for setting up a continuous monitoring process on key systems. Considering the ability of the information systems (IS) auditors to independently and objectively audit the IT function, should sharing these scripts be permitted?

A. Sharing the scripts is not permitted because it gives IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all programs and software that run on information systems regardless of audit independence.
C. Sharing the scripts is permissible if IT recognizes that audits may be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because the IS auditors who wrote the scripts would not be permitted to audit any information systems where the scripts are being used for monitoring.

A

C. IS audit may not be able to review the effectiveness of the scripts, but it can still audit all aspects of the systems.

8
Q

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an information systems (IS) compliance audit?

A. Complexity of the organization’s operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor’s familiarity with the organization

A

C. The extent to which data will be collected during an information systems (IS) audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as sample size or means of data collection.

9
Q

The PRIMARY purpose for meeting with auditees prior to formally closing a review is to:

A. confirm that the auditors did not overlook any important issues.
B. gain agreement on the findings.
C. receive feedback on the adequacy of the audit procedures.
D. test the structure of the final presentation.

A

B. The primary purpose for meeting with auditees prior to formally closing a review is to gain agreement on the findings and responses from management.

10
Q

Which of the following would be MOST appropriate for helping to detect sensitive information that is stored on the enterprise hard drive(s) with inappropriate authorization or security controls?

A. Intrusion detection system (IDS)
B. Data loss prevention (DLP)
C. Intrusion prevention system (IPS)
D. Transport Layer Security (TLS)

A

B. Data loss prevention (DLP) systems identify sensitive information stored on endpoint systems or in transit over a network.

11
Q

Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees?

A. To prevent the misuse of corporate resources
B. To prevent conflicts of interest
C. To prevent employee performance issues
D. To prevent theft of IT assets

A

B. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing organization. Conflicts of interest can result in serious risk, such as fraud, theft of intellectual property or other improprieties.

12
Q

Which of the following statements is useful while drafting a disaster recovery plan (DRP)?

A. Downtime costs decrease as the recovery point objective (RPO) increases.
B. Downtime costs increase with time.
C. Recovery costs are independent of time.
D. Recovery costs can only be controlled on a short-term basis.

A

B. Downtime costs—such as loss of sales, idle resources and salaries—increase with time. A disaster recovery plan (DRP) should be drawn up to achieve the lowest downtime costs possible.

13
Q

The purpose of a checksum on an amount field in an electronic data interchange communication of financial transactions is to ensure:

A. integrity.
B. authenticity.
C. authorization.
D. nonrepudiation.

A

A. A checksum that is calculated on an amount field and included in the electronic data interchange communication can be used to identify unauthorized modifications.

14
Q

What kind of software application testing is considered the final stage of testing and typically includes users outside of the development team?

A. Alpha testing
B. White box testing
C. Regression testing
D. Beta testing

A

D. Beta testing is the final stage of testing and typically includes users outside of the development area. Beta testing is a form of user acceptance testing and generally involves a limited number of users who are external to the development effort.

15
Q

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?

A. It detects risk sooner.
B. It replaces the internal audit function.
C. It reduces the audit workload.
D. It reduces audit resource requirements.

A

A. Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSAs help to increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help to identify risk in a timelier manner.

16
Q

An enterprise discovers that the computer of the chief financial officer has been infected with malware that includes a keystroke logger and a rootkit. The FIRST action to take is to:

A. contact the appropriate law enforcement authorities to begin an investigation.
B. immediately ensure that no additional data are compromised.
C. disconnect the PC from the network.
D. update the antivirus signature on the PC to ensure that the malware or virus is detected and removed.

A

C. The most important task is to prevent further data compromise and preserve evidence by disconnecting the computer from the network.

17
Q

An information systems (IS) auditor is reviewing system development for a health care organization with two application environments—production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?

A. The test environment may not have adequate controls to ensure data accuracy.
B. The test environment may produce inaccurate results due to use of production data.
C. Hardware in the test environment may not be identical to the production environment.
D. The test environment may not have adequate access controls implemented to ensure data confidentiality.

A

D. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing purposes), but not to the production environment. If the test environment does not have adequate access control, the production data are subject to risk of unauthorized access and/or data disclosure. This is the most significant risk of the choices listed and is especially important in a health care organization where patient data confidentiality is critical and privacy laws in many countries impose strict penalties on misuse of these data.

18
Q

Which of the following is a prevalent risk in the development of end-user computing applications?

A. Applications may not be subject to testing and IT general controls.
B. Development and maintenance costs may be increased.
C. Application development time may be increased.
D. Decision-making may be impaired due to diminished responsiveness to requests for information.

A

A. End-user computing is defined as the ability of end users to design and implement their own information system using computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications.

19
Q

An information systems (IS) auditor is developing an audit plan for an environment that includes new systems. Enterprise management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

A. Audit the new systems as requested by management.
B. Audit systems not included in last year’s scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit systems not in last year’s scope and the new systems.

A

C. The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1201 (Risk Assessment in Planning), statement 1201.1: “The IT audit and assurance function shall use an appropriate risk assessment approach (i.e., data-driven with both quantitative and qualitative factors) and supporting methodology to develop the overall IT audit plan and to determine priorities for the effective allocation of IT audit resources.”

20
Q

An enterprise’s IT director approved the installation of a wireless local area network (WLAN) access point in a conference room for a team of consultants to access the Internet with their laptop computers. The BEST control to protect the corporate servers from unauthorized access is to ensure that:

A. encryption is enabled on the access point.
B. the conference room network is on a separate virtual local area network (VLAN).
C. antivirus signatures and patch levels are current on the consultants’ laptops.
D. default user IDs are disabled and strong passwords are set on the corporate servers.

A

B. The installation of the wireless network device presents risk to the corporate servers from authorized and unauthorized users. A separate virtual local area network (VLAN) is the best solution because it ensures that authorized and unauthorized users are prevented from gaining network access to database servers, while allowing Internet access to authorized users.

21
Q

An information systems (IS) auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice:

A. reduces the risk of unauthorized access to the network.
B. is not suitable for small networks.
C. automatically provides an internet protocol (IP) address to anyone.
D. increases the risk associated with Wireless Encryption Protocol.

A

A. Dynamic Host Configuration Protocol (DHCP) automatically assigns internet protocol (IP) addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used, and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access.

22
Q

Applying a retention date on a file will ensure that:

A. data cannot be read until the date is set.
B. data will not be deleted before that date.
C. backup copies are not retained after that date.
D. datasets having the same name are differentiated.

A

B. A retention date ensures that a file cannot be overwritten or deleted before that date has passed.

23
Q

When reviewing an enterprise’s preventive maintenance process for systems at a data center, what is the MOST important practice that should be in place for an information systems (IS) auditor to be able to ensure that adequate maintenance is being performed on all critical computing, power and cooling systems?

A. Proper background checks on all service personnel are conducted.
B. Service personnel are escorted at all times when performing their work.
C. Maintenance is scheduled during noncritical processing times.
D. Verification of maintenance being performed is done independently.

A

D. Independent verification confirms documented maintenance activities, ensuring their effectiveness in sustaining critical systems. It provides assurance and detects any maintenance process gaps or deficiencies.

24
Q

Which of the following BEST helps to prioritize project activities and determine the timeline for a project?

A. Gantt chart
B. Earned value analysis
C. Program evaluation review technique (PERT)
D. Function point analysis

A

C. The PERT method works on the principle of obtaining project timelines based on project events for three likely scenarios—worst, best and normal. The timeline is calculated by a predefined formula and identifies the critical path, which identifies the key activities that must be prioritized.

25
Q

From a control perspective, the key element in job descriptions is that they:

A. provide instructions on how to do the job and define authority.
B. are current, documented and readily available to the employee.
C. communicate management’s specific job performance expectations.
D. establish responsibility and accountability for the employee’s actions.

A

D. From a control perspective, a job description should establish responsibility and accountability. This aids in ensuring that users are given system access in accordance with their defined job responsibilities and are accountable for how they use that access.

26
Q

Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application?

A. Total cost of ownership of the application
B. The resources required for implementation
C. Return on investment (ROI) for the enterprise
D. The cost and complexity of security requirements

A

C. The proposed ROI benefits, and targets or metrics that can be measured, are the most important aspects of a business case. While reviewing the business case, it should be verified that the proposed ROI is achievable, does not make unreasonable assumptions and can be measured for success. (Benefits realization should look beyond project cycles to longer-term cycles that consider the total benefits and total costs throughout the life of the new system.)

27
Q

Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling
B. Variable sampling
C. Stratified mean-per-unit sampling
D. Difference estimation sampling

A

A. Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain predefined dollar amount for proper approvals.

28
Q

An information systems (IS) auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess the following:

A. Problem management procedures
B. Software development procedures
C. Back-out procedures
D. Incident management procedures

A

C. Back-out procedures are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process, which specifies what procedures should be followed when software is being upgraded but does not work and requires a fallback to its former state.

29
Q

Which of the following is the BEST method for determining the criticality of each application system in the production environment?

A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent application audits.
D. Perform a business impact analysis (BIA).

A

D. A business impact analysis (BIA) gives the impact of the loss of each application. A BIA is conducted with representatives of the business that can accurately describe the criticality of a system and its importance to the business.

30
Q

An information systems (IS) auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered:

A. can deliver on the immediate contract.
B. is of similar financial standing as the organization.
C. has significant financial obligations that can impose liability to the organization.
D. can support the organization in the long term.

A

D. The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor will be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.

31
Q

An information systems (IS) auditor suspects an incident is occurring while an audit is being performed on a financial system. What should the IS auditor do FIRST?

A. Request that the system be shut down to preserve evidence.
B. Report the incident to management.
C. Ask for immediate suspension of the suspect accounts.
D. Investigate the source and nature of the incident.

A

B. Reporting the suspected incident to management will help initiate the incident response process, which is the most appropriate action. Management is responsible for making decisions regarding the appropriate response. It is not the IS auditor’s role to respond to incidents during an audit.

32
Q

An organization purchased a third-party application and made significant modifications. While auditing the development process for this critical customer-facing application, the information systems (IS) auditor noted that the vendor has been in business for only one year. Which of the following helps to mitigate the risk relating to continued application support?

A. Viability study on the vendor
B. Software escrow agreement
C. Financial evaluation of the vendor
D. Contractual agreement for future enhancements

A

B. Considering that the vendor has been in the business for only one year, the biggest concern is financial stability or viability of the vendor and the risk of the vendor going out of business. The best way that this risk can be addressed is to have a software escrow agreement for the source code of the application, which provides the entity access to the source code if the vendor goes out of business.

33
Q

The responsibility for authorizing access to a business application system belongs to the:

A. data owner.
B. security administrator.
C. IT security manager.
D. requestor’s immediate supervisor.

A

A. When a business application is developed, a good practice is to assign an information or data owner to the application. The information owner should be responsible for authorizing access to the application itself or to back-end databases for queries.

34
Q

Which of the following is the MOST significant function of an enterprise public key infrastructure and certificate authority employing X.509 digital certificates?

A. It provides the public/private key set for the encryption and signature services used by email and file space.
B. It binds a digital certificate and its public key to an individual subscriber’s identity.
C. It provides the authoritative source for employee identity and personal details.
D. It provides the authoritative authentication source for object access.

A

B. PKI is primarily used to gain assurance that protected data or services originated from a legitimate source. The process to ensure the validity of the subscriber identity by linking to the digital certificate/public key is strict and rigorous.

35
Q

Which of the following systems or tools can recognize that a credit card transaction is MORE likely to have resulted from a stolen credit card than from the holder of the credit card?

A. Intrusion detection systems (IDSs)
B. Data mining techniques
C. Stateful inspection firewalls
D. Packet filtering routers

A

B. Data mining is a technique used to detect trends or patterns of transactions or data. If the historical pattern of charges against a credit card account is changed, then it is a flag that the transaction may have resulted from a fraudulent use of the card.

35
Q

What BEST describes the risk that information collected may contain a material error that may go undetected during information systems (IS) auditing?

A. Inherent risk
B. Audit risk
C. Control risk
D. Detection risk

A

B. Audit risk is the probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred.

36
Q

Which of the following does an information systems (IS) auditor FIRST reference when performing an IS audit?

A. Implemented procedures
B. Approved policies
C. Internal standards
D. Documented practices

A

B. Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy.

37
Q

The management of an enterprise has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

A. Using an intrusion detection system to report incidents.
B. Mandating the use of passwords to access all software.
C. Installing an efficient user log system to track the actions of each user.
D. Training provided on a regular basis to all current and new employees.

A

D. Regular training is an important part of a security awareness program.

38
Q

An information systems (IS) auditor is performing a review of an organization’s governance model. Which of the following should be of MOST concern to the auditor?

A. The information security policy is not periodically reviewed by senior management.
B. A policy ensuring systems are patched in a timely manner does not exist.
C. The audit committee did not review the organization’s mission statement.
D. An organizational policy related to information asset protection does not exist.

A

A. Data security policies should be reviewed/refreshed once every year to reflect changes in the organization’s environment. Policies are fundamental to the organization’s governance structure, and, therefore, this is the greatest concern.

39
Q

An organization requests that an information systems (IS) auditor provide a recommendation to enhance the security and reliability of its Voice-over Internet Protocol (VoIP) system and data traffic. Which of the following meets this objective?

A. VoIP infrastructure needs to be segregated using virtual local area networks.
B. Buffers need to be introduced at the VoIP endpoints.
C. Ensure that end-to-end encryption is enabled in the VoIP system.
D. Ensure that emergency backup power is available for all parts of the VoIP infrastructure.

A

A. Segregating the Voice-over Internet Protocol (VoIP) traffic using virtual local area networks (VLANs) best protects the VoIP infrastructure from network-based attacks, potential eavesdropping and network traffic issues (which helps to ensure uptime).

40
Q

Information for detecting unauthorized input from a user workstation is BEST provided by the:

A. console log printout.
B. transaction journal.
C. automated suspense file listing.
D. user error report.

A

B. The transaction journal records all transaction activity, which then can be compared to the authorized source documents to identify any unauthorized input.

40
Q

Which of the following BEST helps to detect errors in data processing?

A. Programmed edit checks
B. Well-designed data entry screens
C. Separation of duties
D. Hash totals

A

D. The use of hash totals is an effective method to reliably detect errors in data processing. A hash total indicates an error in data integrity.

41
Q

During a production system change control audit, an information systems (IS) auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?

A. Recommend redesigning the change management process.
B. Gain more assurance on the findings through root cause analysis.
C. Recommend that program migration be stopped until the change process is documented.
D. Document the finding and present it to management.

A

B. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations or redesigning the change management process), the information systems (IS) auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.

41
Q

Which of the following is a network diagnostic tool that monitors and records network information?

A. Online monitor
B. Downtime report
C. Help desk report
D. Protocol analyzer

A

D. Protocol analyzers are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached.

42
Q

While planning an information systems (IS) audit, an assessment of risk should be made to provide:

A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.

A

A. ISACA Information Systems (IS) Audit and Assurance Performance Guideline 2201 (Risk Assessment in Planning) states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. The risk assessment should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit engagements.

43
Q

Two months after a major application implementation, management, which assumes that the project went well, requests that an information systems (IS) auditor perform a review of the completed project. The IS auditor’s PRIMARY focus should be to:

A. determine whether user feedback on the system has been documented.
B. assess whether the planned cost benefits are being measured, analyzed and reported.
C. review controls built into the system to assure that they are operating as designed.
D. review subsequent program change requests.

A

C. Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed.

44
Q

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an information systems (IS) auditor perform without compromising the objectivity of the IS audit function?

A.Advise on the adoption of application controls to the new database software.
B.Provide future estimates of the licensing expenses to the project team.
C.Recommend to the project manager how to improve the efficiency of the migration.
D.Review the acceptance test case documentation before the tests are carried out.

A

D. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise about the completeness of the test cases.

44
Q

A team conducting a risk analysis is having difficulty projecting the financial losses that can result from a risk. To evaluate the potential impact, the team should:

A.compute the amortization of the related assets.
B.calculate a return on investment (ROI).
C.apply a qualitative approach.
D.spend the time needed to define the loss amount exactly.

A

C. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).

45
Q

Which of the following is the MOST important security consideration to an enterprise that wants to move a business application to an external cloud service (PaaS) provided by a vendor?

A.Classification and categories of data processed by the application
B.Cost of hosting the application internally versus externally
C.Reputation of a vendor based on the market and feedback from clients
D.Drop in application performance due to use of shared services

A

A. The types of data and their sensitivity are a primary consideration because there might be legal obligations related to data hosting and its level of protection (e.g., personal information, banking information and health information).

46
Q

During an audit of a small organization that provides medical transcription services, an information systems (IS) auditor observes several issues related to the backup and restore process. Which of the following should be the auditor’s GREATEST concern?

A.Restoration testing for backup media is not performed; however, all data restore requests have been successful.
B.The policy for data backup and retention has not been reviewed by the business owner for the past three years.
C.The organization stores transcription backup media offsite using a third-party service provider that inventories backups annually.
D.Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.

A

C. Losing a backup medium is a major incident for an organization handling confidential patient data. Privacy laws impose severe penalties, and mandated reporting requirements can harm the organization’s reputation. To ensure proper backup handling, the organization should conduct audit tests, including frequent physical inventories and evaluating controls at the third-party provider.

47
Q

Which of the following controls provides the GREATEST assurance of database integrity?

A.Audit log procedures
B.Table link/reference checks
C.Query/table access time checks
D.Rollback and rollforward database features

A

B. Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database) and, thus, provides the greatest assurance of database integrity.

48
Q

A firewall is being deployed at a new location. Which of the following is the MOST important factor in ensuring a successful deployment?

A.Reviewing logs frequently
B.Testing and validating the rules
C.Training a local administrator at the new location
D.Sharing firewall administrative duties

A

B. A mistake in the rule set can render a firewall ineffective or insecure. Therefore, testing and validating the rules is the most important factor in ensuring a successful deployment.

49
Q

Which of the following is an advantage of elliptic curve encryption over RSA encryption?

A.Computation speed
B.Ability to support digital signatures
C.Simpler key distribution
D.Message integrity controls

A

A. The main advantage of elliptic curve cryptography (ECC) over RSA encryption is its computation speed. This is due in part to the use of much smaller keys in the ECC algorithm than in RSA.

49
Q

Which of the following tests performed by an information systems (IS) auditor is the MOST effective in determining compliance with organizational change control procedures?

A.Review software migration records and verify approvals.
B.Identify changes that have occurred and verify approvals.
C.Review change control documentation and verify approvals.
D.Ensure that only appropriate staff can migrate changes into production.

A

B. The most effective method is to determine what changes have been made (check logs and modified dates) and then verify that they have been approved.

50
Q

What is the BEST action for an information systems (IS) auditor to take when an outsourced monitoring process for remote access is inadequate and management disagrees because intrusion detection system (IDS) and firewall controls are in place?

A.Revise the finding in the audit report per management’s feedback.
B.Retract the finding because the IDS controls are in place.
C.Retract the finding because the firewall rules are monitored.
D.Document the identified finding in the audit report.

A

D. IS auditor independence dictates that the additional information provided by the auditee be taken into consideration. Normally, an IS auditor does not automatically retract or revise the finding.

50
Q

Which of the following is the BEST approach for an information systems (IS) auditor evaluating IT-related controls as a member of an integrated audit team?

A.Perform IT audits independently and submit findings to the audit manager to include in the final report.
B.Prioritize control testing based on the complexity of the technology implemented by the enterprise.
C.Include in the audit report the impact to the business due to weaknesses found in IT controls.
D.Discuss the findings with the audit manager and afterwards submit the IT audit report to auditee’s management.

A

C. One of the objectives of an integrated audit is to provide added value to the auditee and improve the overall quality of the audit process. Describing the business impact due to weaknesses in IT-related controls best helps the auditee management in relating the deployment of IT with the business.

51
Q

Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an enterprise?

A.Actions performed on log files should be tracked in a separate log.
B.Write access to audit logs should be disabled.
C.Only select personnel should have rights to view or delete audit logs.
D.Backups of audit logs should be performed periodically.

A

C. Granting audit-log access only to system administrators and security administrators reduces the possibility of these files being deleted.

52
Q

Which of the following stakeholders is the MOST important in terms of developing a business continuity plan (BCP)?

A.Process owners
B.Application owners
C.Board of directors
D.IT management

A

A. Process owners are essential in identifying the critical business functions, recovery times and resources needed.

53
Q

Which of the following is an effective preventive control to ensure that a database administrator (DBA) complies with the custodianship of the enterprise’s data?

A.Exception reports
B.Separation of duties (SoD)
C.Review of access logs and activities
D.Management supervision

A

B. Adequate segregation/separation of duties (SoD) is a preventive control that can restrict the activities of the DBA to those that have been authorized by the data owners. SoD can restrict what a DBA can do by requiring more than one person to participate to complete a task.

53
Q

Which of the following BEST helps an information systems (IS) auditor in ensuring that automated data conversion from an old system to a new system has been completed successfully?

A.Operator reports
B.Exception reports
C.Control totals
D.Application logs

A

B. Exception reports are automated reports that identify errors encountered during processing, including transactions that are not converted automatically.

54
Q

What is the GREATEST risk associated with inadequate management of storage growth in a critical file server?

A.Backup time steadily increases.
B.Backup operational costs significantly increase.
C.Storage operational costs significantly increase.
D.Server recovery work may not meet the recovery time objective (RTO).

A

D. In case of a crash, recovering a server with an extensive amount of data can require a significant amount of time. If the recovery cannot meet the RTO, the server's restoration capability is out of line with the IT strategy. It is important to ensure that server restoration can meet the RTO.

54
Q

During a system development life cycle audit of a human resources and payroll application, the information systems (IS) auditor notes that the data used for user acceptance testing have been masked. The purpose of masking the data is to ensure the:

A.confidentiality of the data.
B.accuracy of the data.
C.completeness of the data.
D.reliability of the data.

A

A. Masking is used to ensure the confidentiality of data, especially in a user acceptance testing exercise where testers have access to data that they would not have access to in normal production environments.

55
Q

An information systems (IS) auditor is reviewing the physical security measures of an enterprise. Regarding the access card system, the IS auditor should be MOST concerned that:

A.nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.
B.access cards are not labeled with the enterprise’s name and address to facilitate easy return of a lost card.
C.card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards.
D.the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure.

A

A. Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof (e.g., identity card or driver’s license).

56
Q

An information systems (IS) auditor is asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed?

A.Require the vendor to provide monthly status reports.
B.Have periodic meetings with the client IT manager.
C.Conduct periodic audit reviews of the vendor.
D.Require that performance parameters be stated within the contract.

A

C. Conducting periodic reviews of the vendor ensures that the agreements within the contract are completed in a satisfactory manner. Without future audit reviews after the contract is signed, service level agreements and the client’s requirements for security controls may become less of a focus for the vendor, and the results may slip. Periodic audit reviews allow the client to look at the vendor’s current state to ensure that the vendor is one with which they want to continue to work.

57
Q

An information systems (IS) auditor finds that the answers received during an interview with a payroll clerk do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:

A.conclude that the controls are inadequate.
B.expand the scope to include substantive testing.
C.place greater reliance on previous audits.
D.suspend the audit.

A

B. If the answers provided to an IS auditor’s questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.

57
Q

An information systems (IS) auditor found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make?

A.Achieve standards alignment through an increase of resources devoted to the project.
B.Align the data definition standards after completion of the project.
C.Delay the project until compliance with standards can be achieved.
D.Enforce standard compliance by adopting punitive measures against violators.

A

A. Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards can be treated as a specific work package assigned to new project resources.

58
Q

An enterprise has created a policy that defines the types of websites that users are forbidden to access. What is the MOST effective technology to enforce this policy?

A.Stateful inspection firewall
B.Web content filter
C.Web cache server
D.Proxy server

A

B. A web content filter accepts or denies web communications according to the configured rules. To help the administrator properly configure the tool, enterprises and vendors have made available uniform resource locator (URL) blacklists and classifications for millions of websites.

59
Q

Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions?

A.Parity check
B.Echo check
C.Block sum check
D.Cyclic redundancy check

A

D. The cyclic redundancy check (CRC) can check a whole block of transmitted data. The sending workstation generates the CRC and transmits it with the data. The receiving workstation computes a CRC over the received data and compares it to the transmitted CRC; if both are equal, the block is assumed error free. Unlike a parity check or an echo check, a CRC can detect multiple errors in a block, including bursts. In general, CRC can detect all single-bit and double-bit errors.

60
Q

An information systems (IS) auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when:

A.the enterprise is not permitted to assess the controls in the participating vendor’s site.
B.the service level agreement (SLA) does not address the responsibility of the vendor in the case of a security breach.
C.laws and regulations are different in the countries of the enterprise and the vendor.
D.the enterprise is using an older version of a browser and is vulnerable to certain types of security risk.

A

B. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.

61
Q

Which of the following is MOST important to determine the recovery point objective (RPO) for a critical process in an enterprise?

A.Number of hours of acceptable downtime
B.Total cost of recovering critical systems
C.Extent of data loss that is acceptable
D.Acceptable reduction in the level of service

A

C. The RPO determines acceptable data loss and the earliest acceptable recovery point in time, quantifying the permissible data loss in case of interruption.

62
Q

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity?

A.Draft and publish a clear practice for enterprise-level incident response.
B.Establish a cross-departmental working group to share perspectives.
C.Develop a scenario and perform a structured walk-through.
D.Develop a project plan for end-to-end testing of disaster recovery.

A

C. A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans.

63
Q

Which of the following BEST helps define disaster recovery strategies?

A.Annual loss expectancy and exposure factor
B.Maximum tolerable downtime and data loss
C.Existing server and network redundancies
D.Data backup and offsite storage requirements

A

B. Two of the key outcomes of the business impact analysis are the recovery time objective (RTO) and recovery point objective (RPO)—maximum tolerable downtime and data loss—that further help in identifying the recovery strategies.

64
Q

In a disaster recovery situation, which of the following is the MOST important metric to ensure that data are synchronized between critical systems?

A.Recovery point objective (RPO)
B.Recovery time objective (RTO)
C.Recovery service resilience
D.Recovery service scalability

A

A. Establishing a common recovery point objective (RPO) is most critical for ensuring that interdependencies between systems are properly synchronized. It ensures that systems do not contain data from different points in time that may result in accounting transactions that cannot be reconciled and a loss of referential integrity.

65
Q

The reason a certification and accreditation process is performed on critical systems is to ensure that:

A.security compliance has been technically evaluated.
B.data have been encrypted and are ready to be stored.
C.the systems have been tested to run on different platforms.
D.the systems have followed the phases of a waterfall model.

A

A. Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration.

65
Q

The IT team of an enterprise informs the information systems (IS) auditor of a concern that some users might be loading illegal software packages onto a network. Which of the following should the IS auditor recommend for identifying if the concern is valid?

A.Use of diskless workstations
B.Periodic checking of hard drives
C.Use of current antivirus software
D.Policies that result in instant dismissal if violated

A

B. The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded onto the network.