Pre-Test Flashcards by Host Mom

Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit?

A. Contingency planning
B. IS management resource allocation
C. Project management
D. Knowledge of internal controls

C. Project management

How well did you know this?

Not at all

Perfectly

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation?

A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle.
C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization’s risk management.

D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization’s risk management.

How well did you know this?

Not at all

Perfectly

An IS auditor is evaluating a virtual machine–based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?

A. Server configuration has been hardened appropriately.
B. Allocated physical resources are available.
C. System administrators are trained to use the virtual machine (VM) architecture.
D. The VM server is included in the disaster recovery plan (DRP).

A. Server configuration has been hardened appropriately.

How well did you know this?

Not at all

Perfectly

A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of:

A. concurrent access.
B. deadlocks.
C. unauthorized access to data.
D. a loss of data integrity.

D. a loss of data integrity.

How well did you know this?

Not at all

Perfectly

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system?

A. Three users with the ability to capture and verify their own messages
B. Five users with the ability to capture and send their own messages
C. Five users with the ability to verify other users and to send their own messages
D. Three users with the ability to capture and verify the messages of other users and to send their own messages

A. Three users with the ability to capture and verify their own messages

How well did you know this?

Not at all

Perfectly

Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable?

A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.

C. Focus on auditing high-risk areas.

How well did you know this?

Not at all

Perfectly

A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.

C. Focus on auditing high-risk areas.

How well did you know this?

Not at all

Perfectly

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:

A. include the statement from management in the audit report.
B. verify the software is in use through testing.
C. include the item in the audit report.
D. discuss the issue with senior management because it could have a negative impact on the organization.

B. verify the software is in use through testing.

How well did you know this?

Not at all

Perfectly

The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors?

A. Stop-or-go
B. Classical variable
C. Discovery
D. Probability-proportional-to-size

C. Discovery

How well did you know this?

Not at all

Perfectly

An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:

A. lower confidence coefficient, resulting in a smaller sample size.
B. higher confidence coefficient, resulting in a smaller sample size.
C. higher confidence coefficient, resulting in a larger sample size.
D. lower confidence coefficient, resulting in a larger sample size.

A. lower confidence coefficient, resulting in a smaller sample size.

How well did you know this?

Not at all

Perfectly

Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?

A. Complexity of the organization’s operation
B. Findings and issues noted from the prior year
C. Purpose, objective and scope of the audit
D. Auditor’s familiarity with the organization

C. Purpose, objective and scope of the audit

How well did you know this?

Not at all

Perfectly

An auditor’s familiarity with the organization is a factor in the planning of an audit, but does not directly affect the determination of how much data to collect. The audit must be based on sufficient evidence of the monitoring of controls and not unduly influenced by the auditor’s familiarity with the organization.
Which of the following does a lack of adequate controls represent?

A. An impact
B. A vulnerability
C. An asset
D. A threat

B. A vulnerability

How well did you know this?

Not at all

Perfectly

Which of the following is the PRIMARY requirement in reporting results of an IS audit? The report is:

A. prepared according to a predefined and standard template.
B. backed by sufficient and appropriate audit evidence.
C. comprehensive in coverage of enterprise processes.
D. reviewed and approved by audit management.

B. backed by sufficient and appropriate audit evidence.

How well did you know this?

Not at all

Perfectly

The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:

A. inform the audit committee of the potential issue.
B. review audit logs for the IDs in question.
C. document the finding and explain the risk of using shared IDs.
D. request that the IDs be removed from the system.

C. document the finding and explain the risk of using shared IDs.

How well did you know this?

Not at all

Perfectly

An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?

A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.

A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.

How well did you know this?

Not at all

Perfectly

The PRIMARY objective of performing a post-incident review is that it presents an opportunity to:

A. improve internal control procedures.
B. harden the network to industry good practices.
C. highlight the importance of incident response management to management.
D. improve employee awareness of the incident response process.

A. improve internal control procedures.

How well did you know this?

Not at all

Perfectly

An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?

A. Development of an audit program
B. Review of the audit charter
C. Identification of key information own
D. Development of a risk assessment

D. Development of a risk assessment

How well did you know this?

Not at all

Perfectly

Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file?

A. Attribute sampling
B. Computer-assisted audit techniques (CAATs)
C. Compliance testing
D. Integrated test facility (ITF)

B. Computer-assisted audit techniques (CAATs)

How well did you know this?

Not at all

Perfectly

Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment?

A. To conduct a feasibility study to demonstrate IT value
B. To ensure that investments are made according to business requirements
C. To ensure that proper security controls are enforced
D. To ensure that a standard development methodology is implemented

B. To ensure that investments are made according to business requirements

How well did you know this?

Not at all

Perfectly

As an outcome of information security governance, strategic alignment provides:

A. security requirements driven by enterprise requirements.
B. baseline security following good practices.
C. institutionalized and commoditized solutions.
D. an understanding of risk exposure.

A. security requirements driven by enterprise requirements.

How well did you know this?

Not at all

Perfectly

An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern?

A. Senior management has limited involvement.
B. Return on investment (ROI) is not measured.
C. Chargeback of IT cost is not consistent.
D. Risk appetite is not quantified.

A. Senior management has limited involvement.

How well did you know this?

Not at all

Perfectly

Which of the following IT governance good practices improves strategic alignment?

A. Supplier and partner risk is managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.

D. Top management mediates between the imperatives of business and technology.

How well did you know this?

Not at all

Perfectly

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:

A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.

C. one person knowing all parts of a system.

How well did you know this?

Not at all

Perfectly

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls

D. Compensating controls

How well did you know this?

Not at all

Perfectly

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? A. Review the strategic alignment of IT with the business. B. Implement accountability rules within the organization. C. Ensure that independent IS audits are conducted periodically. D. Create a chief risk officer (CRO) role in the organization.

B. Implement accountability rules within the organization.

When auditing the archiving of the company’s email communications, the IS auditor should pay the MOST attention to: A. the existence of a data retention policy. B. the storage capacity of the archiving solution. C. the level of user awareness concerning email use. D. the support and stability of the archiving solution manufacturer.

A. the existence of a data retention policy

Which of the following situations is addressed by a software escrow agreement? A. The system administrator requires access to software to recover from a disaster. B. A user requests to have software reloaded onto a replacement hard drive. C. The vendor of custom-written software goes out of business. D. An IS auditor requires access to software code written by the organization.

C. The vendor of custom-written software goes out of business.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: A. claims to meet or exceed industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization.

B. agrees to be subject to external security reviews.

After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk? A. Project management and progress reporting is combined in a project management office which is driven by external consultants. B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company’s legacy systems. D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach.

To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the: A. enterprise data model. B. IT balanced scorecard (BSC). C. IT organizational structure. D. historical financial statements.

B. IT balanced scorecard (BSC).

Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset? A. Results of a risk assessment B. Relative value to the business C. Results of a vulnerability assessment D. Cost of security controls

A. Results of a risk assessment

When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? A. Transfer B. Mitigation C. Avoidance D. Acceptance

B. Mitigation

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: A. verify how the organization follows the standards. B. identify and report the controls currently in place. C. review the metrics for quality evaluation. D. request all standards that have been adopted by the organization.

D. request all standards that have been adopted by the organization.

When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the: A. establishment of a review board. B. creation of a security unit. C. effective support of an executive sponsor. D. selection of a security process owner.

C. effective support of an executive sponsor.

While reviewing a quality management system (QMS) the IS auditor should PRIMARILY focus on collecting evidence to show that: A. quality management systems (QMSs) comply with good practices. B. continuous improvement targets are being monitored. C. standard operating procedures of IT are updated annually. D. key performance indicators (KPIs) are defined.

B. continuous improvement targets are being monitored.

Before implementing an IT balanced scorecard (BSC), an organization must: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses.

B. define key performance indicators.

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. D. potential crisis recognition might be delayed.

B. execution of the disaster recovery plan could be impacted.

An IS auditor is reviewing an organization’s recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined? A. The interruption window B. The recovery time objective (RTO) C. The service delivery objective (SDO) D. The recovery point objective (RPO)

D. The recovery point objective (RPO)

B. Implement accountability rules within the organization.

To optimize an organization’s BCP, an IS auditor should recommend a BIA to determine: A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first B. the priorities and order for recovery to ensure alignment with the organization’s business strategy C. the business processes that must be recovered following a disaster to ensure the organization’s survival D. the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame

C. the business processes that must be recovered following a disaster to ensure the organization’s survival

Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project? A. System owners B. System users C. System designers D. System builders

A. System owners

When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the: A. project be discontinued. B. business case be updated and possible corrective actions be identified. C. project be returned to the project sponsor for reapproval. D. project be completed and the business case be updated later.

B. business case be updated and possible corrective actions be identified

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved.

D. ensure that the procedure had been approved.

A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern? A. Acceptance testing is to be managed by users. B. A quality plan is not part of the contracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototyping is being used to confirm that the system meets business requirements.

B. A quality plan is not part of the contracted deliverables.

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? A. Project sponsor B. System development project team (SDPT) C. Project steering committee D. User project team (UPT)

C. Project steering committee

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the: A. effectiveness of the QA function because it should interact between project management and user management. B. efficiency of the QA function because it should interact with the project implementation team. C. effectiveness of the project manager because the project manager should interact with the QA function. D. efficiency of the project manager because the QA function will need to communicate with the project implementation team.

A. effectiveness of the QA function because it should interact between project management and user management.

Which of the following would BEST help to prioritize project activities and determine the time line for a project? A. A Gantt chart B. Earned value analysis (EVA) C. Program evaluation review technique (PERT) D. Function point analysis (FPA)

A. A Gantt chart

An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? A. Achieve standards alignment through an increase of resources devoted to the project. B. Align the data definition standards after completion of the project. C. Delay the project until compliance with standards can be achieved. D. Enforce standard compliance by adopting punitive measures against violators.

A. Achieve standards alignment through an increase of resources devoted to the project.

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? A. Requirements should be tested in terms of importance and frequency of use. B. Test coverage should be restricted to functional requirements. C. Automated tests should be performed through the use of scripting. D. The number of required test runs should be reduced by retesting only defect fixes.

A. Requirements should be tested in terms of importance and frequency of use.

Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? A. User management B. Project steering committee C. Senior management D. Quality assurance staff

A. User management

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform? A. Program output testing B. System configuration C. Program logic specification D. Performance tuning

A. Program output testing

From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is: A. a major deployment after proof of concept. B. prototyping and a one-phase deployment. C. a deployment plan based on sequenced phases. D. to simulate the new infrastructure before deployment.

C. a deployment plan based on sequenced phases.

During a post-implementation review, which of the following activities should be performed? A. User acceptance testing (UAT) B. Return on investment (ROI) analysis C. Activation of audit trails D. Updates of the state of enterprise architecture (EA) diagrams

B. Return on investment (ROI) analysis

The PRIMARY objective of conducting a post-implementation review for a business process automation project is to: A. ensure that the project meets the intended business requirements. B. evaluate the adequacy of controls. C. confirm compliance with technological standards. D. confirm compliance with regulatory requirements.

A. ensure that the project meets the intended business requirements.

.A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? A. IS auditor B. Database administrator C. Project manager D. Data owner

D. Data owner

An IS auditor should ensure that review of online electronic funds transfer (EFT) reconciliation procedures should include: A. vouching. B. authorizations. C. corrections. D. tracing.

D. tracing.

Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)? A. A service adjustment resulting from an exception report took a day to implement. B. The complexity of application logs used for service monitoring made the review difficult. C. Performance measures were not included in the SLA. D. The document is updated on an annual basis.

C. Performance measures were not included in the SLA.

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST? A. Postpone the audit until the agreement is documented. B. Report the existence of the undocumented agreement to senior management. C. Confirm the content of the agreement with both departments. D. Draft a service level agreement (SLA) for the two departments.

C. Confirm the content of the agreement with both departments.

Which of the following is the BEST reference for an IS auditor to determine a vendor’s ability to meet service level agreement (SLA) requirements for a critical IT security service? A. Compliance with the master agreement B. Agreed-on key performance metrics C. Results of business continuity tests D. Results of independent audit reports

B. Agreed-on key performance metrics

When reviewing the configuration of network devices, an IS auditor should FIRST identify: A. the good practices for the type of network devices deployed. B. whether components of the network are missing. C. the importance of the network devices in the topology. D. whether subcomponents of the network are being used appropriately.

C. the importance of the network devices in the topology.

Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases? A. Change management B. Backup and recovery C. Incident management D. Configuration management

D. Configuration management

An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation? A. Malware on servers B. Firewall misconfiguration C. Increased spam received by the email server D. Unauthorized network activities

D. Unauthorized network activities

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: A. only systems administrators perform the patch process. B. the client’s change management process is adequate. C. patches are validated using parallel testing in production. D. an approval process of the patch, including a risk assessment, is developed.

B. the client’s change management process is adequate.

Which of the following ways is the BEST for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor? A. Ensure that automatic updates are enabled on critical production servers. B. Verify manually that the patches are applied on a sample of production servers. C. Review the change management log for critical production servers. D. Run an automated tool to verify the security patches on production servers.

D. Run an automated tool to verify the security patches on production servers.

The database administrator (DBA) suggests that database efficiency can be improved by denormalizing some tables. This would result in: A. loss of confidentiality. B. increased redundancy. C. unauthorized accesses. D. application malfunctions.

B. increased redundancy.

Segmenting a highly sensitive database results in: A. reduced exposure. B. reduced threat. C. less criticality. D. less sensitivity.

A. reduced exposure.

An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access is not consistent with company policy yet is required for smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution? A. Redesign the controls related to data authorization. B. Implement additional segregation of duties controls. C. Review policy to see if a formal exception process is required. D. Implement additional logging controls.

C. Review policy to see if a formal exception process is required.

.Which of the following choices BEST ensures accountability when updating data directly in a production database? A. Before and after screen images B. Approved implementation plans C. Approved validation plan D. Data file security

A. Before and after screen images

Which of the following specifically addresses how to detect cyberattacks against an organization’s IT systems and how to recover from an attack? A. An incident response plan (IRP) B. An IT contingency plan C. A business continuity plan (BCP) D. A continuity of operations plan (COOP)

A. An incident response plan (IRP)

The PRIMARY objective of performing a post-incident review is that it presents an opportunity to: A. improve internal control procedures. B. harden the network to industry good practices. C. highlight the importance of incident response management to management. D. improve employee awareness of the incident response process.

A. improve internal control procedures.

.In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation? A. Approve and document the change the next business day. B. Limit developer access to production to a specific time frame. C. Obtain secondary approval before releasing to production. D. Disable the compiler option in the production machine.

A. Approve and document the change the next business day.

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser- privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend? A. Implement a properly documented process for application role change requests. B. Hire additional staff to provide a segregation of duties (SoD) for application role changes. C. Implement an automated process for changing application roles. D. Document the current procedure in detail, and make it available on the enterprise intranet.

A. Implement a properly documented process for application role change requests.

An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the: A. IT department implement control mechanisms to prevent unauthorized software installation. B. security policy be updated to include specific language regarding unauthorized software. C. IT department prohibit the download of unauthorized software. D. users obtain approval from an IS manager before installing nonstandard software.

B. security policy be updated to include specific language regarding unauthorized software.

Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? A. Applications may not be subject to testing and IT general controls. B. Development and maintenance costs may be increased. C. Application development time may be increased. D. Decision-making may be impaired due to diminished responsiveness to requests for information.

A. Applications may not be subject to testing and IT general controls.

During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the IS auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor? A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident. B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices. C. Corporate security measures have not been incorporated into the test plan. D. A test has not been made to ensure that tape backups from the remote offices are usable.

A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.

Which of the following is the BEST indicator of the effectiveness of backup and restore procedures while restoring data after a disaster? A. Members of the recovery team were available. B. Recovery time objectives (RTOs) were met. C. Inventory of backup tapes was properly maintained. D. Backup tapes were completely restored at an alternate site.

B. Recovery time objectives (RTOs) were met.

An IS auditor is reviewing the most recent disaster recovery plan (DRP) of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan? A. Executive management B. IT management C. Board of directors D. Steering committee

B. IT management

Which of the following is the MOST efficient way to test the design effectiveness of a change control process? A. Test a sample population of change requests B. Test a sample of authorized changes C. Interview personnel in charge of the change control process D. Perform an end-to-end walk-through of the process

D. Perform an end-to-end walk-through of the process

Which of the following is the GREATEST risk of an organization using reciprocal agreements for disaster recovery between two business units? A. The documents contain legal deficiencies. B. Both entities are vulnerable to the same incident. C. IT systems are not identical. D. One party has more frequent disruptions than the other.

B. Both entities are vulnerable to the same incident.

An information security policy stating that “the display of passwords must be masked or suppressed” addresses which of the following attack methods? A. Piggybacking B. Dumpster diving C. Shoulder surfing D. Impersonation

C. Shoulder surfing

With the help of a security officer, granting access to data is the responsibility of: A. data owners. B. programmers. C. system analysts. D. librarians.

A. data owners.

Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? A. Power line conditioners B. Surge protective devices C. Alternative power supplies D. Interruptible power supplies

A. Power line conditioners

An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that: A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity. B. access cards are not labeled with the organization’s name and address to facilitate easy return of a lost card. C. card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards. D. the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure.

A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity.

The PRIMARY purpose of installing data leak prevention (DLP) software is to control which of the following choices? A. Access privileges to confidential files stored on servers B. Attempts to destroy critical data on the internal network C. Which external systems can access internal resources D. Confidential documents leaving the internal network

D. Confidential documents leaving the internal network

Neural networks are effective in detecting fraud because they can: A. discover new trends because they are inherently linear. B. solve problems where large and general sets of training data are not obtainable. C. attack problems that require consideration of a large number of input variables. D. make assumptions about the shape of any curve relating variables to the output.

C. attack problems that require consideration of a large number of input variables.

The FIRST step in data classification is to: A. establish ownership. B. perform a criticality analysis. C. define access rules. D. create a data dictionary.

A. establish ownership.

From a control perspective, the PRIMARY objective of classifying information assets is to: A. establish guidelines for the level of access controls that should be assigned. B. ensure access controls are assigned to all information assets. C. assist management and auditors in risk assessment. D. identify which assets need to be insured against losses.

A. establish guidelines for the level of access controls that should be assigned.

When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor? A. Hard disks are overwritten several times at the sector level but are not reformatted before leaving the organization. B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization. C. Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization. D. The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded.

B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization.

.The risk of dumpster diving is BEST mitigated by: A. implementing security awareness training. B. placing shred bins in copy rooms. C. developing a media disposal policy. D. placing shredders in individual offices.

A. implementing security awareness training.

Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program? A. Review the security training program. B. Ask the security administrator. C. Interview a sample of employees. D. Review the security reminders to employees.

C. Interview a sample of employees.

Which of the following is the MAIN reason an organization should have an incident response plan? The plan helps to: A. ensure prompt recovery from system outages. B. contain costs related to maintaining DRP capabilities. C. ensure that customers are promptly notified of issues such as security breaches. D. minimize the impact of an adverse event.

D. minimize the impact of an adverse event.

The CSIRT of an organization disseminates detailed descriptions of recent threats. An IS auditor’s GREATEST concern should be that the users may: A. use this information to launch attacks. B. forward the security alert. C. implement individual solutions. D. fail to understand the threat.

A. use this information to launch attacks.

An IS audit department considers implementing continuous auditing techniques for a multinational retail enterprise that requires high availability of its key systems. A PRIMARY benefit of continuous auditing is that: A. effective preventive controls are enforced. B. system integrity is ensured. C. errors can be corrected in a timely fashion. D. fraud can be detected more quickly.

D. fraud can be detected more quickly.

The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function? A. Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit. B. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence. C. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. D. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.

C. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.

The success of control self-assessment (CSA) depends highly on: A. having line managers assume a portion of the responsibility for control monitoring. B. assigning staff managers the responsibility for building, but not monitoring, controls. C. the implementation of a stringent control policy and rule-driven controls. D. the implementation of supervision and the monitoring of controls of assigned duties.

A. having line managers assume a portion of the responsibility for control monitoring.

When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts? A. Ensure that the IT security risk assessment has a clearly defined scope. B. Require the IT security officer to approve each risk rating during the workshop. C. Suggest that the IT security officer accept the business unit risk and rating. D. Select only commonly accepted risk with the highest submitted rating.

A. Ensure that the IT security risk assessment has a clearly defined scope.

An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff response to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario? A. Notify the local fire department of the alarm condition. B. Prepare to activate the fire suppression system. C. Ensure that all persons in the data center are evacuated. D. Remove all backup tapes from the data center.

C. Ensure that all persons in the data center are evacuated.

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: A. excessive transaction turnaround time. B. application interface failure. C. improper transaction authorization. D. nonvalidated batch totals.

C. improper transaction authorization.

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk? A. Undocumented approval of some project changes B. Faulty migration of historical data from the old system to the new system C. Incomplete testing of the standard functionality of the ERP subsystem D. Duplication of existing payroll permissions on the new ERP subsystem

B. Faulty migration of historical data from the old system to the new system

An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization’s project management process is the MOST likely cause of this issue? A. Project scope management B. Project time management C. Project risk management D. Project procurement management

A. Project scope management

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables C. Extrapolation of the overall end date based on completed work packages and current resources D. Calculation of the expected end date based on current resources and remaining available project budget

C. Extrapolation of the overall end date based on completed work packages and current resources

An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor’s MAIN concern should be that the: A. complexity and risk associated with the project have been analyzed. B. resources needed throughout the project have been determined. C. technical deliverables have been identified. D. a contract for external parties involved in the project has been completed

A. complexity and risk associated with the project have been analyzed.

The PRIMARY objective of service-level management (SLM) is to: A. define, agree on, record and manage the required levels of service. B. ensure that services are managed to deliver the highest achievable level of availability. C. keep the costs associated with any service at a minimum. D. monitor and report any legal noncompliance to business management.

A. define, agree on, record and manage the required levels of service.

The BEST audit procedure to determine if unauthorized changes have been made to production code is to: A. examine the change control system records and trace them forward to object code files. B. review access control permissions operating within the production program libraries. C. examine object code to find instances of changes and trace them back to change control records. D. review change approved designations established within the change control system.

C. examine object code to find instances of changes and trace them back to change control records.

Which of the following is the BEST method for determining the criticality of each application system in the production environment? A. Interview the application programmers. B. Perform a gap analysis. C. Review the most recent application audits. D. Perform a business impact analysis (BIA).

D. Perform a business impact analysis (BIA).

Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test? A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year. B. During the test, some of the backup systems were defective or not working, causing the test of these systems to fail. C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned. D. Every year, the same employees perform the test. The recovery plan documents are not used because every step is well known by all participants.

B. During the test, some of the backup systems were defective or not working, causing the test of these systems to fail.

28.Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)? A. Business processes owners B. IT management C. Senior business management D. Industry experts

A. Business processes owners

While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be: A. shadow file processing. B. electronic vaulting. C. hard-disk mirroring. D. hot-site provisioning.

A. shadow file processing.

The information security policy that states “each individual must have his/her badge read at every controlled door” addresses which of the following attack methods? A. Piggybacking B. Shoulder surfing C. Dumpster diving D. Impersonation

A. Piggybacking

An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks? A. Internet protocol (IP) spoofing B. Phishing C. Structured query language (SQL) injection D. Denial-of-service (DoS)

B. Phishing

A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed? A. On the local network B. Outside the firewall C. In the demilitarized zone (DMZ) D. On the server that hosts the web site

C. In the demilitarized zone (DMZ)

What would be the MOST effective control for enforcing accountability among database users accessing sensitive information? A. Implement a log management process. B. Implement a two-factor authentication. C. Use table views to access sensitive data. D. Separate database and application servers.

A. Implement a log management process.

What is the BEST approach to mitigate the risk of a phishing attack? A. Implementation of an intrusion detection system (IDS) B. Assessment of web site security C. Strong authentication D. User education

D. User education

Which of the following BEST encrypts data on mobile devices? A. Elliptical curve cryptography (ECC) B. Data encryption standard (DES) C. Advanced encryption standard (AES) D. The Blowfish algorithm

A. Elliptical curve cryptography (ECC)

When protecting an organization’s IT systems, which of the following is normally the next line of defense after the network firewall has been compromised? A. Personal firewall B. Antivirus programs C. Intrusion detection system (IDS) D. Virtual local area network (VLAN) configuration

C. Intrusion detection system (IDS)

Which of the following would MOST effectively enhance the security of a challenge-response based authentication system? A. Selecting a more robust algorithm to generate challenge strings B. Implementing measures to prevent session hijacking attacks C. Increasing the frequency of associated password changes D. Increasing the length of authentication strings

B. Implementing measures to prevent session hijacking attacks

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software: A. is configured with an implicit deny rule as the last rule in the rule base. B. is installed on an operating system with default settings. C. has been configured with rules permitting or denying access to systems or networks. D. is configured as a virtual private network (VPN) endpoint.

B. is installed on an operating system with default settings.