Review 2

Question 1

The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely:

A) increase.
B) decrease.
C) remain the same.
D) be unpredictable.

Answer 1

Answer: A) increase.

Increase is correct. Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation (i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no DRP was in place).

Decrease is incorrect. The implementation of a DRP will always result in additional costs to the organization.

Remain the same is incorrect. The implementation of a DRP will always result in additional costs to the organization.

Be unpredictable is incorrect. The costs of a DRP are fairly predictable and consistent.

Question 2

An IS auditor evaluating logical access controls should FIRST:

A) document the controls applied to the potential access paths to the system.
B) test controls over the access paths to determine if they are functional.
C) evaluate the security environment in relation to written policies and practices.
D) obtain an understanding of the security risk to information processing.

Answer 2

Answer: D) obtain an understanding of the security risk to information processing.

Obtain an understanding of the security risk to information processing is correct. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk

Question 3

An organization completed a business impact analysis as part of business continuity planning. The NEXT step in the process is to develop:

A) a business continuity strategy.
B) a test and exercise plan.
C) a user training program.
D) the business continuity plan.

Answer 3

Answer: A) a business continuity strategy.

A business continuity strategy is correct. This is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover, and security must be considered during this phase

Question 4

While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should:

A) report the issue to IT management.
B) discuss the issue with the service provider.
C) perform a risk assessment.
D) perform an access review.

Answer 4

Answer: A) report the issue to IT management

Report the issue to IT management is correct. During an audit, if there are material issues that are of concern, they need to be reported to management in the audit report.

Question 5

As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?

A) Risk such as single point-of-failure and infrastructure risk
B) Threats to critical business processes
C) Critical business processes for ascertaining the priority for recovery
D) Resources required for resumption of business

Answer 5

Answer: C) Critical business processes for ascertaining the priority for recovery.

Critical business processes for ascertaining the priority for recovery is correct. The identification of critical business processes should be addressed first so that the priorities and time lines for recovery can be documented.

Question 6

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?

A) Variable sampling
B) Stratified mean per unit
C) Attribute sampling
D) Unstratified mean per unit

Answer 6

Answer: C) Attribute sampling

Attribute sampling is correct. This is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.

Variable sampling is incorrect. This is the method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values.

Stratified mean per unit is incorrect. This is used in variable sampling.

Unstratified mean per unit is incorrect. This is used in variable sampling.

Question 7

An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?

Computer-aided software engineering tools

Embedded data collection tools

Trend/variance detection tools

Heuristic scanning tools

Answer 7

Trend/variance detection tools are correct. They look for anomalies in user or system behavior, such as invoices with increasing invoice numbers.

Computer-aided software engineering tools is incorrect. These are used to assist in software development.

Embedded data collection tools is incorrect. Embedded (audit) data collection software, such as systems control audit review file or systems audit review file, is used to provide sampling and production statistics, but not to conduct an audit log analysis.

Heuristic scanning tools is incorrect. These are a type of virus scanning used to indicate possible infected traffic.

Question 8

While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that:

quality management systems comply with good practices.

continuous improvement targets are being monitored.

standard operating procedures of IT are updated annually.

key performance indicators are defined.

Answer 8

Continuous improvement targets are being monitored is correct. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS).

Quality management systems comply with good practices is incorrect. Generally, good practices are adopted according to business requirements. Therefore, conforming to good practices may or may not be a requirement of the business.

Standard operating procedures of it are updated annually is incorrect. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity.

Key performance indicators are defined is incorrect. Key performance indicators may be defined in a QMS, but they are of little value if they are not being monitored.

Question 9

During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern?

Maximum acceptable downtime metrics have not been defined in the contract.

The IT department does not manage the relationship with the cloud vendor.

The help desk call center is in a different country, with different privacy requirements.

Organization-defined security policies are not applied to the cloud application.

Answer 9

During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern?

Maximum acceptable downtime metrics have not been defined in the contract.

The IT department does not manage the relationship with the cloud vendor.

The help desk call center is in a different country, with different privacy requirements.

Organization-defined security policies are not applied to the cloud application.

Question 10

An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation?

Existing IT mechanisms enabling compliance

Alignment of the policy to the business strategy

Current and future technology initiatives

Regulatory compliance objectives defined in the policy

Answer 10

Existing IT mechanisms enabling compliance is correct. The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.

Alignment of the policy to the business strategy is incorrect. Policies should be aligned with the business strategy, but this does not affect an organization’s ability to comply with the policy upon implementation.

Current and future technology initiatives is incorrect. They should be driven by the needs of the business and would not affect an organization’s ability to comply with the policy.

Regulatory compliance objectives defined in the policy is incorrect. Regulatory compliance objectives may be defined in the IT policy, but that would not facilitate compliance with the policy. Defining objectives would only result in the organization knowing the desired state and would not aid in achieving compliance.

Question 11

Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?

The maturity of the project management process

The regulatory environment

Past audit findings

The IT project portfolio analysis

Answer 11

The IT project portfolio analysis is correct. Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.

The maturity of the project management process is incorrect. The maturity of the project management process is more important with respect to managing the day-to-day operations of IT versus performing strategic planning.

The regulatory environment is incorrect. Regulatory requirements may drive investment in certain technologies and initiatives; however, having to meet regulatory requirements is not typically the main focus of the IT and business strategy.

Past audit findings is incorrect. Past audit findings may drive investment in certain technologies and initiatives; however, having to remediate past audit findings is not the main focus of the IT and business strategy.

Question 12

Which of the following represents an example of a preventive control with respect to IT personnel?

A security guard stationed at the server room door

An intrusion detection system

Implementation of a badge entry system for the IT facility

A fire suppression system in the server room

Answer 12

Implementation of a badge entry system for the IT facility is correct. Preventive controls are used to reduce the probability of an adverse event. A badge entry system prevents unauthorized entry to the facility.

A security guard stationed at the server room door is incorrect. A security guard stationed at the server room door is a deterrent control.

An intrusion detection system is incorrect. An intrusion detection system is a detective control.

A fire suppression system in the server room is incorrect. A fire suppression system is a corrective control.

Question 13

Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?

Managing audit staff

Allocating resources

Project management

Attention to detail

Answer 13

Project management is correct. Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.

Managing audit staff is incorrect. This is not the only aspect of conducting an audit.

Allocating resources is incorrect. These resources, including time and personnel, are needed for overall project management skills.

Attention to detail is incorrect. This is needed, but it is not a constraint of conducting audits.

Question 14

Depending on the complexity of an organization’s business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that:

each plan is consistent with one another.

all plans are integrated into a single plan.

each plan is dependent on one another.

the sequence for implementation of all plans is defined.

Answer 14

Each plan is consistent with one another is correct. Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective.

All plans are integrated into a single plan is incorrect. The plans do not necessarily have to be integrated into one single plan.

Each plan is dependent on one another is incorrect. Although each plan may be independent, each plan has to be consistent with other plans to have a viable business continuity planning strategy.

The sequence for implementation of all plans is defined is incorrect. It may not be possible to define a sequence in which plans have to be implemented because it may be dependent on the nature of disaster, criticality, recovery time, etc.

Question 15

An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?

Network administrators are responsible for quality assurance.

System administrators are application programmers.

End users are security administrators for critical applications.

Systems analysts are database administrators.

Answer 15

System administrators are application programmers is correct. When individuals serve multiple roles, this represents a separation-of-duties problem with associated risk. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door. The other combinations of roles are valid from a separation of duties perspective.

Network administrators are responsible for quality assurance is incorrect. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of system administrator and application programmer, which would allow nearly unlimited abuse of privilege.

End users are security administrators for critical applications is incorrect. End users are security administrators for critical applications is incorrect. In some distributed environments, especially with small staffing levels, users may also manage security.

Systems analysts are database administrators is incorrect. While a database administrator is a very privileged position it would not be in conflict with the role of a systems analyst.

Question 16

An IS auditor notes daily reconciliation of visitor access card inventory is not aligned with the organization’s procedures. Which of the following is the auditor’s BEST course of action?

Do not report the lack of reconciliation.

Recommend regular physical inventory counts.

Report the lack of daily reconciliations.

Recommend the implementation of a more secure access system.

Answer 16

Report the lack of daily reconciliations is correct. The IS auditor should report the lack of daily reconciliation as an exception, because a physical inventory count gives assurance only at a point in time and the practice is not in compliance with management’s mandated activity.

Do not report the lack of reconciliation is incorrect. Absence of discrepancy in physical count only confirms absence of any impact but cannot be a reason to overlook failure of operation of the control. The issue should be reported because the control was not followed.

Recommend regular physical inventory counts is incorrect. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report when the current process is deficient.

Recommend the implementation of a more secure access system is incorrect. While the IS auditor may in some cases recommend a more secure solution, the primary goal is to observe and report when the current process is deficient.

Question 17

An IS auditor is reviewing an IT security risk management program. Measures of security risk should:

address all of the network risk.

be tracked over time against the IT strategic plan.

consider the entire IT environment.

result in the identification of vulnerability tolerances.

Answer 17

Consider the entire IT environment is correct. When assessing IT security risk, it is important to consider the entire IT environment.

Address all of the network risk is incorrect. Measures of security risk should not be limited to network risk, but rather focus on those areas with the highest criticality so as to achieve maximum risk reduction at the lowest possible cost.

Be tracked over time against the IT strategic plan is incorrect. IT strategic plans are not granular enough to provide appropriate measures. Objective metrics must be tracked over time against measurable goals; thus, the management of risk is enhanced by comparing today’s results against results from last week, last month and last quarter. Risk measures will profile assets on a network to objectively measure vulnerability risk.

Result in the identification of vulnerability tolerances is incorrect. Measures of security risk do not identify tolerances

Question 18

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:

assessment of the situation may be delayed.

execution of the disaster recovery plan could be impacted.

notification of the teams might not occur.

potential crisis recognition might be delayed.

Answer 18

Execution of the disaster recovery plan could be impacted is correct. Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis.

Assessment of the situation may be delayed is incorrect. Problem and severity assessment would provide information necessary in declaring a disaster, but the lack of a crisis declaration point would not delay the assessment.

Notification of the teams might not occur is incorrect. After a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying the declaration of a disaster would impact or negate the effect of having response teams, but this is only one part of the larger impact.

Potential crisis recognition might be delayed is incorrect. Potential crisis recognition is the first step in recognizing or responding to a disaster and would occur prior to the declaration of a disaster.

Question 19

While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructure damage. The BEST recommendation the IS auditor can provide to the organization is to ensure:

the salvage team is trained to use the notification system.

the notification system provides for the recovery of the backup.

redundancies are built into the notification system.

the notification systems are stored in a vault.

Answer 19

Redundancies are built into the notification system is correct. If the notification system has been severely impacted by the damage, redundancy would be the best control.

The salvage team is trained to use the notification system is incorrect. The salvage team would not be able to use a severely damaged notification system, even if they are trained to use it.

The notification system provides for the recovery of the backup is incorrect. The recovery of the backups has no bearing on the notification system.

The notification systems are stored in a vault is incorrect. Storing the notification system in a vault would be of little value if the building is damaged.

Question 20

The PRIMARY purpose of an IT forensic audit is:

to participate in investigations related to corporate fraud.

the systematic collection and analysis of evidence after a system irregularity.

to assess the correctness of an organization’s financial statements.

to preserve evidence of criminal activity.

Answer 20

The systematic collection and analysis of evidence after a system irregularity is correct. This best describes a forensic audit. The evidence collected can then be analyzed and used in judicial proceedings.

To participate in investigations related to corporate fraud is incorrect. Forensic audits are not limited to corporate fraud.

To assess the correctness of an organization’s financial statements is incorrect. Assessing the correctness of an organization’s financial statements is not the primary purpose of most forensic audits.

To preserve evidence of criminal activity is incorrect. Forensics is the investigation of evidence related to a crime or misbehavior. Preserving evidence is the forensic process, but not the primary purpose.

Question 21

Which of the following is the initial step in creating a firewall policy?

A cost-benefit analysis of methods for securing the applications

Identification of network applications to be externally accessed

Identification of vulnerabilities associated with network applications to be externally accessed

Creation of an application traffic matrix showing protection methods

Answer 21

Identification of network applications to be externally accessed is correct. Identification of the applications required across the network should be the initial step. After identification, depending on the physical location of these applications in the network and the network model, the person in charge will be able to understand the need for, and possible methods of, controlling access to these applications.

A cost-benefit analysis of methods for securing the applications is incorrect. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step.

Identification of vulnerabilities associated with network applications to be externally is incorrect. Having identified the externally accessed applications, the second step is to identify vulnerabilities (weaknesses) associated with the network applications.

Creation of an application traffic matrix showing protection methods is incorrect. The fourth step is to analyze the application traffic and create a matrix showing how each type of traffic will be protected.

Question 22

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:

incorporates state of the art technology.

addresses the required operational controls.

articulates the IT mission and vision.

specifies project management practices.

Answer 22

Articulates the it mission and vision is correct. The IT strategic plan must include a clear articulation of the IT mission and vision.

Incorporates state of the art technology is incorrect. The plan does not need to address state of the art technology; the decision to implement new technology is dependent on the approach to risk and management strategy.

Addresses the required operational controls is incorrect. The plan does not need to address operational controls because those are too granular for strategic planning.

Specifies project management practices is incorrect. The plan should be implemented with proper project management, but the plan does not need to address project management practices.

Question 23

Data flow diagrams are used by IS auditors to:

identify key controls.

highlight high-level data definitions.

graphically summarize data paths and storage.

portray step-by-step details of data generation.

Answer 23

Graphically summarize data paths and storage is correct. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.

Identify key controls is incorrect. This is not the focus of data flow diagrams. The focus is as the name states—flow of data.

Highlight high-level data definitions is incorrect. A data dictionary may be used to document data definitions, but the data flow diagram is used to document how data move through a process.

Portray step-by-step details of data generation is incorrect. The purpose of a data flow diagram is to track the movement of data through a process and is not primarily to document or indicate how data are generated.

Question 24

Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system?

Re-performance

Process walk-through

Observation

Documentation review

Answer 24

Re-performance is correct. To ensure the effectiveness of controls, it is most effective to conduct re-performance. When the same result is obtained after the performance by an independent person, this provides the strongest assurance.

Process walk-through is incorrect. This may help the auditor understand the controls better; however, it may not be as useful as conducting re-performance for a sample of transactions.

Observation is incorrect. This is a valid audit method to verify that operators are using the system appropriately; however, conducting re-performance is a better method.

Documentation review is incorrect. This may be of some value for understanding the control environment; however, conducting re-performance is a better method.