Review 2 Flashcards
The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely:
A) increase.
B) decrease.
C) remain the same.
D) be unpredictable.
Answer: A) increase.
Increase is correct. Due to the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations for any organization will always increase after a DRP implementation (i.e., the cost of normal operations during a nondisaster period will be more than the cost of operations during a nondisaster period when no DRP was in place).
Decrease is incorrect. The implementation of a DRP will always result in additional costs to the organization.
Remain the same is incorrect. The implementation of a DRP will always result in additional costs to the organization.
Be unpredictable is incorrect. The costs of a DRP are fairly predictable and consistent.
An IS auditor evaluating logical access controls should FIRST:
A) document the controls applied to the potential access paths to the system.
B) test controls over the access paths to determine if they are functional.
C) evaluate the security environment in relation to written policies and practices.
D) obtain an understanding of the security risk to information processing.
Answer: D) obtain an understanding of the security risk to information processing.
Obtain an understanding of the security risk to information processing is correct. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk
An organization completed a business impact analysis as part of business continuity planning. The NEXT step in the process is to develop:
A) a business continuity strategy.
B) a test and exercise plan.
C) a user training program.
D) the business continuity plan.
Answer: A) a business continuity strategy.
A business continuity strategy is correct. This is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover, and security must be considered during this phase
While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should:
A) report the issue to IT management.
B) discuss the issue with the service provider.
C) perform a risk assessment.
D) perform an access review.
Answer: A) report the issue to IT management
Report the issue to IT management is correct. During an audit, if there are material issues that are of concern, they need to be reported to management in the audit report.
As part of the business continuity planning process, which of the following should be identified FIRST in the business impact analysis?
A) Risk such as single point-of-failure and infrastructure risk
B) Threats to critical business processes
C) Critical business processes for ascertaining the priority for recovery
D) Resources required for resumption of business
Answer: C) Critical business processes for ascertaining the priority for recovery.
Critical business processes for ascertaining the priority for recovery is correct. The identification of critical business processes should be addressed first so that the priorities and time lines for recovery can be documented.
Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix?
A) Variable sampling
B) Stratified mean per unit
C) Attribute sampling
D) Unstratified mean per unit
Answer: C) Attribute sampling
Attribute sampling is correct. This is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control.
Variable sampling is incorrect. This is the method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values.
Stratified mean per unit is incorrect. This is used in variable sampling.
Unstratified mean per unit is incorrect. This is used in variable sampling.
An IS auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?
A. Computer-aided software engineering tools
B. Embedded data collection tools
C. Trend/variance detection tools
D. Heuristic scanning tools
C. Trend/variance detection tools are
correct. They look for anomalies in user or system behavior, such as invoices with increasing invoice numbers.
Computer-aided software engineering tools is incorrect. These are used to assist in software development.
Embedded data collection tools is incorrect. Embedded (audit) data collection software, such as systems control audit review file or systems audit review file, is used to provide sampling and production statistics, but not to conduct an audit log analysis.
Heuristic scanning tools is incorrect. These are a type of virus scanning used to indicate possible infected traffic.
While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that:
A. quality management systems comply with good practices.
B. continuous improvement targets are being monitored.
C. standard operating procedures of IT are updated annually.
D. key performance indicators are defined.
B. Continuous improvement targets are being monitored is correct. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS).
Quality management systems comply with good practices is incorrect. Generally, good practices are adopted according to business requirements. Therefore, conforming to good practices may or may not be a requirement of the business.
Standard operating procedures of it are updated annually is incorrect. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity.
Key performance indicators are defined is incorrect. Key performance indicators may be defined in a QMS, but they are of little value if they are not being monitored.
During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern?
A) Maximum acceptable downtime metrics have not been defined in the contract.
B) The IT department does not manage the relationship with the cloud vendor.
C) The help desk call center is in a different country, with different privacy requirements.
D) Organization-defined security policies are not applied to the cloud application.
?
An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation?
A) Existing IT mechanisms enabling compliance
B) Alignment of the policy to the business strategy
C) Current and future technology initiatives
D) Regulatory compliance objectives defined in the policy
A) Existing IT mechanisms enabling compliance is correct.
The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.
Alignment of the policy to the business strategy is incorrect. Policies should be aligned with the business strategy, but this does not affect an organization’s ability to comply with the policy upon implementation.
Current and future technology initiatives is incorrect. They should be driven by the needs of the business and would not affect an organization’s ability to comply with the policy.
Regulatory compliance objectives defined in the policy is incorrect. Regulatory compliance objectives may be defined in the IT policy, but that would not facilitate compliance with the policy. Defining objectives would only result in the organization knowing the desired state and would not aid in achieving compliance.
Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?
A) The maturity of the project management process
B) The regulatory environment
C) Past audit findings
D) The IT project portfolio analysis.
The IT project portfolio analysis is correct.
Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.
The maturity of the project management process is incorrect. The maturity of the project management process is more important with respect to managing the day-to-day operations of IT versus performing strategic planning.
The regulatory environment is incorrect. Regulatory requirements may drive investment in certain technologies and initiatives; however, having to meet regulatory requirements is not typically the main focus of the IT and business strategy.
Past audit findings is incorrect. Past audit findings may drive investment in certain technologies and initiatives; however, having to remediate past audit findings is not the main focus of the IT and business strategy.
Which of the following represents an example of a preventive control with respect to IT personnel?
A) A security guard stationed at the server room door
B) An intrusion detection system
C) Implementation of a badge entry system for the IT facility
D) A fire suppression system in the server room
C) Implementation of a badge entry system for the IT facility is correct.
Preventive controls are used to reduce the probability of an adverse event. A badge entry system prevents unauthorized entry to the facility.
A security guard stationed at the server room door is incorrect. A security guard stationed at the server room door is a deterrent control.
An intrusion detection system is incorrect. An intrusion detection system is a detective control.
A fire suppression system in the server room is incorrect. A fire suppression system is a corrective control.
Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?
A) Managing audit staff
B) Allocating resources
C) Project management
D) Attention to detail
C) Project management is correct.
Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.
Managing audit staff is incorrect. This is not the only aspect of conducting an audit.
Allocating resources is incorrect. These resources, including time and personnel, are needed for overall project management skills.
Attention to detail is incorrect. This is needed, but it is not a constraint of conducting audits.
Depending on the complexity of an organization’s business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that:
A) each plan is consistent with one another.
B) all plans are integrated into a single plan.
C) each plan is dependent on one another.
D) the sequence for implementation of all plans is defined.
A) Each plan is consistent with one another is correct.
Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective.
All plans are integrated into a single plan is incorrect. The plans do not necessarily have to be integrated into one single plan.
Each plan is dependent on one another is incorrect. Although each plan may be independent, each plan has to be consistent with other plans to have a viable business continuity planning strategy.
The sequence for implementation of all plans is defined is incorrect. It may not be possible to define a sequence in which plans have to be implemented because it may be dependent on the nature of disaster, criticality, recovery time, etc.
An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor?
A) Network administrators are responsible for quality assurance.
B) System administrators are application programmers.
C) End users are security administrators for critical applications.
D) Systems analysts are database administrators.
C) System administrators are application programmers is correct.
When individuals serve multiple roles, this represents a separation-of-duties problem with associated risk. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door. The other combinations of roles are valid from a separation of duties perspective.
Network administrators are responsible for quality assurance is incorrect. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of system administrator and application programmer, which would allow nearly unlimited abuse of privilege.
End users are security administrators for critical applications is incorrect. End users are security administrators for critical applications is incorrect. In some distributed environments, especially with small staffing levels, users may also manage security.
Systems analysts are database administrators is incorrect. While a database administrator is a very privileged position it would not be in conflict with the role of a systems analyst.