Domain 4
A4-83 An organization completed a business impact analysis as part of business continuity planning. The NEXT step in the process is to develop: A. a business continuity strategy. B. a test and exercise plan. C. a user training program. D. the business continuity plan (BCP).
A is the correct answer. Justification: A. A business continuity strategy is the next phase because it identifies the best way to recover. The criticality of the business process, the cost, the time required to recover, and security must be considered during this phase. B. The recovery strategy and plan development precede the test plan. C. Training can only be developed once the business continuity plan (BCP) is in place. D. A strategy must be determined before the BCP is developed.
A4-71 Which of the following would an IS auditor consider to be the MOST important to review when conducting a disaster recovery audit? A. A hot site is contracted for and available as needed. B. A business continuity manual is available and current. C. Insurance coverage is adequate and premiums are current. D. Data backups are performed timely and stored offsite.
D is the correct answer. Justification: A. A hot site is important, but it is of no use if there are no data backups for it. B. A business continuity manual is advisable but not most important in a disaster recovery audit. C. Insurance coverage should be adequate to cover costs but is not as important as having the data backup. D. Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process.
A4-63 An offsite information processing facility with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a: A. cold site. B. warm site. C. dial-up site. D. duplicate processing facility.
A is the correct answer. Justification: A. A cold site is ready to receive equipment but does not offer any components at the site in advance of the need. B. A warm site is an offsite backup facility that is partially configured with network connections and selected peripheral equipment, such as disk and tape units, controllers and central processing units, to operate an information processing facility. C. A dial-up site is used for remote access, but not for offsite information processing. D. A duplicate information processing facility is a dedicated, fully developed recovery site that can back up critical applications.
A4-38 A new business requirement required changing database vendors. Which of the following areas should the IS auditor PRIMARILY examine in relation to this implementation? A. Integrity of the data B. Timing of the cutover C. Authorization level of users D. Normalization of the data
A is the correct answer. Justification: A. A critical issue when migrating data from one database to another is the integrity of the data and ensuring that the data are migrated completely and correctly. B. The timing of the cutover is important, but because the data are being migrated to a new database, duplication should not be an issue. C. The authorization of the users is not as relevant as the authorization of the application because the users will interface with the database through an application, and the users will not directly interface with the database. D. Normalization is used to design the database and is not necessarily related to database migration.
A4-28 Which of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program? A. A system downtime log B. Vendors' reliability figures C. Regularly scheduled maintenance log D. A written preventive maintenance schedule
A is the correct answer. Justification: A. A system downtime log provides evidence regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is validating a preventive control. B. Vendors' reliability figures are not an effective measure of a preventive maintenance program. C. Reviewing the log is a good detective control to ensure that maintenance is being done; however, only the system downtime will indicate whether the preventive maintenance is actually working well. D. A schedule is a good control to ensure that maintenance is scheduled and that no items are missed in the maintenance schedule; however, it is not a guarantee that the work is actually being done.
A4-99 Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend? A. Develop a baseline and monitor system usage. B. Define alternate processing procedures. C. Prepare the maintenance manual. D. Implement the changes users have suggested.
A is the correct answer. Justification: A. An IS auditor should recommend the development of a performance baseline and monitor the system's performance against the baseline to develop empirical data upon which decisions for modifying the system can be made. B. Alternate processing procedures will not alter a system's performance, and no changes should be made until the reported issue has been examined more thoroughly. C. A maintenance manual will not alter a system's performance or address the user concerns. D. Implementing changes without knowledge of the cause(s) for the perceived poor performance may not result in a more efficient system.
A4-20 A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators have asked if they could reduce the testing of the patches. What approach should the organization take? A. Continue the current process of testing and applying patches. B. Reduce testing and ensure that an adequate back-out plan is in place. C. Delay patching until resources for testing are available. D. Rely on the vendor's testing of the patches.
A is the correct answer. Justification: A. Applying security software patches promptly is critical to maintain the security of the servers; further, testing the patches is important because the patches may affect other systems and business operations. Because the vendor has recently released several critical patches in a short time, it can be hoped that this is a temporary problem and does not need a revision to policy or procedures. B. Reduced testing increases the risk of business operation disruption due to a faulty or incompatible patch. While a back-out plan does help mitigate this risk, a thorough testing up front would be the more appropriate option. C. Applying security software patches promptly is critical to maintain the security of the servers. Delaying patching would increase the risk of a security breach due to system vulnerability. D. The testing done by the vendor may not be applicable to the systems and environment of the organization that needs to deploy the patches.
A4-88 Which of the following activities performed by a database administrator should be performed by a different person? A. Deleting database activity logs B. Implementing database optimization tools C. Monitoring database usage D. Defining backup and recovery procedures
A is the correct answer. Justification: A. Because database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA's role. B. Implementing database optimization tools is part of the DBA's normal job function. C. Monitoring database usage is part of the DBA's normal job function. D. Defining backup and recovery procedures is part of the DBA's normal job function.
A4-27 Management considered two projections for its disaster recovery plan: plan A with two months to fully recover and plan B with eight months to fully recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected higher: A. downtime costs. B. resumption costs. C. recovery costs. D. walk-through costs.
A is the correct answer. Justification: A. Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher. B. Because the recovery time for plan B is longer, resumption costs can be expected to be lower. C. Because the recovery time for plan B is longer, recovery costs can be expected to be lower. D. Walk-through costs are not a part of disaster recovery.
A4-18 Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis? A. Business processes owners B. IT management C. Senior business management D. Industry experts
A is the correct answer. Justification: A. Business process owners have the most relevant information to contribute because the business impact analysis (BIA) is designed to evaluate criticality and recovery time lines, based on business needs. B. While IT management must be involved, they may not be fully aware of the business processes that need to be protected. C. While senior management must be involved, they may not be fully aware of the criticality of applications that need to be protected. D. The BIA is dependent on the unique business needs of the organization and the advice of industry experts is of limited value.
A4-92 The purpose of code signing is to provide assurance that: A. the software has not been subsequently modified. B. the application can safely interface with another signed application. C. the signer of the application is trusted. D. the private key of the signer has not been compromised.
A is the correct answer. Justification: A. Code signing ensures that the executable code came from a reputable source and has not been modified after being signed. B. The signing of code will not ensure that it will integrate with other applications. C. Code signing will provide assurance of the source but will not ensure that the source is trusted. The code signing will, however, ensure that the code has not been modified. D. The compromise of the sender's private key would result in a loss of trust and is not the purpose of code signing.
A4-41 Which of the following is widely accepted as one of the critical components in networking management? A. Configuration and change management B. Topological mappings C. Application of monitoring tools D. Proxy server troubleshooting
A is the correct answer. Justification: A. Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Change management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removal of default passwords and possibly hardening the network by disabling unneeded services. B. Topological mappings provide outlines of the components of the network and its connectivity. This is important to address issues such as single points of failure and proper network isolation but is not the most critical component of network management. C. Application monitoring is not a critical part of network management. D. Proxy server troubleshooting is used for troubleshooting purposes, and managing a proxy is only a small part of network management.
A4-8 An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening? A. The default configurations are changed. B. All tables in the database are denormalized. C. Stored procedures and triggers are encrypted. D. The service port used by the database server is changed.
A is the correct answer. Justification: A. Default database configurations, such as default passwords and services, need to be changed; otherwise, the database could be easily compromised by malicious code and by intruders. B. The denormalization of a database is related more to performance than to security. C. Limiting access to stored procedures is a valid security consideration but not as critical as changing default configurations. D. Changing the service port used by the database is a component of the configuration changes that could be made to the database, but there are other more critical configuration changes that should be made first.
A4-77 A hot site should be implemented as a recovery strategy when the: A. disaster downtime tolerance is low. B. recovery point objective is high. C. recovery time objective is high. D. maximum tolerable downtime is long.
A is the correct answer. Justification: A. Disaster downtime tolerance is the time gap during which the business can accept non-availability of IT facilities. If this time gap is low, recovery strategies that can be implemented within a short period of time, such as a hot site, should be used. B. The recovery point objective (RPO) is the earliest point in time at which it is possible to recover the data. A high RPO means that the process would result in greater losses of data. C. A high recovery time objective means that additional time would be available for the recovery strategy, thus making other recovery alternatives, such as warm or cold sites, viable. D. If the maximum tolerable downtime is long, then a warm or cold site is a more cost-effective solution.
A4-43 Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies? A. Developments may result in hardware and software incompatibility. B. Resources may not be available when needed. C. The recovery plan cannot be live tested. D. The security infrastructures in each company may be different.
A is the correct answer. Justification: A. If one organization updates its hardware and software configuration, it may mean that it is no longer compatible with the systems of the other party in the agreement. This may mean that each company is unable to use the facilities at the other company to recover their processing following a disaster. B. Resources being unavailable when needed are an intrinsic risk in any reciprocal agreement, but this is a contractual matter and is not the greatest risk. C. The plan can be tested by paper-based walk-throughs and possibly by agreement between the companies. D. The difference in security infrastructures, while a risk, is not insurmountable.
A4-74 While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be: A. shadow file processing. B. electronic vaulting. C. hard-disk mirroring. D. hot-site provisioning.
A is the correct answer. Justification: A. In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files such as airline booking systems. B. Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium; this is a method used by banks. This is not usually in real time as much as a shadow file system is. C. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server. D. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data.
A4-97 An IS auditor should recommend the use of library control software to provide reasonable assurance that: A. program changes have been authorized. B. only thoroughly tested programs are released. C. modified programs are automatically moved to production. D. source and executable code integrity is maintained.
A is the correct answer. Justification: A. Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. B. Library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested. C. Programs should not be moved automatically into production without proper authorization. D. Library control software provides reasonable assurance that the source code and executable code are matched at the time a source code is moved to production. Access control will ensure the integrity of the software, but the most important benefit of version control software is to ensure that all changes are authorized.
A4-48 A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in: A. with their named account to make the changes. B. with the shared DBA account to make the changes. C. to the server administrative account to make the changes. D. to the user's account to make the changes.
A is the correct answer. Justification: A. Logging in using the named user account before using the database administrator (DBA) account provides accountability by noting the person making the changes. B. The DBA account is typically a shared user account. The shared account makes it difficult to establish the identity of the support user who is performing the database update. C. The server administrative accounts are shared and may be used by multiple support users. In addition, the server privilege accounts may not have the ability to perform database changes. D. The use of a normal user account would not have sufficient privileges to make changes on the database.
A4-64 An optimized disaster recovery plan for an organization should: A. reduce the length of the recovery time and the cost of recovery. B. increase the length of the recovery time and the cost of recovery. C. reduce the duration of the recovery time and increase the cost of recovery. D. not affect the recovery time or the cost of recovery.
A is the correct answer. Justification: A. One of the objectives of a disaster recovery plan (DRP) is to reduce the duration and cost of recovering from a disaster. B. A DRP would increase the cost of operations before and after the disaster occurs. C. A DRP should reduce the time to return to normal operations. D. A DRP should reduce the cost that could result from a disaster.
A4-86 When reviewing a disaster recovery plan, an IS auditor should be MOST concerned with the lack of: A. process owner involvement. B. well-documented testing procedures. C. an alternate processing facility. D. a well-documented data classification scheme.
A is the correct answer. Justification: A. Process owner involvement is a critical part of the business impact analysis (BIA), which is used to create the disaster recovery plan. If the IS auditor determined that process owners were not involved, this would be a significant concern. B. While well-documented testing procedures are important, unless process owners are involved there is no way to know whether the priorities and critical elements of the plan are valid. C. An alternate processing facility may be a requirement to meet the needs of the business; however, such a decision needs to be based on the BIA. D. A data classification scheme is important to ensure that controls over data are appropriate; however, this is a lesser concern than a lack of process owner involvement.
A4-79 Which of the following stakeholders is the MOST important in terms of developing a business continuity plan? A. Process owners B. Application owners C. The board of directors D. IT management
A is the correct answer. Justification: A. Process owners are essential in identifying the critical business functions, recovery times and resources needed. B. A business continuity plan (BCP) is concerned with the continuity of business processes, while applications may or may not support critical business processes. C. The board of directors might approve the plan, but they are typically not involved in the details of developing the BCP. D. IT management will identify the IT resources, servers and infrastructure needed to support the critical business functions as defined by the business process owners.
A4-22 During an IS audit of the disaster recovery plan of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor? A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident. B. The corporate business continuity plan does not accurately document the systems that exist at remote offices. C. Corporate security measures have not been incorporated into the test plan. D. A test has not been made to ensure that tape backups from the remote offices are usable.
A is the correct answer. Justification: A. Regardless of the capability of local IT resources, the most critical risk would be the lack of testing, which would identify quality issues in the recovery process. B. The corporate business continuity plan may not include disaster recovery plan (DRP) details for remote offices. It is important to ensure that the local plans have been tested. C. Security is an important issue because many controls may be missing during a disaster. However, not having a tested plan is more important. D. The backups cannot be trusted until they have been tested. However, this should be done as part of the overall tests of the DRP.
A4-16 Which of the following is the MOST critical element to effectively execute a disaster recovery plan? A. Offsite storage of backup data B. Up-to-date list of key disaster recovery contacts C. Availability of a replacement data center D. Clearly defined recovery time objective
A is the correct answer. Justification: A. Remote storage of backups is the most critical disaster recovery plan (DRP) element of the items listed because access to backup data is required to restore systems. B. Having a list of key contacts is important but not as important as having adequate data backup. C. A DRP may use a replacement data center or some other solution such as a mobile site, reciprocal agreement or outsourcing agreement. D. Having a clearly defined recovery time objective is especially important for business continuity planning, but the core element of disaster recovery (the recovery of IT infrastructure and capability) is data backup.
A4-3 An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing? A. A clause providing a "right to audit" the service provider B. A clause defining penalty payments for poor performance C. Predefined service level report templates D. A clause regarding supplier limitation of liability
A is the correct answer. Justification: A. The absence of a "right to audit" clause or other form of attestation that the supplier was compliant with a certain standard would potentially prevent the IS auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance and adherence to legal requirements. This would be a major concern for the IS auditor because it would be difficult for the organization to assess whether the appropriate controls had been put in place. B. While a clear definition of penalty payment terms is desirable, not all contracts require the payment of penalties for poor performance, and when performance penalties are required, these penalties are often subject to negotiation on a case-by-case basis. As such, the absence of this information would not be as significant as a lack of right to audit. C. While the inclusion of service level report templates would be desirable, as long as the requirement for service level reporting is included in the contract, the absence of predefined templates for reporting is not a significant concern. D. The absence of a limitation of liability clause for the service provider would, theoretically, expose the provider to unlimited liability. This would be to the advantage of the outsourcing company so, while the IS auditor might highlight the absence of such a clause, it would not constitute a major concern.
A4-84 An IS auditor performing an application maintenance audit would review the log of program changes for the: A. authorization of program changes. B. creation date of a current object module. C. number of program changes actually made. D. creation date of a current source program.
A is the correct answer. Justification: A. The auditor wants to ensure that only authorized changes have been made to the application. The auditor would therefore review the log of program changes to verify that all changes have been approved. B. The creation date of the current object module will not indicate earlier changes to the application. C. The auditor will review the system to notice the number of changes actually made but then will verify that all the changes were authorized. D. The creation date of the current source program will not identify earlier changes.
A4-2 An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a: A. transition clause from the old supplier to a new supplier or back to internal in the case of expiration or termination. B. late payment clause between the customer and the supplier. C. contractual commitment for service improvement. D. dispute resolution procedure between the contracting parties.
A is the correct answer. Justification: A. The delivery of IT services for a specific customer always implies a close linkage between the client and the supplier of the service. If there are no contract terms to specify how the transition to a new supplier may be performed, there is the risk that the old supplier may simply "pull the plug" if the contract expires or is terminated, or may not make data available to the outsourcing organization or new supplier. This would be the greatest risk to the organization. B. Contractual issues regarding payment, service improvement and dispute resolution are important but not as critical as ensuring that service disruption, data loss, data retention failures or other significant events do not occur when the organization switches to a new firm providing outsourced services. C. The service level agreement (SLA) should address performance requirements and metrics to report on the status of services provided; a commitment to performance improvement is desirable but not mandatory. D. The SLA should address a dispute resolution procedure and specify the jurisdiction in case of a legal dispute, but this is not the most critical part of an SLA.
A4-46 Vendors have released patches fixing security flaws in their software. Which of the following should an IS auditor recommend in this situation? A. Assess the impact of patches prior to installation. B. Ask the vendors for a new software version with all fixes included. C. Install the security patch immediately. D. Decline to deal with these vendors in the future.
A is the correct answer. Justification: A. The effect of installing the patch should be immediately evaluated and installation should occur based on the results of the evaluation. There are numerous cases where a patch from one vendor has affected other systems; therefore, it is necessary to test the patches as much as possible before rolling them out to the entire organization. B. New software versions with all fixes included are not always available and a full installation could be time consuming. C. To install the patch without knowing what it might affect could easily cause problems. The installation of a patch may also affect system availability; therefore, the patch should be rolled out at a time that is acceptable to the business. D. Declining to deal with vendors does not take care of the flaw and may severely limit service options.
A4-100 The PRIMARY objective of service-level management is to: A. define, agree on, record and manage the required levels of service. B. ensure that services are managed to deliver the highest achievable level of availability. C. keep the costs associated with any service at a minimum. D. monitor and report any legal noncompliance to business management.
A is the correct answer. Justification: A. The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. B. SLM does not necessarily ensure that services are delivered at the highest achievable level of availability (e.g., redundancy and clustering). Although maximizing availability might be necessary for some critical services, it cannot be applied as a general rule of thumb. C. SLM cannot ensure that costs for all services will be kept at a low or minimum level because costs associated with a service will directly reflect the customer's requirements. D. Monitoring and reporting legal noncompliance is not a primary objective of SLM.
A4-62 When reviewing system parameters, an IS auditor's PRIMARY concern should be that: A. they are set to meet both security and performance requirements. B. changes are recorded in an audit trail and periodically reviewed. C. changes are authorized and supported by appropriate documents. D. access to parameters in the system is restricted.
A is the correct answer. Justification: A. The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if parameters are not set according to business rules, monitoring of changes may not be an effective control. B. Reviewing changes to ensure that they are supported by appropriate documents is also a detective control. C. If parameters are set incorrectly, the related documentation and the fact that these are authorized does not reduce the impact. D. Restriction of access to parameters ensures that only authorized staff can access the parameters; however, if the parameters are set incorrectly, restricting access will still have an adverse impact.
A4-58 Recovery procedures for an information processing facility are BEST based on: A. recovery time objective. B. recovery point objective. C. maximum tolerable outage. D. information security policy.
A is the correct answer. Justification: A. The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; the RTO is the desired recovery time frame based on maximum tolerable outage (MTO) and available recovery alternatives. B. The recovery point objective (RPO) has the greatest influence on the recovery strategies for given data. It is determined based on the acceptable data loss in case of a disruption of operations. The RPO effectively quantifies the permissible amount of data loss in case of interruption. C. MTO is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; it represents the time by which the service must be restored before the organization is faced with the threat of collapse. D. An information security policy does not address recovery procedures.
A4-15 An advantage of using unshielded twisted-pair (UTP) cable for data communication over other copper-based cables is that UTP cable: A. reduces crosstalk between pairs. B. provides protection against wiretapping. C. can be used in long-distance networks. D. is simple to install.
A is the correct answer. Justification: A. The use of unshielded twisted-pair (UTP) in copper will reduce the likelihood of crosstalk. B. While the twisted nature of the media will reduce sensitivity to electromagnetic disturbances, an unshielded copper wire does not provide adequate protection against wiretapping. C. Attenuation sets in if copper twisted-pair cable is used for longer than 100 meters, necessitating the use of a repeater. D. The tools and techniques to install UTP are not simpler or easier than other copper-based cables.
A4-45 When auditing the onsite archiving process of emails, the IS auditor should pay the MOST attention to: A. the existence of a data retention policy. B. the storage capacity of the archiving solution. C. the level of user awareness concerning email use. D. the support and stability of the archiving solution manufacturer.
A is the correct answer. Justification: A. Without a data retention policy that is aligned to the company's business and compliance requirements, the email archive may not preserve and reproduce the correct information when required. B. The storage capacity of the archiving solution would be irrelevant if the proper email messages have not been properly preserved and others have been deleted. C. The level of user awareness concerning email use would not directly affect the completeness and accuracy of the archived email. D. The support and stability of the archiving solution manufacturer is secondary to the need to ensure a retention policy. Vendor support would not directly affect the completeness and accuracy of the archived email.
A4-49 During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software? A. The client did not pay for the open source software components. B. The organization and client must comply with open source software license terms. C. Open source software has security vulnerabilities. D. Open source software is unreliable for commercial use.
B is the correct answer. Justification: A. A major benefit of using open source software is that it is free. The client is not required to pay for the open source software components; however, both the developing organization and the client should be concerned about the licensing terms and conditions of the open source software components that are being used. B. There are many types of open source software licenses and each has different terms and conditions. Some open source software licensing allows use of the open source software component freely but requires that the completed software product must also allow the same rights. This is known as viral licensing, and if the development organization is not careful, its products could violate licensing terms by selling the product for profit. The IS auditor should be most concerned with open source software licensing compliance to avoid unintended intellectual property risk or legal consequences. C. Open source software, just like any software code, should be tested for security flaws and should be part of the normal system development life cycle (SDLC) process. This is not more of a concern than licensing compliance. D. Open source software does not inherently lack quality. Like any software code, it should be tested for reliability and should be part of the normal SDLC process. This is not more of a concern than licensing compliance.
A4-85 Which of the following assures an enterprise of the existence and effectiveness of internal controls relative to the service provided by a third party? A. The current service level agreement B. A recent independent third-party audit report C. The current business continuity plan procedures D. A recent disaster recovery plan test report
B is the correct answer. Justification: A. A service level agreement defines the contracted level of service; however, it would not provide assurance related to internal controls. B. An independent third-party audit report such as a Statements on Standards for Attestation Engagements 16 would provide assurance of the existence and effectiveness of internal controls at the third party. C. While a business continuity plan is essential, it would not provide assurance related to internal controls. D. While a disaster recovery plan is essential, it would not provide assurance related to internal controls.
A4-39 The objective of concurrency control in a database system is to: A. restrict updating of the database to authorized users. B. ensure integrity when two processes attempt to update the same data at the same time. C. prevent inadvertent or unauthorized disclosure of data in the database. D. ensure the accuracy, completeness and consistency of data.
B is the correct answer. Justification: A. Access controls restrict updating of the database to authorized users. B. Concurrency controls prevent data integrity problems, which can arise when two update processes access the same data item at the same time. C. Controls such as passwords prevent the inadvertent or unauthorized disclosure of data from the database. D. Quality controls such as edits ensure the accuracy, completeness and consistency of data maintained in the database.
A4-57 There are several methods of providing telecommunication continuity. The method of routing traffic through split-cable or duplicate-cable facilities is called: A. alternative routing. B. diverse routing. C. long-haul network diversity. D. last-mile circuit protection.
B is the correct answer. Justification: A. Alternative routing is a method of routing information via an alternate medium such as copper cable or fiber optics. This involves the use of different networks, circuits or end points should the normal network be unavailable. B. Diverse routing routes traffic through split-cable facilities or duplicate-cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual-entrance facilities. This type of access is time consuming and costly. C. Long-haul network diversity is a diverse, long-distance network using different packet switching circuits among the major long-distance carriers. It ensures long-distance access should any carrier experience a network failure. D. Last-mile circuit protection is a redundant combination of local carrier T-1s (E-1s in Europe), microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local-carrier routing is also used.
A4-76 Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a post-implementation review? A. The code was missed during the initial implementation. B. The change did not have change management approval. C. The error was discovered during the post-implementation review. D. The release team used the same change order number.
B is the correct answer. Justification: A. Although missing a component of a release is indicative of a process deficiency, it is of more concern that the missed change was promoted into the production environment without management approval. B. Change management approval of changes mitigates the risk of unauthorized changes being introduced to the production environment. Unauthorized changes might result in disruption of systems or fraud. It is, therefore, imperative to ensure that each change has appropriate change management approval. C. Most release/change control errors are discovered during post-implementation review. It is of greater concern that the change was promoted without management approval after it was discovered. D. Using the same change order number is not a relevant concern.
A4-91 An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the: A. IT department implement control mechanisms to prevent unauthorized software installation. B. Security policy be updated to include the specific language regarding unauthorized software. C. IT department prohibit the download of unauthorized software. D. Users obtain approval from an IS manager before installing nonstandard software.
B is the correct answer. Justification: A. An IS auditor's obligation is to report on observations noted and make the best recommendation, which is to address the situation through policy. The IT department cannot implement controls in the absence of the authority provided through policy. B. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue and to provide authority for the IT department to implement technical controls. C. Preventing downloads of unauthorized software is not the complete solution. Unauthorized software can also be introduced through compact discs (CDs) and universal serial bus (USB) drives. D. Requiring approval from the IS manager before installation of the nonstandard software is an exception handling control. It would not be effective unless a preventive control to prohibit user installation of unauthorized software is established first.
A4-40 Which of the following controls would provide the GREATEST assurance of database integrity? A. Audit log procedures B. Table link/reference checks C. Query/table access time checks D. Rollback and rollforward database features
B is the correct answer. Justification: A. Audit log procedures enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the database contents. B. Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. C. Querying/monitoring table access time checks helps designers improve database performance but not integrity. D. Rollback and rollforward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.
A4-68 An IS auditor finds that database administrators (DBAs) have access to the log location on the database server and the ability to purge logs from the system. What is the BEST audit recommendation to ensure that DBA activity is effectively monitored? A. Change permissions to prevent DBAs from purging logs. B. Forward database logs to a centralized log server to which the DBAs do not have access. C. Require that critical changes to the database are formally approved. D. Back up database logs to tape.
B is the correct answer. Justification: A. Changing the database administrator (DBA) permissions to prevent DBAs from purging logs may not be feasible and does not adequately protect the availability and integrity of the database logs. B. To protect the availability and integrity of the database logs, it is most feasible to forward the database logs to a centralized log server to which the DBAs do not have access. C. Requiring that critical changes to the database are formally approved does not adequately protect the availability and integrity of the database logs. D. Backing up database logs to tape does not adequately protect the availability and integrity of the database logs.
A4-36 The database administrator suggests that database efficiency can be improved by denormalizing some tables. This would result in: A. loss of confidentiality. B. increased redundancy. C. unauthorized accesses. D. application malfunctions.
B is the correct answer. Justification: A. Denormalization should not cause loss of confidentiality even though confidential data may be involved. The database administrator should ensure that access controls to the databases remain effective. B. Normalization is a design or optimization process for a relational database that increases redundancy. Redundancy, which is usually considered positive when it is a question of resource availability, is negative in a database environment because it demands additional and otherwise unnecessary data handling efforts. Denormalization is sometimes advisable for functional reasons. C. Denormalization pertains to the structure of the database, not the access controls. It should not result in unauthorized access. D. Denormalization may require some changes to the calls between databases and applications but should not cause application malfunctions.
A4-26 An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if: A. the setup is geographically dispersed. B. the servers are clustered in one site. C. a hot site is ready for activation. D. diverse routing is implemented for the network.
B is the correct answer. Justification: A. Dispersed geographic locations provide backup if a site has been destroyed. B. A clustered setup in one site makes the entire network vulnerable to natural disasters or other disruptive events. C. A hot site would also be a good alternative for a single point-of-failure site. D. Diverse routing provides telecommunications backup if a network is not available.
A4-13 Which of the following statements is useful while drafting a disaster recovery plan? A. Downtime costs decrease as the recovery point objective increases. B. Downtime costs increase with time. C. Recovery costs are independent of time. D. Recovery costs can only be controlled on a short-term basis.
B is the correct answer. Justification: A. Downtime costs are not related to the recovery point objective (RPO). The RPO defines the data backup strategy, which is related to recovery costs rather than to downtime costs. B. Downtime costs, such as loss of sales, idle resources and salaries, increase with time. A disaster recovery plan (DRP) should be drawn up to achieve the lowest downtime costs possible. C. Recovery costs decrease with the time allowed for recovery. For example, the cost to recover business operations within two days will be higher than the cost to recover business within seven days. The essence of an effective DRP is to minimize uncertainty and increase predictability. D. With good planning, recovery costs can be predicted and contained.
A4-44 Which of the following is MOST directly affected by network performance monitoring tools? A. Integrity B. Availability C. Completeness D. Confidentiality
B is the correct answer. Justification: A. Network monitoring tools can be used to detect errors that are propagating through a network, but their primary focus is on network reliability so that the network is available when required. B. Network monitoring tools allow observation of network performance and problems. This allows the administrator to take corrective action when network problems are observed. Therefore, the characteristic that is most directly affected by network monitoring is availability. C. Network monitoring tools will not measure completeness of the communication. This is measured by the end points in the communication. D. A network monitoring tool can violate confidentiality by allowing a network administrator to observe non-encrypted traffic. This requires careful protection and policies regarding the use of network monitoring tools.
A4-9 In auditing a database environment, an IS auditor will be MOST concerned if the database administrator is performing which of the following functions? A. Performing database changes according to change management procedures B. Installing patches or upgrades to the operating system C. Sizing table space and consulting on table join limitations D. Performing backup and recovery procedures
B is the correct answer. Justification: A. Performing database changes according to change management procedures would be a normal function of the database administrator (DBA) and would be compliant with the procedures of the organization. B. Installing patches or upgrades to the operating system is a function that should be performed by a systems administrator, not by a DBA. If a DBA were performing this function, there would be a risk based on inappropriate segregation of duties. C. A DBA is expected to support the business through helping design, create and maintain databases and the interfaces to the databases. D. The DBA often performs or supports database backup and recovery procedures.
A4-52 When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment approaches is being applied? A. Transfer B. Mitigation C. Avoidance D. Acceptance
B is the correct answer. Justification: A. Risk transfer is the transference of risk to a third party (e.g., buying insurance for activities that pose a risk). B. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan, it is a risk mitigation strategy. C. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure. D. Risk acceptance occurs when an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it.
A4-51 Which of the following tests performed by an IS auditor would be the MOST effective in determining compliance with change control procedures in an organization? A. Review software migration records and verify approvals. B. Identify changes that have occurred and verify approvals. C. Review change control documentation and verify approvals. D. Ensure that only appropriate staff can migrate changes into production.
B is the correct answer. Justification: A. Software migration records may not have all changes listed; changes could have been made that were not included in the migration records. B. The most effective method is to determine what changes have been made (check logs and modified dates) and then verify that they have been approved. C. Change control records may not have all changes listed. D. Ensuring that only appropriate staff can migrate changes into production is a key control process but, in itself, does not verify compliance.
A4-53 A programmer maliciously modified a production program to change data and then restored it back to the original code. Which of the following would MOST effectively detect the malicious activity? A. Comparing source code B. Reviewing system log files C. Comparing object code D. Reviewing executable and source code integrity
B is the correct answer. Justification: A. Source code comparisons are ineffective because the original programs were restored, and the changed program does not exist. B. Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library. C. Object code comparisons are ineffective because the original programs were restored, and the changed program does not exist. D. Reviewing executable and source code integrity is an ineffective control, because the source code was changed back to the original and will agree with the current executable.
A4-24 Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review
B is the correct answer. Justification: A. System log analysis would identify changes and activity on a system but would not identify whether the change was authorized unless conducted as a part of a compliance test. B. Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. C. Forensic analysis is a specialized technique for criminal investigation. D. An analytical review assesses the general control environment of an organization.
A4-87 An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement? A. Overall number of users supported B. First call resolution rate C. Number of incidents reported to the help desk D. Number of agents answering the phones
B is the correct answer. Justification: A. The contract price will usually be based on the number of users supported, but the performance metrics should be based on the ability to provide effective support and address user problems rapidly. B. Because it is about service level (performance) indicators, the percentage of incidents solved on the first call is a good way to measure the effectiveness of the supporting organization. C. The number of reported incidents cannot be controlled by the outsource supplier; therefore, that cannot be an effective measure. D. The efficiency and effectiveness of the people answering the calls and being able to address problems rapidly are more important than the number of people answering the calls.
A4-5 An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms would be the GREATEST risk to the customer organization? A. Data ownership is retained by the customer organization. B. The third-party provider reserves the right to access data to perform certain operations. C. Bulk data withdrawal mechanisms are undefined. D. The customer organization is responsible for backup, archive and restore.
B is the correct answer. Justification: A. The customer organization would want to retain data ownership and, therefore, this would not be a risk. B. Some service providers reserve the right to access customer information (third-party access) to perform certain transactions and provide certain services. In the case of protected health information, regulations may restrict certain access. Organizations must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Organizations must then determine whether the cloud provider provides appropriate controls to ensure that data are appropriately secure. C. An organization may eventually wish to discontinue its service with a third-party cloud-based provider. The organization would then want to remove its data from the system and ensure that the service provider clears the system (including any backups) of its data. Some providers do not offer automated or bulk data withdrawal mechanisms, which the organization needs to migrate its data. These aspects should be clarified prior to using a third-party provider. D. An organization may need to plan its own data recovery processes and procedures if the service provider does not make this available or the organization has doubts about the service provider's processes. This would only be a risk if the customer organization was unable to perform these activities itself.
A4-56 An IS auditor reviewing an organization's disaster recovery plan should PRIMARILY verify that it is: A. tested every six months. B. regularly reviewed and updated. C. approved by the chief executive officer. D. communicated to every department head in the organization.
B is the correct answer. Justification: A. The plan must be subjected to regular testing, but the period between tests will depend on the nature of the organization, the amount of change in the organization and the relative importance of IS. Three months, or even annually, may be appropriate in different circumstances. B. The plan should be reviewed at appropriate intervals, depending on the nature of the business and the rate of change of systems and personnel. Otherwise, it may become out of date and may no longer be effective. C. Although the disaster recovery plan should receive the approval of senior management, it need not be the chief executive officer if another executive officer is equally or more appropriate. For a purely IS-related plan, the executive responsible for technology may have approved the plan. D. Although a business continuity plan is likely to be circulated throughout an organization, the IS disaster recovery plan will usually be a technical document and only relevant to IS and communication staff.
A4-30 Applying a retention date on a file will ensure that: A. data cannot be read until the date is set. B. data will not be deleted before that date. C. backup copies are not retained after that date. D. datasets having the same name are differentiated.
B is the correct answer. Justification: A. The retention date will not affect the ability to read the file. B. A retention date will ensure that a file cannot be overwritten or deleted before that date has passed. C. Backup copies would be expected to have a different retention date and, therefore, may be retained after the file has been overwritten. D. The creation date, not the retention date, will differentiate files with the same name.
A4-14 Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST: A. include the statement from management in the audit report. B. verify the software is in use through testing. C. include the item in the audit report. D. discuss the issue with senior management because it could have a negative impact on the organization.
B is the correct answer. Justification: A. The statement from management may be included in the audit report, but the auditor should independently validate the statements made by management to ensure completeness and accuracy. B. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in the report. C. With respect to this matter, representations obtained from management cannot be independently verified. D. If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report, but the IS auditor should verify that this is in fact the case before presenting it to senior management.
A4-98 Which of the following would help to ensure the portability of an application connected to a database? A. Verification of database import and export procedures B. Usage of a Structured Query Language C. Analysis of stored procedures/triggers D. Synchronization of the entity-relation model with the database physical schema
B is the correct answer. Justification: A. Verification of import and export procedures with other systems ensures better interfacing with other systems but does not contribute to the portability of an application connecting to a database. B. The use of Structured Query Language facilitates portability because it is an industry standard used by many systems. C. Analyzing stored procedures/triggers ensures proper access/performance but does not contribute to the portability of an application connecting to a database. D. Reviewing the design entity-relation model will be helpful but does not contribute to the portability of an application connecting to a database.
A4-29 An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide? A. Ask the SaaS vendor to provide a weekly report on application uptime. B. Implement an online polling tool to monitor the application and record outages. C. Log all application outages reported by users and aggregate the outage time weekly. D. Contract an independent third party to provide weekly reports on application uptime.
B is the correct answer. Justification: A. Weekly application availability reports are useful, but these reports represent only the vendor's perspective. While monitoring these reports, the organization can raise concerns of inaccuracy; however, without internal monitoring, such concerns cannot be substantiated. B. Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor the software as a service application availability. Comparing internal reports with the vendor's service level agreement (SLA) reports would ensure that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved. C. Logging the outage times reported by users is helpful but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if the outages are intermittent. D. Contracting a third party to implement availability monitoring is not a cost-effective option. Additionally, this results in a shift from monitoring the SaaS vendor to monitoring the third party.
A4-61 An IS auditor is performing a review of the disaster recovery hot site used by a financial institution. Which of the following would be the GREATEST concern? A. System administrators use shared accounts which never expire at the hot site. B. Disk space utilization data are not kept current. C. Physical security controls at the hot site are less robust than at the main site. D. Servers at the hot site do not have the same specifications as at the main site.
B is the correct answer. Justification: A. While it is not a good practice for security administrators to share accounts that do not expire, the greater risk in this scenario would be running out of disk space. B. Not knowing how much disk space is in use and, therefore, how much is needed at the disaster recovery site could create major issues in the case of a disaster. C. Physical security controls are important, and this would be a concern, but the more important concern would be running out of disk space. The particular physical characteristics of the disaster recovery site may call for different controls that may appear to be less robust than at the main site; however, such a risk could be addressed through policy and procedures or by adding additional personnel if needed. D. As long as the servers at the hot site are capable of running the programs that are required in a disaster recovery situation, the precise capabilities of the servers at the hot site are not a major risk. It is necessary to ensure that software configuration and settings match the servers at the main site, but it is not unusual for newer and more powerful servers to exist at the main site for everyday production use while the standby servers are less powerful.
A4-25 During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next? A. Recommend redesigning the change management process. B. Gain more assurance on the findings through root cause analysis. C. Recommend that program migration be stopped until the change process is documented. D. Document the finding and present it to management.
B is the correct answer. Justification: A. While it may be necessary to redesign the change management process, this cannot be done until a root cause analysis is conducted to determine why the current process is not being followed. B. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management. C. A business relies on being able to make changes when necessary, and security patches must often be deployed promptly. It would not be feasible to halt all changes until a new process is developed. D. The results of the audit, including the findings of noncompliance, will be delivered to management once a root cause analysis of the issue has been completed.
A4-81 During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: A. only systems administrators perform the patch process. B. the client's change management process is adequate. C. patches are validated using parallel testing in production. D. an approval process of the patch, including a risk assessment, is developed.
B is the correct answer. Justification: A. While system administrators would normally install patches, it is more important that changes be made according to a formal procedure that includes testing and implementing the change during nonproduction times. B. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly. C. While patches would normally undergo testing, it is often impossible to test all patches thoroughly. It is more important that changes be made during nonproduction times, and that a backout plan is in place in case of problems. D. An approval process alone could not directly prevent this type of incident from happening. There should be a complete change management process that includes testing, scheduling and approval.
A4-60 An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application hosted in the cloud. Management's response states that the cloud vendor is responsible for disaster recovery (DR) and DR-related testing. What is the NEXT course of action for the IS auditor to pursue? A. Plan an audit of the cloud vendor. B. Review the vendor contract to determine its DR capabilities. C. Review an independent auditor's report of the cloud vendor. D. Request a copy of the DRP from the cloud vendor.
B is the correct answer. Justification: A. Auditing the cloud vendor would be useful; however, this would only be useful if the vendor is contractually required to provide disaster recovery (DR) services. B. DR services can only be expected from the vendor when explicitly listed in the contract with well-defined recovery time objectives and recovery point objectives. Without the contractual language, the vendor is not required to provide DR services. C. An independent auditor's report, such as Statements on Standards for Attestation Engagements 16, on DR capabilities can be reviewed to ascertain the vendor's DR capabilities; however, this will only be fruitful if the vendor is contractually required to provide DR services. D. A copy of DR policies can be requested to review their adequacy; however, this will only be useful if the vendor is contractually required to provide DR services.
A4-1 An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review? A. References from other clients for the service provider B. The physical security of the service provider site C. The proposed service level agreement with the service provider D. Background checks of the service provider's employees
C is the correct answer. Justification: A. A due diligence activity such as reviewing references from other clients is a good practice, but the service level agreement (SLA) would be most critical because it would define what specific levels of performance would be required and make the provider contractually obligated to deliver what was promised. B. A due diligence activity such as reviewing physical security controls is a good practice, but the SLA would be most critical because it would define what specific levels of security would be required and make the provider contractually obligated to deliver what was promised. C. When contracting with a service provider, it is a good practice to enter into an SLA with the provider. An SLA is a guarantee that the provider will deliver the services according to the contract. The IS auditor will want to ensure that performance and security requirements are clearly stated in the SLA. D. A due diligence activity such as the use of background checks for the service provider's employees is a good practice, but the SLA would be most critical because it would define what specific levels of security and labor practices would be required and make the provider contractually obligated to deliver what was promised.
A4-6 Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget? A. A hot site maintained by the business B. A commercial cold site C. A reciprocal arrangement between its offices D. A third-party hot site
C is the correct answer. Justification: A. A hot site maintained by the business would be a costly solution but would provide a high degree of confidence. B. Multiple cold sites leased for the multiple offices would lead to an ineffective solution with poor availability. C. For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach and would provide an acceptable level of confidence. D. A third-party facility for recovery is provided by a traditional hot site. This would be a costly approach providing a high degree of confidence.
A4-73 Which of the following is a continuity plan test that simulates a system crash and uses actual resources to cost-effectively obtain evidence about the plan's effectiveness? A. Paper test B. Post-test C. Preparedness test D. Walk-through
C is the correct answer. Justification: A. A paper test is a walk-through of the plan, involving major players, who attempt to determine what might happen in a particular type of service disruption in the plan's execution. A paper test usually precedes the preparedness test. B. A post-test is actually a test phase and consists of a group of activities such as returning all resources to their proper place, disconnecting equipment, returning personnel and deleting all company data from third-party systems. C. A preparedness test is a localized version of a full test, wherein resources are expended in the simulation of a system crash. This test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness. It also provides a means to improve the plan in increments. D. A walk-through is a test involving a simulated disaster situation that tests the preparedness and understanding of management and staff rather than the actual resources.
A4-42 In evaluating programmed controls over password management, which of the following is the IS auditor MOST likely to rely on? A. A size check B. A hash total C. A validity check D. A field check
C is the correct answer. Justification: A. A size check is useful because passwords should have a minimum length, but it is not as strong a control as a validity check. B. Passwords are not typically entered in a batch mode, so a hash total would not be effective. More important, a system should not accept incorrect values of a password, so a hash total as a control will not indicate any weak passwords, errors or omissions. C. A validity check would be the most useful for the verification of passwords because it would verify that the required format has been used, for example, not using a dictionary word, including non-alphabetical characters, etc. An effective password must have several different types of characters: alphabetical, numeric and special. D. The implementation of a field check would not be as effective as a validity check that verifies that all password criteria have been met.
A4-4 When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software: A. was installed, but not documented in the IT department records. B. was being used by users not properly trained in its use. C. is not listed in the approved software standards document. D. license will expire in the next 15 days.
C is the correct answer. Justification: A. All software, including licenses, should be documented in IT department records, but this is not as serious as the violation of policy in installing unapproved software. B. Discovering that users have not been formally trained in the use of a software product is common, and while not ideal, most software includes help files and other tips that can assist in learning how to use the software effectively. C. The installation of software that is not allowed by policy is a serious violation and could put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies. D. A software license that is about to expire is not a risk if there is a process in place to renew it.
A4-66 A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines. Which of the following would be the BEST contingency plan for the communications processor? A. Reciprocal agreement with another organization B. Alternate processor in the same location C. Alternate processor at another network node D. Duplex communication links
C is the correct answer. Justification: A. Reciprocal agreements make an organization dependent on the other organization and raise privacy, competition and regulatory issues. B. Having an alternate processor in the same location resolves the equipment problem but would not be effective if the failure was caused by environmental conditions (e.g., a power disruption). C. The unavailability of the central communications processor would disrupt all access to the banking network. This could be caused by an equipment, power or communications failure. Having a duplicate processor in another location that could be used for alternate processing is the best solution. D. The installation of duplex communication links would only be appropriate if the failure were limited to the communication link.
A4-19 An IS auditor is reviewing an organization's disaster recovery plan (DRP) implementation. The project was completed on time and on budget. During the review, the auditor uncovers several areas of concern. Which of the following presents the GREATEST risk? A. Testing of the DRP has not been performed. B. The disaster recovery strategy does not specify use of a hot site. C. The business impact analysis was conducted, but the results were not used. D. The disaster recovery project manager for the implementation has recently left the organization.
C is the correct answer. Justification: A. Although testing a disaster recovery plan (DRP) is a critical component of a successful disaster recovery strategy, this is not the biggest risk; the biggest risk comes from a plan that is not properly designed. B. Use of a hot site is a strategic determination based on tolerable downtime, cost and other factors. Although using a hot site may be considered a good practice, this is a very costly solution that may not be required for the organization. C. The risk of not using the results of the business impact analysis (BIA) for disaster recovery planning means that the DRP may not be designed to recover the most critical assets in the correct order. As a result, the plan may not be adequate to allow the organization to recover from a disaster. D. If the DRP is designed and documented properly, the loss of an experienced project manager should have minimal impact. The risk of a poorly designed plan that may not meet the requirements of the business is much more significant than the risk posed by loss of the project manager.
A4-33 Which of the following is a MAJOR concern during a review of help desk activities? A. Certain calls could not be resolved by the help desk team. B. A dedicated line is not assigned to the help desk team. C. Resolved incidents are closed without reference to end users. D. The help desk instant messaging has been down for more than six months.
C is the correct answer. Justification: A. Although this is of concern, it should be expected. A problem escalation procedure should be developed to handle such scenarios. B. Ideally, a help desk team should have dedicated lines, but this exception is not as serious as the technical team unilaterally closing an incident. C. The help desk function is a service-oriented unit. The end users must be advised before an incident can be regarded as closed. D. Instant messaging is an add-on to improve the effectiveness of the help desk team. Its absence cannot be seen as a major concern as long as calls can still be made.
A4-11 An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability? A. Changes are authorized by managers at all times. B. User acceptance testing is performed and properly documented. C. Test plans and procedures exist and are closely followed. D. Capacity planning is performed as part of each development project.
C is the correct answer. Justification: A. Changes are usually required to be signed off by a business analyst, member of the change control board or other authorized representative, not necessarily by IT management. B. User acceptance testing is important but not a critical element of change control and would not usually address the topic of availability as asked in the question. C. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently. D. While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.
A4-17 While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on: A. adequately monitoring service levels of IT resources and services. B. providing data to enable timely planning for capacity and performance requirements. C. providing accurate feedback on IT resource capacity. D. properly forecasting performance, capacity and throughput of IT resources.
C is the correct answer. Justification: A. Continuous monitoring helps to ensure that service level agreements (SLAs) are met, but this would not be the primary focus of monitoring. It is possible that even if a system were offline, it would meet the requirements of an SLA. Therefore, accurate availability monitoring is more important. B. While data gained from capacity and performance monitoring would be an input to the planning process, the primary focus would be to monitor availability. C. Accurate capacity monitoring of IT resources would be the most critical element of a continuous monitoring process. D. While continuous monitoring would help management to predict likely IT resource capabilities, the more critical issue would be that availability monitoring is accurate.
A4-78 In which of the following situations is it MOST appropriate to implement data mirroring as the recovery strategy? A. Disaster tolerance is high. B. The recovery time objective is high. C. The recovery point objective is low. D. The recovery point objective is high.
C is the correct answer. Justification: A. Data mirroring is a data recovery technique, and disaster tolerance addresses the allowable time for an outage of the business. B. The recovery time objective (RTO) is an indicator of the disaster tolerance. Data mirroring addresses data loss, not the RTO. C. The recovery point objective (RPO) indicates the latest point in time at which it is possible to recover the data. This determines how often the data must be backed up to minimize data loss. If the RPO is low, then the organization does not want to lose much data and must use a process such as data mirroring to prevent data loss. D. If the RPO is high, then a less expensive backup strategy can be used; data mirroring should not be implemented as the data recovery strategy.
A4-21 Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)? A. A service adjustment resulting from an exception report took a day to implement. B. The complexity of application logs used for service monitoring made the review difficult. C. Service measures were not included in the SLA. D. The document is updated on an annual basis.
C is the correct answer. Justification: A. Resolving issues related to exception reports is an operational issue that should be addressed in the service level agreement (SLA); however, a response time of one day may be acceptable depending on the terms of the SLA. B. The complexity of application logs is an operational issue, which is not related to the SLA. C. Lack of service measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided. D. While it is important that the document be current, depending on the term of the agreement, it may not be necessary to change the document more frequently than annually.
A4-89 Which of the following is the BEST reason for integrating the testing of non-critical systems in disaster recovery plans (DRPs) with business continuity plans (BCPs)? A. To ensure that DRPs are aligned to the business impact analysis. B. Infrastructure recovery personnel can be assisted by business subject matter experts. C. BCPs may assume the existence of capabilities that are not in DRPs. D. To provide business executives with knowledge of disaster recovery capabilities.
C is the correct answer. Justification: A. Disaster recovery plans (DRPs) should be aligned with the business impact analysis; however, this has no impact on integrating the testing of noncritical systems in DRPs with business continuity plans (BCPs). B. Infrastructure personnel will be focused on restoring the various platforms that make up the infrastructure, and it is not necessary for business subject matter experts to be involved. C. BCPs may assume the existence of capabilities that are not part of the DRPs, such as allowing employees to work from home during the disaster; however, IT may not have made sufficient provisions for these capabilities (e.g., they cannot support a large number of employees working from home). While the noncritical systems are important, it is possible that they are not part of the DRPs. For example, an organization may use an online system that does not interface with the internal systems. If the business function using the system is a critical process, the system should be tested, and it may not be part of the DRP. Therefore, DRP and BCP testing should be integrated. D. While business executives may be interested in the benefits of disaster recovery, testing is not the best way to accomplish this task.
A4-37 An IS auditor has been assigned to conduct a test that compares job run logs to computer job schedules. Which of the following observations would be of the GREATEST concern to the IS auditor? A. There are a growing number of emergency changes. B. There were instances when some jobs were not completed on time. C. There were instances when some jobs were overridden by computer operators. D. Evidence shows that only scheduled jobs were run.
C is the correct answer. Justification: A. Emergency changes are acceptable as long as they are properly documented as part of the process. B. Instances of jobs not being completed on time are a potential issue and should be investigated, but they are not the greatest concern. C. The overriding of computer processing jobs by computer operators could lead to unauthorized changes to data or programs. This is a control concern; thus, it is always critical. D. The audit should find that all scheduled jobs were run and that any exceptions were documented. This would not be a violation.
A4-12 Data flow diagrams are used by IS auditors to: A. identify key controls. B. highlight high-level data definitions. C. graphically summarize data paths and storage. D. portray step-by-step details of data generation.
C is the correct answer. Justification: A. Identifying key controls is not the focus of data flow diagrams. The focus is, as the name states, the flow of data. B. A data dictionary may be used to document data definitions, but the data flow diagram is used to document how data move through a process. C. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data. D. The purpose of a data flow diagram is to track the movement of data through a process; it is not primarily to document or indicate how data are generated.
A4-59 An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff respond to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario? A. Notify the local fire department of the alarm condition. B. Prepare to activate the fire suppression system. C. Ensure all persons in the data center are evacuated. D. Remove all backups from the data center.
C is the correct answer. Justification: A. Life safety is always the first priority, and notifying the fire department of the alarm is not typically necessary because most data center alarms are configured to automatically report to the local authorities. B. Fire suppression systems are designed to operate automatically, and activating the system when staff are not yet evacuated could create confusion and panic, leading to injuries or even fatalities. Manual triggering of the system could be necessary under certain conditions, but only after all other data center personnel are safely evacuated. C. In an emergency, safety of life is always the first priority; therefore, the complete and orderly evacuation of the facility staff would be the most important activity. D. Removal of backups from the data center is not an appropriate action because it could delay the evacuation of personnel. Most companies would have copies of backups in offsite storage to mitigate the risk of data loss for this type of disaster.
A4-94 Responsibility and reporting lines cannot always be established when auditing automated systems because: A. diversified control makes ownership irrelevant. B. staff traditionally changes jobs with greater frequency. C. ownership is difficult to establish where resources are shared. D. duties change frequently in the rapid development of technology.
C is the correct answer. Justification: A. Ownership is required to ensure that someone has responsibility for the secure and proper operation of a system and the protection of data. B. The movement of staff is not a serious issue because the responsibility should be linked to a job description, not an individual. C. The actual data and/or application owner may be hard to establish because of the complex nature of both data and application systems, and because many systems support more than one business department. D. Duties may change frequently, but that does not absolve the organization of having a declared owner for systems and data.
A4-32 An IS auditor needs to review the procedures used to restore a software application to its state prior to an upgrade. Therefore, the auditor needs to assess: A. problem management procedures. B. software development procedures. C. back-out procedures. D. incident management procedures.
C is the correct answer. Justification: A. Problem management procedures are used to track user feedback and issues related to the operation of an application for trend analysis and problem resolution. B. Software development procedures such as the software development life cycle (SDLC) are used to manage the creation or acquisition of new or modified software. C. Back-out procedures are used to restore a system to a previous state and are an important element of the change control process. The other choices are not related to the change control process, a process that specifies what procedures should be followed when software is being upgraded but the upgrade does not work and requires a fallback to its former state. D. Incident management procedures are used to manage errors or problems with system operation. They are usually used by a help desk. One of the incident management procedures may be how to follow a fallback plan.
A4-34 The MAIN purpose for periodically testing offsite disaster recovery facilities is to: A. protect the integrity of the data in the database. B. eliminate the need to develop detailed contingency plans. C. ensure the continued compatibility of the contingency facilities. D. ensure that program and system documentation remains current.
C is the correct answer. Justification: A. The testing of an offsite facility does nothing to protect the integrity of the database. It may test the validity of backups but does not protect their integrity. B. Testing an offsite location validates the value of the contingency plans and is not used to eliminate detailed plans. C. The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities so that assurance can be gained that the contingency plans would work in an actual disaster. D. Program and system documentation should be reviewed continuously for currency. A test of an offsite facility may ensure that the documentation for that site is current, but this is not the purpose of testing an offsite facility.
A4-50 An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls? A. Allow changes to be made only with the database administrator (DBA) user account B. Make changes to the database after granting access to a normal user account C. Use the DBA user account to make changes, log the changes and review the change log the following day D. Use the normal user account to make changes, log the changes and review the change log the following day
C is the correct answer. Justification: A. The use of the database administrator (DBA) user account without logging would permit uncontrolled changes to be made to databases after access to the account was obtained. B. A normal user account should not have access to a database. This would permit uncontrolled changes to any of the databases. C. The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. Because an abbreviated number of steps are used, this represents an adequate set of compensating controls. D. Users should not be able to make changes. Logging would only provide information on changes made but would not limit changes to only those who were authorized.
A4-55 The PRIMARY benefit of an IT manager monitoring technical capacity is to: A. identify the need for new hardware and storage procurement. B. determine the future capacity need based on usage. C. ensure that the service level requirements are met. D. ensure that systems operate at optimal capacity.
C is the correct answer. Justification: A. This is one benefit of monitoring technical capacity because it can help forecast future demands, not just react to system failures. However, the primary responsibility of the IT manager is to meet the overall requirement to ensure that IT is meeting the service level expectations of the business. B. Determining future capacity is one definite benefit of technical capability monitoring. C. Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement between the business and IT. D. IT management is interested in ensuring that systems are operating at optimal capacity, but their primary obligation is to ensure that IT is meeting the service level requirements of the business.
A4-65 A disaster recovery plan for an organization's financial system specifies that the recovery point objective is zero and the recovery time objective is 72 hours. Which of the following is the MOST cost-effective solution? A. A hot site that can be operational in eight hours with asynchronous backup of the transaction logs B. Distributed database systems in multiple locations updated asynchronously C. Synchronous updates of the data and standby active systems in a hot site D. Synchronous remote copy of the data in a warm site that can be operational in 48 hours
D is the correct answer. Justification: A. A hot site would meet the recovery time objective (RTO) but would incur higher costs than necessary. B. Asynchronous updates of the database in distributed locations do not meet the recovery point objective (RPO). C. Synchronous updates of the data and standby active systems in a hot site meet the RPO and RTO requirements but are costlier than a warm site solution. D. The synchronous copy of the data storage achieves the RPO, and a warm site operational in 48 hours meets the required RTO.
A4-10 Which of the following is the MOST reasonable option for recovering a non-critical system? A. Warm site B. Mobile site C. Hot site D. Cold site
D is the correct answer. Justification: A. A warm site is generally available at a medium cost, requires less time to become operational and is suitable for sensitive operations that should be recovered in a moderate amount of time. B. A mobile site is a vehicle ready with all necessary computer equipment that can be moved to any location, depending upon the need. The need for a mobile site depends upon the scale of operations. C. A hot site is contracted for a shorter time period at a higher cost, and it is better suited for recovery of vital and critical applications. D. Generally, a cold site is contracted for a longer period at a lower cost. Because it requires more time to make a cold site operational, it is generally used for noncritical applications.
A4-95 Which of the following distinguishes a business impact analysis from a risk assessment? A. An inventory of critical assets B. An identification of vulnerabilities C. A listing of threats D. A determination of acceptable downtime
D is the correct answer. Justification: A. An inventory of critical assets is completed in both a risk assessment and a business impact analysis (BIA). B. An identification of vulnerabilities is relevant in both a risk assessment and a BIA. C. A listing of threats is relevant both in a risk assessment and a BIA. D. A determination of acceptable downtime is made only in a BIA.
A4-70 Which of the following activities should the business continuity manager perform FIRST after the replacement of hardware at the primary information processing facility? A. Verify compatibility with the hot site B. Review the implementation report C. Perform a walk-through of the disaster recovery plan D. Update the IT assets inventory
D is the correct answer. Justification: A. Before validating that the new hardware is compatible with the recovery site, the business continuity manager should update the listing of all equipment and IT assets included in the business continuity plan. B. The implementation report will be of limited value to the business continuity manager because the equipment has been installed. C. The walk-through of the plan should only be done after the asset inventory has been updated. D. An IT assets inventory is the basic input for the business continuity/disaster recovery plan, and the plan must be updated to reflect changes in the IT infrastructure.
A4-72 Which of the following should the IS auditor review to ensure that servers are optimally configured to support processing requirements? A. Benchmark test results B. Server logs C. Downtime reports D. Server utilization data
D is the correct answer. Justification: A. Benchmark tests are designed to compare system performance using standardized criteria; however, benchmark testing does not provide the best data to ensure the optimal configuration of servers in an organization. B. A server log contains data showing activities performed on the server but does not contain the utilization data required to ensure the optimal configuration of servers. C. A downtime report identifies the elapsed time when a computer is not operating correctly because of machine failure but is not useful in determining optimal server configurations. D. Monitoring server utilization identifies underutilized servers and monitors overall server utilization. Underutilized servers do not provide the business with optimal cost-effectiveness. By monitoring server usage, IT management can take appropriate measures to raise the utilization ratio and provide the most effective return on investment.
A4-93 An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated? A. Consistency B. Isolation C. Durability D. Atomicity
D is the correct answer. Justification: A. Consistency ensures that the database is in a proper state when the transaction begins and ends and that the transaction has not violated integrity rules. B. Isolation means that, while in an intermediate state, the transaction data are invisible to external operations. This prevents two transactions from attempting to access the same data at the same time. C. Durability guarantees that a successful transaction will persist and cannot be undone. D. Atomicity guarantees that either the entire transaction is processed or none of it is.
A4-7 During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed? A. Field definition B. Master table definition C. Composite keys D. Foreign key structure
D is the correct answer. Justification: A. Field definitions describe the layout of the table but are not directly related to referential integrity. B. Master table definition describes the structure of the database but is not directly related to referential integrity. C. Composite keys describe how the keys are created but are not directly related to referential integrity. D. Referential integrity in a relational database refers to consistency between coupled (linked) tables. Referential integrity is usually enforced by the combination of a primary key or candidate key (alternate key) and a foreign key. For referential integrity to hold, any field in a table that is declared a foreign key should contain only values from a parent table's primary key or a candidate key.
A4-67 Which of the following provides the BEST evidence of an organization's disaster recovery capability readiness? A. A disaster recovery plan (DRP) B. Customer references for the alternate site provider C. Processes for maintaining the DRP D. Results of tests and exercises
D is the correct answer. Justification: A. Having a plan is important, but a plan cannot be considered effective until it has been tested. B. Customer references may aid in choosing an alternate site provider but will not ensure the effectiveness of the plan. C. A disaster recovery plan must be kept up to date through a regular maintenance and review schedule, but this is not as important as testing. D. Only tests and exercises demonstrate the adequacy of the plans and provide reasonable assurance of an organization's disaster recovery capability readiness.
A4-82 A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following ways would be the BEST to mitigate this risk in the future? A. Improve regression test cases. B. Activate audit trails for a limited period after release. C. Conduct an application user access review. D. Ensure that developers do not have access to code after testing.
D is the correct answer. Justification: A. Improving the quality of the testing would not be applicable in this case because the more important issue is that developers have access to the production environment. B. Activating audit trails or performing additional logging may be useful; however, the more important issue is that developers have access to the production environment. C. Conducting an application user access review would not identify developers' access to code because they would not be included in this review. D. To ensure proper segregation of duties, developers should be restricted to the development environment only. If code needs to be modified after user acceptance testing, the process must be restarted in development.
A4-75 Which of the following is the BEST method for determining the criticality of each application system in the production environment? A. Interview the application programmers. B. Perform a gap analysis. C. Review the most recent application audits. D. Perform a business impact analysis.
D is the correct answer. Justification: A. Interviews with the application programmers will provide limited information related to the criticality of the systems. B. A gap analysis is relevant to system development and project management but does not determine application criticality. C. The audits may not contain the required information about application criticality or may not have been done recently. D. A business impact analysis (BIA) will give the impact of the loss of each application. A BIA is conducted with representatives of the business that can accurately describe the criticality of a system and its importance to the business.
A4-90 An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation? A. Log all table update transactions. B. Implement before-and-after image reporting. C. Use tracing and tagging. D. Implement integrity constraints in the database.
D is the correct answer. Justification: A. Logging all table update transactions is a detective control that would not help avoid invalid data entry. B. Implementing before-and-after image reporting is a detective control that would not help avoid the situation. C. Tracing and tagging are used to test application systems and controls and could not prevent out-of-range data. D. Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, preventing any undefined data from being entered.
A4-35 A large chain of shops with electronic funds transfer at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor? A. Offsite storage of daily backups B. Alternative standby processor onsite C. Installation of duplex communication links D. Alternative standby processor at another network node
D is the correct answer. Justification: A. Offsite storage of backups would not help, because electronic funds transfer tends to be an online process and offsite storage will not replace the dysfunctional processor. B. The provision of an alternate processor onsite would be fine if it were an equipment problem but would not help in the case of a power outage and may require technical expertise to cut over to the alternate equipment. C. Installation of duplex communication links would be most appropriate if it were only the communication link that failed. D. Having an alternative standby processor at another network node would be the best solution. The unavailability of the central communications processor would disrupt all access to the banking network, resulting in the disruption of operations for all of the shops. This could be caused by failure of equipment, power or communications.
A4-31 Which of the following is a network diagnostic tool that monitors and records network information? A. Online monitor B. Downtime report C. Help desk report D. Protocol analyzer
D is the correct answer. Justification: A. Online monitors measure telecommunication transmissions and determine whether transmissions were accurate and complete. B. Downtime reports track the availability of telecommunication lines and circuits. C. Help desk reports are prepared by the help desk, which is staffed or supported by IS technical support personnel trained to handle problems occurring during the course of IS operations. D. Protocol analyzers are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached.
A4-69 While performing a review of a critical third-party application, an IS auditor would be MOST concerned with discovering: A. inadequate procedures for ensuring adequate system portability. B. inadequate operational documentation for the system. C. an inadequate alternate service provider listing. D. an inadequate software escrow agreement.
D is the correct answer. Justification: A. Procedures to ensure that systems are developed so that they can be ported to other system platforms will help ensure that the system can still continue functioning without affecting the business process if changes to the infrastructure occur. This is less important than availability of the software. B. Inadequate operational documentation is a risk but would be less significant than the risk of unavailability of the software. C. While alternate service providers could be used if a vendor goes out of business, having access to the source code via a software escrow agreement is more important. D. The inclusion of a clause in the agreement that requires software code to be placed in escrow helps to ensure that the customer can continue to use the software and/or obtain technical support if a vendor were to go out of business.
A4-80 Which of the following is the MOST efficient and sufficiently reliable way to test the design effectiveness of a change control process? A. Test a sample population of change requests B. Test a sample of authorized changes C. Interview personnel in charge of the change control process D. Perform an end-to-end walk-through of the process
D is the correct answer. Justification: A. Testing a sample population of changes is a test of compliance and operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. B. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls. C. Interviewing personnel in charge of the change control process is not as effective as a walk-through of the change control process because people may know the process but not follow it. D. Observation is the best and most effective method to test changes to ensure that the process is effectively designed.
A4-54 An IS auditor is reviewing an organization's recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined? A. The interruption window B. The recovery time objective C. The service delivery objective D. The recovery point objective
D is the correct answer. Justification: A. The interruption window is defined as the amount of time during which the organization is unable to maintain operations from the point of failure to the time that the critical services/applications are restored. B. The recovery time objective is determined based on the acceptable downtime in the case of a disruption of operations. C. The service delivery objective (SDO) is directly related to the business needs. SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. D. The recovery point objective (RPO) is determined based on the acceptable data loss in the case of a disruption of operations. RPO defines the point in time from which it is necessary to recover the data and quantifies, in terms of time, the permissible amount of data loss in the case of interruption.
A4-96 When reviewing a hardware maintenance program, an IS auditor should assess whether: A. the schedule of all unplanned maintenance is maintained. B. it is in line with historical trends. C. it has been approved by the IS steering committee. D. the program is validated against vendor specifications.
D is the correct answer. Justification: A. Unplanned maintenance cannot be scheduled. B. Hardware maintenance programs do not necessarily need to be in line with historic trends. C. Maintenance schedules normally are not approved by the steering committee. D. Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications.
A4-47 Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized? A. Release-to-release source and object comparison reports B. Library control software restricting changes to source code C. Restricted access to source code and object code D. Date and time-stamp reviews of source and object code
D is the correct answer. Justification: A. Using version control software and comparing source and object code is a good practice but may not detect a problem where the source code is a different version than the object code. B. All production libraries should be protected with access controls, and this may protect source code from tampering. However, this will not ensure that source and object codes are based on the same version. C. It is a good practice to protect all source and object code, even in development. However, this will not ensure the synchronization of source and object code. D. Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used.
A4-23 Which of the following reports should an IS auditor use to check compliance with a service level agreement's requirement for uptime? A. Utilization reports B. Hardware error reports C. System logs D. Availability reports
D is the correct answer. Justification: A. Utilization reports document the use of computer equipment, and can be used by management to predict how, where and/or when resources are required. B. Hardware error reports provide information to aid in detecting hardware failures and initiating corrective action. These error reports may not indicate actual system uptime. C. System logs are used for recording the system's activities. They may not indicate availability. D. IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes.