MIS 415 exam 1 Questions
An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the a. Hardware configuration b. Application development methodology c. Access control software d. Ownership of intellectual property
Ownership of intellectual property
Which of the following processes would be the best candidate for business process reengineering? A. Excluded process B. Nonworking process C. Working process D. Marginal process
Nonworking process
Select the best answer to finish this statement: A ____ is strategic in nature, while the ____ is tactical. A. policy, procedure B. standard, procedure C. procedure, standard D. policy, standard
policy, standard
What is the first priority of management upon the possible detection of an irregular or illegal act? A. Shut down access to the system. B. Aid the process of investigation and inquiry. C. Notify appropriate law enforcement. D. Contact auditors to schedule an audit of the situation
Aid the process of investigation and inquiry.
Which is the primary benefit of using a risk-based approach in audit planning? A. Simplifies resource scheduling. B. Allocates resources to the areas of highest concern. C. Properly trained personnel are available. D. Lowers the overall cost of compliance.
Allocates resources to the areas of highest concern.
Which of the following is the best description of an ongoing audit program for regulatory compliance? a. An audit may be automated by using audit program software. b. An audit is performed once for the entire year and then repeated by using the same information for each successive year. c. An audit is a series of assessments performed by the auditee for the purpose of licensing and regulatory compliance. d. An audit is a series of unique projects of short duration that add up to cover all the steps necessary for annual compliance.
An audit is a series of unique projects of short duration that add up to cover all the steps necessary for annual compliance.
Which of the following is in the BEST position to approve changes to the audit charter? a. Board of directors b. Executive management c. Director of internal audit d. Audit committee
Audit committee
Which of the following is the best example of implementing a detective control via administrative methods? A. Auditing of system configuration and log files B. Running a verification of the backup tape for integrity C. Using an intrusion detection and prevention system (IDPS) D. Restoring a damaged file using a copy from the vendor
Auditing of system configuration and log files
Which of the following is not defined as a nonaudit role? a. System designer b. Operational staff member c. Auditor d. Organizational manager
Auditor
During the performance of an audit, a reportable finding is identified with the auditee. The auditee immediately fixed the problem upon identification. Which of the following is true as a result of this interaction? A. Auditee resolved the problem before the audit report is written, therefore no finding exists. B. Auditor can verify that the corrective action has been taken before the audit report is written, therefore no finding exists. C. Auditor includes the finding in the final audit report as resolved. D. Auditor lists the finding as it existed.
Auditor lists the finding as it existed.
Assessments and audits have several points in common. Which of the following statements provides the best description of an assessment compared to an audit? a. Assessment reports provide a high assurance of the situation. b. Audits are more formal than assessments. c. Both provide reports that can be used for licensing purposes. d. They are similar in nature; the difference is in wording.
Audits are more formal than assessments
Which of the following functions should be separated from the others if segregation of duties cannot be achieved in an automated system? A. Origination B. Authorization C. Reprocessing D. Transaction logging
Authorization
The Software Engineering Institute's Capability Maturity Model (CMM) is best described by which of the following options? a. Documentation of accomplishments achieved during program development b. Baseline of the current progress or regression c. Relationship of application performance to the user's stated requirement d. Measurement of resources necessary to ensure a reduction in coding defects
Baseline of the current progress or regression
Which of the following goals would you expect to find in an organization's strategic plan? a. Become the supplier of choice for the product offered b. Perform an evaluation of information technology needs c. Test a new accounting package d. Implement a new project planning system within the next 12 months
Become the supplier of choice for the product offered
Which of these choices is the best answer regarding who is primarily responsible for providing internal controls to detect, correct, and prevent irregularities or illegal acts? A. Board of directors B. Information technology C. Legal, aka general counsel D. Human resources
Board of directors
After presenting the report at the conclusion of an audit, the lead auditor discovers the omission of a procedure. What should the auditor do next? A. Log on to CareerBuilder.com and change their current employment status to available. B. Cancel the report if audit alternatives cannot compensate for the deficiency. C. File an incident disclosure report with the audit association to minimize any liability. D. No action is required as long as the omitted procedure is included in the next audit
Cancel the report if audit alternatives cannot compensate for the deficiency.
Which of the following is the best way for an auditor to prove their competence to perform an audit? A. Having prior experience working in information technology B. Citing each point in a regulation with an audit objective and specific test C. Obtaining auditor certification with ongoing training D. Having prior experience in financial auditing
Citing each point in a regulation with an audit objective and specific test
What are three of the four key perspectives on the IT balanced scorecard? A. Business justification, service-level agreements, budget B. Organizational staffing, cost reduction, employee training C. Cost reduction, business process, growth D. Service level, critical success factors, vendor selection
Cost reduction, business process, growth
During the selection of a BPR project, which of the following is the ideal target with the highest return? a. Working process b. Nonworking process c. Marginal process d. Excluded process
Nonworking process
The Capability Maturity Model (CMM) contains five levels of achievement. Which of the following options contains three of the levels in proper sequence? a. Managed, Defined, Repeatable b. Initial, Managed, Repeatable c. Initial, Managed, Defined d. Defined, Managed, Optimized
Defined, Managed, Optimized
Which of the following is not one of the three major control types? A. Detective B. Deterrent C. Preventive D. Corrective
Deterrent
The auditor is permitted to deviate from professional audit standards when they feel it is necessary because of which of the following? A. Standards are designed for discretionary use. B. The unique characteristics of each client will require auditor flexibility. C. Deviating from standards is almost unheard of and would require significant justification. D. Deviation depends on the authority granted in the audit charter
Deviating from standards is almost unheard of and would require significant justification.
An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: a. Remove the IS auditor from the engagement b. Disclose the issue to the client c. Take steps to restore the IS auditor's independence d. Cancel the engagement
Disclose the issue to the client
Which sampling method is used when the likelihood of finding evidence is low? A. Discovery B. Cell C. Random D. Stop and go
Discovery
What is the name of the decentralized control method enabling someone to make a decision based on their own options? a. Detailed b. Executive c. Discretionary d. Mandatory
Discretionary
Which of these is not the purpose of the ISO 15489 standard for a records management system? a. Define the legal definition of the minimum handling requirements for data records. b. Provide a legal standard of negligence and culpability. c. Define governance responsibilities during the life cycle of data. d. Eliminate the need for a detailed classification list of each data set.
Eliminate the need for a detailed classification list of each data set.
When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts? a. Ensure that the IT security risk assessment has a clearly defined scope b. Require the IT security officer to approve each risk rating during the workshop c. Suggest that the IT security officer accept the business unit risk and rating d. Select only commonly accepted risk with the highest submitted rating
Ensure that the IT security risk assessment has a clearly defined scope
Which of the following answers contains the steps for business process reengineering (BPR) in proper sequence? A. Diagnose, envision, redesign, reconstruct B. Envision, initiate, diagnose, redesign, reconstruct, evaluate C. Evaluate, envision, redesign, reconstruct, review D. Initiate, evaluate, diagnose, reconstruct, review
Envision, initiate, diagnose, redesign, reconstruct, evaluate
Which of the following options contains the steps for business process reengineering (BPR) in the proper sequence? a. Initiate, evaluate, diagnose, reconstruct, review b. Diagnose, envision, redesign, reconstruct c. Envision, initiate, diagnose, redesign, reconstruct, evaluate d. Evaluate, envision, redesign, reconstruct, review
Envision, initiate, diagnose, redesign, reconstruct, evaluate
Information that proves or disproves a stated issue. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support. a. Control b. Exit Interview c. Audit Evidence d. Evidence
Evidence
A shadow organization refers to two groups performing similar functions under different departments. What does the presence of a shadow organization indicate? a. A relationship of trust and proper delegation of authority b. A sponsor who is cooperating as a team player with separation of duties c. Executive distrust or failure to integrate d. Twice the support coverage
Executive distrust or failure to integrate
Which of the following statements is not true regarding the audit committee? a. Executives can be hired and fired by the audit committee because this committee is responsible for management oversight. b. The audit committee is composed of members from the board of directors. This committee has the authority to hire external auditors, and external auditors may meet with the committee on a quarterly basis without other executives present. c. The audit committee provides senior executives a method of bringing problems into a confidential discussion for the purpose of exploring a resolution. d. Executives inside the organization oversee the audit committee and are responsible for keeping the committee busy working on compliance programs.
Executives inside the organization oversee the audit committee and are responsible for keeping the committee busy working on compliance programs.
Which of the following represents the hierarchy of controls from highest level to lowest level? A. General, pervasive, detailed, application B. Pervasive, general, application, detailed C. Detailed, pervasive, application, detailed D. Application, general, detailed, pervasive
General, pervasive, detailed, application
What term simply means the right people of authority looked at the issue, made an intelligent decision, and took appropriate action? a. Corporate responsibility b. Governance c. Chain of command d. Leadership
Governance
Which of the following nonstatistical audit samples is also known as a judgmental sample? A. Haphazard B. Attribute C. Unstratified mean D. Random
Haphazard
The final decision to include a material finding in an audit report should be made by the a. Chief executive officer (CEO) of the organization b. Auditee's manager c. Audit committee d. IS auditor
IS auditor
The PRIMARY objective of testing a business continuity plan is to: a. Familiarize employees with the business continuity plan b. Exercise all possible disaster scenarios c. Ensure that all residual risk is addressed d. Identify limitations of the business continuity plan
Identify limitations of the business continuity plan
Which of the following assurance methods is acceptable for external use, including licensing? a. Internal audit b. Assessment c. Independent audit d. External audit
Independent Audit
What is the primary technique for reporting compliance with key requirements in operations? a. Technical recommendations from IT b. COBIT performance framework c. Identify business issues and governance objectives d. Individual elements created from contracts and regulations
Individual elements created from contracts and regulations
Which of the following audit tools incorporates dummy transactions into the normal processing on a system? A. Continuous and intermittent simulation (CIS) B. Integrated test facility (ITF) C. Program audit hooks D. Snapshot
Integrated test facility (ITF)
What are common types of audits? a. Financial, SAS-74, compliance, administrative b. Forensic, accounting, verification, regulatory c. Information systems, SAS-70, regulatory, procedural d. Integrated, operational, compliance, administrative
Integrated, operational, compliance, administrative
Which of the following statements is not true concerning the use of a records management system? a. Details the foundation of all security control decisions determined by management b. Contains metadata describing acceptable and unacceptable handling procedures c. Provides a list of each data file to be protected d. Is not necessary for evidence of proper record keeping
Is not necessary for evidence of proper record keeping
Why is change control considered a governance issue? a. Proper implementation of change control reduces the need for separate test and production systems. b. It allows management to save time by granting more authority to administrators. c. It forces separation of duties to ensure that at least two people agree with the decision. d. Change control increases the trust factor.
It forces separation of duties to ensure that at least two people agree with the decision.
Which of the following is true regarding the principle of auditor independence? A. It is not an issue for auditors working for a consulting company. B. It is required for an external audit to prevent bias. C. An internal auditor must undergo certification training to be independent. D. The audit committee would bestow independence on the auditor.
It is required for an external audit to prevent bias.
Which of the following options is true about the term auditor independence? a. An internal auditor must undergo certification training to be independent. b. It is not an issue for auditors working for a consulting company. c. The audit committee bestows independence upon the auditor. d. It is required for an external audit.
It is required for an external audit.
The most important and relevant controls a. Inherent Risk b. Key Controls c. Control Risk d. Audit Evidence
Key Controls
Which statement about the Capability Maturity Model is not true? a. Level 3 processes have published objectives, measurements, and standards that are in effect across departmental boundaries. b. Level 5 provides maximum control in outsourcing because the definition of requirements is very specific. c. Level 3 provides quantitative measurement of the process output. d. Level 5 maturity converts a product into a commodity and allows a company to pay less and demand unquestionable adherence to management's authority.
Level 3 provides quantitative measurement of the process output.
Which of the following statements is true concerning the role of management and the role of the auditor? A. Management uses the auditor's report before making their assertions. B. Management must make their assertions prior to reading the auditor's report. C. The auditor is able to view only evidence that has been predetermined by management. D. The auditor's opinion will be based on the desire of management
Management must make their assertions prior to reading the auditor's report.
Portfolio management includes all of the following except which one? A. Selection of projects based on the best return on investment B. Centralized control of priorities across the projects C. Management of concurrent projects D. Method of controlling changes in the work breakdown structure
Method of controlling changes in the work breakdown structure
When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? a. Acceptance b. Avoidance c. Mitigation d. Transfer
Mitigation
What is the correct sequence for benchmark processes in business process reengineering (BPR) projects? a. Observe, research, analyze, adapt, plan, implement b. Plan, research, observe, analyze, adapt, improve c. Plan, observe, analyze, improve, test d. Research, test, plan, adapt, analyze, improve
Plan, research, observe, analyze, adapt, improve
The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to a. Perform the audit according to the defined scope b. Comply with regulatory requirements c. Provide a basis for drawing reasonable conclusions d. Ensure complete audit coverage
Provide a basis for drawing reasonable conclusions
What is the best definition of auditing? A. Review of past history using evidence to tell the story B. Forecasting compliance generated by a new system preparing to enter production C. Precompliance assessment based on management's intended design D. Certification testing of the system benefits or failures
Review of past history using evidence to tell the story
When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control? a. Reviewing transaction and application logs b. Locking user sessions after a specified period of inactivity c. Performing background checks prior to hiring IT staff d. Restricting physical access to computing equipment
Reviewing transaction and application logs
What would be the area of greatest interest during an audit of a business process reengineering (BPR) project? a. Vendor participation, documentation, installation assistance, and training b. Risk management planning alignment of the project to business objectives. c. Planning methods include Program Evaluation Review Technique (PERT). d. The steering committee approves sufficient controls for fraud detection.
Risk management planning alignment of the project to business objectives.
Which of the following business process reengineering (BPR) risks are likely to occur during the design phase? a. Technical risk, detection risk, audit risk b. Scope risk, skill risk, political risk c. Management risk, technical risk, HR risk d. Transition risk, skill risk, financial risk
Scope risk, skill risk, political risk
What function does the auditor provide? A. Second set of eyes, which are external to the subject under review B. Independent assurance that the claims of management are correct C. Assistance by fixing problems found during the audit D. Adapting standards to fit the needs of the client
Second set of eyes, which are external to the subject under review
Which type of charge-back scheme is notorious for violating separation of duties or for attempting to exceed authority? a. Charge back b. Actual usage billing c. Budgeted cost d. Sponsor pays
Sponsor pays
What is the definition of a standard as compared to a guideline? a. Guidelines are recommended controls necessary to support standards, which are discretionary. b. Standards are mandatory controls designed to support a policy. Following guidelines is discretionary. c. Standards are discretionary controls used with guidelines to aid the reader's decision process. d. Guidelines are intended to designate a policy, whereas standards are used in the absence of a policy.
Standards are mandatory controls designed to support a policy. Following guidelines is discretionary.
Which of the following is the best choice to ensure that internal control objectives are met? A. Top executive issues a policy stating compliance objectives. B. Procedures are created to govern employee conduct. C. Suitable systems for tracking and reporting incidents are used. D. The client's operating records are audited annually
Suitable systems for tracking and reporting incidents are used.
Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? a. Tracing and tagging b. Transaction logs c. Before and after image reporting d. Table lookups
Table lookups
Which of the following is not considered a control failure? a. Modifying an ineffective procedure outside of change control b. Implementing a policy or standard without consequences of failure c. Testing to discover how many policy violations have occurred d. Using a policy that lacks a detective mechanism to identify violations
Testing to discover how many policy violations have occurred
A member of the auditee staff offers to loan you an unauthorized copy of software that you need for a short time. What should you, as the auditor, always remember? A. It's okay to borrow the software for one-time use. B. The auditee is not acting in an ethical manner. C. The auditee will usually get amnesty for turning in the auditor or discrediting the auditor. D. Odds of getting caught on this are very low.
The auditee will usually get amnesty for turning in the auditor or discrediting the auditor.
Which of the following statements is true concerning the auditor's qualified opinion? A. The auditor has reservations about the findings. B. The auditor is professionally qualified to give an opinion. C. The auditor has no reservations about the findings. D. The auditor has prior experience working in the IT department.
The auditor has reservations about the findings.
How should the auditor assist in the remediation of problems found during the audit? a. The auditor should never take ownership of problems found. Auditors are encouraged to provide general advice to the auditee, including an explanation of what to look for during the audit. b. The auditor should help the auditees. The auditor can add value by defining the specific steps necessary for remediation of the problem. c. The auditor should decide whether the problem is major or minor and then advise the auditee with a specific solution after considering the impact to the business. d. The auditor should take ownership of the issue and participate in designing the plan for fixing the problem.
The auditor should never take ownership of problems found. Auditors are encouraged to provide general advice to the auditee, including an explanation of what to look for during the audit.
Which of the following is true concerning reporting by internal auditors? A. Results can be used for industry licensing. B. The corresponding value of the audit report is high. C. Results can be used for external reporting. D. The corresponding value of the audit report is low.
The corresponding value of the audit report is low
Which of the following is true concerning the roles of data owner, data user, and data custodian? a. The data user implements controls as necessary. b. The data custodian is responsible for specifying acceptable usage. c. The data owner specifies controls. d. The data custodian specifies security classification.
The data owner specifies controls.
Who should issue the organizational policies? a. Policies should originate from the bottom and move up to the department manager for approval. b. The policy should be signed and enforced by any level of management. c. The policy should be signed and enforced by the highest level of management. d. The auditor should issue the policies in accordance with standards, and they should be authorized by the highest level of management to ensure compliance
The policy should be signed and enforced by the highest level of management.
What is the principal issue surrounding the use of CAAT software? A. The capability of the software vendor B. Documentary evidence is more effective C. Inability of automated tools to consider the human characteristics of the environment D. The possible cost, complexity, and security of output
The possible cost, complexity, and security of output
What is the purpose of the audit committee? A. To provide daily coordination of all audit activities B. To challenge and review assurances C. To assist the managers with training in auditing skills D. To govern, control, and manage the organization
To challenge and review assurances
What is the purpose of ISACA's professional ethics statement? a. To provide procedural advisement to the new IS auditor b. To provide advice on when it is acceptable for the auditor to deviate from audit standards c. To clearly specify acceptable and unacceptable behavior d. To provide instructions on how to deal with irregularities and illegal acts by the client
To clearly specify acceptable and unacceptable behavior
Which of the following is not cited in the text as a reason that balanced scorecard (BSC) implementations could fail? a. Top management providing full support b. Lack of BSC training and awareness c. Politics of losing the department budget d. Empire building by the department head
Top management providing full support
Which of the following would be a concern that the auditor should explain in the audit report along with their findings? A. Lack of a detailed list of audit objectives B. Undue restrictions placed by management on evidence use or audit procedure C. Communicating results directly to the chairperson of the audit committee D. Need by the current auditor to communicate with the prior auditors
Undue restrictions placed by management on evidence use or audit procedure
In regard to the IT governance control objectives, which of the following occurrences would the auditor be most concerned about during execution of the audit? A. Using the practice of self-monitoring to report problems B. Using proper change control C. Conflict in the existing reporting relationship D. Production system without accreditation
Using proper change control
What is the difference between a threat and a vulnerability? a. Vulnerabilities are a path that can be taken by a threat, resulting in a loss. b. Vulnerability is a negative event that will cause a loss if it occurs. c. Threats are risks and become a vulnerability if they occur. d. Threats are the path that can be exploited by a vulnerability.
Vulnerabilities are a path that can be taken by a threat, resulting in a loss
An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? a. Process narrative b. Reperformance c. Inquiry d. Walk-through
Walk-through
An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose? a. Inspection b. Walk-through c. Reperformance d. Inquiry
Walk-through
Who should the auditor notify if an illegal or inappropriate act involves the persons responsible for governance of controls? A. Law enforcement B. Audit committee C. Federal regulators D. Whistle-blower hotline
Whistle-blower hotline