CISA Questions


A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of: concurrent access. deadlocks. unauthorized access to data. a loss of data integrity.

A loss of data integrity is correct. Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity. Concurrent access is incorrect. Denormalization will have no effect on concurrent access to data in a database; concurrent access is resolved through locking. Deadlocks is incorrect. These are a result of locking of records. This is not related to normalization. Unauthorized access to data is incorrect. Access to data is controlled by defining user rights to information and is not affected by denormalization.

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques provides the GREATEST assistance in developing an estimate of project duration? Function point analysis; Program evaluation review technique chart; Rapid application development; Object-oriented system development.

A program evaluation review technique chart is correct. This will help determine project duration once all the activities and the work involved with those activities are known. Function point analysis is incorrect. This is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries and logical internal files. While this will help determine the size of individual activities, it will not assist in determining project duration because there are many overlapping tasks. Rapid application development is incorrect. This is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. Object-oriented system development is incorrect. This is the process of solution specification and modeling but will not assist in calculating project duration.

An organization is implementing an enterprise resource planning application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? Project sponsor; System development project team; Project steering committee; User project team.

A project steering committee is correct. A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project's progress to ensure that it will deliver the expected results. A project sponsor is incorrect. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. System development project team is incorrect. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for overseeing the progress of the project. A user project team (UPT) is incorrect. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project.

An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control? Walk-through with the reviewer of the operation of the control; System-generated exception reports for the review period with the reviewer's sign-off; A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer; Management's confirmation of the effectiveness of the control for the review period.

A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer is correct. This represents the best possible evidence of the effective operation of the control, because there is documented evidence that the reviewer reviewed the exception report and took actions based on the exception report. Walk-through with the reviewer of the operation of the control is incorrect. A walk-through highlights how a control is designed to work, but it seldom highlights the effectiveness of the control, or exceptions or constraints in the process. System-generated exception reports for the review period with the reviewer's sign-off is incorrect. Reviewer sign-off does not demonstrate the effectiveness of the control if the reviewer does not note follow-up actions for the exceptions identified. Management's confirmation of the effectiveness of the control for the review period is incorrect and suffers from lack of independence—management might be biased toward the effectiveness of the controls put in place.

An IS auditor has been asked to review the implementation of a customer relationship management system for a large organization. The IS auditor discovered the project incurred significant over-budget expenses and scope creep caused the project to miss key dates. Which of the following should the IS auditor recommend for future projects? Project management training; A software baseline; A balanced scorecard; Automated requirements software.

A software baseline is correct. Use of a software baseline provides a cutoff point for the design of the system and allows the project to proceed as scheduled without being delayed by scope creep. Project management training is incorrect. While project management training is a good practice, it does not necessarily prevent scope creep without the use of a software baseline and a robust requirements change process. A balanced scorecard is incorrect. This is a coherent set of performance measures organized into four categories that includes traditional financial measures, but adds customer, internal business process, and learning and growth perspectives. It does not prevent scope creep. Automated requirements software is incorrect. Use of automated requirements software does not decrease the risk of scope creep.

Neural networks are effective in detecting fraud because they can: discover new trends because they are inherently linear. solve problems where large and general sets of training data are not obtainable. address problems that require consideration of a large number of input variables. make assumptions about the shape of any curve relating variables to the output.

Address problems that require consideration of a large number of input variables is correct. Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends. Discover new trends because they are inherently linear is incorrect. Neural networks are inherently nonlinear. Solve problems where large and general sets of training data are not obtainable is incorrect. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable. Make assumptions about the shape of any curve relating variables to the output is incorrect. Neural networks make no assumption about the shape of any curve relating variables to the output.

Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service? Compliance with the master agreement; Agreed-on key performance metrics; Results of business continuity tests; Results of independent audit reports.

Agreed-on key performance indicators is correct. Key performance indicators are metrics that allow for a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time. Compliance with the master contract is incorrect. The master contract typically includes terms, conditions and costs but does not typically include service levels. Results of business continuity tests is incorrect. If applicable to the service, results of business continuity tests are typically included as part of the due diligence review. Results of independent audit reports is incorrect. Independent audits report on the financial condition of an organization or the control environment. Reviewing audit reports is typically part of the due diligence review. Even audits must be performed against a set of standards or metrics to validate compliance.

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: claims to meet or exceed industry security standards. agrees to be subject to external security reviews. has a good market reputation for service and experience. complies with security policies of the organization.

Agrees to be subject to external security reviews is correct. It is critical that an independent security review of an outsourcing vendor be obtained, because customer credit information will be kept with the vendor. Claims to meet or exceed industry security standards is incorrect. Compliance with security standards is important, but there is no way to verify or prove that is the case without an independent review. Has a good market reputation for service and experience is incorrect. Though long experience in business and a good reputation are important factors in assessing service quality, the business cannot outsource to a provider whose security control is weak. Complies with security policies of the organization is incorrect. Compliance with organizational security policies is important, but there is no way to verify or prove that that is the case without an independent review.

An IS auditor finds that a disaster recovery plan for critical business functions does not cover all systems. Which of the following is the MOST appropriate course of action for the IS auditor? Alert management and evaluate the impact of not covering all systems. Cancel the audit. Complete the audit of the systems covered by the existing DRP. Postpone the audit until the systems are added to the DRP.

Alert management and evaluate the impact of not covering all systems is correct. An IS auditor should make management aware that some systems are omitted from the disaster recovery plan (DRP). An IS auditor should continue the audit and include an evaluation of the impact of not including all systems in the DRP. Cancel the audit is incorrect. Canceling the audit is an inappropriate action. Complete the audit of the systems covered by the existing DRP is incorrect. Ignoring the fact that some systems are not covered would violate audit standards that require reporting all material findings and is an inappropriate action. Postponing the audit is an inappropriate action. The audit should be completed according to the initial scope with identification to management of the risk of systems not being covered.

Which of the following does an IS auditor consider the MOST relevant to short-term planning for an IT department? Allocating resources; Adapting to changing technologies; Conducting control self-assessments; Evaluating hardware needs.

Allocating resources is correct. The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor ensures that the resources are being managed adequately. Adapting to changing technologies is incorrect. Investments in IT need to be aligned with top management strategies rather than be relevant to short-term planning and focus on technology for technology's sake. Conducting control self-assessments is incorrect. This is not as critical as allocating resources during short-term planning for the IT department. Evaluating hardware needs is incorrect. This is not as critical as allocating resources during short-term planning for the IT department.

The PRIMARY advantage of a continuous audit approach is that it: does not require an IS auditor to collect evidence on system reliability while processing is taking place. allows the IS auditor to review and follow up on audit issues in a timely manner. places the responsibility for enforcement and monitoring of controls on the security department instead of audit. simplifies the extraction and correlation of data from multiple and complex systems.

Allows the IS auditor to review and follow up on audit issues in a timely manner is correct. Continuous audit allows audit and response to audit issues in a timely manner because audit findings are gathered in near real time. Does not require an IS auditor to collect evidence on system reliability while processing is taking place is incorrect. The continuous audit approach often requires an IS auditor to collect evidence on system reliability while processing is taking place. Places the responsibility for enforcement and monitoring of controls on the security department instead of audit is incorrect. Responsibility for enforcement and monitoring of controls is primarily the responsibility of management. Simplifies the extraction and correlation of data from multiple and complex systems is incorrect. The use of continuous audit is not based on the complexity or number of systems being monitored.

An organization is considering connecting a critical PC-based system to the Internet. Which of the following would provide the BEST protection against hacking? An application-level gateway; A remote access server; A proxy server; Port scanning.

An application-level gateway is correct. This is the best way to protect against hacking because it can be configured with detailed rules that describe the type of user or connection that is or is not permitted. It analyzes each packet in detail, not only in layers one through four of the Open Systems Interconnection model but also in layers five through seven, which means that it reviews the commands of each higher-level protocol (Hypertext Transfer Protocol, File Transfer Protocol, Simple Network Management Protocol, etc.). A remote access server is incorrect. In this situation, there is a device (server) that asks for a username and password before allowing entry to the network. This is good when accessing private networks, but it can be mapped or scanned from the Internet, creating security exposure. A proxy server is incorrect. This can provide excellent protection, but depending on the type of proxy, it may not be able to examine traffic as effectively as an application gateway. For proxy servers to work, someone who really knows how to configure them is needed, and applications can use different ports for the different sections of the program. Port scanning is incorrect. This is used to detect vulnerabilities or open ports on a network, but not when trying to control what comes from the Internet, or when all the ports available need to be controlled. For example, the port for Ping (echo request) could be blocked and the IP addresses would be available for the application and browsing but would not respond to Ping.

Which of the following specifically addresses how to detect cyberattacks against an organization's IT systems and how to recover from an attack? An incident response plan; An IT contingency plan; A business continuity plan; A continuity of operations plan.

An incident response plan (IRP) is correct. This determines the information security responses to incidents such as cyberattacks on systems and/or networks. This plan establishes procedures to enable security personnel to identify, mitigate and recover from malicious computer incidents such as unauthorized access to a system or data, denial-of-service or unauthorized changes to system hardware or software. An IT contingency plan is incorrect. This addresses IT system disruptions and establishes procedures for recovering from a major application or general support system failure. The contingency plan deals with ways to recover from an unexpected failure, but it does not address the identification or prevention of cyberattacks. A business continuity plan (BCP) is incorrect. This addresses business processes and provides procedures for sustaining essential business operations while recovering from a significant disruption. While a cyberattack could be severe enough to require use of the BCP, the IRP would be used to determine which actions should be taken—both to stop the attack as well as to resume normal operations after the attack. A continuity of operations plan is incorrect. This addresses the subset of an organization's missions that are deemed most critical and contains procedures to sustain these functions at an alternate site for a short time period.

An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider's employees adhere to the security policies? Sign-off is required on the enterprise's security policies for all users. An indemnity clause is included in the contract with the service provider. Mandatory security awareness training is implemented for all users. Security policies should be modified to address compliance by third-party users.

An indemnity clause is included in the contract with the service provider is correct. Having the service provider sign an indemnity clause will ensure compliance to the enterprise's security policies, because any violations discovered will lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely. Sign-off is required on the enterprise's security policies for all users is incorrect. Having users sign off on policies is a good practice; however, this only puts the onus of compliance on the individual user, not on the organization. Mandatory security awareness training is implemented for all users is incorrect. Awareness training is an excellent control but will not ensure that the service provider's employees adhere to policy. Security policies should be modified to address compliance by third-party users is incorrect. Modification of security policy does not ensure compliance by users unless the policies are appropriately communicated to users and enforced, and awareness training is provided.

Which of the following types of firewalls provide the GREATEST degree and granularity of control? Screening router; Packet filter; Application gateway; Circuit gateway.

Application gateway is correct. This is similar to a circuit gateway, but it has specific proxies for each service. To handle web services, it has a Hypertext Transfer Protocol (HTTP) proxy that acts as an intermediary between externals and internals but is specifically for HTTP. This means that it not only checks the packet Internet Protocol (IP) addresses (Open Systems Interconnection [OSI] Layer 3) and the ports it is directed to (in this case port 80, or layer 4), it also checks every HTTP command (OSI Layers 5 and 7). Therefore, it works in a more detailed (granular) way than the other choices. Screening router is incorrect. Screening routers and packet filters work at the protocol, service and/or port level. This means that they analyze packets from layers 3 and 4 and not from higher levels. Packet filter is incorrect. This works at too low a level of the communication stack to provide granular control. Circuit gateway is incorrect. This is based on a proxy or program that acts as an intermediary between external and internal accesses. This means that, during an external access, instead of opening a single connection to the internal server, two connections are established: one from the external server to the proxy (which forms the circuit gateway) and one from the proxy to the internal server. OSI Layers 3 and 4 (IP and Transmission Control Protocol) and some general features from higher protocols are used to perform these tasks.

Which of the following is a prevalent risk in the development of end-user computing applications? Applications may not be subject to testing and IT general controls. Development and maintenance costs may be increased. Application development time may be increased. Decision-making may be impaired due to diminished responsiveness to requests for information.

Applications may not be subject to testing and IT general controls is correct. End-user computing (EUC) is defined as the ability of end users to design and implement their own information system using computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. Development and maintenance costs may be increased is incorrect. EUC systems typically result in reduced application development and maintenance costs. Application development time may be increased is incorrect. EUC systems typically result in a reduced development cycle time. Decision-making may be impaired due to diminished responsiveness to requests for information is incorrect. EUC systems normally increase flexibility and responsiveness to management's information requests because the system is being developed directly by the user community.

During an access control review for a mainframe application, an IS auditor discovers user security groups without designated owners. The PRIMARY reason that this is a concern to the IS auditor is that without ownership, there is no one with clear responsibility for: updating group metadata. reviewing existing user access. approval of user access. removing terminated users.

Approval of user access is correct. Without an owner to provide approval for user access to the group, unauthorized individuals could potentially gain access to any sensitive data within the rights of the group. Updating group metadata is incorrect. Updating data about the group is not a great concern when compared to unauthorized access. Reviewing existing user access is incorrect. While the periodic review of user accounts is a good practice, this is a detective control and not as robust as preventing unauthorized access to the group in the first place. Removing terminated users is incorrect. This is a compensating control for the normal termination process and is also a detective control.

Which of the following does an IS auditor FIRST reference when performing an IS audit? Implemented procedures; Approved policies; Internal standards; Documented practices.

Approved policies is correct. Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy. Implemented procedures is incorrect. Procedures are implemented in accordance with policy. Internal standards is incorrect. Standards are subordinate to policy. Documented practices is incorrect. Practices are subordinate to policy.

The risk associated with electronic evidence gathering is MOST likely reduced by an email: destruction policy. security policy. archive policy. audit policy.

Archive policy is correct. With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible. Destruction policy is incorrect. The email retention policy would include the destruction or deletion of emails. This must be compliant with legal requirements to retain emails. Security policy is incorrect. A security policy is too high level and would not address the risk of inadequate retention of emails or the ability to provide access to emails when required. Audit policy is incorrect. An audit policy would not address the legal requirement to provide emails as electronic evidence.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy? Assimilation of the framework and intent of a written security policy by all appropriate parties; Management support and approval for the implementation and maintenance of a security policy; Enforcement of security rules by providing punitive actions for any violation of security rules; Stringent implementation, monitoring and enforcing of rules by the security officer through access control software.

Assimilation of the framework and intent of a written security policy by all appropriate parties is correct. This is critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective. Management support and approval for the implementation and maintenance of a security policy is incorrect. Management support and commitment is, no doubt, important, but for successful implementation and maintenance of a security policy, educating the users on the importance of security is paramount. Enforcement of security rules by providing punitive actions for any violation of security rules is incorrect. Punitive actions are needed to enforce the policy but are not the key to successful implementation. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software is incorrect. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules is important, but it is dependent on the support and education of management and users on the importance of security.

Which of the following sampling methods is MOST useful when testing for compliance? Attribute sampling; Variable sampling; Stratified mean per unit sampling; Difference estimation sampling.

Attribute sampling is correct. It is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain predefined dollar amount for proper approvals. Variable sampling is incorrect. It is based on the calculation of a mean from a sample extracted from the entire population and using that to estimate the characteristics of the entire population. For example, a sample of 10 items shows an average price of US $10 per item. For the entire population of 1,000 items, the total value is estimated to be US $10,000. This is not a good way to measure compliance with a process. Stratified mean-per-unit sampling is incorrect. This attempts to ensure that the entire population is represented in the sample. This is not an effective way to measure compliance. Difference estimation sampling is incorrect. This examines measure deviations and extraordinary items and is not a good way to measure compliance.

Which of the following sampling methods would be the MOST effective to determine whether purchase orders issued to vendors have been authorized as per the authorization matrix? Variable sampling; Stratified mean per unit; Attribute sampling; Unstratified mean per unit.

Attribute sampling is correct. This is the method used for compliance testing. In this scenario, the operation of a control is being evaluated, and therefore, the attribute of whether each purchase order was correctly authorized would be used to determine compliance with the control. Variable sampling is incorrect. This is the method used for substantive testing, which involves testing transactions for quantitative aspects such as monetary values. Stratified mean per unit is incorrect. This is used in variable sampling. Unstratified mean per unit is incorrect. This is used in variable sampling.

Which of the following would be expected to approve the audit charter? Chief financial officer; Chief executive officer; Audit steering committee; Audit committee.

Audit committee is correct. One of the primary functions of the audit committee is to create and approve the audit charter. The chief financial officer (CFO) is incorrect. The CFO does not approve the audit charter but may be responsible for allocating funds in support of the audit charter. The CFO may also be a part of the audit committee or audit steering committee but would not approve the charter on their own. The chief executive officer (CEO) is incorrect. The CEO does not approve the audit charter. The CEO may be informed, but they are independent of the audit committee. Audit steering committee is incorrect. The steering committee would most likely be composed of various members of senior management whose purpose is to work under the framework of the audit charter and would not approve the charter itself.

Which of the following is in the BEST position to approve changes to the audit charter? Board of directors; Audit committee; Executive management; Director of internal audit.

Audit committee is correct. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee. Board of directors is incorrect. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval. Executive management is incorrect. Executive management is not required to approve the audit charter and will not have the independence to approve the charter. The audit committee is in the best position to approve the charter because it is an independent and senior group. Director of internal audit is incorrect. While the director of internal audit may draft the charter and make changes, the audit committee should have the final approval of the charter.

Which of the following is responsible for the approval of an information security policy? IT department; Security committee; Security administrator; Board of directors.

Board of directors is correct. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors. The IT department is incorrect. This department is responsible for the execution of the policy, having no authority in framing the policy. The security committee is incorrect. This group also functions within the broad security policy framed by the board of directors. The security administrator is incorrect. This role is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized.

When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the: project be discontinued. business case be updated and possible corrective actions be identified. project be returned to the project sponsor for reapproval. project be completed and the business case be updated later.

Business case be updated and possible corrective actions be identified is correct. The IS auditor should recommend that the business case be kept current throughout the project because it is a key input to decisions made throughout the life of any project. Project be discontinued is incorrect. An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. Project be returned to the project sponsor for re-approval is incorrect. The project cannot be returned to the sponsor until the business case has been updated. Project be completed and the business case be updated later is incorrect. An IS auditor should not recommend completing the project before reviewing an updated business case and ensuring approval from the project sponsor.

An IS auditor assesses the project management process for an internal software development project. In respect to the software functionality, the IS auditor should look for sign-off by: the project manager. systems development management. business unit management. the quality assurance team.

Business unit management is correct. This group assumes ownership of the project and the resulting system. It is responsible for acceptance testing and confirming that the required functions are available in the software. The project manager is incorrect. This individual provides day-to-day management and leadership of the project and ensures that project activities remain in line with the overall direction. The project manager cannot sign off on project requirements; that would be a violation of separation of duties. Systems development management is incorrect. This group provides technical support for hardware and software environments. The quality assurance team is incorrect. This group ensures the quality of the project by measuring adherence to the organization's system development life cycle. They will conduct testing but not sign off on the project requirements.

An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered: can deliver on the immediate contract. is of similar financial standing as the organization. has significant financial obligations that can impose liability to the organization. can support the organization in the long term.

Can support the organization in the long term is correct. The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product. Can deliver on the immediate contract is incorrect. The capability of the organization to support the enterprise should extend beyond the time of execution of the immediate contract. The objective of financial evaluation should not be confined to the immediate contract but should be to provide assurance of sustainability over a longer time frame. Is of similar financial standing as the organization is incorrect. Whether the vendor is of similar financial standing as the purchaser is irrelevant to this review. Has significant financial obligations that can impose liability to the organization is incorrect. The vendor should not have financial obligations that could impose a liability to the purchaser; the financial obligations are usually from the purchaser to the vendor.

Due to changes in IT, the disaster recovery plan of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested? Catastrophic service interruption High consumption of resources Total cost of the recovery may not be minimized Users and recovery teams may face severe difficulties when activating the plan

Catastrophic service interruption is correct. If a new disaster recovery plan (DRP) is not tested, the possibility of a catastrophic service interruption that the organization cannot recover from is the most critical of all risk. High consumption of resources is incorrect. A DRP that has not been tested may lead to a higher consumption of resources than expected, but that is not the most critical risk. Total cost of the recovery may not be minimized is incorrect. An untested DRP may be inefficient and lead to extraordinary costs, but the most serious risk is the failure of critical services. Users and recovery teams may face severe difficulties when activating the plan is incorrect. Testing educates users and recovery teams so that they can effectively execute the DRP, but the most critical risk is the failure of core business services.

An IS auditor is reviewing security incident management procedures for the company. Which of the following choices is the MOST important consideration? Chain of custody of electronic evidence System breach notification procedures Escalation procedures to external agencies Procedures to recover lost data

Chain of custody of electronic evidence is correct. The preservation of evidence is the most important consideration in regard to security incident management. If data and evidence are not collected properly, valuable information could be lost and would not be admissible in a court of law should the company decide to pursue litigation. System breach notification procedures is incorrect. System breach notification is an important aspect and, in many cases, may even be required by laws and regulations; however, the security incident may not be a breach and the notification procedure might not apply. Escalation procedures to external agencies is incorrect. Escalation procedures to external agencies such as the local police or special agencies dealing in cybercrime are important. However, without proper chain of custody procedures, vital evidence may be lost and would not be admissible in a court of law should the company decide to pursue litigation. Procedures to recover lost data is incorrect. While having procedures in place to recover lost data is important, it is critical to ensure that evidence is protected to ensure follow-up and investigation.

As part of audit planning, an IS auditor is designing various data validation tests to effectively detect transposition and transcription errors. Which of the following will BEST help in detecting these errors? Range check Validity check Duplicate check Check digit

Check digit is correct. A check digit is a numeric value that has been calculated mathematically and is added to data to ensure that original data have not been altered or that an incorrect, but valid, match has occurred. The check digit control is effective in detecting transposition and transcription errors. Range check is incorrect. Range checks can only ensure that data fall within a predetermined range but cannot detect transposition errors. Validity check is incorrect. Validity checks are generally programmed checking of data validity in accordance with predetermined criteria. Duplicate check is incorrect. Duplicate check analysis is used to test defined or selected primary keys for duplicate primary key values.

Which of the following antispam filtering methods has the LOWEST possibility of false-positive alerts? Rule-based Check-sum based Heuristic filtering Statistic-based

Check-sum based is correct. The advantage of this type of filtering is that it lets ordinary users help identify spam, and not just administrators, thus vastly increasing the pool of spam fighters. The disadvantage is that spammers can insert unique invisible gibberish—known as hashbusters—into the middle of each of their messages, thus making each message unique and having a different checksum. This leads to an arms race between the developers of the checksum software and the developers of the spam-generating software. Rule-based is incorrect. This will trigger a false-positive alert each time a keyword is met in the message. Heuristic filtering is incorrect. A heuristic is a technique designed for solving a problem more quickly when classic methods are too slow, or for finding an approximate solution when classic methods fail to find any exact solution. This is achieved by trading optimality, completeness, accuracy, or precision for speed. In a way, it can be considered a shortcut. Statistic-based is incorrect. Statistical filtering analyzes the frequency of each word within the message and then evaluates the message as a whole. Therefore, it can ignore a suspicious keyword if the entire message is within normal bounds; however, it is prone to false-positive alerts.

With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the: clarity and simplicity of the business continuity plans. adequacy of the business continuity plans. effectiveness of the business continuity plans. ability of IS and end-user personnel to respond effectively in emergencies.

Clarity and simplicity of the business continuity plans is correct. The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple. Adequacy of the business continuity plans is incorrect. To evaluate adequacy, the IS auditor should review the plans and compare them to appropriate standards and the results of tests of the plan. Effectiveness of the business continuity plans is incorrect. To evaluate effectiveness, the IS auditor should review the results from previous tests or incidents. This is the best determination for the evaluation of effectiveness. An understanding of roles and responsibilities by key stakeholders will assist in ensuring the business continuity plan is effective. Ability of IS and end-user personnel to respond effectively in emergencies is incorrect. To evaluate the response, the IS auditor should review results of continuity tests. This will provide the IS auditor with assurance that target and recovery times are met. Emergency procedures and employee training need to be reviewed to determine whether the organization has implemented plans to allow for an effective response.

Which of the following BEST limits the impact of server failures in a distributed environment? Redundant pathways Clustering Dial backup lines Standby power

Clustering is correct. This allows two or more servers to work as a unit so that when one of them fails, the other takes over. Redundant pathways is incorrect. These will minimize the impact of channel communications failures but will not address the problem of server failure. Dial backup lines is incorrect. These will minimize the impact of channel communications failures but not a server failure. Standby power is incorrect. This provides an alternative power source in the event of an energy failure but does not address the problem of a server failure.

Which of the following is the GREATEST risk to the effectiveness of application system controls? Removal of manual processing steps Inadequate procedure manuals Collusion between employees Unresolved regulatory compliance issues

Collusion between employees is correct. Collusion is an active attack where users collaborate to bypass controls such as separation of duties. Such breaches may be difficult to identify because even well-thought-out application controls may be circumvented. Removal of manual processing steps is incorrect. Automation should remove manual processing steps wherever possible. The only risk would be the removal of manual security controls without replacement with automated controls. Inadequate procedure manuals is incorrect. The lack of documentation is a problem on many systems but not a serious risk in most cases. Unresolved regulatory compliance issues is incorrect. Unresolved regulatory compliance issues are a risk but do not measure the effectiveness of the controls.

Which of the following database controls would ensure that the integrity of transactions is maintained in an online transaction processing system's database? Authentication controls Data normalization controls Read/write access log controls Commitment and rollback controls

Commitment and rollback controls is correct. These are directly relevant to integrity. These controls ensure that database operations that form a logical transaction unit will be completed entirely or not at all (i.e., if, for some reason, a transaction cannot be fully completed, then incomplete inserts/updates/deletes are rolled back so that the database returns to its pretransaction state). Authentication controls is incorrect. This would ensure that only authorized personnel can make changes but would not ensure the integrity of the changes. Data normalization controls is incorrect. This is not used to protect the integrity of online transactions. Read/write access log controls is incorrect. Log controls are a detective control but will not ensure the integrity of the data in the database.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? System log analysis Compliance testing Forensic analysis Analytical review

Compliance testing is correct. Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. System log analysis is incorrect. This would identify changes and activity on a system but would not identify whether the change was authorized unless conducted as a part of a compliance test. Forensic analysis is incorrect. This is a specialized technique for criminal investigation. Analytical review is incorrect. This assesses the general control environment of an organization.

While auditing an e-commerce architecture, an IS auditor notes that customer master data are stored on the web server for six months after the transaction date and then purged due to inactivity. Which of the following should be the PRIMARY concern for the IS auditor? Availability of customer data Integrity of customer data Confidentiality of customer data System storage performance

Confidentiality of customer data is correct. Due to its exposure to the Internet, storing customer data for six months raises concerns regarding confidentiality of customer data. Availability of customer data is incorrect. This may be affected during an Internet connection outage, but this is of a lower concern than confidentiality. Integrity of customer data is incorrect. This is affected only if security controls are weak enough to permit unauthorized modifications to the data, and it may be tracked by logging of changes. Confidentiality of data is a larger concern. System storage performance is incorrect. This may be a concern due to the volume of data. However, the bigger issue is that the information is protected.

Which of the following BEST describes the objective of an IS auditor discussing the audit findings with the auditee? Communicate results to the auditee. Develop time lines for the implementation of suggested recommendations. Confirm the findings and propose a course of corrective action. Identify compensating controls to the identified risk.

Confirm the findings and propose a course of corrective action is correct. Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with the auditee. The goal of this discussion is to confirm the accuracy of the findings and to propose or recommend a course of corrective action. Communicate results to the auditee is incorrect. Based on this discussion, the IS auditor will finalize the report and present the report to relevant levels of senior management after the findings are confirmed. This discussion should, however, also address a timetable for remediation of the audit findings. Develop time lines for the implementation of suggested recommendations is incorrect. This discussion informs management of the findings of the audit, and, based on these discussions, management may agree to develop an implementation plan for the suggested recommendations, along with the time lines. Identify compensating controls to the identified risk is incorrect. At the draft report stage, the IS auditor may recommend various controls to mitigate the risk, but the purpose of the meeting is to validate the findings of the audit with management.

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make? Consider the feasibility of a separate user acceptance environment. Schedule user testing to occur at a given time each day. Implement a source code version control tool. Only retest high-priority defects.

Consider the feasibility of a separate user acceptance environment is correct. A separate environment or environments is normally necessary for testing to be efficient and effective and to ensure the integrity of production code. It is important that the development and test code bases be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained. Schedule user testing to occur at a given time each day is incorrect. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity. Implement a source code version control tool is incorrect. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate test environment. Only retest high-priority defects is incorrect. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.

A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators have asked if they could reduce the testing of the patches. What approach should the organization take? Continue the current process of testing and applying patches. Reduce testing and ensure that an adequate backout plan is in place. Delay patching until resources for testing are available. Rely on the vendor's testing of the patches.

Continue the current process of testing and applying patches is correct. Applying security software patches promptly is critical to maintain the security of the servers; further, testing the patches is important because the patches may affect other systems and business operations. Because the vendor has recently released several critical patches in a short time, it can be hoped that this is a temporary problem and does not need a revision to policy or procedures. Reduce testing and ensure that an adequate backout plan is in place is incorrect. Reduced testing increases the risk of business operation disruption due to a faulty or incompatible patch. While a backout plan does help mitigate this risk, a thorough testing up front would be the more appropriate option. Delay patching until resources for testing are available is incorrect. Applying security software patches promptly is critical to maintain the security of the servers. Delaying patching would increase the risk of a security breach due to system vulnerability.

For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk? Use of computer-assisted audit techniques Quarterly risk assessments Sampling of transaction logs Continuous auditing

Continuous auditing is correct. The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly. Use of computer-assisted audit techniques is incorrect. Using software tools such as computer-assisted audit techniques to analyze transaction data can provide detailed analysis of trends and potential risk, but it is not as effective as continuous auditing, because there may be a time differential between executing the software and analyzing the results. Quarterly risk assessment is incorrect. This may be a good technique, but it is not as responsive as continuous auditing. The sampling of transaction logs is incorrect. This is a valid audit technique; however, risk may exist that is not captured in the transaction log, and there may be a potential time lag in the analysis.

While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that: quality management systems comply with good practices. continuous improvement targets are being monitored. standard operating procedures of IT are updated annually. key performance indicators are defined.

Continuous improvement targets are being monitored is correct. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS). Quality management systems comply with good practices is incorrect. Generally, good practices are adopted according to business requirements. Therefore, conforming to good practices may or may not be a requirement of the business. Standard operating procedures of IT are updated annually is incorrect. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity. Key performance indicators are defined is incorrect. Key performance indicators may be defined in a QMS, but they are of little value if they are not being monitored.

An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: most valuable information assets. IS audit resources to be deployed. auditee personnel to be interviewed. control objectives and activities.

Control objectives and activities is correct. After the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit. Most valuable information assets is incorrect. All assets need to be identified, not just information assets. To determine the key information assets to be audited, the IS auditor should first determine which control objectives and key control activities should be validated. Only information assets that are related to the control objectives and key control activities are relevant for scoping the audit. IS audit resources to be deployed is incorrect. Only after determining which controls and related relevant information assets are to be validated can the IS auditor decide on the key IS audit resources (with the relevant skill sets) that should be deployed for the audit. Auditee personnel to be interviewed is incorrect. Only after determining the key control activities to be validated can the IS auditor identify the relevant process personnel who should be interviewed.

Which of the following is MOST important to ensure that effective application controls are maintained? Exception reporting Manager involvement Control self-assessment Peer reviews

Control self-assessment (CSA) is correct. CSA is the review of business objectives and internal controls in a formal and documented collaborative process. It includes testing the design of automated application controls. Exception reporting is incorrect. This only looks at errors or problems but will not ensure controls are still working. Manager oversight is incorrect. This is important but may not be a consistent or well-defined process compared to CSA. Peer reviews is incorrect. These lack the direct involvement of audit specialists and management.

An organization is migrating from a legacy system to an enterprise resource planning system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a: correlation of semantic characteristics of the data migrated between the two systems. correlation of arithmetic characteristics of the data migrated between the two systems. correlation of functional characteristics of the processes between the two systems. relative efficiency of the processes between the two systems.

Correlation of semantic characteristics of the data migrated between the two systems is correct. Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new as it was in the old system. Correlation of arithmetic characteristics of the data migrated between the two systems is incorrect. Arithmetic characteristics represent aspects of data structure and internal definition in the database and, therefore, are less important than the semantic characteristics. Correlation of functional characteristics of the processes between the two systems is incorrect. A review of the correlation of the functional characteristics between the two systems is not relevant to a data migration review. Relative efficiency of the processes between the two systems is incorrect. A review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

Which of the following would be BEST prevented by a raised floor in the computer machine room? Damage of wires around computers and servers A power failure from static electricity Shocks from earthquakes Water flood damage

Damage of wires around computers and servers is correct. The primary reason for having a raised floor is to enable ventilation systems, power cables and data cables to be installed underneath the floor. This eliminates the safety and damage risk posed when cables are placed in a spaghetti-like fashion on an open floor. A power failure from static electricity is incorrect. Static electricity should be avoided in the machine room; therefore, measures such as specially manufactured carpet or shoes would be more appropriate for static prevention than a raised floor. Shocks from earthquakes is incorrect. Raised floors do not address shocks from earthquakes. To address earthquakes, anti-seismic architecture would be required to establish a quake-resistant structural framework. Water flood damage is incorrect. Computer equipment needs to be protected against water. However, a raised floor would not prevent damage to the machines in the event of overhead water pipe leakage.

Which of the following would an IS auditor consider to be the MOST important to review when conducting a disaster recovery audit? A hot site is contracted for and available as needed. A business continuity manual is available and current. Insurance coverage is adequate and premiums are current. Data backups are performed timely and stored offsite.

Data backups are performed timely and stored offsite is correct. Without data to process, all other components of the recovery effort are in vain. Even in the absence of a plan, recovery efforts of any type would not be practical without data to process. A hot site is contracted for and available as needed is incorrect. A hot site is important, but it is of no use if there are no data backups for it. A business continuity manual is available and current is incorrect. A business continuity manual is advisable but not most important in a disaster recovery audit. Insurance coverage is adequate and premiums are current is incorrect. Insurance coverage should be adequate to cover costs but is not as important as having the data backup.

Which of the following is the GREATEST concern associated with the use of peer-to-peer computing? Virus infection Data leakage Network performance issues Unauthorized software usage

Data leakage is correct. Peer-to-peer computing can share the contents of a user hard drive over the Internet. The risk that sensitive data could be shared with others is the greatest concern. Virus infection is incorrect. While peer-to-peer computing does increase the risk of virus infection, the risk of data leakage is more severe, especially if it contains proprietary data or intellectual property. Network performance issues is incorrect. Peer-to-peer computing may use more network bandwidth and, therefore, may create performance issues. However, data leakage is a more severe risk. Unauthorized software usage is incorrect. Peer-to-peer computing may be used to download or share unauthorized software, which users could install on their PCs unless other controls prevent it. However, data leakage is a more severe risk.

An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor? Administrative access to the biometric scanners or the access control system is permitted over a virtual private network. Biometric scanners are not installed in restricted areas. Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel. Biometric system risk analysis was last conducted three years ago.

Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel is correct. Data transmitted between the biometric scanners and the access control system should use a securely encrypted tunnel to protect the confidentiality of the biometric data. Administrative access to the biometric scanners or the access control system is permitted over a virtual private network is incorrect. Generally, virtual private network software provides a secure tunnel so that remote administration functions can be performed. This is not a concern. Biometric scanners are not installed in restricted areas is incorrect. Biometric scanners are best located in restricted areas to prevent tampering, but video surveillance is an acceptable mitigating control. The greatest concern is lack of a securely encrypted tunnel between the scanners and the access control system. Biometric system risk analysis was last conducted three years ago is incorrect. The biometric risk analysis should be reperformed periodically, but an analysis performed three years ago is not necessarily a cause for concern.

An IS auditor is conducting a postimplementation review of an enterprise's network. Which of the following findings would be of MOST concern? Wireless mobile devices are not password-protected. Default passwords are not changed when installing network devices. An outbound web proxy does not exist. All communication links do not use encryption.

Default passwords are not changed when installing network devices is correct. The most significant risk in this case would be if the factory default passwords are not changed on critical network equipment. This could allow anyone to change the configurations of network equipment. Wireless mobile devices are not password-protected is incorrect. While mobile devices that are not password-protected would be a risk, it would not be as significant as unsecured network devices. An outbound web proxy does not exist is incorrect. The use of a web proxy is a good practice but may not be required depending on the enterprise. All communication links do not use encryption is incorrect. Encryption is a good control for data security but is not appropriate to use for all communication links due to cost and complexity.

The PRIMARY purpose of a business impact analysis is to: define recovery strategies. identify the alternate site. improve recovery testing. calculate the annual loss expectancy.

Define recovery strategies is correct. One of the primary outcomes of a business impact analysis (BIA) is the recovery time objective and the recovery point objective, which help in defining the recovery strategies. Identify the alternate site is incorrect. A BIA, itself, will not help in identifying the alternate site. That is determined during the recovery strategy phase of the project. Improve recovery testing is incorrect. A BIA, itself, will not help improve recovery testing. That is done during the implementation and testing phase of the project. Calculate the annual loss expectancy is incorrect. The annual loss expectancy of critical business assets and processes is determined during risk assessment and will be reviewed in the BIA, but this is not the primary advantage.

Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan? Prioritize the identified risk. Define the audit universe. Identify the critical controls. Determine the testing approach.

Define the audit universe is correct. In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. To plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix. Prioritize the identified risk is incorrect. After the audit universe is defined, the IS auditor can prioritize risk based on its overall impact on different operational areas of the organization covered under the audit universe. Identify the critical controls is incorrect. The controls that help in mitigating high-risk areas are generally critical controls and their effectiveness provides assurance on mitigation of risk. However, this cannot be done unless the types of risk are ranked. Determine the testing approach is incorrect. The testing approach is based on the risk ranking.

When preparing a business case to support the need of an electronic data warehouse solution, which of the following choices is the MOST important to assist management in the decision-making process? Discuss a single solution. Consider security controls. Demonstrate feasibility. Consult the audit department.

Demonstrate feasibility is correct. The business case should demonstrate feasibility for any potential project. By including a feasibility study in the business case along with a cost-benefit analysis, management can make an informed decision. Discuss a single solution is incorrect. A business case should discuss all possible solutions to a given problem, which would enable management to select the best option. This may include the option not to undertake the project. Consider security controls is incorrect. It may be important to include security considerations in the business case if security is important to the solution and will address the problem; however, the feasibility study is more important and is necessary regardless of the type of problem. Consult the audit department is incorrect. While the person preparing the business case may consult with the organization's audit department, this would be situational and is not necessary to include in the business case.

Which of the following is the MOST effective method for disposing of magnetic media that contains confidential information? Degaussing Defragmenting Erasing Destroying

Destroying is correct. Destroying magnetic media is the only way to assure that confidential information cannot be recovered. Degaussing is incorrect. Degaussing or demagnetizing is a good control, but not sufficient to fully erase highly confidential information from magnetic media. Defragmenting is incorrect. The purpose of defragmentation is to improve efficiency by eliminating fragmentation in file systems; it does not remove information. Erasing is incorrect. Erasing or deleting magnetic media does not remove the information; this method simply changes a file's indexing information.

Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation? Ensure that assurance objectives are defined. Determine stakeholder requirements and involvement. Identify relevant risk and related opportunities. Determine relevant enablers and their applicability.

Determine stakeholder requirements and involvement is correct. The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This drives the success of the project. Based on this, the assurance scope and objectives are determined. Ensure that assurance objectives are defined is incorrect. Stakeholders' needs and their involvement form the basis for scoping the IT governance implementation. This will be used to define assurance objectives. Identify relevant risk and related opportunities is incorrect. The relevant risk and related opportunities are identified and driven by the assurance objectives. Determine relevant enablers and their applicability is incorrect. The relevant enablers and their applicability for the IT governance implementation are considered based on assurance objectives.

An IS auditor is reviewing system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with the system administrator, who states that some personnel in other departments need privileged access and management has approved the access. Which of the following would be the BEST course of action for the IS auditor? Determine whether compensating controls are in place. Document the issue in the audit report. Recommend an update to the procedures. Discuss the issue with senior management.

Determine whether compensating controls are in place is correct. An excessive number of users with privileged access is not necessarily an issue if compensating controls are in place. Document the issue in the audit report is incorrect. An IS auditor should gather additional information before presenting the situation in the report. Recommend an update to the procedures is incorrect. An update to procedures would not address a potential weakness in logical security and may not be feasible if individuals are required to have this access to perform their jobs. Discuss the issue with senior management is incorrect. The IS auditor should gather additional information before reporting the item to senior management.

The specific advantage of white box testing is that it: verifies a program can operate successfully with other parts of the system. ensures a program's functional operating effectiveness without regard to the internal program structure. determines procedural accuracy or conditions of a program's specific logic paths. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.

Determines procedural accuracy or conditions of a program's specific logic paths is correct. White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. Verifies a program can operate successfully with other parts of the system is incorrect. Verifying the program can operate successfully with other parts of the system is sociability testing. Ensures a program's functional operating effectiveness without regard to the internal program structure is incorrect. Testing the program's functionality without knowledge of internal structures is black box testing. Examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system is incorrect. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sandbox testing.

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity? Draft and publish a clear practice for enterprise-level incident response. Establish a cross-departmental working group to share perspectives. Develop a scenario and perform a structured walk-through. Develop a project plan for end-to-end testing of disaster recovery.

Develop a scenario and perform a structured walk-through is correct. A structured walk-through including both incident response and business continuity personnel provides the best opportunity to identify gaps or misalignments between the plans. Draft and publish a clear practice for enterprise-level incident response is incorrect. Publishing an enterprise-level incident response plan is effective only if business continuity aligned itself to incident response. Incident response supports business continuity, not the other way around. Establish a cross-departmental working group to share perspectives is incorrect. Sharing perspectives is valuable, but a working group does not necessarily lead to ensuring that the interface between plans is workable. Develop a project plan for end-to-end testing of disaster recovery is incorrect. A project plan developed for disaster recovery will not necessarily address deficiencies in business continuity or incident response.

Which of the following preventive controls BEST helps secure a web application? Password masking Developer training Use of encryption Vulnerability testing

Developer training is correct. Of the given choices, teaching developers to write secure code is the best way to secure a web application. Password masking is incorrect. This is a necessary preventive control but is not the best way to secure an application. Use of encryption is incorrect. Encryption will protect data but is not sufficient to secure an application because other flaws in coding could compromise the application and data. Ensuring that applications are designed in a secure way is the best way to secure an application. This is accomplished by ensuring that developers are adequately educated on secure coding practices. Vulnerability testing is incorrect. This can help to ensure the security of web applications; however, the best preventive control is developer education because building secure applications from the start is more effective.

An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor? Developers have the ability to create or de-provision servers. Developers could gain elevated access to production servers. Developers can affect the performance of production servers with their applications. Developers could install unapproved applications to any servers.

Developers have the ability to create or de-provision servers is correct. Virtualization offers the ability to create or destroy virtual machines (VMs) through the administrative interface with administrative access. While a developer would be unlikely to de-provision a production server, the administrative console would grant him/her the ability to do this, which would be a significant risk. Developers could gain elevated access to production servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest operating system (OS) to access the server. In this case, while the developers could potentially start, stop or even de-provision a production VM, they could not gain elevated access to the OS of the guest through the administrative interface. Developers can affect the performance of production servers with their applications is incorrect. While there could be instances where a software development team might use resource-intensive applications that could cause performance issues for the virtual host, the greater risk would be the ability to de-provision VMs. Developers could install unapproved applications to any servers is incorrect. When properly configured, the administrative console of a virtual server host does not allow an individual to bypass the authentication of the guest OS to access the server; therefore, the concern that unauthorized software could be installed is not valid.

Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies? Developments may result in hardware and software incompatibility. Resources may not be available when needed. The recovery plan cannot be live tested. The security infrastructures in each company may be different.

Developments may result in hardware and software incompatibility is correct. If one organization updates its hardware and software configuration, it may mean that it is no longer compatible with the systems of the other party in the agreement. This may mean that each company is unable to use the facilities at the other company to recover their processing following a disaster. Resources may not be available when needed is incorrect. Resources being unavailable when needed is an intrinsic risk in any reciprocal agreement, but this is a contractual matter and is not the greatest risk. The recovery plan cannot be live tested is incorrect. The plan can be tested by paper-based walk-throughs and possibly by agreement between the companies. The security infrastructures in each company may be different is incorrect. The difference in security infrastructures, while a risk, is not insurmountable.

An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: remove the IS auditor from the engagement. cancel the engagement. disclose the issue to the client. take steps to restore the IS auditor's independence.

Disclose the issue to the client is correct. In circumstances in which the IS auditor's independence is impaired and the IS auditor continues to be associated with the audit, the facts surrounding the issue of the IS auditor's independence should be disclosed to the appropriate management and in the report. Remove the IS auditor from the engagement is incorrect. It is not necessary to withdraw the IS auditor unless there is a statutory limitation, which exists in certain countries. Cancel the engagement is incorrect. Canceling the engagement is not required if properly disclosed and accepted. Take steps to restore the IS auditor's independence is incorrect. This is not a feasible solution. The independence of the IS auditor cannot be restored while continuing to conduct the audit.

During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department? Discuss it with the IT managers. Review the IT job descriptions. Research past IT audit reports. Evaluate the organizational structure.

Discuss it with the IT managers is correct. Discussing the implementation of segregation of duties with the IT managers is the best way to determine how responsibilities are assigned within the department. Review the IT job descriptions is incorrect. Job descriptions may not be the best source of information because they can be outdated or what is documented in the job descriptions may be different from what is actually performed. Research past IT audit reports is incorrect. Past IS audit reports are not the best source of information because they may not accurately describe how IT responsibilities are assigned. Evaluate the organizational structure is incorrect. Evaluating the organizational structure may give a limited view on the allocation of IT responsibilities. The responsibilities also may have changed over time.

During an IS audit of a global organization, the IS auditor discovers that the organization uses Voice-over Internet Protocol over the Internet as the sole means of voice connectivity among all offices. Which of the following presents the MOST significant risk for the organization's VoIP infrastructure? Network equipment failure Distributed denial-of-service attack Premium-rate fraud (toll fraud) Social engineering attack

Distributed denial-of-service (DDoS) attack is correct. This would potentially disrupt the organization's ability to communicate among its offices and have the highest impact. In a traditional voice network, a DDoS attack would only affect the data network, not voice communications. Network equipment failure is incorrect. The use of Voice-over Internet Protocol does not introduce any unique risk with respect to equipment failure, and redundancy can be used to address network failure. Premium-rate fraud (toll fraud) is incorrect. Toll fraud occurs when someone compromises the phone system and makes unauthorized long-distance calls. While toll fraud may cost the business money, the more severe risk would be the disruption of service. Social engineering attack is incorrect. This involves gathering sensitive information to launch an attack and can be exercised over any kind of telephony.

There are several methods of providing telecommunication continuity. The method of routing traffic through split cable or duplicate cable facilities is called: alternative routing. diverse routing. long-haul network diversity. last-mile circuit protection.

Diverse routing is correct. This routes traffic through split-cable facilities or duplicate-cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual-entrance facilities. This type of access is time consuming and costly. Alternative routing is incorrect. This is a method of routing information via an alternate medium such as copper cable or fiber optics. This involves the use of different networks, circuits or end points should the normal network be unavailable. Long-haul network diversity is incorrect. This is a diverse, long-distance network using different packet switching circuits among the major long-distance carriers. It ensures long-distance access should any carrier experience a network failure. Last-mile circuit protection is incorrect. This is a redundant combination of local carrier T-1s (E-1s in Europe), microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local-carrier routing is also used.

Which of the following types of penetration tests effectively evaluates the incident handling and response capability of the system administrator? Targeted testing Internal testing Double-blind testing External testing

Double-blind testing is correct. In double-blind testing, the penetration tester has little or limited knowledge about the target system, and personnel at the target site have not been informed that a test is being performed. Because the administrator and security staff at the target are not aware of the test, it can effectively evaluate the incident handling and response capability of the system administrator. Targeted testing is incorrect. In targeted testing, penetration testers are provided with information related to target and network design and the target's IT team is aware of the testing activities. Internal testing is incorrect. This refers to attacks and control circumvention attempts on the target from within the perimeter. The system administrator is typically aware of the testing activities. External testing is incorrect. This is a generic term that refers to attacks and control circumvention attempts on the target from outside the target system. The system administrator may or may not be aware of the testing activities, so this is not the correct answer. (Note: Rather than concentrating on specific terms, CISA candidates should understand the differences between various types of penetration testing.)

The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the: duration of the outage. type of outage. probability of the outage. cause of the outage.

Duration of the outage is correct. The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives. Type of outage is incorrect. This is not as important to the activation of the plan as the length or duration of the outage. Probability of the outage is incorrect. This would be relevant to the frequency of incidents, not the need to activate the plan. The plan is designed to be activated after an event of a certain duration occurs. Cause of the outage is incorrect. This may affect the response plan to be activated, but not the decision to activate the plan. The plan will be activated any time an event of a predetermined duration occurs.

Depending on the complexity of an organization's business continuity plan (BCP), it may be developed as a set of plans to address various aspects of business continuity and disaster recovery. In such an environment, it is essential that: each plan is consistent with one another. all plans are integrated into a single plan. each plan is dependent on one another. the sequence for implementation of all plans is defined.

Each plan is consistent with one another is correct. Depending on the complexity of an organization, there could be more than one plan to address various aspects of business continuity and disaster recovery, but the plans must be consistent to be effective. All plans are integrated into a single plan is incorrect. The plans do not necessarily have to be integrated into one single plan. Each plan is dependent on one another is incorrect. Although each plan may be independent, each plan has to be consistent with other plans to have a viable business continuity planning strategy. The sequence for implementation of all plans is defined is incorrect. It may not be possible to define a sequence in which plans have to be implemented because it may be dependent on the nature of disaster, criticality, recovery time, etc.

While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the: effectiveness of the QA function because it should interact between project management and user management. efficiency of the QA function because it should interact with the project implementation team. effectiveness of the project manager because the project manager should interact with the QA function. efficiency of the project manager because the QA function needs to communicate with the project implementation team.

Effectiveness of the QA function because it should interact between project management and user management is correct. To be effective, the quality assurance (QA) function should be independent of project management. If it is not, project management may put pressure on the QA function to approve an inadequate product. Efficiency of the QA function because it should interact with the project implementation team is incorrect. The efficiency of the QA function is not impacted by interacting with the project implementation team. The QA team does not release a product for implementation until it meets QA requirements. Effectiveness of the project manager because the project manager should interact with the QA function is incorrect. The project manager responds to the issues raised by the QA team. This does not impact the effectiveness of the project manager. Efficiency of the project manager because the QA function needs to communicate with the project implementation team is incorrect. The QA function's interaction with the project implementation team should not impact the efficiency of the project manager.

The GREATEST advantage of using web services for the exchange of information between two systems is: secure communication. improved performance. efficient interfacing. enhanced documentation.

Efficient interfacing is correct. Web services facilitate the interoperable exchange of information between two systems regardless of the operating system or programming language used. Secure communication is incorrect. Communication is not necessarily more secure using web services. Improved performance is incorrect. The use of web services will not necessarily increase performance. Enhanced documentation is incorrect. There is no documentation benefit in using web services.

The PRIMARY benefit of an enterprise architecture initiative is to: enable the organization to invest in the most appropriate technology. ensure security controls are implemented on critical platforms. allow development teams to be more responsive to business requirements. provide business units with greater autonomy to select IT solutions that fit their needs.

Enable the organization to invest in the most appropriate technology is correct. The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective. Ensure security controls are implemented on critical platforms is incorrect. Ensuring that security controls are implemented on critical platforms is important, but this is not the function of the EA. The EA may be concerned with the design of security controls; however, the EA would not help to ensure that they were implemented. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. Allow development teams to be more responsive to business requirements is incorrect. While the EA process may enable development teams to be more efficient, because they are creating solutions based on standard platforms using standard programming languages and methods, the more critical benefit of the EA is to provide guidance for IT investments of all types, which encompasses much more than software development. Provide business units with greater autonomy to select IT solutions that fit their needs is incorrect. A primary focus of the EA is to define standard platforms, databases and interfaces. Business units that invest in technology would need to select IT solutions that meet their business needs and are compatible with the EA of the enterprise. There may be instances when a proposed solution works better for a business unit but is not at all consistent with the EA of the enterprise, so there would be a need to compromise to ensure that the application can be supported by IT. Overall, the EA would restrict the ability of business units in terms of the potential IT systems that they may wish to implement. The support requirements would not be affected in this case.

The PRIMARY purpose of implementing Redundant Array of Inexpensive Disks level 1 in a file server is to: achieve performance improvement. provide user authentication. ensure availability of data. ensure the confidentiality of data.

Ensure availability of data is correct. Redundant Array of Inexpensive Disks (RAID) level 1 provides disk mirroring. Data written to one disk are also written to another disk. Users in the network access data in the first disk; if disk one fails, the second disk takes over. This redundancy ensures the availability of data. Achieve performance improvement is incorrect. RAID level 1 does not improve performance. It writes the data to two separate disk drives. Provide user authentication is incorrect. RAID level 1 has no relevance to authentication. Ensure the confidentiality of data is incorrect. RAID level 1 does nothing to provide for data confidentiality.

An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should: apply the patch according to the patch's release notes. ensure that a good change management process is in place. thoroughly test the patch before sending it to production. approve the patch after doing a risk assessment.

Ensure that a good change management process is in place is correct. An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. Apply the patch according to the patch's release notes is incorrect. The IS auditor should not apply the patch. That is an administrator responsibility. Thoroughly test the patch before sending it to production is incorrect. The testing of the patch is the responsibility of the development or production support team, not the auditor. Approve the patch after doing a risk assessment is incorrect. The IS auditor is not authorized to approve a patch. That is a responsibility of a steering committee.

During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal. The IS auditor should FIRST: test the software for compatibility with existing hardware. perform a gap analysis. review the licensing policy. ensure that the procedure had been approved.

Ensure that the procedure had been approved is correct. In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. Test the software for compatibility with existing hardware is incorrect. Because the software package has already been acquired, it is most likely that it is in use and therefore compatible with existing hardware. Further, the first responsibility of the IS auditor is to ensure that the purchasing procedures have been approved. Perform a gap analysis is incorrect. Because there was no request for proposal, there may be no documentation of the expectations of the product and nothing to measure a gap against. The first task for the IS auditor is to ensure that the purchasing procedures were approved. Review the licensing policy is incorrect. The licensing policy should be reviewed to ensure proper licensing but only after the purchasing procedures are checked.

The MAIN purpose for periodically testing offsite disaster recovery facilities is to: protect the integrity of the data in the database. eliminate the need to develop detailed contingency plans. ensure the continued compatibility of the contingency facilities. ensure that program and system documentation remains current.

Ensure the continued compatibility of the contingency facilities is correct. The main purpose of offsite hardware testing is to ensure the continued compatibility of the contingency facilities so that assurance can be gained that the contingency plans would work in an actual disaster. Protect the integrity of the data in the database is incorrect. The testing of an offsite facility does nothing to protect the integrity of the database. It may test the validity of backups but does not protect their integrity. Eliminate the need to develop detailed contingency plans is incorrect. Testing an offsite location validates the value of the contingency plans and is not used to eliminate detailed plans. Ensure that program and system documentation remains current is incorrect. Program and system documentation should be reviewed continuously for currency. A test of an offsite facility may ensure that the documentation for that site is current, but this is not the purpose of testing an offsite facility.

A certificate authority (CA) can delegate the processes of: revocation and suspension of a subscriber's certificate. generation and distribution of the CA public key. establishing a link between the requesting entity and its public key. issuing and distributing subscriber certificates.

Establishing a link between the requesting entity and its public key is a function of a registration authority. This may or may not be performed by a CA; therefore, this function can be delegated. Revocation and suspension of a subscriber's certificate is incorrect. These are functions of the subscriber certificate life cycle management, which the certificate authority (CA) must perform. Generation and distribution of the CA public key is incorrect. This is a part of the CA key life cycle management process and, as such, cannot be delegated. Issuing and distributing subscriber certificates is incorrect. These are functions of the subscriber certificate life cycle management, which the CA must perform.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to: examine source program changes without information from IS personnel. detect a source program change made between acquiring a copy of the source and the comparison run. identify and validate any differences between the control copy and the production program. ensure that all changes made in the current source copy are tested.

Examine source program changes without information from IS personnel is correct. When an IS auditor uses a source code comparison to examine source program changes without information from IS personnel, the IS auditor has an objective, independent and relatively complete assurance of program changes, because the source code comparison identifies the changes. Detect a source program change made between acquiring a copy of the source and the comparison run is incorrect. The changes detected by the source code comparison are between two versions of the software. This does not detect changes made since the acquisition of the copy of the software. Identify and validate any differences between the control copy and the production program is incorrect. Confirmation that the current production program is the same as the control copy could be made through evaluation of program change controls. Ensure that all changes made in the current source copy are tested is incorrect. Source code comparison detects all changes between an original and a changed program; however, the comparison will not ensure that the changes have been adequately tested.

During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: assessment of the situation may be delayed. execution of the disaster recovery plan could be impacted. notification of the teams might not occur. potential crisis recognition might be delayed.

Execution of the disaster recovery plan could be impacted is correct. Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis. Assessment of the situation may be delayed is incorrect. Problem and severity assessment would provide information necessary in declaring a disaster, but the lack of a crisis declaration point would not delay the assessment. Notification of the teams might not occur is incorrect. After a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying the declaration of a disaster would impact or negate the effect of having response teams, but this is only one part of the larger impact. Potential crisis recognition might be delayed is incorrect. Potential crisis recognition is the first step in recognizing or responding to a disaster and would occur prior to the declaration of a disaster.

An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation? Existing IT mechanisms enabling compliance Alignment of the policy to the business strategy Current and future technology initiatives Regulatory compliance objectives defined in the policy

Existing IT mechanisms enabling compliance is correct. The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy. Alignment of the policy to the business strategy is incorrect. Policies should be aligned with the business strategy, but this does not affect an organization's ability to comply with the policy upon implementation. Current and future technology initiatives is incorrect. They should be driven by the needs of the business and would not affect an organization's ability to comply with the policy. Regulatory compliance objectives defined in the policy is incorrect. Regulatory compliance objectives may be defined in the IT policy, but that would not facilitate compliance with the policy. Defining objectives would only result in the organization knowing the desired state and would not aid in achieving compliance.

After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should: expand activities to determine whether an investigation is warranted. report the matter to the audit committee. report the possibility of fraud to management. consult with external legal counsel to determine the course of action to be taken.

Expand activities to determine whether an investigation is warranted is correct. An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. Report the matter to the audit committee is incorrect. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Report the possibility of fraud to management is incorrect. The IS auditor should report the possibility of fraud to top management only after there is sufficient evidence to launch an investigation. This may be affected by whether management may be involved in the fraud. Consult with external legal counsel to determine the course of action to be taken is incorrect. Normally, the IS auditor does not have authority to consult with external legal counsel.

An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed, and the backup restarts cannot be confirmed. What should the IS auditor do? Issue an audit finding. Seek an explanation from IS management. Review the classifications of data held on the server. Expand the sample of logs reviewed.

Expand the sample of logs reviewed is correct. IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure. Issue an audit finding is incorrect. At this stage it is too preliminary to issue an audit finding. Seeking an explanation from management is advisable, but it is better to gather additional evidence to properly evaluate the seriousness of the situation. Seek an explanation from IS management is incorrect. Without gathering more information on the incident and the frequency of the incident, it is difficult to obtain a meaningful explanation from management. Review the classifications of data held on the server is incorrect. A backup failure, which has not been established at this point, will be serious if it involves critical data. However, the issue is not the importance of the data on the server, where a problem has been detected, but whether a systematic control failure that impacts other servers exists.

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables Extrapolation of the overall end date based on completed work packages and current resources Calculation of the expected end date based on current resources and remaining available project budget

Extrapolation of the overall end date based on completed work packages and current resources is correct. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., 80:20 rule). Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports is incorrect. The IS auditor cannot count on the accuracy of data in status reports for reasonable assurance. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables is incorrect. Interviews are a valuable source of information but will not necessarily identify any project challenges because the people being interviewed are involved in the project. Calculation of the expected end date based on current resources and remaining available project budget is incorrect. The calculation based on remaining budget does not consider the speed at which the project has been progressing.

Which of the following insurance types provides for a loss arising from fraudulent acts by employees? Business interruption Fidelity coverage Errors and omissions Extra expense

Fidelity coverage is correct. This type of insurance covers the loss arising from dishonest or fraudulent acts by employees. Business interruption is incorrect. Business interruption insurance covers the loss of profit due to the disruption in the operations of an organization. Errors and omissions is incorrect. This type of insurance provides legal liability protection in the event that the professional practitioner commits an act that results in financial loss to a client. Extra expense is incorrect. This type of insurance is designed to cover the extra costs of continuing operations following a disaster/disruption within an organization.

Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network? Firewalls Routers Layer 2 switches Virtual local area networks

Firewalls is correct. Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls. Routers is incorrect. These can filter packets based on parameters, such as source address, but are not primarily a security tool. Layer 2 switches is incorrect. Based on Media Access Control addresses, layer 2 switches separate traffic without determining whether it is authorized or unauthorized traffic. Virtual local area networks is incorrect. A virtual local area network is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical local access network. Nevertheless, they do not effectively deal with authorized versus unauthorized traffic.

An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement? Overall number of users supported First call resolution rate Number of incidents reported to the help desk Number of agents answering the phones

First call resolution rate is correct. Because it is about service level (performance) indicators, the percentage of incidents solved on the first call is a good way to measure the effectiveness of the supporting organization. Overall number of users supported is incorrect. The contract price will usually be based on the number of users supported, but the performance metrics should be based on the ability to provide effective support and address user problems rapidly. Number of incidents reported to the help desk is incorrect. The number of reported incidents cannot be controlled by the outsource supplier; therefore, that cannot be an effective measure. Number of agents answering the phones is incorrect. The efficiency and effectiveness of the people answering the calls and being able to address problems rapidly are more important than the number of people answering the calls.

An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that: effective preventive controls are enforced. system integrity is ensured. errors can be corrected in a timely fashion. fraud can be detected more quickly.

Fraud can be detected more quickly is correct. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence. This approach assists the IS auditors in identifying fraud in a timely fashion and allows the auditors to focus on relevant data. Effective preventive controls are enforced is incorrect. Continuous monitoring is detective in nature and, therefore, does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurred. In addition, continuous monitoring will benefit the internal audit function in reducing the use of auditing resources and in the timely reporting of errors or inconsistencies. System integrity is ensured is incorrect. System integrity is typically associated with preventive controls such as input controls and quality assurance reviews. These controls do not typically benefit an internal auditing function implementing continuous monitoring. Continuous monitoring benefits the internal audit function because it reduces the use of auditing resources. Errors can be corrected in a timely fashion is incorrect. Continuous audit will detect errors but not correct them. Correcting errors is the function of the organization's management and not the internal audit function. Continuous auditing benefits the internal audit function because it reduces the use of auditing resources to create a more efficient auditing function.

A company has recently upgraded its purchase system to incorporate electronic data interchange (EDI) transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping? Key verification One-for-one checking Manual recalculations Functional acknowledgments

Functional acknowledgments is correct. Acting as an audit trail for electronic data interchange transactions, functional acknowledgments are one of the main controls used in data mapping. Key verification is incorrect. This is used for encryption and protection of data but not for data mapping. One-for-one checking is incorrect. This validates that transactions are accurate and complete but does not map data. Manual recalculations is incorrect. They are used to verify that the processing is correct but do not map data.

A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP? Full-scale test with relocation of all departments, including IT, to the contingency site Walk-through test of a series of predefined scenarios with all critical personnel involved IT disaster recovery test with business departments involved in testing the critical applications Functional test of a scenario with limited IT involvement

Functional test of a scenario with limited IT involvement is correct. After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Because the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the BCP before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule. Full-scale test with relocation of all departments, including IT, to the contingency site is incorrect. A full-scale test in the situation described might fail because it would be the first time that the plan is actually exercised, and a number of resources (including IT) and time would be wasted. Walk-through test of a series of predefined scenarios with all critical personnel involved is incorrect. The walk-through test is a basic type of testing. Its intention is to make key staff familiar with the plan and discuss critical plan elements, rather than verifying its adequacy. IT disaster recovery test with business departments involved in testing the critical applications is incorrect. The recovery of applications should always be verified and approved by the business instead of being purely IT-driven. The IT plan has been tested repeatedly so a disaster recovery test would not help in verifying the administrative and organizational parts of the BCP, which are not IT-related.

After identifying the findings, the IS auditor should FIRST: gain agreement on the findings. determine mitigation measures for the findings. inform senior management of the findings. obtain remediation deadlines to close the findings.

Gain agreement on the findings is correct. If findings are not agreed upon and confirmed by both parties, then there may be an issue during sign-off on the final audit report or while discussing findings with management. When agreement is obtained with the auditee, it implies the finding is understood and a clear plan of action can be determined. Determine mitigation measures for the findings is incorrect. Although the auditor may recommend mitigation measures, the organization ultimately decides and implements the mitigation strategies as a function of risk management. Inform senior management of the findings is incorrect. Before senior management is informed, it is imperative that the auditor informs the auditee and gains agreement on the audit findings to correctly communicate the risk. Obtaining remediation deadlines to close the findings is incorrect and is not the first step in communicating the audit findings.

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next? Recommend redesigning the change management process. Gain more assurance on the findings through root cause analysis. Recommend that program migration be stopped until the change process is documented. Document the finding and present it to management.

Gain more assurance on the findings through root cause analysis is correct. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management. Recommend redesigning the change management process is incorrect. While it may be necessary to redesign the change management process, this cannot be done until a root cause analysis is conducted to determine why the current process is not being followed. Recommend that program migration be stopped until the change process is documented is incorrect. A business relies on being able to make changes when necessary, and security patches must often be deployed promptly. It would not be feasible to halt all changes until a new process is developed. Document the finding and present it to management is incorrect. The results of the audit including the findings of noncompliance will be delivered to management once a root cause analysis of the issue has been completed.

Which of the following is MOST effective for monitoring transactions exceeding predetermined thresholds? Generalized audit software An integrated test facility Regression tests Transaction snapshots

Generalized audit software (GAS) is correct. This is a data analytic tool that can be used to filter large amounts of data. An integrated test facility is incorrect. Integrated test facilities test the processing of the data and cannot be used to monitor real-time transactions. Regression tests is incorrect. These are used to test new versions of software to ensure that previous changes and functionality are not inadvertently overwritten or disabled by the new changes. Transaction snapshots is incorrect. Gathering information through snapshots alone is not sufficient. GAS will assist with an analysis of the data.

Which of the following BEST ensures the integrity of a server's operating system? Protecting the server in a secure location Setting a boot password Hardening the server configuration Implementing activity logging

Hardening the server configuration is correct. This means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS. Protecting the server in a secure location is incorrect. This is a good practice, but it does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS). Setting a boot password is incorrect. This is a good practice but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. Implementing activity logging is incorrect. This has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them.

An IS auditor discovers that developers have operator access to the command line of a production environment operating system. Which of the following controls would BEST mitigate the risk of undetected and unauthorized program changes to the production environment? Commands typed on the command line are logged. Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs. Access to the operating system command line is granted through an access restriction tool with preapproved rights. Software development tools and compilers have been removed from the production environment.

Hash keys are calculated periodically for programs and matched against hash keys calculated for the most recent authorized versions of the programs is correct. The matching of hash keys over time would allow detection of changes to files. Commands typed on the command line are logged is incorrect. Having a log is not a control; reviewing the log is a control. Access to the operating system command line is granted through an access restriction tool with preapproved rights is incorrect. Because the access was already granted at the command line level, it will be possible for the developers to bypass the control. Software development tools and compilers have been removed from the production environment is incorrect. Removing the tools from the production environment will not mitigate the risk of unauthorized activity by the developers.

An IS auditor reviewing access controls for a client-server environment should FIRST: evaluate the encryption technique. identify the network access points. review the identity management system. review the application level access controls.

Identify the network access points is correct. A client-server environment typically contains several access points and uses distributed techniques, increasing the risk of unauthorized access to data and processing. To evaluate the security of the client-server environment, all network access points should be identified. Evaluate the encryption techniques is incorrect. This would be performed at a later stage of the review. Review the identity management system is incorrect. This would be performed at a later stage of the review. Review the application level access controls is incorrect. This would be performed at a later stage of the review.

An IS auditor performing a review of application controls would evaluate the: efficiency of the application in meeting the business processes. impact of any exposures discovered. business processes served by the application. application's optimization.

Impact of any exposures discovered is correct. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses. Efficiency of the application in meeting the business processes is incorrect. The IS auditor is reviewing the effectiveness of the controls, not the suitability of the application to meet business needs. Business processes served by the application is incorrect. This is not part of an audit restricted to a review of the application controls. Application's optimization is incorrect. One area to be reviewed may be the efficiency and optimization of the application, but this is not the area being reviewed in this audit.

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend? Implement a properly documented process for application role change requests. Hire additional staff to provide a segregation of duties for application role changes. Implement an automated process for changing application roles. Document the current procedure in detail and make it available on the enterprise intranet.

Implement a properly documented process for application role change requests is correct. The IS auditor should recommend implementation of processes that could prevent or detect improper changes from being made to the major application roles. The application role change request process should start and be approved by the business owner; then, the IS director can make the changes to the application. Hire additional staff to provide a segregation of duties for application role changes is incorrect. While it is preferred that a strict segregation of duties be adhered to and that additional staff be recruited, this practice is not always possible in small enterprises. The IS auditor must look at recommended alternative processes. Implement an automated process for changing application roles is incorrect. An automated process for managing application roles may not be practical to prevent improper changes being made by the IS director, who also has the most privileged access to the application. Document the current procedure in detail and make it available on the enterprise intranet is incorrect. Making the existing process available on the enterprise intranet would not provide any value to protect the system.

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation? Log all table update transactions. Implement integrity constraints in the database. Implement before and after image reporting. Use tracing and tagging.

Implement integrity constraints in the database is correct. This is a preventive control because data are checked against predefined tables or rules, which prevents any undefined data from being entered. Log all table update transactions is incorrect. This provides audit trails and is a detective control but will not prevent the introduction of inaccurate data. Implement before and after image reporting is incorrect. This makes it possible to trace the impact that transactions have on computer records and is a detective control. Use tracing and tagging is incorrect. This is used to test application systems and controls but is not a preventive control that can avoid out-of-range data.

Which of the following is the MOST efficient strategy for the backup of large quantities of mission-critical data when the systems need to be online to take sales orders 24 hours a day? Implementing a fault-tolerant disk-to-disk backup solution Making a full backup to tape weekly and an incremental backup nightly Creating a duplicate storage area network (SAN) and replicating the data to a second SAN Creating identical server and storage infrastructure at a hot site

Implementing a fault-tolerant disk-to-disk backup solution is correct. Disk-to-disk backup, also called disk-to-disk-to-tape backup or tape cache, is when the primary backup is written to disk instead of tape. That backup can then be copied, cloned or migrated to tape at a later time (hence the term "disk-to-disk-to-tape"). This technology allows the backup of data to be performed without impacting system performance and allows a large quantity of data to be backed up in a very short backup window. In case of a failure, the fault-tolerant system can transfer immediately to the other disk set. Making a full backup to tape weekly and an incremental backup nightly is incorrect. While a backup strategy involving tape drives is valid, because many computer systems must be taken offline so that backups can be performed, there is the need to create a backup window, typically during each night. This would not enable the system to be available 24/7. For a system that must remain online at all times, the only feasible way to back up the data is to either duplicate the data to a server that gets backed up to tape, or deploy a disk-to-disk solution, which is effectively the same thing. Creating a duplicate storage area network (SAN) and replicating the data to a second SAN is incorrect. While creating a duplicate SAN and replicating the data to a second SAN provides some redundancy and data protection, this is not really a backup solution. If the two systems are at the same site, there is a risk that an incident such as a fire or flood in the data center could lead to data loss. Creating identical server and storage infrastructure at a hot site is incorrect. While creating an identical server and storage infrastructure at a hot site provides a great deal of redundancy and availability to enable the system to stay operational, it does not address the need for long-term data storage. There is still the need to create an efficient method of backing up data.

Which of the following would MOST effectively enhance the security of a challenge-response based authentication system? Selecting a more robust algorithm to generate challenge strings Implementing measures to prevent session hijacking attacks Increasing the frequency of associated password changes Increasing the length of authentication strings

Implementing measures to prevent session hijacking attacks is correct. Challenge response-based authentication is prone to session hijacking or man-in-the-middle attacks. Security management should be aware of this and engage in risk assessment and control design such as periodic authentication when they employ this technology. Selecting a more robust algorithm to generate challenge strings is incorrect. This will enhance the security; however, this may not be as important in terms of risk mitigation when compared to man-in-the-middle attacks. Increasing the frequency of associated password changes is incorrect. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk. Increasing the length of authentication strings is incorrect. This will not prevent man-in-the-middle or session hijacking attacks.

Which of the following would be the GREATEST concern if audit objectives are not established during the initial phase of an audit program? Key stakeholders are incorrectly identified. Control costs will exceed planned budget. Important business risk may be overlooked. Previously audited areas may be inadvertently included.

Important business risk may be overlooked is correct. Without an audit scope, the appropriate risk assessment has not been performed, and therefore, the auditor might not audit those areas of highest risk for the organization. Key stakeholders are incorrectly identified is incorrect. In certain cases, it may be more difficult to discuss findings when incorrect stakeholders are identified, thus delaying the communication of audit findings. However, this is not as concerning as important business risk not being included in audit scope. Control costs will exceed planned budget is incorrect. Many factors determine the cost of controls. Therefore, it is difficult to state that only audit objectives will determine the control cost. However, this is not as important if key risk is not identified. Previously audited areas may be inadvertently included is incorrect. Auditing previously audited areas is not an efficient use of resources; however, this is not as big of a concern as key risk not being identified.

While designing the business continuity plan for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be: shadow file processing. electronic vaulting. hard-disk mirroring. hot-site provisioning.

In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files such as airline booking systems. Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium; this is a method used by banks. This is not usually in real time as much as a shadow file system is. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data.

A company is planning to install a network-based intrusion detection system to protect the web site that it hosts. Where should the device be installed? On the local network Outside the firewall In the demilitarized zone On the server that hosts the web site

In the demilitarized zone (DMZ) is correct. Network-based intrusion detection systems (IDSs) detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the DMZ. An IDS installed in the DMZ detects and reports on malicious activity originating from the Internet as well as the internal network, thus allowing the administrator to act. On the local network is incorrect. While an IDS can be installed on the local network to ensure that systems are not subject to internal attacks, a company's public web server would not normally be installed on the local network, but rather in the DMZ. Outside the firewall is incorrect. It is not unusual to place a network IDS outside of the firewall just to watch the traffic that is reaching the firewall, but this would not be used to specifically protect the web application. On the server that hosts the web site is incorrect. A host-based IDS would be installed on the web server, but a network-based IDS would not.

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The auditor should: include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings. not include the finding in the final report because management resolved the item. not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit. include the finding in the closing meeting for discussion purposes only.

Include the finding in the final report, because the IS auditor is responsible for an accurate report of all findings is correct and is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation, as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing. Not include the finding in the final report because management resolved the item is incorrect. The audit report should contain all relevant findings and the response from management even if the finding has been resolved. This would mean that subsequent audits may test for the continued resolution of the control. Not include the finding in the final report, because corrective action can be verified by the IS auditor during the audit is incorrect. The audit report should contain the finding so that it is documented and the removal of the control subsequent to the audit would be noticed. Include the finding in the closing meeting for discussion purposes only is incorrect. The audit report should contain the finding and resolution, and this can be mentioned in the final meeting. The audit report should list all relevant findings and the response from management.

When reviewing a project where quality is a major concern, an IS auditor should use the project management triangle to explain that: increases in quality can be achieved, if resource allocation is decreased. increases in quality are only achieved if resource allocation is increased. decreases in delivery time can be achieved, if resource allocation is decreased. decreases in delivery time can only be achieved if quality is decreased.

Increases in quality can be achieved, if resource allocation is decreased is correct. The three primary dimensions of a project are determined by the deliverables, the allocated resources and the delivery time. The area of the project management triangle, comprised of these three dimensions, is fixed. Depending on the degree of freedom, changes in one dimension might be compensated by changing either one or both remaining dimensions. Thus, if resource allocation is decreased, an increase in quality can be achieved if a delay in the delivery time of the project will be accepted. The area of the triangle always remains constant. Increases in quality are only achieved if resource allocation is increased is incorrect. Increases in quality can be achieved if resource allocation is increased or through increases in delivery time, not only through increases in resource allocation. Decreases in delivery time can be achieved, if resource allocation is decreased is incorrect. A decrease in both delivery time and resource allocation would mean that quality would have to decrease. Decreases in delivery time can only be achieved if quality is decreased is incorrect. A decrease in delivery time may also be addressed through an increase in resource allocation, even if the quality remains constant.

During which phase of software application testing should an organization perform the testing of architectural design? Acceptance testing System testing Integration testing Unit testing

Integration testing is correct. This evaluates the connection of two or more components that pass information from one area to another. The objective is to use unit-tested modules, thus building an integrated structure according to the design. Acceptance testing is incorrect. This determines whether the solution meets the requirements of the business and is performed after system staff has completed the initial system test. This testing includes both quality assurance testing and user acceptance testing, although not combined. System testing is incorrect. This relates a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system. Unit testing is incorrect. This references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.

During the requirements definition stage of a proposed enterprise resource planning system, the project sponsor requests that the procurement and accounts payable modules be linked. Which of the following test methods would be the BEST to perform? Unit testing Integration testing Sociability testing Quality assurance testing

Integration testing is correct. This is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure dictated by design. Unit testing is incorrect. This is a technique that is used to test program logic within a particular program or module and does not specifically address the linkage between software modules. Integration testing is the best answer. Sociability testing is incorrect. This confirms that the new or modified system can operate in its target environment without adversely impacting existing systems and does not specifically address the linkage between software modules. Integration testing is the best answer. Quality assurance testing is incorrect. This is primarily used to ensure that the logic of the application is correct and does not specifically address the linkage between software modules. Integration testing is the best answer.

Which of the following is an advantage of the top-down approach to software testing? Interface errors are identified early. Testing can be started before all programs are complete. It is more effective than other testing approaches. Errors in critical modules are detected sooner.

Interface errors are identified early is correct. The advantage of the top-down approach is that tests of major functions are conducted early, thus enabling the detection of interface errors sooner. Testing can be started before all programs are complete is incorrect. That testing can be started before all programs are complete is an advantage of the bottom-up approach to system testing. It is more effective than other testing approaches is incorrect. The most effective testing approach is dependent on the environment being tested. Errors in critical modules are detected sooner is incorrect. Detecting errors in critical modules sooner is an advantage of the bottom-up approach to system testing.

An IS auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should: conclude that the project is progressing as planned because dates are being met. question the project manager further to identify whether overtime costs are being tracked accurately. conclude that the programmers are intentionally working slowly to earn extra overtime pay. investigate further to determine whether the project plan may not be accurate.

Investigate further to determine whether the project plan may not be accurate is correct. Although the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a good practice. Although overtime costs may be an indicator that something is wrong with the plan, in many organizations, the programming staff may be salaried, so overtime costs may not be directly recorded. Conclude that the project is progressing as planned because dates are being met is incorrect. Although the project is on time and budget, there may be problems with the project plan because considerable amounts of unplanned overtime have been required. Question the project manager further to identify whether overtime costs are being tracked accurately is incorrect. There is a possibility that the project manager has hidden some costs to make the project look better; however, the real problem may be with whether the project plan is realistic, not just the accounting. Conclude that the programmers are intentionally working slowly to earn extra overtime pay is incorrect. It is possible that the programmers are trying to take advantage of the time system, but if the overtime has been required to keep the project on track it is more likely that the time lines and expectations of the project are unrealistic.

When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software: was installed, but not documented in the IT department records. was being used by users not properly trained in its use. is not listed in the approved software standards document. license will expire in the next 15 days.

Is not listed in the approved software standards document is correct. The installation of software that is not allowed by policy is a serious violation and could put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies. Was installed, but not documented in the IT department records is incorrect. All software, including licenses, should be documented in IT department records, but this is not as serious as the violation of policy in installing unapproved software. Was being used by users not properly trained in its use is incorrect. Discovering that users have not been formally trained in the use of a software product is common, and while not ideal, most software includes help files and other tips that can assist in learning how to use the software effectively. License will expire in the next 15 days is incorrect. A software license that is about to expire is not a risk if there is a process in place to renew it.

The MOST important factor in planning a black box penetration test is: the documentation of the planned testing procedure. a realistic evaluation of the environment architecture to determine scope. knowledge by the management staff of the client organization. scheduling and deciding on the timed length of the test.

Knowledge by the management staff of the client organization is correct. Black box penetration testing assumes no prior knowledge of the infrastructure to be tested. Testers simulate an attack from someone who is unfamiliar with the system. It is important to have management knowledge of the proceedings so that if the test is identified by the monitoring systems, the legality of the actions can be determined quickly. The documentation of the planned testing procedure is incorrect. A penetration test should be carefully planned and executed, but the most important factor is proper approvals. A realistic evaluation of the environment architecture to determine scope is incorrect. In a black box penetration test, the environment is not known to the testing organization. Scheduling and deciding on the timed length of the test is incorrect. A test must be scheduled so as to minimize the risk of affecting critical operations; however, this is part of working with the management of the organization.

Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment? Lack of transaction authorizations Loss or duplication of EDI transmissions Transmission delay Deletion or manipulation of transactions prior to or after establishment of application controls

Lack of transaction authorizations is correct. Because the interaction between parties is electronic, there is no inherent authentication occurring; therefore, lack of transaction authorization is the greatest risk. Loss or duplication of electronic data interchange transmissions is incorrect. This is an example of risk, but because all transactions should be logged, the impact is not as great as that of unauthorized transactions. Transmission delay is incorrect. This may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data. Deletion or manipulation of transactions prior to, or after, establishment of application controls is incorrect. This is an example of risk. Logging detects any alteration to the data, and the impact is not as great as that of unauthorized transactions.

An IS auditor is performing a post-implementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management? Recalculations Limit checks Run-to-run totals Reconciliations

Limit checks is correct. Processing controls should be implemented as close as possible to the point of data entry. Limit checks are one type of input validation check that provides a preventive control to ensure that invalid data cannot be entered because values must fall within a predetermined limit. Recalculations is incorrect. A sample of transactions may be recalculated manually to ensure that processing is accomplishing the anticipated task. Recalculations are performed after the output phase. Run-to-run totals is incorrect. These provide the ability to verify data values through the stages of application processing. Run-to-run total verification ensures that data read into the computer were accepted and then applied to the updating process. Run-to-run totals are performed after the output phase. Reconciliations is incorrect. Reconciliation of file totals should be performed on a routine basis. Reconciliations may be performed through the use of a manually maintained account, a file control record or an independent control file. Reconciliations are performed after the output phase.

Results of a post-implementation review indicate that only 75 percent of the users can log in to the application concurrently. Which of the following could have BEST discovered the identified weakness of the application? Volume testing, Load testing, Stress testing, Recovery testing

Load testing is correct. This evaluates the performance of the software under normal and peak conditions. Because this application is not supporting normal numbers of concurrent users, the load testing must not have been adequate. Stress testing is incorrect. This determines the capacity of the software to cope with an abnormal number of users or simultaneous operations. Because the number of concurrent users in this question is within normal limits, the answer is load testing, not stress testing. Recovery testing is incorrect. This evaluates the ability of a system to recover after a failure. Volume testing is incorrect. This evaluates the impact of incremental volume of records (not users) on a system.

Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit? Ensure that media are encrypted. Maintain a duplicate copy. Maintain chain of custody. Ensure that personnel are bonded.

Maintain a duplicate copy is correct. Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensitive information should be treated with the same control considerations as the actual data. Ensure that media are encrypted is incorrect. Although strong encryption protects against disclosure, it will not mitigate the loss of irreplaceable data. Maintain chain of custody is incorrect. Chain of custody is an important control, but it will not mitigate a loss if a locked area is broken into and media removed or if media are lost while in an individual's custody. Ensure that personnel are bonded is incorrect. Bonded security, although good for preventing theft, will not protect against accidental loss or destruction.

A decision support system is used to help high-level management: solve highly structured problems. combine the use of decision models with predetermined criteria. make decisions based on data analysis and interactive models. support only structured decision-making tasks.

Make decisions based on data analysis and interactive models is correct. A decision support system (DSS) emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria. Solve highly structured problems is incorrect. A DSS is aimed at solving less structured problems. Combine the use of decision models with predetermined criteria is incorrect. A DSS combines the use of models and analytic techniques with traditional data access and retrieval functions but is not limited by predetermined criteria. Support only structured decision-making tasks is incorrect. A DSS supports semistructured decision-making tasks.

What is the MOST prevalent security risk when an organization implements remote virtual private network (VPN) access to its network? Malicious code could be spread across the network. The VPN logon could be spoofed. Traffic could be sniffed and decrypted. The VPN gateway could be compromised.

Malicious code could be spread across the network is correct. Virtual private network (VPN) is a mature technology; VPN devices are hard to break. However, when remote access is enabled, malicious code in a remote client could spread to the organization's network. One problem is when the VPN terminates inside the network and the encrypted VPN traffic goes through the firewall. This means that the firewall cannot adequately examine the traffic. The VPN logon could be spoofed is incorrect. A secure VPN solution would use two-factor authentication to prevent spoofing. Traffic could be sniffed and decrypted is incorrect. Sniffing encrypted traffic does not generally provide an attack vector for its unauthorized decryption. The VPN gateway could be compromised is incorrect. A misconfigured or poorly implemented VPN gateway could be subject to attack, but if it is located in a secure subnet, then the risk is reduced.

Which of the following is the key benefit of a control self-assessment? Management ownership of the internal controls supporting business objectives is reinforced. Audit expenses are reduced when the assessment results are an input to external audit work. Fraud detection will be improved because internal business staff are engaged in testing controls. Internal auditors can shift to a consultative approach by using the results of the assessment.

Management ownership of the internal controls supporting business objectives is reinforced is correct. The objective of control self-assessment (CSA) is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance. Audit expenses are reduced when the assessment results are an input to external audit work is incorrect and is not a key benefit of CSA. Fraud detection is improved because internal business staff are engaged in testing controls is incorrect. Improved fraud detection is important but not as important as control ownership. It is not a principal objective of CSA. Internal auditors can shift to a consultative approach by using the results of the assessment is incorrect. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.

When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment approaches is being applied? Transfer Mitigation Avoidance Acceptance

Mitigation is correct. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan, it is a risk mitigation strategy. Transfer is incorrect. Risk transfer is the transference of risk to a third party (e.g., buying insurance for activities that pose a risk). Avoidance is incorrect. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure. Acceptance is incorrect. Risk acceptance occurs when an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it.

An IS auditor is reviewing access controls for a manufacturing organization. During the review, the IS auditor discovers that data owners have the ability to change access controls for a low-risk application. The BEST course of action for the IS auditor is to: recommend that mandatory access control (MAC) be implemented. report this as a finding to upper management. report this to the data owners to determine whether it is an exception. not report this issue because discretionary access controls are in place.

Not report this issue because discretionary access controls are in place is correct. Discretionary access control (DAC) allows data owners to modify access, which is a normal procedure and is a characteristic of DAC. Recommend that mandatory access control be implemented is incorrect. It is more appropriate for data owners to have DAC in a low-risk application. Report this as a finding to upper management is incorrect. The use of DAC may not be an exception and, until confirmed, should not be reported as an issue. Report this to the data owners to determine whether it is an exception is incorrect. While an IS auditor may consult with data owners regarding whether this access is allowed normally, the IS auditor should not rely on the auditee to determine whether this is an issue.

In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations? Physical security measures Total number of subscribers Number of subscribers permitted to use a site at one time References by other users

Number of subscribers permitted to use a site at one time is correct. The contract should specify the number of subscribers permitted to use the site at any one time. The contract can be written to give preference to certain subscribers. Physical security measures is incorrect. These are not always part of the contract, although they are an important consideration when choosing a third-party site. Total number of subscribers is incorrect. This is a consideration, but more important is whether the agreement limits the number of subscribers in a building or in a specific area. It is also good to know if other subscribers are competitors. References by other users is incorrect. The references that other users can provide are a consideration taken before signing the contract; it is by no means part of the contractual provisions.

Which audit technique provides the BEST evidence of the segregation of duties in an IT department? Discussion with management Review of the organization chart Observation and interviews Testing of user access rights

Observation and interviews is correct. Based on the observations and interviews, the IS auditor can evaluate the segregation of duties. By observing the IT staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations. By interviewing the IT staff, the auditor can get an overview of the tasks performed. Discussion with management is incorrect. Management may not be aware of the detailed functions of each employee in the IT department and whether the controls are being followed. Therefore, discussion with the management provides only limited information regarding segregation of duties. Review of the organization chart is incorrect. An organization chart does not provide details of the functions of the employees or whether the controls are working correctly. Testing of user access rights is incorrect. This provides information about the rights users have within the IS systems but does not provide complete information about the functions they perform. Observation is a better option because user rights can be changed between audits.

An IS auditor evaluating logical access controls should FIRST: document the controls applied to the potential access paths to the system. test controls over the access paths to determine if they are functional. evaluate the security environment in relation to written policies and practices. obtain an understanding of the security risk to information processing.

Obtain an understanding of the security risk to information processing is correct. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk. Document the controls applied to the potential access paths to the system is incorrect. Documentation and evaluation is the second step in assessing the adequacy, efficiency and effectiveness of the controls and is based on the risk to the system that necessitates the controls. Test controls over the access paths to determine if they are functional is incorrect. The third step is to test the access paths—to determine if the controls are functioning. Evaluate the security environment in relation to written policies and practices is incorrect. It is only after the risk is determined and the controls documented that the IS auditor can evaluate the security environment to assess its adequacy through review of the written policies, observation of practices and comparison of them to appropriate security good practices.

Which of the following is the BEST control to prevent the deletion of audit logs by unauthorized individuals in an organization? Actions performed on log files should be tracked in a separate log. Write access to audit logs should be disabled. Only select personnel should have rights to view or delete audit logs. Backups of audit logs should be performed periodically.

Only select personnel should have rights to view or delete audit logs is correct. Granting access to audit logs to only system administrators and security administrators would reduce the possibility of these files being deleted. Actions performed on log files should be tracked in a separate log is incorrect. Having additional copies of log file activity would not prevent the original log files from being deleted. Write access to audit logs should be disabled is incorrect. For servers and applications to operate correctly, write access cannot be disabled. Backups of audit logs should be performed periodically is incorrect. Frequent backups of audit logs would not prevent the logs from being deleted.

Which of the following is the PRIMARY objective of an IT performance measurement process? Minimize errors Gather performance data Establish performance baselines Optimize performance

Optimize performance is correct. An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions. Minimize errors is incorrect. This is an aspect of performance but not the primary objective of performance management. Gather performance data is incorrect. This is necessary to measure IT performance but is not the objective of the process. Establish performance baselines is incorrect. The performance measurement process compares actual performance with baselines but is not the objective of the process.

An audit charter should: be dynamic and change to coincide with the changing nature of technology and the audit profession. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls. document the audit procedures designed to achieve the planned audit objectives. outline the overall authority, scope and responsibilities of the audit function.

Outline the overall authority, scope and responsibilities of the audit function is correct. An audit charter should state management's objectives for and delegation of authority to IS auditors. Be dynamic and change to coincide with the changing nature of technology and the audit profession is incorrect. The audit charter should not be subject to changes in technology and should not significantly change over time. The charter should be approved at the highest level of management. Clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls is incorrect. An audit charter states the authority and reporting requirements for the audit but not the details of maintenance of internal controls. Document the audit procedures designed to achieve the planned audit objectives is incorrect. An audit charter is not at a detailed level and, therefore, does not include specific audit objectives or procedures.

Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process? Participating in the design of the risk management framework Advising on different implementation techniques Facilitating risk awareness training Performing due diligence of the risk management processes

Participating in the design of the risk management framework is correct. This involves designing controls, which compromises the independence of the IS auditor to audit the risk management process. Advising on different implementation techniques is incorrect as this does not compromise the IS auditor's independence because the IS auditor will not be involved in the decision-making process. Facilitating awareness training is incorrect. This does not hamper the IS auditor's independence because the auditor will not be involved in the decision-making process. Performing a due diligence review of the risk management processes is incorrect. Due diligence reviews are a type of audit generally related to mergers and acquisitions.

An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy: payroll reports should be compared to input forms. gross payroll should be recalculated manually. checks should be compared to input forms. checks should be reconciled with output reports.

Payroll reports should be compared to input forms is correct. The best way to confirm data accuracy, when input is provided by the organization and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports. Gross payroll should be recalculated manually is incorrect. Recalculating gross payroll manually only verifies whether the processing is correct and not the data accuracy of inputs. Checks should be compared to input forms is incorrect. Comparing checks to input forms is not feasible because checks contain the processed information and input forms contain the input data. Checks should be reconciled with output reports is incorrect. Reconciling checks with output reports only confirms that checks were issued as stated on output reports.

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another? Compare the hash total before and after the migration. Verify that the number of records is the same for both databases. Perform sample testing of the migrated account balances. Compare the control totals of all of the transactions.

Perform sample testing of the migrated account balances is correct. This will involve the comparison of a selection of individual transactions from the database before and after the migration. Compare the hash total before and after the migration is incorrect. The hash total will only validate the data integrity at a batch level rather than at a transaction level. Verify that the number of records is the same for both databases is incorrect. Databases are composed of records that can contain multiple fields. The number of records will not allow an IS auditor to ascertain whether some of these fields have been successfully migrated. Compare the control totals of all of the transactions is incorrect. This does not imply that the records are complete or that individual values are accurate.

Which of the following types of risk is MOST likely encountered in a software as a service environment? Noncompliance with software license agreements Performance issues due to Internet delivery method Higher cost due to software licensing requirements Higher cost due to the need to update to compatible hardware

Performance issues due to Internet delivery method is correct. The risk that can be most likely encountered in a software as a service (SaaS) environment is speed and availability issues, because SaaS relies on the Internet for connectivity. Noncompliance with software license agreements is incorrect. SaaS is provisioned on a usage basis and the number of users is monitored by the SaaS provider; therefore, there should be no risk of noncompliance with software license agreements. Higher cost due to software licensing requirements is incorrect. The costs for a SaaS solution should be fixed as a part of the services contract and considered in the business case presented to management for approval of the solution. Higher cost due to the need to update to compatible hardware is incorrect. The open design and Internet connectivity allow most SaaS to run on virtually any type of hardware.

Which of the following is the BEST way to ensure that organizational policies comply with legal requirements? Inclusion of a blanket legal statement in each policy Periodic review by subject matter experts Annual sign-off by senior management on organizational policies Policy alignment to the most restrictive regulations

Periodic review by subject matter experts is correct. Periodic review of policies by personnel with specific knowledge of regulatory and legal requirements best ensures that organizational policies are aligned with legal requirements. Inclusion of a blanket legal statement in each policy is incorrect. A blanket legal statement in each policy to adhere to all applicable laws and regulations is ineffective because the readers of the policy (internal personnel) will not know which statements are applicable or the specific nature of their requirements. As a result, personnel may lack the knowledge to perform the required activities for legal compliance. Annual sign-off by senior management on organizational policies is incorrect. This helps set the tone at the top but does not ensure that the policies comply with regulatory and legal requirements. Policy alignment to the most restrictive regulations is incorrect. Aligning policies to the most restrictive regulations may create an unacceptable financial burden for the organization. This could then lead to securing minimal risk systems to the same degree as those containing sensitive customer data and other information protected by legislation.

Which of the following is an advantage of an integrated test facility (ITF)? It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction. Periodic testing does not require separate test processes. It validates application systems and ensures the correct operation of the system. The need to prepare test data is eliminated.

Periodic testing does not require separate test processes is correct. An integrated test facility (ITF) creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data. It uses actual master files or dummies, and the IS auditor does not have to review the source of the transaction is incorrect. The ITF tests a test transaction as if it were a real transaction and validates that transaction processing is being done correctly. It is not related to reviewing the source of a transaction. It validates application systems and ensures the correct operation of the system is incorrect. An ITF does validate the correct operation of a transaction in an application, but it does not ensure that a system is being operated correctly. The need to prepare test data is eliminated is incorrect. The ITF is based on the integration of test data into the normal process flow, so test data is still required.

An organization is proposing to establish a wireless local area network (WLAN). Management asks the IS auditor to recommend security controls for the WLAN. Which of the following would be the MOST appropriate recommendation? Physically secure wireless access points to prevent tampering. Use service set identifiers that clearly identify the organization. Encrypt traffic using the Wired Equivalent Privacy mechanism. Implement the Simple Network Management Protocol to allow active monitoring.

Physically secure wireless access points to prevent tampering is correct. Physically securing access points such as wireless routers, as well as preventing theft, addresses the risk of malicious parties tampering with device settings. If access points can be physically reached, it is often a simple matter to restore weak default passwords and encryption keys, or to totally remove authentication and encryption from the network. Use service set identifiers that clearly identify the organization is incorrect. Service set identifiers should not be used to identify the organization because hackers can associate the wireless local area network with a known organization, and this increases both their motivation to attack and, potentially, the information available to do so. Encrypt traffic using the Wired Equivalent Privacy mechanism is incorrect. The original Wired Equivalent Privacy security mechanism has been demonstrated to have a number of exploitable weaknesses. The more recently developed Wi-Fi Protected Access and Wi-Fi Protected Access 2 standards represent considerably more secure means of authentication and encryption. Implement the Simple Network Management Protocol to allow active monitoring is incorrect. Installing Simple Network Management Protocol on wireless access points can actually open up security vulnerabilities. If SNMP is required at all, then SNMP v3, which has stronger authentication mechanisms than earlier versions, should be deployed.

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? Use of a capability maturity model Regular monitoring of task-level progress against schedule Extensive use of software development tools to maximize team productivity Post iteration reviews that identify lessons learned for future use in the project

Post iteration reviews that identify lessons learned for future use in the project is correct. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is for the team to consider and document, at the end of each iteration, what worked well and what could have worked better, and to identify improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four to eight weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant. Use of a capability maturity model is incorrect. The capability maturity model places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. Regular monitoring of task-level progress against schedule is incorrect. Task-level tracking is not used because daily meetings identify challenges and impediments to the project. Extensive use of software development tools to maximize team productivity is incorrect. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance.

Which of the following is a characteristic of timebox management? Not suitable for prototyping or rapid application development Eliminates the need for a quality process Prevents cost overruns and delivery delays Separates system and user acceptance testing

Prevents cost overruns and delivery delays is correct. Timebox management, by its nature, sets specific time and cost boundaries. It is effective in controlling costs and delivery time lines by ensuring that each segment of the project is divided into small controllable time frames. Not suitable for prototyping or rapid application development is incorrect. Timebox management is very suitable for prototyping and rapid application development. Eliminates the need for a quality process is incorrect. Timebox management does not eliminate the need for a quality process. Separates system and user acceptance testing is incorrect. Timebox management integrates system and user acceptance testing.

When reviewing a disaster recovery plan, an IS auditor should be MOST concerned with the lack of: process owner involvement. well-documented testing procedures. an alternate processing facility. a well-documented data classification scheme.

Process owner involvement is correct. This is a critical part of the business impact analysis (BIA), which is used to create the disaster recovery plan. If the IS auditor determined that process owners were not involved, this would be a significant concern. Well-documented testing procedures is incorrect. While these are important, unless process owners are involved there is no way to know whether the priorities and critical elements of the plan are valid. An alternate processing facility is incorrect. This may be a requirement to meet the needs of the business; however, such a decision needs to be based on the BIA. A well-documented data classification scheme is incorrect. This is important to ensure that controls over data are appropriate; however, this is a lesser concern than a lack of process owner involvement.

An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel? Production access is granted to the individual support ID when needed. Developers use a firefighter ID to promote code to production. A dedicated user promotes emergency changes to production. Emergency changes are authorized prior to promotion.

Production access is granted to the individual support ID when needed is correct. Production access should be controlled and monitored to ensure segregation of duties. During an emergency change, a user who normally does not have access to production may require access. The best process to ensure accountability within the production system is to have the information security team create a production support group and add the user ID to that group to promote the change. When the change is complete the ID can be removed from the group. This process ensures that activity in production is linked to the specific ID that was used to make the change. Developers use a firefighter ID to promote code to production is incorrect. Some organizations may use a firefighter ID, which is a generic/shared ID, to promote changes to production. When needed, the developer can use this ID to access production. It may still be difficult to determine who made the change; therefore, although this process is commonly used, the use of a production support ID is a better choice. A dedicated user promotes emergency changes to production is incorrect. Having a dedicated user who promotes changes to production in an emergency is ideal but is generally not cost-effective and may not be realistic for emergency changes. Emergency changes are authorized prior to promotion is incorrect. Emergency changes are, by definition, unauthorized changes. Approvals usually are obtained following promotion of the change to production. All changes should be auditable, and that can best be accomplished by having a user ID added/removed to the production support group as needed.

An external IS auditor issues an audit report pointing out the lack of firewall protection features at the perimeter network gateway and recommending a specific vendor product to address this vulnerability. The IS auditor has failed to exercise: professional independence. organizational independence. technical competence. professional competence.

Professional independence is correct. When an IS auditor recommends a specific vendor, the auditor's professional independence is compromised. Organizational independence is incorrect. This has no relevance to the content of an audit report and should be considered at the time of accepting the engagement. Technical competence is incorrect. This is not relevant to the requirement of independence. Professional competence is incorrect. This is not relevant to the requirement of independence.

Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience? Internal quality requirements The audit guidelines The audit methodology Professional standards

Professional standards is correct. Professional standards from ISACA, The Institute of Internal Auditors and the International Federation of Accountants require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more. Internal quality requirements is incorrect. They may exist but are superseded by the requirement of supervision to comply with professional standards. Audit guidelines is incorrect. These exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards. The audit methodology is incorrect. This is a well-configured process/procedure to achieve audit objectives. While an audit methodology is a meaningful tool, supervision is generally driven by compliance with professional standards.

An IS auditor should recommend the use of library control software to provide reasonable assurance that: program changes have been authorized. only thoroughly tested programs are released. modified programs are automatically moved to production. source and executable code integrity is maintained.

Program changes have been authorized is correct. Library control software should be used to separate test from production libraries in mainframe and/or client server environments. The main objective of library control software is to provide assurance that program changes have been authorized. Only thoroughly tested programs are released is incorrect. Library control software is concerned with authorized program changes and cannot determine whether programs have been thoroughly tested. Modified programs are automatically moved to production is incorrect. Programs should not be moved automatically into production without proper authorization. Source and executable code integrity is maintained is incorrect. Library control software provides reasonable assurance that the source code and executable code are matched at the time source code is moved to production. Access control will ensure the integrity of the software, but the most important benefit of version control software is to ensure that all changes are authorized.

Which of the following BEST helps ensure that deviations from the project plan are identified? A project management framework A project management approach A project resource plan Project performance criteria

Project performance criteria is correct. To identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success. A project management framework is incorrect. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project but does not define the criteria used to measure project success. A project management approach is incorrect. This defines guidelines for project management processes and deliverables but does not define the criteria used to measure project success. A project resource plan is incorrect. This defines the responsibilities, relationships, authorities and performance criteria of project team members but does not wholly define the criteria used to measure project success.

A company's development team does not follow generally accepted system development life cycle practices. Which of the following is MOST likely to cause problems for software development projects? Functional verification of the prototypes is assigned to end users. The project is implemented while minor issues are open from user acceptance testing. Project responsibilities are not formally defined at the beginning of a project. Program documentation is inadequate.

Project responsibilities are not formally defined at the beginning of a project is correct. Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project. Functional verification of the prototypes is assigned to end users is incorrect. Prototypes are verified by users. The project is implemented while minor issues are open from user acceptance testing is incorrect. User acceptance testing is seldom completely successful. If errors are not critical, they may be corrected after implementation without seriously affecting usage. Program documentation is inadequate is incorrect. Lack of adequate program documentation, while a concern, is not as big a risk as the lack of assigned responsibilities during the initial stages of the project.

Which of the following is a network diagnostic tool that monitors and records network information? Online monitor Downtime report Help desk report Protocol analyzer

Protocol analyzer is correct. These are network diagnostic tools that monitor and record network information from packets traveling in the link to which the analyzer is attached. Online monitor is incorrect. These measure telecommunication transmissions and determine whether transmissions were accurate and complete. Downtime report is incorrect. These track the availability of telecommunication lines and circuits. Help desk report is incorrect. These are prepared by the help desk, which is staffed or supported by IS technical support personnel trained to handle problems occurring during the course of IS operations.

Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production? Provide and monitor separate developer login IDs for programming and for production support. Capture activities of the developer in the production environment by enabling detailed audit trails. Back up all affected records before allowing the developer to make production changes. Ensure that all changes are approved by the change manager prior to implementation.

Provide and monitor separate developer login IDs for programming and for production support is correct. Providing separate login IDs that would only allow a developer privileged access when required is a good compensating control, but it must also be backed up with monitoring and supervision of the activity of the developer. Capture activities of the developer in the production environment by enabling detailed audit trails is incorrect. While capturing activities of the developer via audit trails or logs would be a good practice, the control would not be effective unless these audit trails are reviewed on a periodic basis. Back up all affected records before allowing the developer to make production changes is incorrect. This would allow for rollback in case of an error but would not prevent or detect unauthorized changes. Ensure that all changes are approved by the change manager prior to implementation is incorrect. Even though changes are approved by the change manager, a developer with full access can easily circumvent this control.

Which of the following is the most important element in the design of a data warehouse? Quality of the metadata Speed of the transactions Volatility of the data Vulnerability of the system

Quality of the metadata is correct. This is the most important element in the design of a data warehouse. A data warehouse is a copy of transaction data specifically structured for query and analysis. Metadata describes the data in the warehouse and aims to provide a table of contents to the stored information. Companies that have built warehouses believe that metadata are the most important component of the warehouse. Speed of the transactions is incorrect. A data warehouse is used for analysis and research, not for production operations, so the speed of transactions is not relevant. Volatility of the data is incorrect. Data in a data warehouse is frequently received from many sources and vast amounts of information may be received on an hourly or daily basis. Except to ensure adequate storage capability, this is not a primary concern of the designer. Vulnerability of the system is incorrect. Data warehouses may contain sensitive information, or can be used to research sensitive information, so the security of the data warehouse is important. However, this is not the primary concern of the designer.

Which of the following BEST ensures the effectiveness of controls related to interest calculation for an accounting system? Re-performance Process walk-through Observation Documentation review

Re-performance is correct. To ensure the effectiveness of controls, it is most effective to conduct re-performance. When the same result is obtained after the performance by an independent person, this provides the strongest assurance. Process walk-through is incorrect. This may help the auditor understand the controls better; however, it may not be as useful as conducting re-performance for a sample of transactions. Observation is incorrect. This is a valid audit method to verify that operators are using the system appropriately; however, conducting re-performance is a better method. Documentation review is incorrect. This may be of some value for understanding the control environment; however, conducting re-performance is a better method.

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: report the error as a finding and leave further exploration to the auditee's discretion. attempt to resolve the error. recommend that problem resolution be escalated. ignore the error because it is not possible to get objective evidence for the software error.

Recommend that problem resolution be escalated is correct. When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolution be attempted, including escalation if necessary. Report the error as a finding and leave further exploration to the auditee's discretion is incorrect. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate. Action should be taken before the application goes into production. Attempt to resolve the error is incorrect. The IS auditor is not authorized to resolve the error. Ignore the error because it is not possible to get objective evidence for the software error is incorrect. Neglecting the error would indicate that the IS auditor has not taken steps to further probe the issue to its logical end.

In a disaster recovery situation, which of the following is the MOST important metric to ensure that data are synchronized between critical systems? Recovery point objective Recovery time objective Recovery service resilience Recovery service scalability

Recovery point objective is correct. Establishing a common recovery point objective is most critical for ensuring that interdependencies between systems are properly synchronized. It ensures that systems do not contain data from different points in time that may result in accounting transactions that cannot be reconciled and a loss of referential integrity. Recovery time objective is incorrect. Recovery time objectives are not as important to synchronize because they normally vary depending on the level of effort and resources required to restore a system. Recovery service resilience is incorrect. This measures the fault tolerance due to data exceptions and ability to restart and recover from internal failures. Recovery service scalability is incorrect. This refers to the capacity constraints and limitations that a recovery solution may have relative to the original system configuration.

Which of the following is the BEST indicator of the effectiveness of backup and restore procedures while restoring data after a disaster? Members of the recovery team were available. Recovery time objectives were met. Inventory of backup tapes was properly maintained. Backup tapes were completely restored at an alternate site.

Recovery time objectives (RTOs) were met is correct. The effectiveness of backup and restore procedures is best ensured by RTOs being met because these are the requirements that are critically defined during the business impact analysis stage, with the inputs and involvement of all business process owners. Members of the recovery team were available is incorrect. The availability of key personnel does not ensure that backup and restore procedures will work effectively. Inventory of backup tapes was properly maintained is incorrect. The inventory of the backup tapes is only one element of the successful recovery. Backup tapes were completely restored at an alternate site is incorrect. The restoration of backup tapes is a critical success, but only if they were able to be restored within the time frames set by the RTO.

An advantage of using unshielded twisted-pair (UTP) cable for data communication over other copper-based cables is that UTP cable: reduces crosstalk between pairs. provides protection against wiretapping. can be used in long-distance networks. is simple to install.

Reduces crosstalk between pairs is correct. The use of unshielded twisted-pair (UTP) in copper will reduce the likelihood of crosstalk. Provides protection against wiretapping is incorrect. While the twisted nature of the media will reduce sensitivity to electromagnetic disturbances, an unshielded copper wire does not provide adequate protection against wiretapping. Can be used in long-distance networks is incorrect. Attenuation sets in if copper twisted-pair cable is used for longer than 100 meters, necessitating the use of a repeater. Is simple to install is incorrect. The tools and techniques to install UTP are not simpler or easier than other copper-based cables.

An IS auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice: reduces the risk of unauthorized access to the network. is not suitable for small networks. automatically provides an IP address to anyone. increases the risk associated with Wireless Encryption Protocol.

Reduces the risk of unauthorized access to the network is correct. Dynamic Host Configuration Protocol (DHCP) automatically assigns IP addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used, and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access. Is not suitable for small networks is incorrect. DHCP is suitable for networks of all sizes from home networks to large complex organizations. Automatically provides an IP address to anyone is incorrect. DHCP does not provide IP addresses when disabled. Increases the risk associated with Wireless Encryption Protocol (WEP) is incorrect. Disabling of the DHCP makes it more difficult to exploit the well-known weaknesses in WEP.

Which of the following is a control that can be implemented to reduce risk of internal fraud if application programmers are allowed to move programs into the production environment in a small organization? Post-implementation functional testing Registration and review of changes Validation of user requirements User acceptance testing

Registration and review of changes is correct. An independent review of the changes to the program in production could identify potential unauthorized changes, versions or functionality that the programmer had put into production. Post-implementation functional testing is incorrect. This would not be as effective because the system could be accepted by the end user without detecting the undocumented functionality. Validation of user requirements is incorrect. This would not be as effective because the system could meet user requirements and still include undocumented functionalities. User acceptance testing is incorrect. This would not be as effective because the system could be accepted by the end users, and the undocumented functionalities could remain undetected.

Which of the following will MOST successfully identify overlapping key controls in business application systems? Reviewing system functionalities that are attached to complex business processes Submitting test transactions through an integrated test facility Replacing manual monitoring with an automated auditing solution Testing controls to validate that they are effective

Replacing manual monitoring with an automated auditing solution is correct. As part of the effort to realize continuous audit management, there are cases for introducing an automated monitoring and auditing solution. All key controls need to be clearly aligned for systematic implementation; thus, analysts can discover unnecessary or overlapping key controls in existing systems. Reviewing system functionalities that are attached to complex business processes is incorrect. In general, highly complex business processes may have more key controls than business areas with less complexity; however, finding, with certainty, unnecessary controls in complex areas is not always possible. If a well-thought-out key control structure was established from the beginning, finding any overlap in key controls will not be possible. Submitting test transactions through an integrated test facility is incorrect. An integrated test facility is an audit technique to test the accuracy of the processes in the application system. It may find control flaws in the application system, but it would be difficult to find the overlap in key controls. Testing controls to validate that they are effective is incorrect. By testing controls to validate whether they are effective, the IS auditor can identify whether there are overlapping controls; however, the process of implementing an automated auditing solution would better identify overlapping controls.

During an audit, the IS auditor notes the application developer also performs quality assurance testing on another application. Which of the following is the MOST important course of action for the auditor? Recommend compensating controls. Review the code created by the developer. Analyze the quality assurance dashboards. Report the identified condition.

Report the identified condition is correct. The software quality assurance role should be independent and separate from development and development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified. Recommend compensating controls is incorrect. Although compensating controls may be a good idea, the primary response in this case should be to report the condition, because the risk associated with this should be reported to the users of the audit report. Review the code created by the developer is incorrect. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response should be to report the condition. Analyze the quality assurance dashboards is incorrect. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties but does not address the underlying risk. The primary response should be to report the condition.

While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should: report the issue to IT management. discuss the issue with the service provider. perform a risk assessment. perform an access review.

Report the issue to IT management is correct. During an audit, if there are material issues that are of concern, they need to be reported to management in the audit report. Discuss the issue with the service provider is incorrect. The IS auditor may discuss the issue with the service provider; however, the appropriate response is to report the issue to IT management because they are ultimately responsible. Perform a risk assessment is incorrect. This issue can serve as an input for a future risk assessment, but the issue of noncompliance should be reported to management regardless of whether the IS auditor believes there is a significant risk. Perform an access review is incorrect. The IS auditor could perform an access review as part of the audit to determine if there are errors, but not on behalf of the third-party IT service provider. It is more important to report the issue in the audit report to management.

During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to: include a review of the database controls in the scope. document for future review. work with database administrators to correct the issue. report the weaknesses as observed.

Report the weaknesses as observed is correct. Any weakness noticed should be reported, even if it is outside the scope of the current audit. Weaknesses identified during an application software review need to be reported to management. Include a review of the database controls in the scope is incorrect. Executing audits and reviews outside the scope is not advisable. In this case, the weakness identified is considered to be a minor issue, and it is sufficient to report the issue and address it at a later time. Document for future review is incorrect. In this case, the weakness identified is considered to be a minor issue. The IS auditor should formally report the weaknesses as an observation rather than documenting it to address during a future audit. Work with database administrators to correct the issue is incorrect. It is not appropriate for the IS auditor to work with database administrators to correct the issue.

An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: recommend that this separate project be completed as soon as possible. report this issue as a finding in the audit report. recommend the adoption of the Zachman framework. re-scope the audit to include the separate project as part of the current audit.

Report this issue as a finding in the audit report is correct. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding. Recommend that this separate project be completed as soon as possible is incorrect. The IS auditor does not ordinarily provide input on the timing of projects, but rather provides an assessment of the current environment. The most critical issue in this scenario is that the enterprise architecture (EA) is undergoing change, so the IS auditor should be most concerned with reporting this issue. Recommend the adoption of the Zachman framework is incorrect. The organization is free to choose any EA framework, and the IS auditor should not recommend a specific framework. Re-scope the audit to include the separate project as part of the current audit is incorrect. Changing the scope of an audit to include the secondary project is not required, although a follow-up audit may be desired.

An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: verify how the organization complies with the standards. identify and report the existing controls. review the metrics for quality evaluation. request all standards adopted by the organization.

Request all standards adopted by the organization is correct. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist. Verify how the organization complies with the standards is incorrect. The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are. The other items listed—verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics—are secondary to the identification of standards. Identify and report the existing controls is incorrect. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance. Review the metrics for quality evaluation is incorrect. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics.

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? Data retention, backup and recovery Return or destruction of information Network and intrusion detection A patch management process

Return or destruction of information is correct. When reviewing a third-party agreement, the most important consideration with regard to the privacy of the data is the clause concerning the return or secure destruction of information at the end of the contract. Data retention, backup and recovery is incorrect. These are important controls; however, they do not guarantee data privacy. Network and intrusion detection is incorrect. These are helpful when securing the data, but on their own, they do not guarantee the privacy of data stored at a third-party provider. A patch management process is incorrect. This helps secure servers and may prohibit unauthorized disclosure of data; however, it does not affect the privacy of the data.

During a post-implementation review of an enterprise resource management system, an IS auditor would MOST likely: review access control configuration. evaluate interface testing. review detailed design documentation. evaluate system testing.

Review access control configuration is correct. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Evaluate interface testing is incorrect. Because a post-implementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. Review detailed design documentation is incorrect. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system because these are usually vendor packages with user manuals. System testing should be performed before final user signoff. Further, because the system has been implemented, the IS auditor would only check the detailed design if there appeared to be a gap between design and functionality. Evaluate system testing is incorrect. System testing should be performed before final user signoff. The IS auditor should not need to review the system tests post-implementation.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server? Manually copy files to accomplish replication. Review changes in the software version control system. Ensure that developers do not have access to the backup server. Review the access control log of the backup server.

Review changes in the software version control system is correct. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system program will prevent the transfer of development or earlier versions. Manually copy files to accomplish replication is incorrect. Even if replication is conducted manually with due care, there still remains a risk of copying unauthorized software from one server to another. Ensure that developers do not have access to the backup server is incorrect. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. Review the access control log of the backup server is incorrect. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.

An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access yet is required for smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution? Redesign the controls related to data authorization. Implement additional segregation of duties controls. Review policy to see if a formal exception process is required. Implement additional logging controls.

Review policy to see if a formal exception process is required is correct. If the users are granted access to change data in support of the business requirements, the policy should be followed. If there is no policy for the granting of extraordinary access, then one should be designed to ensure no unauthorized changes are made. Redesign the controls related to data authorization is incorrect. Data authorization controls should be driven by the policy. While there may be some technical controls that could be adjusted, if the data changes happen infrequently, then an exception process would be the better choice. Implement additional segregation of duties controls is incorrect. While adequate segregation of duties is important, the IS auditor must first review policy to see if there is a formal documented process for this type of temporary access controls to enforce segregation of duties. Implement additional logging controls is incorrect. Audit trails are needed whenever temporary elevated access is required. However, this is not the first step the auditor should take in reviewing the overall process.

An enterprise is developing a strategy to upgrade to a newer version of its database software. Which of the following tasks can an IS auditor perform without compromising the objectivity of the IS audit function? Advise on the adoption of application controls to the new database software. Provide future estimates of the licensing expenses to the project team. Recommend to the project manager how to improve the efficiency of the migration. Review the acceptance test case documentation before the tests are carried out.

Review the acceptance test case documentation before the tests are carried out is correct. The review of the test cases will facilitate the objective of a successful migration and ensure that proper testing is conducted. An IS auditor can advise as to the completeness of the test cases. Advise on the adoption of application controls to the new database software is incorrect. Independence can be compromised if the IS auditor advises on the adoption of specific application controls. Provide future estimates of the licensing expenses to the project team is incorrect. Independence can be compromised if the IS auditor were to audit the estimate of future expenses used to support a business case for management approval of the project. Recommend to the project manager how to improve the efficiency of the migration is incorrect. Advising the project manager on how to increase the efficiency of the migration may compromise the IS auditor's independence.

An IS auditor is assigned to audit a software development project, which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take? Report that the organization does not have effective project management. Recommend the project manager be changed. Review the IT governance structure. Review the business case and project management.

Review the business case and project management is correct. Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to bringing the project over budget and over schedule. Report that the organization does not have effective project management is incorrect. The organization may have effective project management practices and still be behind schedule or over budget. Recommend the project manager be changed is incorrect. There is no indication that the project manager should be changed without looking into the reasons for the overrun. Review the IT governance structure is incorrect. The organization may have sound IT governance and still be behind schedule or over budget.

Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to: assess whether the planned cost benefits are being measured, analyzed and reported. review control balances and verify that the system is processing data accurately. review the impact of program changes made during the first phase on the remainder of the project. determine whether the system's objectives were achieved.

Review the impact of program changes made during the first phase on the remainder of the project is correct. Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in subsequent projects. Assess whether the planned cost benefits are being measured, analyzed and reported is incorrect. While all choices are valid, the post-implementation focus and primary objective should be understanding the impact of the problems in the first phase on the remainder of the project. Review control balances and verify that the system is processing data accurately is incorrect. The review should assess whether the control is working correctly but should focus on the problems that led to project overruns in budget and time. Determine whether the system's objectives were achieved is incorrect. Ensuring that the system works is a primary objective for the IS auditor, but in this case because the project planning was a failure, the IS auditor should focus on the reasons for, and impact of, the failure.

When performing a database review, an IS auditor notices that some tables in the database are not normalized. The IS auditor should next: recommend that the database be normalized. review the conceptual data model. review the stored procedures. review the justification.

Review the justification is correct. If the database is not normalized, the IS auditor should review the justification because, in some situations, denormalization is recommended for performance reasons. Recommend that the database be normalized is incorrect. The IS auditor should not recommend normalizing the database until further investigation takes place. Review the conceptual data model is incorrect. This will not provide information about normalization or the justification for the level of normalization. Review the stored procedures is incorrect. This will not provide information about normalization.

When developing a business continuity plan, which of the following tools should be used to gain an understanding of the organization's business processes? Business continuity self-audit Resource recovery analysis Risk assessment Gap analysis

Risk assessment is correct. This, along with business impact assessment, are tools for understanding the business as a part of a business continuity plan (BCP). Business continuity self-audit is incorrect. This is a tool for evaluating the adequacy of the BCP but not for gaining an understanding of the business. Resource recovery analysis is incorrect. This is a tool for identifying the components necessary for a business resumption strategy but not for gaining an understanding of the business. Gap analysis is incorrect. The role gap analysis can play in BCP is to identify deficiencies in a plan but not for gaining an understanding of the business.

Which of the following types of risk could result from inadequate software baselining? Sign-off delays Software integrity violations Scope creep Inadequate controls

Scope creep is correct. A software baseline is the cutoff point in the design and development of a system. Beyond this point, additional requirements or modifications to the scope must go through formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage a system through baselining can result in uncontrolled changes in a project's scope and may incur time and budget overruns. Sign-off delays is incorrect. These may occur due to inadequate software baselining; however, these are most likely caused by scope creep. Software integrity violations is incorrect. This can be caused by hardware or software failures, malicious intrusions or user errors. Software baselining does not help prevent software integrity violations. Inadequate controls is incorrect. These are most likely present in situations in which information security is not duly considered from the beginning of system development; they are not a risk that can be adequately addressed by software baselining.

Which of the following types of firewalls would BEST protect a network from an Internet attack? Screened subnet firewall Application filtering gateway Packet filtering router Circuit-level gateway

Screened subnet firewall is correct. This would provide the best protection. The screening router can be a commercial router or a node with routing capabilities and the ability to allow or avoid traffic between nets or nodes based on addresses, ports, protocols, interfaces, etc. The subnet would isolate Internet-based traffic from the rest of the corporate network. Application-level filtering gateway is incorrect. These are mediators between two entities that want to communicate, also known as proxy gateways. The application level (proxy) works at the application level, not just at a packet level. This would be the best solution to protect an application but not a network. Packet filtering router is incorrect. This examines the header of every packet or data traveling between the Internet and the corporate network. This is a low-level control. Circuit-level gateway is incorrect. This firewall, such as a Socket Secure server, will protect users by acting as a proxy but is not the best defense for a network.

Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data? Secure Sockets Layer Intrusion detection system Public key infrastructure Virtual private network

Secure Sockets Layer (SSL) is correct. This is used for many e-commerce applications to set up a secure channel for communications providing confidentiality through a combination of public and symmetric key encryption and integrity through hash message authentication code. Intrusion detection system is incorrect. This will log network activity but is not used for protecting traffic over the Internet. Public key infrastructure is incorrect. This is used in conjunction with SSL or for securing communications such as e-commerce and email. Virtual private network (VPN) is incorrect. This is a generic term for a communications tunnel that can provide confidentiality, integrity and authentication (reliability). A VPN can operate at different levels of the Open Systems Interconnection stack and may not always be used in conjunction with encryption. SSL can be called a type of VPN.

An IS auditor is reviewing Secure Sockets Layer enabled web sites for the company. Which of the following choices would be the HIGHEST risk? Expired digital certificates Self-signed digital certificates Using the same digital certificate for multiple web sites Using 56-bit digital certificates

Self-signed digital certificates is correct. These are not signed by a certificate authority (CA) and can be created by anyone. Thus, they can be used by attackers to impersonate a web site, which may lead to data theft, or to perpetrate a man-in-the-middle attack. Expired digital certificates is incorrect. This leads to blocked access to the web site leading to unwanted downtime. However, there is no loss of data. Therefore, the comparative risk is lower. Using the same digital certificate for multiple web sites is incorrect. This is not a significant risk. Wildcard digital certificates may be used for multiple subdomain web sites. Using 56-bit digital certificates is incorrect. These may be needed to connect with older versions of operating systems (OSs) or browsers. While they have a lower strength than 128-bit or 256-bit digital certificates, the comparative risk of a self-signed certificate is higher.

Establishing the level of acceptable risk is the responsibility of: quality assurance management. senior business management. the chief information officer. the chief security officer.

Senior business management is correct. Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process. The person can be the quality assurance (QA), chief information officer (CIO), or the chief security officer (CSO), but the responsibility rests with the business manager. Quality assurance management is incorrect. QA is concerned with reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level. The chief information officer is incorrect. The establishment of acceptable risk levels is a senior business management responsibility. The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. The CIO is rarely the person that determines acceptable risk levels because this could be a conflict of interest unless the CIO is the senior business process owner. The chief security officer is incorrect. The establishment of acceptable risk levels is a senior business management responsibility. The CSO is responsible for enforcing the decisions of the senior management team unless the CIO is the business process manager.

To prevent Internet Protocol (IP) spoofing attacks, a firewall should be configured to drop a packet for which the sender of a packet: specifies the route that a packet should take through the network (the source routing field is enabled). puts multiple destination hosts (the destination field has a broadcast address in the destination field). indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on). allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled).

Specifies the route that a packet should take through the network (the source routing field is enabled) is correct. Internet Protocol (IP) spoofing takes advantage of the source-routing option in the IP. With this option enabled, an attacker can insert a spoofed source IP address. The packet will travel the network according to the information within the source-routing field, bypassing the logic in each router, including dynamic and static routing. Puts multiple destination hosts (the destination field has a broadcast address) is incorrect. If a packet has a broadcast destination address, it is definitely suspicious and if allowed to pass will be sent to all addresses in the subnet. This is not related to IP spoofing. Indicates that the computer should immediately stop using the TCP connection (a reset flag is turned on) is incorrect. Turning on the reset flag is part of the normal procedure to end a Transmission Control Protocol connection. Allows use of dynamic routing instead of static routing (Open Shortest Path First protocol is enabled) is incorrect. The use of dynamic or static routing will not represent a spoofing attack.

During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness? Staging and job setup Supervisory review of logs Regular backup of tapes Offsite storage of tapes

Staging and job setup is correct. If the IS auditor finds that there are effective staging and job setup processes, this can be accepted as a compensating control. Not reading header records may otherwise result in loading the wrong tape and deleting or accessing data on the loaded tape. Supervisory review of logs is incorrect. This is a detective control that would not prevent loading of the wrong tapes. Regular backup of tapes is incorrect. This is not related to bypassing tape header records. Offsite storage of tapes is incorrect. This would not prevent loading the wrong tape because of bypassing header records.

Which of the following is the MOST reliably effective method for dealing with the spread of a network worm that exploits a vulnerability in a protocol? Install the latest vendor security patches immediately. Block the protocol traffic in the perimeter firewall. Block the protocol traffic between internal network segments. Stop the services that the protocol uses.

Stop the services that the protocol uses is correct. This is the most effective way to prevent a worm from spreading, because it directly addresses the means of propagation at the lowest practical level. Install the latest vendor security patches immediately is incorrect. This will improve the situation only if a patch has been released that addresses the particular vulnerability in the protocol. Also, patches should not be installed prior to testing, because patching systems can create new vulnerabilities or impact performance. Block the protocol on the perimeter firewall is incorrect. This does not stop the worm from spreading if it is introduced via portable media. Block the protocol traffic between internal network segments is incorrect. This helps to slow the spread, but also prohibits any software that uses it from working between segments.

Which of the following sampling methods is the MOST appropriate for testing automated invoice authorization controls to ensure that exceptions are not made for specific users? Variable sampling Judgmental sampling Stratified random sampling Systematic sampling

Stratified random sampling is correct. Stratification is the process of dividing a population into subpopulations with similar characteristics explicitly defined, so that each sampling unit can belong to only one stratum. This method of sampling ensures that all sampling units in each subgroup have a known, nonzero chance of selection. It is the most appropriate in this case. Variable sampling is incorrect. This is used for substantive testing to determine the monetary or volumetric impact of characteristics of a population. This is not the most appropriate in this case. Judgmental sampling is incorrect. In judgmental sampling, professionals place a bias on the sample (e.g., all sampling units over a certain value, all for a specific type of exception or all negatives). It should be noted that a judgmental sample is not statistically based, and results should not be extrapolated over the population because the sample is unlikely to be representative of the population. Systematic sampling is incorrect. This involves selecting sampling units using a fixed interval between selections with the first interval having a random start. This is not the most appropriate in this case.

When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies: are aligned with globally accepted industry good practices. are approved by the board of directors and senior management. strike a balance between business and security requirements. provide direction for implementing security procedures.

Strike a balance between business and security requirements is correct. Because information security policies must be aligned with an organization's business and security objectives, this is the primary focus of the IS auditor when reviewing the development of information security policies. Are aligned with globally accepted industry good practices is incorrect. An organization is not required to base its IT policies on industry good practices. Policies must be based on the culture and business requirements of the organization. Are approved by the board of directors and senior management is incorrect. It is essential that policies be approved; however, that is not the primary focus during the development of the policies. Provide direction for implementing security procedures is incorrect. Policies cannot provide direction if they are not aligned with business requirements.

In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional: stop-or-go sampling. substantive testing. compliance testing. discovery sampling.

Substantive testing is correct. Because both the inherent and control risk are high in this case, additional testing is required. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period. Stop-or-go sampling is incorrect. This is used when an IS auditor believes few errors will be found in the population, and, thus, is not the best type of testing to perform in this case. Compliance testing is incorrect. This is evidence gathering for the purpose of testing an enterprise's compliance with control procedures. Although performing compliance testing is important, performing additional substantive testing is more appropriate in this case. Discovery sampling is incorrect. This is a form of attribute sampling that is used to determine a specified probability of finding at least one example of an occurrence (attribute) in a population, typically used to test for fraud or other irregularities. In this case, additional substantive testing is the better option.

The MAJOR advantage of a component-based development approach is the: ability to manage an unrestricted variety of data types. provision for modeling complex relationships. capacity to meet the demands of a changing environment. support of multiple development environments.

Support of multiple development environments is correct. Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic. Ability to manage an unrestricted variety of data types is incorrect. The data types must be defined within each component, and it is not certain that any component will be able to handle multiple data types. Provision for modeling complex relationships is incorrect. Component-based development is no better than many other development methods at modeling complex relationships. Capacity to meet the demands of a changing environment is incorrect. Component-based development is one of the methodologies that can be effective at meeting changing requirements, but this is not its primary benefit or purpose.

The MAIN reason for requiring that all computer clocks across an organization are synchronized is to: prevent omission or duplication of transactions. ensure smooth data transition from client machines to servers. ensure that email messages have accurate time stamps. support the incident investigation process.

Support the incident investigation process is correct. During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult, because a time line of events occurring on different systems might not be easily established. Prevent omission or duplication of transactions is incorrect. The possibility of omission or duplication of transactions will not happen due to lack of clock synchronization. Ensure smooth data transition from client machines to servers is incorrect. Data transfer has nothing to do with the time stamp. Ensure that email messages have accurate time stamps is incorrect. Although the time stamp on an email may not be accurate, this is not a significant issue.

An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor? Network administrators are responsible for quality assurance. System administrators are application programmers. End users are security administrators for critical applications. Systems analysts are database administrators.

System administrators are application programmers is correct. When individuals serve multiple roles, this represents a separation-of-duties problem with associated risk. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door. The other combinations of roles are valid from a separation of duties perspective. Network administrators are responsible for quality assurance is incorrect. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However, that is not as serious as the combination of system administrator and application programmer, which would allow nearly unlimited abuse of privilege. End users are security administrators for critical applications is incorrect. In some distributed environments, especially with small staffing levels, users may also manage security. Systems analysts are database administrators is incorrect. While a database administrator is a very privileged position, it would not be in conflict with the role of a systems analyst.

To verify that the correct version of a data file was used for a production run, an IS auditor should review: operator problem reports. operator work schedules. system logs. output distribution reports.

System logs is correct. These are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The IS auditor can then carry out tests to ensure that the correct file version was used for a production run. Operator problem reports is incorrect. These are used by operators to log computer operation problems. Operator work schedules is incorrect. These are maintained to assist in human resource planning. Output distribution reports is incorrect. These identify all application reports generated and their distribution.

Which of the following controls would provide the GREATEST assurance of database integrity? Audit log procedures Table link/reference checks Query/table access time checks Rollback and rollforward database features

Table link/reference checks is correct. Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audit log procedures is incorrect. These enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the database contents. Query/table access time checks is incorrect. Querying/monitoring table access time checks helps designers improve database performance but not integrity. Rollback and rollforward database features is incorrect. These ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.

Which of the following is evaluated as a preventive control by an IS auditor performing an audit? Transaction logs Before and after image reporting Table lookups Tracing and tagging

Table lookups is correct. These are preventive controls; input data are checked against predefined tables, which prevents any undefined data from being entered. Transaction logs is incorrect. They are a detective control and provide audit trails. Before and after image reporting is incorrect. This makes it possible to trace the impact that transactions have on computer records. This is a detective control. Tracing and tagging is incorrect. This is used to test application systems and controls but is not a preventive control in itself.

Disaster recovery planning addresses the: technological aspect of business continuity planning (BCP). operational part of BCP. functional aspect of BCP. overall coordination of BCP.

Technological aspect of business continuity planning (BCP) is correct. Disaster recovery planning (DRP) is the technological aspect of BCP that focuses on IT systems and operations. Operational part of BCP is incorrect. Business resumption planning addresses the operational part of BCP. Functional aspect of BCP is incorrect. Disaster recovery addresses the technical components of business recovery. Overall coordination of BCP is incorrect. The overall coordination of BCP is accomplished through business continuity management and strategic plans. DRP addresses technical aspects of BCP.

An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability? Changes are authorized by IT managers at all times. User acceptance testing is performed and properly documented. Test plans and procedures exist and are closely followed. Capacity planning is performed as part of each development project.

Test plans and procedures exist and are closely followed is correct. The most important control for ensuring system availability is to implement a sound test plan and procedures that are followed consistently. Changes are authorized by IT managers at all times is incorrect. Changes are usually required to be signed off by a business analyst, member of the change control board or other authorized representative, not necessarily by IT management. User acceptance testing is performed and properly documented is incorrect. User acceptance testing is important but not a critical element of change control and would not usually address the topic of availability as asked in the question. Capacity planning is performed as part of each development project is incorrect. While capacity planning should be considered in each development project, it will not ensure system availability, nor is it part of the change control process.

When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those: whose sum of activity time is the shortest. that have zero slack time. that give the longest possible completion time. whose sum of slack time is the shortest.

That have zero slack time is correct. A critical path's activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing (i.e., for reduction in their time by payment of a premium for early completion). Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs versus time can be obtained. Whose sum of activity time is the shortest is incorrect. Attention should focus on the tasks within the critical path that have no slack time. That give the longest possible completion time is incorrect. The critical path is the longest time length of the activities but is not based on the longest time of any individual activity. Whose sum of slack time is the shortest is incorrect. A task on the critical path has no slack time.

A top-down approach to the development of operational policies helps to ensure: that they are consistent across the organization. that they are implemented as a part of risk assessment. compliance with all policies. that they are reviewed periodically.

That they are consistent across the organization is correct. Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. That they are implemented as a part of risk assessment is incorrect. Policies should be influenced by risk assessment, but the primary reason for a top-down approach is to ensure that the policies are consistent across the organization. Compliance with all policies is incorrect. A top-down approach, of itself, does not ensure compliance. That they are reviewed periodically is incorrect. A top-down approach, of itself, does not ensure that policies are reviewed.

An IS auditor reviewing the implementation of an intrusion detection system (IDS) should be MOST concerned if: IDS sensors are placed outside of the firewall. a behavior-based IDS is causing many false alarms. a signature-based IDS is weak against new types of attacks. the IDS is used to detect encrypted traffic.

The IDS is used to detect encrypted traffic is correct. An IDS cannot detect attacks within encrypted traffic, but there may be good reason to detect the presence of encrypted traffic, such as when a next-generation firewall is configured to terminate encrypted connections at the perimeter. In such cases, detecting encrypted packets flowing past the firewall could indicate improper configuration or even a compromise of the firewall itself. IDS sensors are placed outside of the firewall is incorrect. An organization can place sensors outside of the firewall to detect attacks. These sensors are placed in highly sensitive areas and on extranets. A behavior-based IDS is causing many false alarms is incorrect. An excessive number of false alarms from a behavior-based intrusion detection system (IDS) indicates that additional tuning is needed. False positives cannot be eliminated entirely, but ignoring this warning sign may negate the value of the system by causing those responsible for monitoring its warnings to become convinced that anything reported is false. A signature-based IDS is weak against new types of attacks is incorrect. Being weak against new types of attacks is expected from a signature-based IDS because it can only recognize attacks that have been previously identified.

The final decision to include a material finding in an audit report should be made by the: audit committee. auditee's manager. IS auditor. chief executive officer of the organization.

The IS auditor is correct. The IS auditor should make the final decision about what to include or exclude from the audit report. Audit committee is incorrect. The audit committee should not impair the independence, professionalism and objectivity of the IS auditor by influencing what is included in the audit report. Auditee's manager is incorrect. The IS auditor's manager may recommend what should or should not be included in an audit report, but the auditee's manager should not influence the content of the report. Chief executive officer is incorrect. The CEO must not provide influence over the content of an audit report because that would be a breach of the independence of the audit function.

An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be? Review the implementation of selected integrated controls. Request additional IS audit resources. Request vendor technical support to resolve performance issues. Review the results of stress tests during user acceptance testing.

The appropriate recommendation is to review the results of stress tests during user acceptance testing that demonstrated the performance issues. Reviewing the implementation of selected integrated controls is incorrect. This validates the technical design and the control objective, but integrated controls over transactional tables consume large resources. They should be reviewed carefully to determine whether they are mandatory or can be implemented and integrated for only specific transactions over the enterprise resource planning application. Request additional IS audit resources is incorrect. The inability to implement the automated tool may necessitate additional audit resources because many audits will require more manual effort; however, the first step should be to try to resolve the performance issues. Request vendor technical support to resolve performance issues is incorrect. This is a good option, but not the first recommendation.

The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor? The right to audit clause was not included in the contract. The business case was not established. There was no source code escrow agreement. The contract does not cover change management procedures.

The business case was not established is correct. Because the business case was not established, it is likely that the business rationale, risk and risk mitigation strategies for outsourcing the application development were not fully evaluated and the appropriate information was not provided to senior management for formal approval. This situation presents the biggest risk to the organization. The right to audit clause was not included in the contract is incorrect. The lack of the right to audit clause presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. There was no source code escrow agreement is incorrect. If the source code is held by the provider and not provided to the organization, the lack of source code escrow presents a risk to the organization; however, the risk is not as consequential as the lack of a business case. The contract does not cover change management procedures is incorrect. The lack of change management procedures presents a risk to the organization, especially with the possibility of extraordinary charges for any required changes; however, the risk is not as consequential as the lack of a business case.

During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: only systems administrators perform the patch process. the client's change management process is adequate. patches are validated using parallel testing in production. an approval process of the patch, including a risk assessment, is developed.

The client's change management process is adequate is correct. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly. Only systems administrators perform the patch process is incorrect. While system administrators would normally install patches, it is more important that changes be made according to a formal procedure that includes testing and implementing the change during nonproduction times. Patches are validated using parallel testing in production is incorrect. While patches would normally undergo testing, it is often impossible to test all patches thoroughly. It is more important that changes be made during nonproduction times, and that a backout plan is in place in case of problems. An approval process of the patch, including a risk assessment, is developed is incorrect. An approval process alone could not directly prevent this type of incident from happening. There should be a complete change management process that includes testing, scheduling and approval.

An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources department. Which of the following should be the GREATEST concern to an IS auditor? The service level agreement (SLA) ensures strict limits for uptime and performance. The cloud provider will not agree to an unlimited right-to-audit as part of the SLA. The SLA is not explicit regarding the disaster recovery plan capabilities of the cloud provider. The cloud provider's data centers are in multiple cities and countries.

The cloud provider's physical data centers are in multiple cities and countries is correct. Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain personally identifiable information. There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy. While the organization would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply. The service level agreement (SLA) ensures strict limits for uptime and performance is incorrect. Although this application may have strict requirements for availability, it is assumed that the service level agreement (SLA) would contain these same elements; therefore, this is not a concern. The cloud provider will not agree to an unlimited right-to-audit as part of the SLA is incorrect. The right-to-audit clause is good to have, but there are limits on how a cloud service provider may interpret this requirement. The task of reviewing and assessing all the controls in place at a multinational cloud provider would likely be a costly and time-consuming exercise; therefore, such a requirement may be of limited value. The SLA is not explicit regarding the disaster recovery plan capabilities of the cloud provider is incorrect. Because the SLA would normally specify uptime requirements, the means used to achieve those goals (which would include the specific disaster recovery plan capabilities of the provider) are typically not reviewed in-depth by the customer, nor are they typically specified in an SLA.

An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when: test systems run different configurations than do production systems. change management records are paper based. the configuration management database is not maintained. the test environment is installed on the production server.

The configuration management database is not maintained is correct. The configuration management database (CMDB) is used to track configuration items (CIs) and the dependencies between them. An out-of-date CMDB in a large multinational company could result in incorrect approvals being obtained or leave out critical dependencies during the test phase. Test systems run different configurations than do production systems is incorrect. While, ideally, production and test systems should be configured identically, there may be reasons why this does not occur. The more significant concern is whether the configuration management database was not maintained. Change management records are paper based is incorrect. Paper-based change management records are inefficient to maintain and not easy to review in large volumes; however, they do not present a concern from a control point of view as long as they are properly and diligently maintained. The test environment is installed on the production server is incorrect. While it is not ideal to have the test environment installed on the production server, it is not a control-related concern. As long as the test and production environments are kept separate, they can be installed on the same physical server(s).

An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? An audit clause is present in all contracts. The service level agreement of each contract is substantiated by appropriate key performance indicators. The contractual warranties of the providers support the business needs of the organization. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

The contractual warranties of the providers support the business needs of the organization is correct. The primary requirement is for the services provided by the outsource supplier to meet the needs of the business. An audit clause is present in all contracts is incorrect. All other choices are important, but the first step is to ensure that the contracts support the business—only then can an audit process be valuable. The service level agreement of each contract is substantiated by appropriate key performance indicators is incorrect. All service level agreements should be measurable and reinforced through key performance indicators—but the first step is to ensure that the SLAs are aligned with business requirements. At contract termination, support is guaranteed by each outsourcer for new outsourcers is incorrect. Having appropriate controls in place for contract termination is important, but first the IS auditor must be focused on the requirement of the supplier to meet business needs.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? The reporting of the mean time between failures over time The overall mean time to repair failures The first report of the mean time between failures The overall response time to correct failures

The first report of the mean time between failures is correct. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented. The reporting of the mean time between failures over time is incorrect. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues. The overall mean time to repair failures is incorrect. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues. The overall response time to correct failures is incorrect. The response time reflects the agility of the response team or the help desk team in addressing reported issues.

An IS auditor determined that the IT manager recently changed the vendor that is responsible for performing maintenance on critical computer systems to cut costs. While the new vendor is less expensive, the new maintenance contract specifies a change in incident resolution time specified by the original vendor. Which of the following should be the GREATEST concern to the IS auditor? Disaster recovery plans may be invalid and need to be revised. Transactional business data may be lost in the event of system failure. The new maintenance vendor is not familiar with the organization's policies. Application owners were not informed of the change.

The greatest risk of making a change to the maintenance of critical systems is that the change could have an adverse impact on a critical business process. While there is a benefit in selecting a less expensive maintenance vendor, the resolution time must be aligned with the needs of the business. Disaster recovery plans (DRPs) must support the needs of the business, but the greater risk is that application owners are not aware of the change in resolution time. Transactional business data loss is determined by data backup frequency and, consequently, the backup schedule. The vendor must abide by the terms of the contract and those should include compliance with the privacy policies of the organization, but the lack of application owner involvement is the most important concern.

A new database is being set up in an overseas location to provide information to the general public and to increase the speed at which the information is made available. The overseas database is to be housed at a data center and will be updated in real time to mirror the information stored locally. Which of the following areas of operations should be considered as having the HIGHEST risk? Confidentiality of the information stored in the database The hardware being used to run the database application Backups of the information in the overseas database Remote access to the backup database

The hardware being used to run the database application is correct. The business objective is to make the information available to the public in a timely manner. Because the database is physically located overseas, hardware failures that are left unfixed can reduce the availability of the system to users. Confidentiality of the information stored in the database is incorrect. This is not a major concern, because the information is intended for public use. Backups of the information in the overseas database is incorrect. These are not a major concern, because the overseas database is a mirror of the local database; thus, a backup copy exists locally. Remote access to the backup database is incorrect. This does not impact availability.

When reviewing the configuration of network devices, an IS auditor should FIRST identify: the good practices for the type of network devices deployed. whether components of the network are missing. the importance of the network devices in the topology. whether subcomponents of the network are being used appropriately.

The importance of the network devices in the topology is correct. The first step is to understand the importance and role of the network device within the organization's network topology. The good practices for the type of network devices deployed is incorrect. After understanding the devices in the network, a good practice for using the device should be reviewed to ensure that there are no anomalies within the configuration. Whether components of the network are missing is incorrect. Identification of which component is missing can only be known after reviewing and understanding the topology and a good practice for deployment of the device in the network. Whether subcomponents of the network are being used appropriately is incorrect. Identification of which subcomponent is being used inappropriately can only be known after reviewing and understanding the topology and a good practice for deployment of the device in the network.

Which of the following is an implementation risk within the process of decision support systems? Management control Semistructured dimensions Inability to specify purpose and usage patterns Changes in decision processes

The inability to specify purpose and usage patterns is correct. This is a risk that developers need to anticipate while implementing a DSS. Management control is incorrect. This is not a type of risk, but a characteristic of a decision support system (DSS). Semistructured dimensions is incorrect. This is not a type of risk, but a characteristic of a DSS. Changes in decision processes is incorrect. These are not a type of risk, but a characteristic of a DSS.

The MOST effective biometric control system is the one with: the highest equal-error rate. the lowest equal-error rate. false-rejection rate equal to the false-acceptance rate. a false-rejection rate equal to the failure-to-enroll rate.

The lowest equal-error rate is correct. The EER of a biometric system denotes the percent at which the false-acceptance rate (FAR) is equal to the false-rejection rate (FRR). The biometric that has the lowest EER is the most effective. The highest equal-error rate (EER) is incorrect. The biometric that has the highest EER is the most ineffective. A false-rejection rate equal to the false-acceptance rate is incorrect. For any biometric, there will be a measure at which the FRR will be equal to the FAR. This is the EER. A false-rejection rate equal to the failure-to-enroll (FER) rate is incorrect. FER is an aggregate measure of FRR.

Which of the following should be included in a feasibility study for a project to implement an electronic data interchange process? The encryption algorithm format The detailed internal control procedures The necessary communication protocols The proposed trusted third-party agreement

The necessary communication protocols is correct. The communications protocols must be included because there may be significant cost implications if new hardware and software are involved, and risk implications if the technology is new to the organization. The encryption algorithm format is incorrect. Encryption algorithms are too detailed for this phase. They would only be outlined, and any cost or performance implications shown. The detailed internal control procedures is incorrect. Internal control procedures are too detailed for this phase. They would only be outlined, and any cost or performance implications shown. The proposed trusted third-party agreement is incorrect. Third-party agreements are too detailed for this phase. They would only be outlined, and any cost or performance implications shown.

An IS auditor reviewing the IT project management process is reviewing a feasibility study for a critical project to build a new data center. The IS auditor is MOST concerned about the fact that: it has not been determined how the project fits into the overall project portfolio. the organizational impact of the project has not been assessed. not all IT stakeholders have been given an opportunity to provide input. the environmental impact of the data center has not been considered.

The organizational impact of the project has not been assessed is correct. The feasibility study determines the strategic benefits of the project. Therefore, the result of the feasibility study determines the organizational impact—a comparison report of costs, benefits, risk, etc. The project portfolio is a part of measuring the organizational strategy. It has not been determined how the project fits into the overall project portfolio is incorrect. While projects must be assigned a priority and managed as a portfolio, this most likely occurs after the feasibility study determines that the project is viable. Not all IT stakeholders have been given an opportunity to provide input is incorrect. A feasibility study is ordinarily conducted by those with the knowledge to make the decision because the involvement of the entire IT organization is not needed. The environmental impact of the data center has not been considered is incorrect. The environmental impact should be part of the feasibility study; however, the organizational impact is more important.

An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk? The policy has not been updated in more than one year. The policy includes no revision history. The policy is approved by the security administrator. The company does not have an information security policy committee.

The policy is approved by the security administrator is correct. The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore does not have the authority to approve the policy. In addition, an individual in a more independent position should also review the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues. The policy has not been updated in more than one year is incorrect. Although the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a good practice, the policy may be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable. The policy includes no revision history is incorrect. The lack of a revision history with respect to the IS policy document is an issue but not as significant as not having it approved by management. A new policy, for example, may not have been subject to any revisions yet. The company does not have an information security policy committee is incorrect. Although a policy committee drawn from across the company is a good practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.

When reviewing a hardware maintenance program, an IS auditor should assess whether: the schedule of all unplanned maintenance is maintained. it is in line with historical trends. it has been approved by the IS steering committee. the program is validated against vendor specifications.

The program is validated against vendor specifications is correct. Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications. The schedule of all unplanned maintenance is maintained is incorrect. Unplanned maintenance cannot be scheduled. It is in line with historical trends is incorrect. Hardware maintenance programs do not necessarily need to be in line with historic trends. It has been approved by the IS steering committee is incorrect. Maintenance schedules normally are not approved by the steering committee.

An IS auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when: the organization is not permitted to assess the controls in the participating vendor's site. the service level agreement does not address the responsibility of the vendor in the case of a security breach. laws and regulations are different in the countries of the organization and the vendor. the organization is using an older version of a browser and is vulnerable to certain types of security risk.

The service level agreement does not address the responsibility of the vendor in the case of a security breach is correct. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach. The organization is not permitted to assess the controls in the participating vendor's site is incorrect. The IS auditor has no role to play if the contract between the parties does not provide for assessment of controls in the other vendor's site. Laws and regulations are different in the countries of the organization and the vendor is incorrect. The IS auditor should ensure that the contract addresses the differing laws and regulations in the countries of the organization and the vendor, but having different laws and regulations is not a problem. The organization is using an older version of a browser and is vulnerable to certain types of security risk is incorrect. The IS auditor can make suggestions to the audited entity to use appropriate patches or switch over to safer browsers, and then the IS auditor can follow up on the action taken.

An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms would be the GREATEST risk to the customer organization? Data ownership is retained by the customer organization. The third-party provider reserves the right to access data to perform certain operations. Bulk data withdrawal mechanisms are undefined. The customer organization is responsible for backup, archive and restore.

The third-party provider reserves the right to access data to perform certain operations is correct. Some service providers reserve the right to access customer information (third-party access) to perform certain transactions and provide certain services. In the case of protected health information, regulations may restrict certain access. Organizations must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Organizations must then determine whether the cloud provider provides appropriate controls to ensure that data are appropriately secure. Data ownership is retained by the customer organization is incorrect. The customer organization would want to retain data ownership and, therefore, this would not be a risk. Bulk data withdrawal mechanisms are undefined is incorrect. An organization may eventually wish to discontinue its service with a third-party cloud-based provider. The organization would then want to remove its data from the system and ensure that the service provider clears the system (including any backups) of its data. Some providers do not offer automated or bulk data withdrawal mechanisms, which the organization needs to migrate its data. These aspects should be clarified prior to using a third-party provider. The customer organization is responsible for backup, archive and restore is incorrect. An organization may need to plan its own data recovery processes and procedures if the service provider does not make this available or the organization has doubts about the service provider's processes. This would only be a risk if the customer organization was unable to perform these activities itself.

Which of the following should be an IS auditor's PRIMARY concern after discovering that the scope of an IS project has changed, and an impact study has not been performed? The time and cost implications caused by the change The risk that regression tests will fail Users not agreeing with the change The project team not having the skills to make the necessary change

The time and cost implications caused by the change is correct. Any scope change might have an impact on duration and cost of the project; that is the reason why an impact study is conducted, and the client is informed of the potential impact on the schedule and cost. The risk that regression tests will fail is incorrect. A change in scope does not necessarily impact the risk that regression tests will fail. Users not agreeing with the change is incorrect. An impact study will not determine whether users will agree with a change in scope. The project team not having the skills to make the necessary change is incorrect. Conducting an impact study could identify a lack of resources such as the project team lacking the skills necessary to make the change; however, this is only part of the impact on the overall timelines and cost to the project due to the change.

A consulting firm has created a File Transfer Protocol (FTP) site for the purpose of receiving financial data and has communicated the site's address, user ID and password to the financial services company in separate email messages. The company is to transmit its data to the FTP site after manually encrypting the data. The IS auditor's GREATEST concern with this process is that: the users may not remember to manually encrypt the data before transmission. the site credentials were sent to the financial services company via email. personnel at the consulting firm may obtain access to sensitive data. the use of a shared user ID to the FTP site does not allow for user accountability.

The users may not remember to manually encrypt the data before transmission is correct. If the data is not encrypted, an unauthorized external party may download sensitive company data. The site credentials were sent to the financial services company via email is incorrect. Even though the possibility exists that the logon information was captured from the emails, data should be encrypted, so the theft of the data would not allow the attacker to read it. Personnel at the consulting firm may obtain access to sensitive data is incorrect. Some of the employees at the consulting firm will have access to the sensitive data and the consulting firm must have procedures in place to protect the data. The use of a shared user ID to the FTP site does not allow for user accountability is incorrect. Tracing accountability is of minimal concern compared to the compromise of sensitive data.

In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: there is an integration of IT and business personnel within projects. there is a clear definition of the IT mission and vision. a strategic information technology planning scorecard is in place. the plan correlates business objectives to IT goals and objectives.

There is an integration of IT and business personnel within projects is correct. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan provides a framework for the IT short-range plan. There is a clear definition of the IT mission and vision is incorrect. A clear definition of the IT mission and vision would be covered by a strategic plan. A strategic information technology planning scorecard is in place is incorrect. A strategic information technology planning scorecard would be covered by a strategic plan. The plan correlates business objectives to IT goals and objectives is incorrect. Business objectives correlating to IT goals and objectives would be covered by a strategic plan.

Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system? Three users with the ability to capture and verify their own messages Five users with the ability to capture and send their own messages Five users with the ability to verify other users and to send their own messages Three users with the ability to capture and verify the messages of other users and to send their own messages

Three users with the ability to capture and verify their own messages is correct. The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message. Five users with the ability to capture and send their own messages is incorrect. Users may have the ability to send messages but should not be able to verify their own messages. Five users with the ability to verify other users and to send their own messages is incorrect. This is an example of separation of duties. A person can send their own message but only verify the messages of other users. Three users with the ability to capture and verify the messages of other users and to send their own messages is incorrect. The ability to capture and verify the messages of others but only send their own messages is acceptable.

Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible? Bottom-up testing Sociability testing Top-down testing System testing

Top-down testing is correct. The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. Bottom-up testing is incorrect. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. Sociability testing is incorrect. This takes place at a later stage in the development process. System testing is incorrect. This takes place at a later stage in the development process.

An IS auditor is reviewing the change management process for an enterprise resource planning application. Which of the following is the BEST method for testing program changes? Select a sample of change tickets and review them for authorization. Perform a walk-through by tracing a program change from start to finish. Trace a sample of modified programs to supporting change tickets. Use query software to analyze all change tickets for missing fields.

Trace a sample of modified programs to supporting change tickets is correct. This is the best way to test change management controls. This method is most likely to identify instances in which a change was made without supporting documentation. Select a sample of change tickets and review them for authorization is incorrect. This helps test for authorization controls; however, it does not identify program changes that were made without supporting change tickets. Perform a walk-through by tracing a program change from start to finish is incorrect. This assists the IS auditor in understanding the process but does not ensure that all changes adhere to the normal process. Use query software to analyze all change tickets for missing fields is incorrect. This does not identify program changes that were made without supporting change tickets.

An IS auditor should ensure that a review of online electronic funds transfer reconciliation procedures includes: vouching. authorizations. corrections. tracing.

Tracing is correct. This is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer transactions, the direction of tracing may start from the customer-printed copy of the receipt, proceed to checking the system audit trails and logs, and end with checking the master file records for daily transactions. Vouching is incorrect. This is usually performed during the funds transfer, not during the reconciliation effort. Authorizations is incorrect. In online processing, authorizations are normally done automatically by the system, not during the reconciliation. Corrections is incorrect. These entries should be reviewed during a reconciliation; however, they are normally done by an individual other than the person entrusted to do reconciliations and are not as important as tracing.

Information for detecting unauthorized input from a user workstation would be BEST provided by the: console log printout. transaction journal. automated suspense file listing. user error report.

Transaction journal is correct. The transaction journal records all transaction activity, which then can be compared to the authorized source documents to identify any unauthorized input. A console log printout is incorrect. This is not the best because it does not record activity from a specific terminal. An automated suspense file listing is incorrect. This lists only transaction activity where an edit error occurred. The user error report is incorrect. This lists only input that resulted in an edit error and does not record improper user input.

Which of the following controls would be MOST effective in reducing the risk of loss due to fraudulent online payment requests? Transaction monitoring Protecting web sessions using Secure Sockets Layer Enforcing password complexity for authentication Inputting validation checks on web forms

Transaction monitoring is correct. An electronic payment system could be the target of fraudulent activities. An unauthorized user could potentially enter false transactions. By monitoring transactions, the payment processor could identify potentially fraudulent transactions based on the typical usage patterns, monetary amounts, physical location of purchases, and other data that are part of the transaction process. Protecting web sessions using Secure Sockets Layer is incorrect. Using Secure Sockets Layer would help to ensure the secure transmission of data to and from the user's web browser and help to ensure that the end user has reached the correct web site, but this would not prevent fraudulent transactions. Enforcing password complexity for authentication is incorrect. Online transactions are not necessarily protected by passwords; for example, credit card transactions are not necessarily protected. The use of strong authentication would help to protect users of the system from fraud by attackers guessing passwords, but transaction monitoring would be the better control. Inputting validation checks on web forms is incorrect. This is important to ensure that attackers do not compromise the web site, but transaction monitoring would be the best control.

An IS auditor reviewing database controls discovered that changes to the database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls? Allow changes to be made only with the database administrator (DBA) user account. Make changes to the database after granting access to a normal user account. Use the DBA user account to make changes, log the changes and review the change log the following day. Use the normal user account to make changes, log the changes and review the change log the following day.

Use the database administrator (DBA) user account to make changes, log the changes and review the change log the following day is correct. The use of a DBA user account is normally set up to log all changes made and is most appropriate for changes made outside of normal hours. The use of a log, which records the changes, allows changes to be reviewed. Because an abbreviated number of steps are used, this represents an adequate set of compensating controls. Allow changes to be made only with the DBA user account is incorrect. The use of the database administrator (DBA) user account without logging would permit uncontrolled changes to be made to databases after access to the account was obtained. Make changes to the database after granting access to a normal user account is incorrect. A normal user account should not have access to a database. This would permit uncontrolled changes to any of the databases. Use the normal user account to make changes, log the changes and review the change log the following day is incorrect. Users should not be able to make changes. Logging would only provide information on changes made but would not limit changes to only those who were authorized.

The computer security incident response team of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may: use this information to launch attacks. forward the security alert. implement individual solutions. fail to understand the threat.

Use this information to launch attacks is correct. An organization's computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. Forward the security alert is incorrect. This is not harmful to the organization. Implement individual solutions is incorrect. This is unlikely and inefficient, but not a serious risk. Fail to understand the threat is incorrect. This would not be a serious concern.

The most common reason for the failure of information systems to meet the needs of users is that: user needs are constantly changing. the growth of system requirements was forecast inaccurately. the hardware system limits the number of concurrent users. user participation in defining the system's requirements was inadequate.

User participation in defining the system's requirements was inadequate is correct. Lack of adequate user involvement, especially in the system's requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are and, therefore, what the system should accomplish. User needs are constantly changing is incorrect. Although changing user needs has an effect on the success or failure of many projects, the core problem is usually a lack of getting the initial requirements correct at the beginning of the project. The growth of system requirements was forecast inaccurately is incorrect. Projects may fail as the needs of the users increase; however, this can be mitigated through better change control procedures. The hardware system limits the number of concurrent users is incorrect. Rarely do hardware limitations affect the usability of the project as long as the requirements were correctly documented at the beginning of the project.

An IS auditor finds that the data warehouse query performance decreases significantly at certain times of the day. Which of the following controls would be MOST relevant for the IS auditor to review? Permanent table-space allocation Commitment and rollback controls User spool and database limit controls Read/write access log controls

User spool and database limit controls is correct. User spool limits restrict the space available for running user queries. This prevents poorly formed queries from consuming excessive system resources and impacting general query performance. Limiting the space available to users in their own databases prevents them from building excessively large tables. This helps to control space utilization, which itself acts to help performance by maintaining a buffer between the actual data volume stored and the physical device capacity. Additionally, it prevents users from consuming excessive resources in ad hoc table builds (as opposed to scheduled production loads that often can run overnight and are optimized for performance purposes). In a data warehouse, because you are not running online transactions, commitment and rollback do not have an impact on performance. Permanent table-space allocation is incorrect. Table-space allocation will not affect performance at different times of the day. Commitment and rollback controls is incorrect. This will only apply to errors or failures and will not affect performance at different times of the day. Read/write access log controls is incorrect. This will not affect performance at different times of the day.

A cyclic redundancy check is commonly used to determine the: accuracy of data input. integrity of a downloaded program. adequacy of encryption. validity of data transfer.

Validity of data transfer is correct. The accuracy of blocks of data transfers, such as data transfer from hard disks, is validated by a cyclic redundancy check. Accuracy of data input is incorrect. This can be enforced by data validation controls, such as picklists, cross checks, reasonableness checks, control totals and allowed character checks. Integrity of a downloaded program is incorrect. A checksum or digital signature is commonly used to validate the integrity of a downloaded program or other transferred data. Adequacy of encryption is incorrect. Encryption adequacy is driven by the sensitivity of the data to be protected and algorithms that determine how long it will take to break a specific encryption method.

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST: determine whether system developers have proper training on adequate security measures. determine whether system administrators have disabled security controls for any reason. verify that security requirements have been properly specified in the project plan. validate whether security controls are based on requirements which are no longer valid.

Verify that security requirements have been properly specified in the project plan is correct. If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. Whether the requirements were included in the plan would affect the recommendations the auditor would make. Determine whether system developers have proper training on adequate security measures is incorrect. While it is important for programmers to understand security, it is more important that the security requirements were properly stated in the project plan. Determine whether system administrators have disabled security controls for any reason is incorrect. System administrators may have made changes to the controls, but it is assumed that the auditor is reviewing the system as designed a week prior to implementation, so the administrators have not yet configured the system. Validate whether security controls are based on requirements which are no longer valid is incorrect. It is possible that security requirements will change over time based on new threats or vulnerabilities, but if critical controls are missing, this points toward a faulty design that was based on incomplete requirements.

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? Interview Inquiry Reperformance Walk-through

Walk-through is correct. Walk-throughs involve a combination of inquiry and inspection of evidence with respect to business process controls. This is the most effective basis for evaluation of the design of the control as it actually exists. Interview is incorrect. An interview is not as strong a form of evidence as an observation or a walk-through. In addition, personnel might add some bias to interviews if they know they are being interviewed for an audit. Inquiry is incorrect. This can be used to understand the controls in a process only if it is accompanied by verification of evidence. However, interviewees might be biased if they know they are being audited. Reperformance is incorrect. This is used to evaluate the operating effectiveness of the control rather than the design of the control.

