MIS 415 exam 1 Questions

Réussis tes devoirs et examens dès maintenant avec Quizwiz!

An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the a. Hardware configuration b. Application development methodology c. Access control software d. Ownership of intellectual property

Ownership of intellectual property

Which of the following processes would be the best candidate for business process reengineering? A. Excluded process B. Nonworking process C. Working process D. Marginal process

Nonworking process

Select the best answer to finish this statement: A is strategic in nature, while the is tactical. A. policy, procedure B. standard, procedure C. procedure, standard D. policy, standard

policy, standard

What is the first priority of management upon the possible detection of an irregular or illegal act? A. Shut down access to the system. B. Aid the process of investigation and inquiry. C. Notify appropriate law enforcement. D. Contact auditors to schedule an audit of the situation

Aid the process of investigation and inquiry.

Which is the primary benefit of using a risk-based approach in audit planning? A. Simplifies resource scheduling. B. Allocates resources to the areas of highest concern. C. Properly trained personnel are available. D. Lowers the overall cost of compliance.

Allocates resources to the areas of highest concern.

Which of the following is the best description of an ongoing audit program for regulatory compliance? a. An audit may be automated by using audit program software. b. An audit is performed once for the entire year and then repeated by using the same information for each successive year. c. An audit is a series of assessments performed by the auditee for the purpose of licensing and regulatory compliance. d. An audit is a series of unique projects of short duration that add up to cover all the steps necessary for annual compliance.

An audit is a series of unique projects of short duration that add up to cover all the steps necessary for annual compliance.

Which of the following is in the BEST position to approve changes to the audit charter? a. Board of directors b. Executive management c. Director of internal audit d. Audit committee

Audit committee

Which of the following is the best example of implementing a detective control via administrative methods? A. Auditing of system configuration and log files B. Running a verification of the backup tape for integrity C. Using an intrusion detection and prevention system (IDPS) D. Restoring a damaged file using a copy from the vendor

Auditing of system configuration and log files

Which of the following is not defined as a nonaudit role? a. System designer b. Operational staff member c. Auditor d. Organizational manager

Auditor

During the performance of an audit, a reportable finding is identified with the auditee. The auditee immediately fixed the problem upon identification. Which of the following is true as a result of this interaction? A. Auditee resolved the problem before the audit report is written, therefore no finding exists. B. Auditor can verify that the corrective action has been taken before the audit report is written, therefore no finding exists. C. Auditor includes the finding in the final audit report as resolved. D. Auditor lists the finding as it existed.

Auditor lists the finding as it existed.

Assessments and audits have several points in common. Which of the following statements provides the best description of an assessment compared to an audit? a. Assessment reports provide a high assurance of the situation. b. Audits are more formal than assessments. c. Both provide reports that can be used for licensing purposes. d. They are similar in nature; the difference is in wording.

Audits are more formal than assessments

Which of the following functions should be separated from the others if segregation of duties cannot be achieved in an automated system? A. Origination B. Authorization C. Reprocessing D. Transaction logging

Authorization

The Software Engineering Institute's Capability Maturity Model (CMM) is best described by which of the following options? a. Documentation of accomplishments achieved during program development b. Baseline of the current progress or regression c. Relationship of application performance to the user's stated requirement d. Measurement of resources necessary to ensure a reduction in coding defects

Baseline of the current progress or regression

Which of the following goals would you expect to find in an organization's strategic plan? a. Become the supplier of choice for the product offered b. Perform an evaluation of information technology needs c. Test a new accounting package d. Implement a new project planning system within the next 12 months

Become the supplier of choice for the product offered

Which of these choices is the best answer regarding who is primarily responsible for providing internal controls to detect, correct, and prevent irregularities or illegal acts? A. Board of directors B. Information technology C. Legal, aka general council D. Human resources

Board of directors

After presenting the report at the conclusion of an audit, the lead auditor discovers the omission of a procedure. What should the auditor do next? A. Log on to CareerBuilder.com and change their current employment status to available. B. Cancel the report if audit alternatives cannot compensate for the deficiency. C. File an incident disclosure report with the audit association to minimize any liability. D. No action is required as long as the omitted procedure is included in the next audit

Cancel the report if audit alternatives cannot compensate for the deficiency.

Which of the following is the best way for an auditor to prove their competence to perform an audit? A. Having prior experience working in information technology B. Citing each point in a regulation with an audit objective and specific test C. Obtaining auditor certification with ongoing training D. Having prior experience in financial auditing

Citing each point in a regulation with an audit objective and specific test

What are three of the four key perspectives on the IT balanced scorecard? A. Business justification, service-level agreements, budget B. Organizational staffing, cost reduction, employee training C. Cost reduction, business process, growth D. Service level, critical success factors, vendor selection

Cost reduction, business process, growth

During the selection of a BPR project, which of the following is the ideal target with the highest return? a. Working process b. Nonworking process c. Marginal process d. Excluded process

Nonworking process

The Capability Maturity Model (CMM) contains five levels of achievement. Which of the following options contains three of the levels in proper sequence? a. Managed, Defined, Repeatable b. Initial, Managed, Repeatable c. Initial, Managed, Defined d. Defined, Managed, Optimized

Defined, Managed, Optimized

Which of the following is not one of the three major control types? A. Detective B. Deterrent C. Preventive D. Corrective

Deterrent

The auditor is permitted to deviate from professional audit standards when they feel it is necessary because of which of the following? A. Standards are designed for discretionary use. B. The unique characteristics of each client will require auditor flexibility. C. Deviating from standards is almost unheard of and would require significant justification. D. Deviation depends on the authority granted in the audit charter

Deviating from standards is almost unheard of and would require significant justification.

An external IS auditor discovers that systems in the scope of the audit were implemented by an associate. In such a circumstance, IS audit management should: a. Remove the IS auditor from the engagement b. Disclose the issue to the client c. Take steps to restore the IS auditor's independence d. Cancel the engagement

Disclose the issue to the client

Which sampling method is used when the likelihood of finding evidence is low? A. Discovery B. Cell C. Random D. Stop and go

Discovery

What is the name of the decentralized control method enabling someone to make a decision based on their own options? a. Detailed b. Executive c. Discretionary d. Mandatory

Discretionary

Which of these is not the purpose of the ISO 15489 standard for a records management system? a. Define the legal definition of the minimum handling requirements for data records. b. Provide a legal standard of negligence and culpability. c. Define governance responsibilities during the life cycle of data. d. Eliminate the need for a detailed classification list of each data set.

Eliminate the need for a detailed classification list of each data set.

When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts? a. Ensure that the IT security risk assessment has a clearly defined scope b. Require the IT security officer to approve each risk rating during the workshop c. Suggest that the IT security officer accept the business unit risk and rating d. Select only commonly accepted risk with the highest submitted rating

Ensure that the IT security risk assessment has a clearly defined scope

Which of the following answers contains the steps for business process reengineering (BPR) in proper sequence? A. Diagnose, envision, redesign, reconstruct B. Envision, initiate, diagnose, redesign, reconstruct, evaluate C. Evaluate, envision, redesign, reconstruct, review D. Initiate, evaluate, diagnose, reconstruct, review

Envision, initiate, diagnose, redesign, reconstruct, evaluate

Which of the following options contains the steps for business process reengineering (BPR) in the proper sequence? a. Initiate, evaluate, diagnose, reconstruct, review b. Diagnose, envision, redesign, reconstruct c. Envision, initiate, diagnose, redesign, reconstruct, evaluat d. Evaluate, envision, redesign, reconstruct, review

Envision, initiate, diagnose, redesign, reconstruct, evaluate

Information that proves or disproves a stated issue. Information that an auditor gathers in the course of performing an IS audit; relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support. a. Control b. Exit Interview c. Audit Evidence d. Evidence

Evidence

A shadow organization refers to two groups performing similar functions under different departments. What does the presence of a shadow organization indicate? a. A relationship of trust and proper delegation of authority b. A sponsor who is cooperating as a team player with separation of duties c. Executive distrust or failure to integrate d. Twice the support coverage

Executive distrust or failure to integrate

Which of the following statements is not true regarding the audit committee? a.Executives can be hired and fired by the audit committee because this committee is responsible for management oversight. b. The audit committee is composed of members from the board of directors. This committee has the authority to hire external auditors, and external auditors may meet with the committee on a quarterly basis without other executives present. c. The audit committee provides senior executives a method of bringing problems into a confidential discussion for the purpose of exploring a resolution. d. Executives inside the organization oversee the audit committee and are responsible for keeping the committee busy working on compliance programs.

Executives inside the organization oversee the audit committee and are responsible for keeping the committee busy working on compliance programs.

Which of the following represents the hierarchy of controls from highest level to lowest level? A. General, pervasive, detailed, application B. Pervasive, general, application, detailed C. Detailed, pervasive, application, detailed D. Application, general, detailed, pervasive

General, pervasive, detailed, application

What term simply means the right people of authority looked at the issue, made an intelligent decision, and took appropriate action? a. Corporate responsibility b. Governance c. Chain of command d. Leadership

Governance

Which of the following nonstatistical audit samples is also known as a judgmental sample? A. Haphazard B. Attribute C. Unstratified mean D. Random

Haphazard

The final decision to include a material finding in an audit report should e made by the a. Chief executive officer (CEO) of the organization b. Auditee's manager c. Audit committee d. IS auditor

IS auditor

The PRIMARY objective of testing a business continuity plan is to: a. Familiarize employees with the business continuity plan b. Exercise all possible disaster scenarios c. Ensure that all residual risk is addressed d. Identify limitations of the business continuity plan

Identify limitations of the business continuity plan

Which of the following assurance methods is acceptable for external use, including licensing? a. Internal audit b. Assessment c. Independent audit d. External audit

Independent Audit

What is the primary technique for reporting compliance with key requirements in operations? a. Technical recommendations from IT b. COBIT performance framework c. Identify business issues and governance objectives d. Individual elements created from contracts and regulations

Individual elements created from contracts and regulations

Which of the following audit tools incorporates dummy transactions into the normal processing on a system? A. Continuous and intermittent simulation (CIS) B. Integrated test facility (ITF) C. Program audit hooks D. Snapshot

Integrated test facility (ITF)

What are common types of audits? a. Financial, SAS-74, compliance, administrative b. Forensic, accounting, verification, regulatory c. Information systems, SAS-70, regulatory, procedural d. Integrated, operational, compliance, administrative

Integrated, operational, compliance, administrative

Which of the following statements is not true concerning the use of a records management system? a. Details the foundation of all security control decisions determined by management b. Contains metadata describing acceptable and unacceptable handling procedures c. Provides a list of each data file to be protected d. Is not necessary for evidence of proper record keeping

Is not necessary for evidence of proper record keeping

Why is change control considered a governance issue? Proper implementation of change control reduces the need for separate test and production systems. b. It allows management to save time by granting more authority to administrators. c. It forces separation of duties to ensure that at least two people agree with the decision. d. Change control increases the trust factor.

It forces separation of duties to ensure that at least two people agree with the decision.

Which of the following is true regarding the principle of auditor independence? A. It is not an issue for auditors working for a consulting company. B. It is required for an external audit to prevent bias. C. An internal auditor must undergo certification training to be independent. D. The audit committee would bestow independence on the auditor.

It is required for an external audit to prevent bias.

Which of the following options is true about the term auditor independence? a. An internal auditor must undergo certification training to be independent. b. It is not an issue for auditors working for a consulting company. c. The audit committee bestows independence upon the auditor. d. It is required for an external audit.

It is required for an external audit.

The most important and relevant controls a. Inherent Risk b. Key Controls c. Control Risk d. Audit Evidence

Key Controls

Which statement about the Capability Maturity Model is not true? a. Level 3 processes have published objectives, measurements, and standards that are in effect across departmental boundaries. b. Level 5 provides maximum control in outsourcing because the definition of requirements is very specific. c. Level 3 provides quantitative measurement of the process output. d. Level 5 maturity converts a product into a commodity and allows a company to pay less and demand unquestionable adherence to management's authority.

Level 3 provides quantitative measurement of the process output.

Which of the following statements is true concerning the role of management and the role of the auditor? A. Management uses the auditor's report before making their assertions. B. Management must make their assertions prior to reading the auditor's report. C. The auditor is able to view only evidence that has been predetermined by management. D. The auditor's opinion will be based on the desire of management

Management must make their assertions prior to reading the auditor's report.

Portfolio management includes all of the following except which one? A. Selection of projects based on the best return on investment B. Centralized control of priorities across the projects C. Management of concurrent projects D. Method of controlling changes in the work breakdown structure

Method of controlling changes in the work breakdown structure

When an organization's disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? a. Acceptance b. Avoidance c. Mitigation d. Transfer

Mitigation

What is the correct sequence for benchmark processes in business process reengineering (BPR) projects? a. Observe, research, analyze, adapt, plan, implement b. Plan, research, observe, analyze, adapt, improve c. Plan, observe, analyze, improve, test d. Research, test, plan, adapt, analyze, improve

Plan, research, observe, analyze, adapt, improve

The MOST important reason for an IS auditor to obtain sufficient and appropriate audit evidence is to a. Perform the audit according to the defined scope b. Comply with regulatory requirements c. Provide a basis for drawing reasonable conclusions d. Ensure complete audit coverage

Provide a basis for drawing reasonable conclusions

What is the best definition of auditing? A. Review of past history using evidence to tell the story B. Forecasting compliance generated by a new system preparing to enter production C. Precompliance assessment based on management's intended design D. Certification testing of the system benefits or failures

Review of past history using evidence to tell the story

When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control? a. Reviewing transaction and application logs b. Locking user sessions after a specified period of inactivity c. Performing background checks prior to hiring IT staff d. Restricting physical access to computing equipment

Reviewing transaction and application logs

What would be the area of greatest interest during an audit of a business process reengineering (BPR) project? a. Vendor participation, documentation, installation assistance, and training b. Risk management planning alignment of the project to business objectives. c. Planning methods include Program Evaluation Review Technique (PERT). d. The steering committee approves sufficient controls for fraud detection.

Risk management planning alignment of the project to business objectives.

Which of the following business process reengineering (BPR) risks are likely to occur during the design phase? a. Technical risk, detection risk, audit risk b. Scope risk, skill risk, political risk c. Management risk, technical risk, HR risk d. Transition risk, skill risk, financial risk

Scope risk, skill risk, political risk

What function does the auditor provide? A. Second set of eyes, which are external to the subject under review B. Independent assurance that the claims of management are correct C. Assistance by fixing problems found during the audit D. Adapting standards to fit the needs of the client

Second set of eyes, which are external to the subject under review

Which type of charge?8-back scheme is notorious for violating separation of duties or for attempting to exceed authority? a. Charge back b. Actual usage billing c. Budgeted cost d. Sponsor pays

Sponsor pays

What is the definition of a standard as compared to a guideline? a. Guidelines are recommended controls necessary to support standards, which are discretionary. b. Standards are mandatory controls designed to support a policy. Following guidelines is discretionary. c. Standards are discretionary controls used with guidelines to aid the reader's decision process. d. Guidelines are intended to designate a policy, whereas standards are used in the absence of a policy.

Standards are mandatory controls designed to support a policy. Following guidelines is discretionary.

Which of the following is the best choice to ensure that internal control objectives are met? A. Top executive issues a policy stating compliance objectives. B. Procedures are created to govern employee conduct. C. Suitable systems for tracking and reporting incidents are used. D. The clients operating records are audited annually

Suitable systems for tracking and reporting incidents are used.

Which of the following would be evaluated as a preventive control by an IS auditor performing an audit? a. Tracing and tagging b. Transaction logs c. Before and after image reporting d. Table lookups

Table lookups

Which of the following is not considered a control failure? a. Modifying an ineffective procedure outside of change control b. Implementing a policy or standard without consequences of failure c. Testing to discover how many policy violations have occurred d. Using a policy that lacks a detective mechanism to identify violations

Testing to discover how many policy violations have occurred

A member of the auditee staff offers to loan you an unauthorized copy of software that you need for a short time. What should you, as the auditor, always remember? A. It's okay to borrow the software for one-time use. B. The auditee is not acting in an ethical manner. C. The auditee will usually get amnesty for turning in the auditor or discrediting the auditor. D. Odds of getting caught on this are very low.

The auditee will usually get amnesty for turning in the auditor or discrediting the

Which of the following statements is true concerning the auditor's qualified opinion? A. The auditor has reservations about the findings. B. The auditor is professionally qualified to give an opinion. C. The auditor has no reservations about the findings. D. The auditor has prior experience working in the IT department.

The auditor has reservations about the findings.

How should the auditor assist in the remediation of problems found during the audit? a. The auditor should never take ownership of problems found. Auditors are encouraged to provide general advice to the auditee, including an explanation of what to look for during the audit. b. The auditor should help the auditees. The auditor can add value by defining the specific steps necessary for remediation of the problem. c. The auditor should decide whether the problem is major or minor and then advise the auditee with a specific solution after considering the impact to the business. d. The auditor should take ownership of the issue and participate in designing the plan for fixing the problem.

The auditor should never take ownership of problems found. Auditors are encouraged to provide general advice to the auditee, including an explanation of what to look for during the audit.

Which of the following is true concerning reporting by internal auditors? A. Results can be used for industry licensing. B. The corresponding value of the audit report is high. C. Results can be used for external reporting. D. The corresponding value of the audit report is low.

The corresponding value of the audit report is low

Which of the following is true concerning the roles of data owner, data user, and data custodian? a. The data user implements controls as necessary. b. The data custodian is responsible for specifying acceptable usage. c. The data owner specifies controls. d. The data custodian specifies security classification.

The data owner specifies controls.

Who should issue the organizational policies? Policies should originate from the bottom and move up to the department manager for approval. b. The policy should be signed and enforced by any level of management. c. The policy should be signed and enforced by the highest level of management. d. The auditor should issue the policies in accordance with standards, and they should be authorized by the highest level of management to ensure compliance

The policy should be signed and enforced by the highest level of management.

What is the principal issue surrounding the use of CAAT software? A. The capability of the software vendor B. Documentary evidence is more effective C. Inability of automated tools to consider the human characteristics of the environment D. The possible cost, complexity, and security of output

The possible cost, complexity, and security of output

What is the purpose of the audit committee? A. To provide daily coordination of all audit activities B. To challenge and review assurances C. To assist the managers with training in auditing skills D. To govern, control, and manage the organization

To challenge and review assurances

What is the purpose of ISACA's professional ethics statement? a. To provide procedural advisement to the new IS auditor b. To provide advice on when it is acceptable for the auditor to deviate from audit standards c. To clearly specify acceptable and unacceptable behavior d. To provide instructions on how to deal with irregularities and illegal acts by the client

To clearly specify acceptable and unacceptable behavior

Which of the following is not cited in the text as a reason that balanced scorecard (BSC) implementations could fail? a. Top management providing full support b. Lack of BSC training and awareness c. Politics of losing the department budget d. Empire building by the department head

Top management providing full support

Which of the following would be a concern that the auditor should explain in the audit report along with their findings? A. Lack of a detailed list of audit objectives B. Undue restrictions placed by management on evidence use or audit procedure C. Communicating results directly to the chairperson of the audit committee D. Need by the current auditor to communicate with the prior auditors

Undue restrictions placed by management on evidence use or audit procedure

In regard to the IT governance control objectives, which of the following occurrences would the auditor be most concerned about during execution of the audit? A. Using the practice of self-monitoring to report problems B. Using proper change control C. Conflict in the existing reporting relationship D. Production system without accreditation

Using proper change control

What is the difference between a threat and a vulnerability? a. Vulnerabilities are a path that can be taken by a threat, resulting in a loss. b. Vulnerability is a negative event that will cause a loss if it occurs. c. Threats are risks and become a vulnerability if they occur. d. Threats are the path that can be exploited by a vulnerability.

Vulnerabilities are a path that can be taken by a threat, resulting in a loss

An IS auditor is planning to evaluate the control design effectiveness related to an automated billing process. Which of the following is the MOST effective approach for the auditor to adopt? a. Process narrative b. Reperformance c. Inquiry d. Walk-through

Walk-through

An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose? a. Inspection b. Walk-through c. Reperformance d. Inquiry

Walk-through

Who should the auditor notify if an illegal or inappropriate act involves the persons responsible for governance of controls? A. Law enforcement B. Audit committee C. Federal regulators D. Whistle-blower hotline

Whistle-blower hotline


Ensembles d'études connexes

Intro to Business - Ch 6: Business Formation: Choosing the Form that Fits

View Set

HRM 340 Chapter 11 - J. Wanek (Boise State)

View Set

principles of microeconomics final exam- horton

View Set

Chapter 13 : The Basics of Finance

View Set

Earth Science Solar System Quiz Review

View Set

The Businessowners Policy - Module C

View Set