CISA Questions (401 - 500)

The PRIMARY objective of conducting a postimplementation review for a business process automation project is to: Select an answer: A. ensure that the project meets the intended business requirements. B. evaluate the adequacy of controls. C. confirm compliance with technological standards. D. confirm compliance with regulatory requirements.

You answered D. The correct answer is A. A. Ensuring that the project meets the intended business requirements is the primary objective of a postimplementation review. B. Evaluating the adequacy of controls may be part of the review but is not the primary objective. C. Confirming compliance with technological standards is normally not part of the postimplementation review because this should be addressed during the design and development phase. D. Confirming compliance with regulatory requirements is normally not part of the postimplementation review because this should be addressed during the design and development phase.

Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of: Select an answer: A. pre-BPR process flowcharts. B. post-BPR process flowcharts. C. BPR project plans. D. continuous improvement and monitoring plans.

You answered D. The correct answer is B. A. An IS auditor must review the process as it is today, not as it was in the past. B. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. C. Business process reengineering (BPR) project plans are a step within a BPR project. D. Continuous improvement and monitoring plans are steps within a BPR project.

From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is: Select an answer: A. a major deployment after proof of concept. B. prototyping and a one-phase deployment. C. a deployment plan based on sequenced phases. D. to simulate the new infrastructure before deployment.

You are correct, the answer is C. A. A major deployment would pose a higher risk of implementation failure. B. Prototyping may reduce development failure, but a large environment will usually require a phased approach. C. When developing a large and complex IT infrastructure, a good practice is to use a phased approach to fit the entire system together. This will provide greater assurance of quality results. D. It is not usually feasible to simulate a large and complex IT infrastructure prior to deployment.

When reviewing the implementation of a local area network (LAN), an IS auditor should FIRST review the: Select an answer: A. node list. B. acceptance test report. C. network diagram. D. users list.

You are correct, the answer is C. A. Verification of nodes from the node list would follow the review of the network diagram. B. The review of the acceptance test report would follow the verification of nodes from the node list. C. To properly review a local area network (LAN) implementation, an IS auditor should first verify the network diagram to identify risk or single points of failure. D. The users list would be reviewed after the acceptance test report.

Which of the following system and data conversion strategies provides the GREATEST redundancy? Select an answer: A. Direct cutover B. Pilot study C. Phased approach D. Parallel run

You are correct, the answer is D. A. Direct cutover is actually quite risky because it does not provide for a "shake down period" nor does it provide an easy fallback option. B. A pilot study approach is performed incrementally, making rollback procedures difficult to execute. C. A phased approach is performed incrementally, making rollback procedures difficult to execute. D. Parallel runs are the safest—though the most expensive—approach because both the old and new systems are run, thus incurring what might appear to be double costs.

Which one of the following could be used to provide automated assurance that proper data files are being used during processing? Select an answer: A. File header record B. Version usage C. Parity checking D. File security controls

You answered B. The correct answer is A. A. A file header record provides assurance that proper data files are being used, and it allows for automatic checking. B. Although version usage provides assurance that the correct file and version are being used, it does not allow for automatic checking. C. Parity checking is a data integrity validation method typically used by a data transfer program. While parity checking may help to ensure that data and program files are transferred successfully, it does not help to ensure that the proper data or program files are being used. D. File security controls cannot be used to provide assurance that proper data files are being used and cannot allow for automatic checking.

An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review? Select an answer: A. References from other clients for the service provider B. The physical security of the service provider site C. The draft service level agreement (SLA) with the service provider D. Background checks of the service provider's employees

You answered A. The correct answer is C. A. A due diligence activity such as reviewing references from other clients is a good practice, but the service level agreement (SLA) would be most critical because it would define what specific levels of performance would be required and make the provider contractually obligated to deliver what was promised. B. A due diligence activity such as reviewing physical security controls is a good practice, but the SLA would be most critical because it would define what specific levels of security would be required and make the provider contractually obligated to deliver what was promised. C. When contracting with a service provider, it is a good practice to enter into an SLA with the provider. An SLA is a guarantee that the provider will deliver the services according to the contract. The IS auditor will want to ensure that performance and security requirements are clearly stated in the SLA. D. A due diligence activity such as the use of background checks for the service provider's employees is a good practice, but the SLA would be most critical because it would define what specific levels of security and labor practices would be required and make the provider contractually obligated to deliver what was promised.

Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? Select an answer: A. Inheritance B. Dynamic warehousing C. Encapsulation D. Polymorphism

You answered A. The correct answer is C. A. In object-oriented systems an object is called by another module and inherits its data from the calling module. This does not affect security. B. Dynamic warehousing is not related to the security of object-oriented technology. C. Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed. D. Polymorphism is the principle of creating different objects that will behave differently depending on the input. This is not a security feature.

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should: Select an answer: A. report the error as a finding and leave further exploration to the auditee's discretion. B. attempt to resolve the error. C. recommend that problem resolution be escalated. D. ignore the error because it is not possible to get objective evidence for the software error.

You answered A. The correct answer is C. A. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate. Action should be taken before the application goes into production. B. The IS auditor is not authorized to resolve the error. C. When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted including escalation if necessary. D. Neglecting the error would indicate that the IS auditor has not taken steps to further probe the issue to its logical end.

Which of the following is the MOST effective when determining the correctness of individual account balances migrated from one database to another? Select an answer: A. Compare the hash total before and after the migration. B. Verify that the number of records is the same for both databases. C. Perform sample testing of the migrated account balances. D. Compare the control totals of all of the transactions.

You answered A. The correct answer is C. A. The hash total will only validate the data integrity at a batch level rather than at a transaction level. B. Databases are composed of records that can contain multiple fields. The number of records will not allow an IS auditor to ascertain whether some of these fields have been successfully migrated. C. Performing sample testing of the migrated account balances will involve the comparison of a selection of individual transactions from the database before and after the migration. D. Comparing the control totals does not imply that the records are complete or that individual values are accurate.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented? Select an answer: A. The reporting of the mean time between failures over time B. The overall mean time to repair failures C. The first report of the mean time between failures D. The overall response time to correct failures

You answered A. The correct answer is C. A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues. B. The mean time to repair is a reflection on the response team or help desk team in addressing reported issues. C. The mean time between failures that are first reported represents flaws in the software that are reported by users in the production environment. This information helps the IS auditor in evaluating the quality of the software that is developed and implemented. D. The response time is a reflection of the agility of the response team or the help desk team in addressing reported issues.

The PRIMARY benefit of an IT manager monitoring technical capacity is to: Select an answer: A. identify the need for new hardware and storage procurement. B. determine the future capacity need based on usage. C. ensure that the service level agreement (SLA) requirements are met. D. ensure that systems operate at optimal capacity.

You answered A. The correct answer is C. A. This is one benefit of monitoring technical capacity because it can help forecast future demands, not just react to system failures. However, the primary responsibility of the IT manager is to meet the overall requirement to ensure that IT is meeting the service level expectations of the business. B. Determining future capacity is one definite benefit of technical capability monitoring. C. Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement (SLA) between the business and IT. D. IT management is interested in ensuring that systems are operating at optimal capacity, but their primary obligation is to ensure that IT is meeting the service level requirements of the business.

What kind of software application testing is considered the final stage of testing and typically includes users outside the development team? Select an answer: A. Alpha testing B. White box testing C. Regression testing D. Beta testing

You answered A. The correct answer is D. A. Alpha testing is the testing stage just before beta testing. Alpha testing is typically performed by programmers and business analysts, instead of users. Alpha testing is used to identify bugs or glitches that can be fixed before beta testing begins with external users. B. White box testing is performed much earlier in the software development life cycle than alpha or beta testing. White box testing is used to assess the effectiveness of software program logic, where test data are used to determine procedural accuracy of the programs being tested. In other words, does the program operate the way it is supposed to at a functional level? White box testing does not typically involve external users. C. Regression testing is the process of re-running a portion of a test scenario to ensure that changes or corrections have not introduced more errors. In other words, the same tests are run after multiple successive program changes to ensure that the "fix" for one problem did not "break" another part of the program. Regression testing is not the last stage of testing and does not typically involve external users. D. Beta testing is the final stage of testing and typically includes users outside the development area. Beta testing is a form of user acceptance testing (UAT) and generally involves a limited number of users who are external to the development effort.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs: Select an answer: A. periodic review of user activity logs. B. verification of user authorization at the field level. C. review of data communication access activity logs. D. periodic review of changing data files.

You answered B. The correct answer is A. A. General operating system access control functions include logging user activities, events, etc. Reviewing these logs may identify users performing activities that should not have been permitted. B. Verification of user authorization at the field level is a database- and/or an application-level access control function and not applicable to an operating system. C. Review of data communication access activity logs is a network control feature. D. Periodic review of changing data files is related to a change control process.

Which of the following types of testing would determine whether a new or modified system can operate in its target environment without adversely impacting other existing systems? Select an answer: A. Parallel testing B. Pilot testing C. Interface/integration testing D. Sociability testing

You answered A. The correct answer is D. A. Parallel testing is the process of feeding data into two systems—the modified system and an alternate system—and comparing the results. In this approach, the old and new systems operate concurrently for a period of time and perform the same processing functions. This allows a new system to be tested without affecting existing systems. B. Pilot testing takes place first at one location and is then extended to other locations. The purpose is to see if the new system operates satisfactorily in one place before implementing it at other locations. In most cases the cutover to the new system will disable existing systems. C. Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure. This will not test in a true production environment. D. The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development.

An IS audit group has been involved in the integration of an automated audit tool kit with an existing enterprise resource planning (ERP) system. Due to performance issues, the audit tool kit is not permitted to go live. What should the IS auditor's BEST recommendation be? Select an answer: A. Review the implementation of selected integrated controls. B. Request additional IS audit resources. C. Request vendor technical support to resolve performance issues. D. Review the results of stress tests during user acceptance testing (UAT).

You answered A. The correct answer is D. A. Reviewing the implementation of selected integrated controls validates the technical design and the control objective, but integrated controls over transactional tables consume large resources. They should be reviewed carefully to determine whether they are mandatory or can be implemented and integrated for only specific transactions over the enterprise resource planning (ERP) application. B. The inability to implement the automated tool may necessitate additional audit resources because many audits will require more manual effort; however, the first step should be to try to resolve the performance issues. C. Requesting vendor technical support to resolve performance issues is a good option, but not the first recommendation. D. The appropriate recommendation is to review the results of stress tests during user acceptance testing (UAT) that demonstrated the performance issues.

Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telecommunication services? Select an answer: A. Downtime reports on the telecommunication services generated by the ISP B. A utilization report of automatic failover services generated by the enterprise C. A bandwidth utilization report provided by the ISP D. Downtime reports on the telecommunication services generated by the enterprise

You answered A. The correct answer is D. A. The Internet service provider (ISP)-generated downtime reports are produced by the same entity that is being monitored. As a result, it will be necessary to review these reports for possible bias and/or errors against other data. B. The information provided by these reports is indirect evidence of the extent that the backup telecommunication services were used. These reports may not indicate compliance with the service level agreement (SLA), just that the failover systems had been used. C. Utilization reports are used to measure the usage of bandwidth, not uptime. D. The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP.

The MAIN reason for requiring that all computer clocks across an organization be synchronized is to: Select an answer: A. prevent omission or duplication of transactions. B. ensure smooth data transition from client machines to servers. C. ensure that email messages have accurate time stamps. D. support the incident investigation process.

You answered A. The correct answer is D. A. The possibility of omission or duplication of transactions will not happen due to lack of clock synchronization. B. Data transfer has nothing to do with the time stamp. C. While the time stamp on an email may not be accurate, this is not a significant issue. D. During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult because a time line of events occurring on different systems might not be easily established.

An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening? Select an answer: A. The default configurations are changed. B. All tables in the database are normalized. C. Stored procedures and triggers are encrypted. D. The service port used by the database server is changed.

You answered B. The correct answer is A. A. Default database configurations, such as default passwords and services, need to be changed; otherwise, the database could be easily compromised by malicious code and by intruders. B. The normalization of a database is related more to performance than to security. C. Limiting access to stored procedures is a valid security consideration but not as critical as changing default configurations. D. Changing the service port used by the database is a component of the configuration changes that could be made to the database, but there are other more critical configuration changes that should be made first.

Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network? Select an answer: A. Firewalls B. Routers C. Layer 2 switches D. Virtual local area networks (VLANs)

You answered B. The correct answer is A. A. Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls. B. Routers can filter packets based on parameters, such as source address but are not primarily a security tool. C. Based on Media Access Control (MAC) addresses, layer 2 switches separate traffic without determining whether it is authorized or unauthorized traffic. D. A virtual local area network (VLAN) is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical local access network (LAN). Nevertheless, they do not effectively deal with authorized versus unauthorized traffic.

During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful: Select an answer: A. buffer overflow. B. brute force attack. C. distributed denial-of-service attack (DDoS). D. war dialing attack.

You answered B. The correct answer is A. A. Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques. B. A brute force attack is used to crack passwords, but this is not related to coding standards. C. A distributed denial-of-service (DDoS) attack floods its target with numerous packets, to prevent it from responding to legitimate requests. This is not related to coding standards. D. War dialing uses modem-scanning tools to hack private branch exchanges (PBXs) or other telecommunications services.

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing? Select an answer: A. A clause providing a "right to audit" the service provider B. A clause defining penalty payments for poor performance C. Predefined service level report templates D. A clause regarding supplier limitation of liability

You answered B. The correct answer is A. A. The absence of a "right to audit" clause or other form of attestation that the supplier was compliant with a certain standard would potentially prevent the IS auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance and adherence to legal requirements. This would be a major concern for the IS auditor because it would be difficult for the organization to assess whether the appropriate controls had been put in place. B. While a clear definition of penalty payment terms is desirable, not all contracts require the payment of penalties for poor performance, and when performance penalties are required, these penalties are often subject to negotiation on a case-by-case basis. As such, the absence of this information would not be as significant as a lack of right to audit. C. While the inclusion of service level report templates would be desirable, as long as the requirement for service level reporting is included in the contract, the absence of predefined templates for reporting is not a significant concern. D. The absence of a limitation of liability clause for the service provider would, theoretically, expose the provider to unlimited liability. This would be to the advantage of the outsourcing company so, while the IS auditor might highlight the absence of such a clause, it would not constitute a major concern.

During which phase of software application testing should an organization perform the testing of architectural design? Select an answer: A. Acceptance testing B. System testing C. Integration testing D. Unit testing

You answered B. The correct answer is C. A. Acceptance testing determines whether the solution meets the requirements of the business and is performed after system staff has completed the initial system test. This testing includes both quality assurance testing (QAT) and user acceptance testing (UAT), although not combined. B. System testing relates a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system. C. Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design. D. Unit testing references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.

When reviewing the configuration of network devices, an IS auditor should FIRST identify: Select an answer: A. the good practices for the type of network devices deployed. B. whether components of the network are missing. C. the importance of the network devices in the topology. D. whether subcomponents of the network are being used appropriately.

You answered B. The correct answer is C. A. After understanding the devices in the network, a good practice for using the device should be reviewed to ensure that there are no anomalies within the configuration. B. Identification of which component is missing can only be known upon reviewing and understanding the topology and a good practice for deployment of the device in the network. C. The first step is to understand the importance and role of the network device within the organization's network topology. D. Identification of which subcomponent is being used inappropriately can only be known upon reviewing and understanding the topology and a good practice for deployment of the device in the network.

An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is that IT has NOT considered: Select an answer: A. the training needs for users after applying the patch. B. any beneficial impact of the patch on the operational systems. C. delaying deployment until testing the impact of the patch. D. the necessity of advising end users of new patches.

You answered B. The correct answer is C. A. Normally, there is no need for training users when a new operating system patch has been installed. B. Any beneficial impact is less important than the risk of unavailability, which could be avoided with proper testing. C. Deploying patches without testing exposes an organization to the risk of system disruption or failure. D. Normally, there is no need for advising users when a new operating system patch has been installed except to ensure that the patch is applied at a time that will have minimal impact on operations.

During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST? Select an answer: A. Postpone the audit until the agreement is documented. B. Report the existence of the undocumented agreement to senior management. C. Confirm the content of the agreement with both departments. D. Draft a service level agreement (SLA) for the two departments.

You answered B. The correct answer is C. A. There is no reason to postpone an audit because a service agreement is not documented, unless that is all that is being audited. The agreement can be documented after it has been established that there is an agreement in place. B. Reporting to senior management is not necessary at this stage of the audit because this is not a serious immediate vulnerability. C. An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this will be to ensure that both parties are in agreement with the terms of the agreement. D. Drafting a service level agreement (SLA) is not the IS auditor's responsibility.

An IS auditor determined that the IT manager recently changed the vendor that is responsible for performing maintenance on critical computer systems to cut costs. While the new vendor is less expensive, the new maintenance contract specifies a change in incident resolution time specified by the original vendor. Which of the following should be the GREATEST concern to the IS auditor? Select an answer: A. Disaster recovery plans (DRPs) may be invalid and need to be revised. B. Transactional business data may be lost in the event of system failure. C. The new maintenance vendor is not familiar with the organization's policies. D. Application owners were not informed of the change.

You answered B. The correct answer is D. A. Disaster recovery plans (DRPs) must support the needs of the business, but the greater risk is that application owners are not aware of the change in resolution time. B. Transactional business data loss is determined by data backup frequency and, consequently, the backup schedule. C. The vendor must abide by the terms of the contract and those should include compliance with the privacy policies of the organization, but the lack of application owner involvement is the most important concern. D. The greatest risk of making a change to the maintenance of critical systems is that the change could have an adverse impact on a critical business process. While there is a benefit in selecting a less expensive maintenance vendor, the resolution time must be aligned with the needs of the business.

The MAJOR advantage of a component-based development approach is the: Select an answer: A. ability to manage an unrestricted variety of data types. B. provision for modeling complex relationships. C. capacity to meet the demands of a changing environment. D. support of multiple development environments.

You answered B. The correct answer is D. A. The data types must be defined within each component, and it is not sure that any component will be able to handle multiple data types. B. Component-based development is no better than many other development methods at modeling complex relationships. C. Component-based development is one of the methodologies that can be effective at meeting changing requirements, but this is not its primary benefit or purpose. D. Component-based development that relies on reusable modules can increase the speed of development. Software developers can then focus on business logic.

An IS auditor should ensure that review of online electronic funds transfer (EFT) reconciliation procedures should include: Select an answer: A. vouching. B. authorizations. C. corrections. D. tracing.

You answered B. The correct answer is D. A. Vouching is usually performed during the funds transfer, not during the reconciliation effort. B. In online processing, authorizations are normally done automatically by the system, not during the reconciliation. C. Correction entries should be reviewed during a reconciliation; however, they are normally done by an individual other than the person entrusted to do reconciliations and are not as important as tracing. D. Tracing is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer (EFT) transactions, the direction on tracing may start from the customer-printed copy of the receipt, checking the system audit trails and logs, and finally checking the master file records for daily transactions.

An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources (HR) department. Which of the following should be the GREATEST concern to an IS auditor? Select an answer: A. The service level agreement (SLA) ensures strict limits for uptime and performance. B. The cloud provider will not agree to an unlimited right-to-audit as part of the SLA. C. The SLA is not explicit regarding the disaster recovery plan (DRP) capabilities of the cloud provider. D. The cloud provider's data centers are in multiple cities and countries.

You answered B. The correct answer is D. A. While this application may have strict requirements for availability, it is assumed that the service level agreement (SLA) would contain these same elements; therefore, this is not a concern. B. The right-to-audit clause is good to have, but there are limits on how a cloud service provider may interpret this requirement. The task of reviewing and assessing all the controls in place at a multinational cloud provider would likely be a costly and time-consuming exercise; therefore, such a requirement may be of limited value. C. Because the SLA would normally specify uptime requirements, the means used to achieve those goals (which would include the specific disaster recovery plan (DRP) capabilities of the provider) are typically not reviewed in-depth by the customer, nor are they typically specified in a SLA. D. Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain personally identifiable information (PII). There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy. While the organization would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply.

Management considered two projections for its disaster recovery plan (DRP): plan A with two months to fully recover and plan B with eight months to fully recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected higher: Select an answer: A. downtime costs. B. resumption costs. C. recovery costs. D. walk-through costs.

You answered C. The correct answer is A. A. Because management considered a longer time window for recovery in plan B, downtime costs included in the plan are likely to be higher. B. Because the recovery time for plan B is longer, resumption costs can be expected to be lower. C. Because the recovery time for plan B is longer, recovery costs can be expected to be lower. D. Walk-through costs are not a part of disaster recovery.

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a: Select an answer: A. correlation of semantic characteristics of the data migrated between the two systems. B. correlation of arithmetic characteristics of the data migrated between the two systems. C. correlation of functional characteristics of the processes between the two systems. D. relative efficiency of the processes between the two systems.

You answered C. The correct answer is A. A. Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new as it was in the old system. B. Arithmetic characteristics represent aspects of data structure and internal definition in the database and, therefore, are less important than the semantic characteristics. C. A review of the correlation of the functional characteristics between the two systems is not relevant to a data migration review. D. A review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network? Select an answer: A. The use of diskless workstations B. Periodic checking of hard drives C. The use of current antivirus software D. Policies that result in instant dismissal if violated

You answered C. The correct answer is B. A. Diskless workstations act as a preventive control and are not totally effective in preventing users from accessing illegal software over the network. B. The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded onto the network. C. Antivirus software will not necessarily identify illegal software, unless the software contains a virus. D. Policies are a preventive control to lay out the rules about loading the software, but will not detect the actual occurrence.

An IS auditor reviewing a cloud computing environment managed by a third party should be MOST concerned when: Select an answer: A. the organization is not permitted to assess the controls in the participating vendor's site. B. the service level agreement (SLA) does not address the responsibility of the vendor in the case of a security breach. C. laws and regulations are different in the countries of the organization and the vendor. D. the organization is using an older version of a browser and is vulnerable to certain types of security risk.

You answered C. The correct answer is B. A. The IS auditor has no role to play if the contract between the parties does not provide for assessment of controls in the other vendor's site. B. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach. C. The IS auditor should ensure that the contract addresses the differing laws and regulations in the countries of the organization and the vendor, but having different laws and regulations is not a problem in itself. D. The IS auditor can make suggestions to the audited entity to use appropriate patches or to switch over to safer browsers, and the IS auditor can follow up on the action taken.

During a postimplementation review, which of the following activities should be performed? Select an answer: A. User acceptance testing (UAT) B. Return on investment (ROI) analysis C. Activation of audit trails D. Updates of the state of enterprise architecture (EA) diagrams

You answered C. The correct answer is B. A. User acceptance testing (UAT) should be performed prior to the implementation (perhaps during the development phase), not after the implementation. B. Following implementation, a cost-benefit analysis or return on investment (ROI) should be re-performed to verify that the original business case benefits are delivered. C. The audit trail should be activated during the implementation of the application. D. While updating the enterprise architecture (EA) diagrams is a good practice, it would not normally be part of a postimplementation review.

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? Select an answer: A. IS auditor B. Database administrator C. Project manager D. Data owner

You answered C. The correct answer is D. A. An IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. B. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. C. A project manager provides day-to-day management and leadership of the project but is not responsible for the accuracy and integrity of the data. D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely and accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data.

A company is implementing a Dynamic Host Configuration Protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern? Select an answer: A. Most employees use laptops. B. A packet filtering firewall is used. C. The IP address space is smaller than the number of PCs. D. Access to a network port is not restricted.

You answered C. The correct answer is D. A. Dynamic Host Configuration Protocol (DHCP) provides convenience (an advantage) to the laptop users. B. The existence of a firewall can be a security measure. C. A limited number of IP addresses can be addressed through network address translation (NAT). D. Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network.

While performing a review of a critical third-party application, an IS auditor would be MOST concerned with discovering: Select an answer: A. inadequate procedures for ensuring adequate system portability. B. inadequate operational documentation for the system. C. an inadequate alternate service provider listing. D. an inadequate software escrow agreement.

You answered C. The correct answer is D. A. Procedures to ensure that systems are developed so that they can be ported to other system platforms will help ensure that the system can still continue functioning without affecting the business process if changes to the infrastructure occur. This is less important than availability of the software. B. Inadequate operational documentation is a risk but would be less significant than the risk of unavailability of the software. C. While alternate service providers could be used if a vendor goes out of business, having access to the source code via a software escrow agreement is more important. D. The inclusion of a clause in the agreement that requires software code to be placed in escrow helps to ensure that the customer can continue to use the software and/or obtain technical support if a vendor were to go out of business.

Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization? Select an answer: A. Built-in alternative routing B. Complete full system backup daily C. A repair contract with a service provider D. A duplicate machine alongside each server

You are correct, the answer is A. A. Alternative routing would ensure that the network would continue if a communication device fails or if a link is severed because message rerouting could be automatic. B. System backup will not afford protection for a networking failure. C. The repair contract will almost always result in some lost time and is not as effective as permanent alternative routing. D. Standby servers will not provide continuity if a link is severed.

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find? Select an answer: A. Use of a capability maturity model (CMM) B. Regular monitoring of task-level progress against schedule C. Extensive use of software development tools to maximize team productivity D. Postiteration reviews that identify lessons learned for future use in the project

You answered C. The correct answer is D. A. The capability maturity model (CMM) places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics. B. Task-level tracking is not used because daily meetings identify challenges and impediments to the project. C. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance. D. A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development processes as the project progresses. One of the best ways to achieve this is that the team considers and documents what worked well and what could have worked better at the end of each iteration and identifies improvements to be implemented in subsequent iterations. Additionally, less importance is placed on formal paper-based deliverables, with the preference being effective informal communication within the team and with key outside contributors. Agile projects produce releasable software in short iterations, typically ranging from four to eight weeks. This, in itself, instills considerable performance discipline within the team. This, combined with short daily meetings to agree on what the team is doing and the identification of any impediments, renders task-level tracking against a schedule redundant.

An advantage of using unshielded twisted-pair (UTP) cable for data communication over other copper-based cables is that UTP cable: Select an answer: A. reduces crosstalk between pairs. B. provides protection against wiretapping. C. can be used in long-distance networks. D. is simple to install.

You answered D. The correct answer is A. A. The use of unshielded twisted-pair (UTP) in copper will reduce the likelihood of crosstalk. B. While the twisted nature of the media will reduce sensitivity to electromagnetic disturbances, an unshielded copper wire does not provide adequate protection against wiretapping. C. Attenuation sets in if copper twisted-pair cable is used for longer than 100 meters, necessitating the use of a repeater. D. The tools and techniques to install UTP are not simpler or easier than other copper-based cables.

An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the: Select an answer: A. IT department implement control mechanisms to prevent unauthorized software installation. B. security policy be updated to include specific language regarding unauthorized software. C. IT department prohibit the download of unauthorized software. D. users obtain approval from an IS manager before installing nonstandard software.

You answered D. The correct answer is B. A. An IS auditor's obligation is to report on observations noted and make the best recommendation, which is to address the situation through policy. The IT department cannot implement controls in the absence of the authority provided through policy. B. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue—and provide authority for the IT department to implement technical controls. C. Preventing downloads of unauthorized software is not the complete solution. Unauthorized software can be also introduced through compact discs (CDs) and universal serial bus (USB) drives. D. Requiring approval from the IS manager before installation of the nonstandard software is an exception handling control. It would not be effective unless a preventive control to prohibit user installation of unauthorized software is established first.

An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement (SLA)? Select an answer: A. Overall number of users supported B. Percentage of incidents solved in the first call C. Number of incidents reported to the help desk D. Number of agents answering the phones

You answered D. The correct answer is B. A. The contract price will usually be based on the number of users supported, but the performance metrics should be based on the ability to provide effective support and address user problems rapidly. B. Because it is about service level (performance) indicators, the percentage of incidents solved on the first call is a good way to measure the effectiveness of the supporting organization. C. The number of reported incidents cannot be controlled by the outsource supplier; therefore, that cannot be an effective measure. D. The efficiency and effectiveness of the people answering the calls and being able to address problems rapidly are more important than the number of people answering the calls.

Which of the following would help to ensure the portability of an application connected to a database? Select an answer: A. Verification of database import and export procedures B. Usage of a structured query language (SQL) C. Analysis of stored procedures/triggers D. Synchronization of the entity-relation model with the database physical schema

You answered D. The correct answer is B. A. Verification of import and export procedures with other systems ensures better interfacing with other systems but does not contribute to the portability of an application connecting to a database. B. The use of structured query language (SQL) facilitates portability because it is an industry standard used by many systems. C. Analyzing stored procedures/triggers ensures proper access/performance but does not contribute to the portability of an application connecting to a database. D. Reviewing the design entity-relation model will be helpful but does not contribute to the portability of an application connecting to a database.

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform? Select an answer: A. Program output testing B. System configuration C. Program logic specification D. Performance tuning

You are correct, the answer is A. A. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user. B. System configuration is usually too technical to be accomplished by a user and this situation could create security issues. This could introduce a segregation of duties issue. C. Program logic specification is a very technical task that is normally performed by a programmer. This could introduce a segregation of duties issue. D. Performance tuning also requires high levels of technical skill and will not be effectively accomplished by a user. This could introduce a segregation of duties issue.

An organization has implemented an online customer help desk application using a software as a service (SaaS) operating model. An IS auditor is asked to recommend the best control to monitor the service level agreement (SLA) with the SaaS vendor as it relates to availability. What is the BEST recommendation that the IS auditor can provide? Select an answer: A. Ask the SaaS vendor to provide a weekly report on application uptime. B. Implement an online polling tool to monitor the application and record outages. C. Log all application outages reported by users and aggregate the outage time weekly. D. Contract an independent third party to provide weekly reports on application uptime.

You answered D. The correct answer is B. A. Weekly application availability reports are useful, but these reports represent only the vendor's perspective. While monitoring these reports, the organization can raise concerns of inaccuracy; however, without internal monitoring, such concerns cannot be substantiated. B. Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor application availability. Comparing internal reports with the vendor's service level agreement (SLA) reports would ensure that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved. C. Logging the outage times reported by users is helpful, but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if the outages are intermittent. D. Contracting a third party to implement availability monitoring is not a cost-effective option. Additionally, this results in a shift from monitoring the SaaS vendor to monitoring the third party.

Which of the following is an implementation risk within the process of decision support systems (DSSs)? Select an answer: A. Management control B. Semistructured dimensions C. Inability to specify purpose and usage patterns D. Changes in decision processes

You answered D. The correct answer is C. A. Management control is not a type of risk, but a characteristic of a decision support system (DSS). B. Semistructured dimensions is not a type of risk, but a characteristic of a DSS. C. The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS. D. Changes in decision processes are not a type of risk, but a characteristic of a DSS.

Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to: Select an answer: A. assess whether the planned cost benefits are being measured, analyzed and reported. B. review control balances and verify that the system is processing data accurately. C. review the impact of program changes made during the first phase on the remainder of the project. D. determine whether the system's objectives were achieved.

You answered D. The correct answer is C. A. While all choices are valid, the postimplementation focus and primary objective should be understanding the impact of the problems in the first phase on the remainder of the project. B. The review should assess whether the control is working correctly, but should focus on the problems that led to project overruns in budget and time. C. Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. This will help to identify whether IT has adequately planned for those issues in subsequent projects. D. Ensuring that the system works is a primary objective for the IS auditor, but in this case because the project planning was a failure, the IS auditor should focus on the reasons for, and impact of, the failure.

During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to ensure that the organization: Select an answer: A. has performed background checks on all service personnel. B. escorts service personnel at all times when performing their work. C. performs maintenance during noncritical processing times. D. independently verifies that maintenance is being performed.

You answered D. The correct answer is C. A. While the trustworthiness of the service personnel is important, it is normal practice for these individuals to be escorted and supervised by the data center personnel. It is also expected that the service provider would perform this background check, not the customer. B. Escorting service personnel is common and a good practice, but the greater risk in this case would be if work were performed during critical processing times. C. The biggest risk to normal operations in a data center would be if an incident or mishap were to happen during critical peak processing times; therefore, it would be prudent to ensure that no type of system maintenance be performed at these critical times. D. It is possible that the service provider is performing inadequate maintenance; therefore, this issue may need to be investigated; however, the bigger risk is maintenance being performed at critical processing times.

An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted by defect fixes from the developers. Which of the following would be the BEST recommendation for an IS auditor to make? Select an answer: A. Consider the feasibility of a separate user acceptance environment. B. Schedule user testing to occur at a given time each day. C. Implement a source code version control tool. D. Only retest high-priority defects.

You are correct, the answer is A. A. A separate environment or environments is normally necessary for testing to be efficient and effective and to ensure the integrity of production code. It is important that the development and test code bases be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained. B. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity. C. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate test environment. D. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.

When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify? Select an answer: A. The risk associated with the use of the products is periodically assessed. B. The latest version of software is listed for each product. C. Due to licensing issues, the list does not contain open source software. D. After-hours support is offered.

You are correct, the answer is A. A. Because the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may be best incorporated into the IT risk management process. B. The organization may not be using the latest version of a product. C. The list may contain open source software depending on the business requirements and associated risk. D. Support may be provided internally or externally, and technical support should be arranged depending on the criticality of the software.

The reason a certification and accreditation (C&A) process is performed on critical systems is to ensure that: Select an answer: A. security compliance has been technically evaluated. B. data have been encrypted and are ready to be stored. C. the systems have been tested to run on different platforms. D. the systems have followed the phases of a waterfall model.

You are correct, the answer is A. A. Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration. B. Certification tests security functionality, including encryption where that is required, but that is not the primary objective of the certification and accreditation (C&A) process. C. Certified systems are evaluated to run in a specific environment. D. A waterfall model is a software development methodology and not a reason for performing a C&A process.

Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies? Select an answer: A. Developments may result in hardware and software incompatibility. B. Resources may not be available when needed. C. The recovery plan cannot be tested. D. The security infrastructures in each company may be different.

You are correct, the answer is A. A. If one organization updates its hardware and software configuration, it may mean that it is no longer compatible with the systems of the other party in the agreement. This may mean that each company is unable to use the facilities at the other company to recover their processing following a disaster. B. Resources being unavailable when needed are an intrinsic risk in any reciprocal agreement, but this is a contractual matter and is not the greatest risk. C. The plan can be tested by paper-based walk-throughs and possibly by agreement between the companies. D. The difference in security infrastructures, while a risk, is not insurmountable.

During a data center audit, an IS auditor observes that some parameters in the tape management system are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness? Select an answer: A. Staging and job setup B. Supervisory review of logs C. Regular backup of tapes D. Offsite storage of tapes

You are correct, the answer is A. A. If the IS auditor finds that there are effective staging and job setup processes, this can be accepted as a compensating control. Not reading header records may otherwise result in loading the wrong tape and deleting or accessing data on the loaded tape. B. Supervisory review of logs is a detective control that would not prevent loading of the wrong tapes. C. Regular tape backup is not related to bypassing tape header records. D. Offsite storage of tapes would not prevent loading the wrong tape because of bypassing header records.

Which of the following situations would increase the likelihood of fraud? Select an answer: A. Application programmers are implementing changes to production programs. B. Administrators are implementing vendor patches to vendor-supplied software without following change control procedures. C. Operations support staff members are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.

You are correct, the answer is A. A. Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. B. The lack of change control is a serious risk—but if the changes are only vendor-supplied patches to vendor software then the risk is minimal. C. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data unless jobs are run in the wrong sequence. D. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.

During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely: Select an answer: A. review access control configuration. B. evaluate interface testing. C. review detailed design documentation. D. evaluate system testing.

You are correct, the answer is A. A. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. B. Because a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. C. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system because these are usually vendor packages with user manuals. System testing should be performed before final user signoff. Further, because the system has been implemented, the IS auditor would only check the detailed design if there appeared to be a gap between design and functionality. D. System testing should be performed before final user signoff. The IS auditor should not need to review the system tests postimplementation

Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project? Select an answer: A. System owners B. System users C. System designers D. System builders

You are correct, the answer is A. A. System owners are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems. B. System users are the individuals who use or are affected by the information system. Their requirements are crucial in the requirements definition, design and testing stages of a project. C. System designers translate business requirements and constraints into technical solutions. D. System builders construct the system based on the specifications from the systems designers. In most cases, the designers and builders are one and the same.

An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a: Select an answer: A. transition clause from the old supplier to a new supplier in the case of expiration or termination. B. late payment clause between the customer and the supplier. C. contractual commitment for service improvement. D. dispute resolution procedure between the contracting parties.

You are correct, the answer is A. A. The delivery of IT services for a specific customer always implies a close linkage between the client and the supplier of the service. If there are no contract terms to specify how the transition to a new supplier may be performed, there is the risk that the old supplier may simply "pull the plug" if the contract expires or is terminated or may not make data available to the outsourcing organization or new supplier. This would be the greatest risk to the organization. B. Contractual issues regarding payment, service improvement and dispute resolution are important but not as critical as ensuring that service disruption, data loss, data retention, or other significant events occur in the event that the organization switches to a new firm providing outsourced services. C. The service level agreement (SLA) should address performance requirements and metrics to report on the status of services provided, but it does not necessarily address commitment for performance improvement. D. The SLA should address a dispute resolution procedure and specify the jurisdiction in case of a legal dispute, but this is not the most critical part of an SLA.

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? Select an answer: A. Requirements should be tested in terms of importance and frequency of use. B. Test coverage should be restricted to functional requirements. C. Automated tests should be performed through the use of scripting. D. The number of required test runs should be reduced by retesting only defect fixes.

You are correct, the answer is A. A. The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements because complexity tends to increase the likelihood of defects. B. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. C. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. D. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress (i.e., introduced errors in parts of the system that were previously working correctly). For this reason, it is a good practice to undertake formal regression testing after defect fixes have been implemented.

An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production? Select an answer: A. Server configuration has been hardened appropriately. B. Allocated physical resources are available. C. System administrators are trained to use the virtual machine (VM) architecture. D. The VM server is included in the disaster recovery plan (DRP).

You are correct, the answer is A. A. The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all non-required functions before production, especially when production architecture is different from development and testing architecture. B. The greatest risk is associated with the difference between the testing and production environments. Ensuring that physical resources are available is a relatively low risk and easily addressed. C. Virtual machines (VMs) are often used for optimizing programming and testing infrastructure. In this scenario, the development environment (VM architecture) is different from the production infrastructure (physical three-tier). Because the VMs are not related to the web application in production, there is no real requirement for the system administrators to be familiar with a virtual environment. D. Because the VMs are only used in a development environment and not in production, it may not be necessary to include VMs in the disaster recovery plan (DRP).

The PRIMARY objective of service-level management (SLM) is to: Select an answer: A. define, agree on, record and manage the required levels of service. B. ensure that services are managed to deliver the highest achievable level of availability. C. keep the costs associated with any service at a minimum. D. monitor and report any legal noncompliance to business management.

You are correct, the answer is A. A. The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. B. SLM does not necessarily ensure that services are delivered at the highest achievable level of availability (e.g., redundancy and clustering). Although maximizing availability might be necessary for some critical services, it cannot be applied as a general rule of thumb. C. SLM cannot ensure that costs for all services will be kept at a low or minimum level because costs associated with a service will directly reflect the customer's requirements. D. Monitoring and reporting legal noncompliance is not a primary objective of SLM.

Determining the service delivery objective (SDO) should be based PRIMARILY on: Select an answer: A. the minimum acceptable operational capability. B. the cost-effectiveness of the restoration process. C. meeting the recovery time objectives (RTOs). D. the allowable interruption window (AIW).

You are correct, the answer is A. A. The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs. B. The cost-effectiveness of the restoration process is not the main consideration of determining the SDO. C. Meeting the recovery time objectives (RTO) may be one of the considerations in determining the SDO, but it is a secondary factor. D. The allowable interruption window (AIW) may be one of the factors secondary to determining the SDO.

Due to a reorganization, a business application system will be extended to other departments. Which of the following should be of the GREATEST concern for an IS auditor? Select an answer: A. Process owners have not been identified. B. The billing cost allocation method has not been determined. C. Multiple application owners exist. D. A training program does not exist.

You are correct, the answer is A. A. When one application is expanded to multiple departments, it is important to ensure the mapping between the process owner and system functions. In the absence of a defined process owner, there may be issues in respect to monitoring or authorization controls. B. The allocation method of application usage cost is of less importance. C. The fact that multiple application owners exist is not a concern for an IS auditor as long as process owners have been identified. D. The fact that a training program does not exist would only be a minor concern for the IS auditor.

Which of the following assures an enterprise of the existence and effectiveness of internal controls relative to the service provided by a third party? Select an answer: A. The current service level agreement (SLA) B. A recent external audit report C. The current business continuity plan (BCP) procedures D. A recent disaster recovery plan (DRP) test report

You are correct, the answer is B. A. A service level agreement (SLA) defines the contracted level of service; however, it would not provide assurance related to internal controls. B. An independent third-party audit report such as Statements on Standards for Attestation Engagements (SSAE) 16 would provide assurance of the existence and effectiveness of internal controls at the third party. C. While a business continuity plan (BCP) is essential, it would not provide assurance related to internal controls. D. While a disaster recovery plan (DRP) is essential, it would not provide assurance related to internal controls.

There are several methods of providing telecommunication continuity. The method of routing traffic through split cable or duplicate cable facilities is called: Select an answer: A. alternative routing. B. diverse routing. C. long-haul network diversity. D. last-mile circuit protection.

You are correct, the answer is B. A. Alternative routing is a method of routing information via an alternate medium such as copper cable or fiber optics. This involves the use of different networks, circuits or end points should the normal network be unavailable. B. Diverse routing routes traffic through split-cable facilities or duplicate-cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual-entrance facilities. This type of access is time consuming and costly. C. Long-haul network diversity is a diverse, long-distance network utilizing different packet switching circuits among the major long-distance carriers. It ensures long-distance access should any carrier experience a network failure. D. Last-mile circuit protection is a redundant combination of local carrier T-1s (E-1s in Europe), microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local-carrier routing is also utilized.

An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if: Select an answer: A. the setup is geographically dispersed. B. the network servers are clustered in one site. C. a hot site is ready for activation. D. diverse routing is implemented for the network.

You are correct, the answer is B. A. Dispersed geographic locations provide backup if a site has been destroyed. B. A clustered setup in one location makes the entire network vulnerable to natural disasters or other disruptive events. C. A hot site would also be a good alternative for a single point-of-failure site. D. Diverse routing provides telecommunications backup if a network is not available.

An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS auditor should FIRST: Select an answer: A. draft an audit finding and discuss it with the auditor in charge. B. determine the sensitivity of the information on the hard drives. C. discuss with the IT manager the good practices in data disposal. D. develop an appropriate data disposal policy for the enterprise.

You are correct, the answer is B. A. Drafting a finding without a quantified risk would be premature. B. Even though a policy is not available, the IS auditor should make a determination as to the nature of the information on the hard drives to quantify, as much as possible, the risk. C. It would be premature to discuss good practices with the IT manager until the extent of the incident has been quantified. D. An IS auditor should not develop policies.

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server? Select an answer: A. Manually copy files to accomplish replication. B. Review changes in the software version control system. C. Ensure that developers do not have access to the backup server. D. Review the access control log of the backup server.

You are correct, the answer is B. A. Even if replication is be conducted manually with due care, there still remains a risk to copying unauthorized software from one server to another. B. It is common practice for software changes to be tracked and controlled using version control software. An IS auditor should review reports or logs from this system to identify the software that is promoted to production. Only moving the versions on the version control system (VCS) program will prevent the transfer of development or earlier versions. C. If unauthorized code was introduced onto the backup server by developers, controls on the production server and the software version control system should mitigate this risk. D. Review of the access log will identify staff access or the operations performed; however, it may not provide enough information to detect the release of unauthorized software.

Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device? Select an answer: A. Hubs B. Switches C. Routers D. Firewalls

You are correct, the answer is B. A. Hubs will broadcast all data to all network ports. B. Switches are at a low level of network security and transmit a packet to the device to which it is addressed. This reduces the ability of one device to capture the packets that are meant for another device. C. Routers allow packets to be given or denied access based on the addresses of the sender and receiver, and the type of packet. D. Firewalls are a collection of computer and network equipment used to allow communications to flow out of the organization and restrict communications flowing into the organization.

The knowledge base of an expert system that uses questionnaires to lead the user through a series of choices before a conclusion is reached is known as: Select an answer: A. rules. B. decision trees. C. semantic nets. D. dataflow diagrams.

You are correct, the answer is B. A. Rules refer to the expression of declarative knowledge through the use of if-then relationships. B. Decision trees use questionnaires to lead a user through a series of choices until a conclusion is reached. C. Semantic nets consist of a graph in which nodes represent physical or conceptual objects and the arcs describe the relationship between the nodes. D. A dataflow diagram is used to map the progress of data through a system and examine logic, error handling and data management.

Following good practices, formal plans for implementation of new information systems are developed during the: Select an answer: A. development phase. B. design phase. C. testing phase. D. deployment phase.

You are correct, the answer is B. A. The implementation plans are updated during the development of the system, but the plans were already addressed during the design phase. B. The method of implementation may affect the design of the system. Therefore, planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses. C. The testing phase focuses on testing the system and is not concerned with implementation planning. D. The deployment phase implements the system according to the plans set out earlier in the design phase.

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk? Select an answer: A. Undocumented approval of some project changes B. Faulty migration of historical data from the old system to the new system C. Incomplete testing of the standard functionality of the ERP subsystem D. Duplication of existing payroll permissions on the new ERP subsystem

You are correct, the answer is B. A. Undocumented changes (leading to scope creep) are a risk, but the greatest risk is the loss of data integrity when migrating data from the old system to the new system. B. The most significant risk after a payroll system conversion is loss of data integrity and not being able to pay employees in a timely and accurate manner or have records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount. C. A lack of testing is always a risk; however, in this case, the new payroll system is a subsystem of an existing commercially available (and therefore probably well-tested) system. D. Setting up the new system, including access permissions and payroll data, always presents some level of risk; however, the greatest risk is related to the migration of data from the old system to the new system.

An IS auditor is conducting a postimplementation review of an enterprise's network. Which of the following findings would be of MOST concern? Select an answer: A. Wireless mobile devices are not password-protected. B. Default passwords are not changed when installing network devices. C. An outbound web proxy does not exist. D. All communication links do not utilize encryption.

You are correct, the answer is B. A. While mobile devices that are not password-protected would be a risk, it would not be as significant as unsecured network devices. B. The most significant risk in this case would be if the factory default passwords are not changed on critical network equipment. This could allow anyone to change the configurations of network equipment. C. The use of a web proxy is a good practice but may not be required depending on the enterprise. D. Encryption is a good control for data security but is not appropriate to use for all communication links due to cost and complexity.

During the system testing phase of an application development project the IS auditor should review the: Select an answer: A. conceptual design specifications. B. vendor contract. C. error reports. D. program change requests.

You are correct, the answer is C. A. A conceptual design specification is a document prepared during the requirements definition phase. The system testing will be based on a test plan. B. A vendor contract is prepared during a software acquisition process and may be reviewed to ensure that all the deliverables in the contract have been delivered, but the most important area of review is the error reports. C. Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors. D. Program change requests would be reviewed normally as a part of the postimplementation phase.

Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a limited recovery budget? Select an answer: A. A hot site maintained by the business B. A commercial cold site C. A reciprocal arrangement between its offices D. A third-party hot site

You are correct, the answer is C. A. A hot site maintained by the business would be a costly solution but would provide a high degree of confidence. B. Multiple cold sites leased for the multiple offices would lead to an ineffective solution with poor availability. C. For a business having many offices within a region, a reciprocal arrangement among its offices would be most appropriate. Each office could be designated as a recovery site for some other office. This would be the least expensive approach and would provide an acceptable level of confidence. D. A third-party facility for recovery is provided by a traditional hot site. This would be a costly approach providing a high degree of confidence.

When two or more systems are integrated, the IS auditor must review input/output controls in the: Select an answer: A. systems receiving the output of other systems. B. systems sending output to other systems. C. systems sending and receiving data. D. interfaces between the two systems.

You are correct, the answer is C. A. A responsible control is to protect downstream systems from contamination from an upstream system. This requires a system that sends data to review its output and the receiving system to review its input. B. Systems sending data to other systems should ensure that the data they send are correct, but that would not protect the receiving system from transmission errors. C. Both of the systems must be reviewed for input/output controls because the output for one system is the input for the other. D. The interfaces must be set up correctly and provide error controls, but good practice is also to review the data before sending and after receipt.

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to: Select an answer: A. acknowledge receipt of electronic orders with a confirmation message. B. perform reasonableness checks on quantities ordered before filling orders. C. verify the identity of senders and determine if orders correspond to contract terms. D. encrypt electronic orders.

You are correct, the answer is C. A. Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers. B. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company's orders, not the authenticity of its customers' orders. C. An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern. D. Encrypting sensitive messages is an appropriate step but does not prove authenticity of messages received.

An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk? Select an answer: A. Pilot B. Parallel C. Direct cutover D. Phased

You are correct, the answer is C. A. All other alternatives are done gradually and, thus, provide greater recoverability and are less risky. A pilot implementation is the implementation of the system at a single location or region and then a rollout of the system to the rest of the organization after the application and implementation plan have been proven to work correctly at the pilot location. B. A parallel test requires running both the old and new system in parallel for a time period. This would highlight any problems or inconsistencies between the old and new systems. C. Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. This is the riskiest approach and may cause a significant impact on the organization. D. A phased approach is used to implement the system in phases or sections—this minimizes the overall risk by only affecting one area at a time.

When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software: A. was installed, but not documented in the IT department records. B. was being used by users not properly trained in its use. C. is not listed in the approved software standards document. D. license will expire in the next 15 days.

You are correct, the answer is C. A. All software, including licenses, should be documented in IT department records, but this is not as serious as the violation of policy in installing unapproved software. B. Discovering that users have not been formally trained in the use of a software product is common, and while not ideal, most software includes help files and other tips that can assist in learning how to use the software effectively. C. The installation of software that is not allowed by policy is a serious violation and could put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies. D. A software license that is about to expire is not a risk if there is a process in place to renew it.

An IS auditor is assessing services provided by an Internet service provider (ISP) during an IS compliance audit of a nationwide corporation that operates a governmental program. Which of the following is MOST important? Select an answer: A. Review the request for proposal (RFP). B. Review monthly performance reports generated by the ISP. C. Review the service level agreement (SLA). D. Research other clients of the ISP.

You are correct, the answer is C. A. Because the request for proposal (RFP) is not the contracted agreement, it is more relevant to review the terms of the SLA. B. The reports from the Internet service provider (ISP) are indirect evidence that may require further review to ensure accuracy and completeness. C. A service level agreement (SLA) provides the basis for an adequate assessment of the degree to which the provider is meeting the level of agreed-on service. D. The services provided to other clients of the ISP are irrelevant to the IS auditor.

To verify that the correct version of a data file was used for a production run, an IS auditor should review: Select an answer: A. operator problem reports. B. operator work schedules. C. system logs. D. output distribution reports.

You are correct, the answer is C. A. Operator problem reports are used by operators to log computer operation problems. B. Operator work schedules are maintained to assist in human resource planning. C. System logs are automated reports which identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The IS auditor can then carry out tests to ensure that the correct file version was used for a production run. D. Output distribution reports identify all application reports generated and their distribution.

Responsibility and reporting lines cannot always be established when auditing automated systems because: Select an answer: A. diversified control makes ownership irrelevant. B. staff traditionally changes jobs with greater frequency. C. ownership is difficult to establish where resources are shared. D. duties change frequently in the rapid development of technology.

You are correct, the answer is C. A. Ownership is required to ensure that someone has responsibility for the secure and proper operation of a system and the protection of data. B. The movement of staff is not a serious issue because the responsibility should be linked to a job description, not an individual. C. The actual data and/or application owner may be hard to establish because of the complex nature of both data and application systems and many systems support more than one business department. D. Duties may change frequently, but that does not absolve the organization of having a declared owner for systems and data.

The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning (ERP) system. As the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization by using this strategy? Select an answer: A. Significant cost savings over other testing approaches B. Assurance that new, faster hardware is compatible with the new system C. Assurance that the new system meets functional requirements D. Increased resiliency during the parallel processing time

You are correct, the answer is C. A. Parallel operation provides a high level of assurance that the new system functions properly compared to the old system. Parallel operation is generally expensive and would not provide a cost savings over most other testing approaches. In many cases, parallel operation is the most expensive form of system testing due to the need for dual data entry, dual sets of hardware, dual maintenance and dual backups—it is twice the amount of work as running a production system and, therefore, costs more time and money. B. Hardware compatibility should be determined and tested much earlier in the conversion project and is not an advantage of parallel operation. Compatibility is generally determined based on the application's published specifications and on system testing in a lab environment. Parallel operation is designed to test the application's effectiveness and integrity of application data, not hardware compatibility. In general, hardware compatibility relates more to the operating system level than to a particular application. While new hardware in a system conversion must be tested under a real production load, this can be done without parallel systems. C. Parallel operation is designed to provide assurance that a new system meets its functional requirements. This is the safest form of system conversion testing because, if the new system fails, the old system is still available for production use. In addition, this form of testing allows the application developers and administrators to simultaneously run operational tasks (batch jobs, backups) on both systems to ensure that the new system is reliable before unplugging the old system. D. Increased resiliency during parallel processing is a legitimate outcome from this scenario, but the advantage it provides is temporary and minor, so this is not the correct answer.

In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations? Select an answer: A. Physical security measures B. Total number of subscribers C. Number of subscribers permitted to use a site at one time D. References by other users

You are correct, the answer is C. A. Physical security measures are not always part of the contract, although they are an important consideration when choosing a third-party site. B. The total number of subscribers is a consideration, but more important is whether the agreement limits the number of subscribers in a building or in a specific area. It is also good to know if other subscribers are competitors. C. The contract should specify the number of subscribers permitted to use the site at any one time. The contract can be written to give preference to certain subscribers. D. The references that other users can provide are a consideration taken before signing the contract; it is by no means part of the contractual provisions.

Which of the following BEST ensures the integrity of a server's operating system (OS)? Select an answer: A. Protecting the server in a secure location B. Setting a boot password C. Hardening the server configuration D. Implementing activity logging

You are correct, the answer is C. A. Protecting the server in a secure location is a good practice, but it does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS). B. Setting a boot password is a good practice but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS. C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS. D. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them.

A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines (ATMs). Which of the following would be the BEST contingency plan for the communications processor? Select an answer: A. Reciprocal agreement with another organization B. Alternate processor in the same location C. Alternate processor at another network node D. Installation of duplex communication links

You are correct, the answer is C. A. Reciprocal agreements make an organization dependent on the other organization and raise privacy, competition and regulatory issues. B. Having an alternate processor in the same location resolves the equipment problem, but would not be effective if the failure was caused by environmental conditions (i.e., power disruption). C. The unavailability of the central communications processor would disrupt all access to the banking network. This could be caused by an equipment, power or communications failure. Having a duplicate processor in another location that could be used for alternate processing is the best solution. D. The installation of duplex communication links would only be appropriate if the failure were limited to the communication link.

Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)? Select an answer: A. A service adjustment resulting from an exception report took a day to implement. B. The complexity of application logs used for service monitoring made the review difficult. C. Performance measures were not included in the SLA. D. The document is updated on an annual basis.

You are correct, the answer is C. A. Resolving issues related to exception reports is an operational issue that should be addressed in the service level agreement (SLA); however, a response time of one day may be acceptable depending on the terms of the SLA. B. The complexity of application logs is an operational issue, which is not related to the SLA. C. Lack of performance measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided. D. While it is important that the document be current, depending on the term of the agreement, it may not be necessary to change the document more frequently than annually.

An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation? Select an answer: A. Log all table update transactions. B. Implement before-and-after image reporting. C. Use tracing and tagging. D. Implement integrity constraints in the database.

You are correct, the answer is D. A. Logging all table update transactions is a detective control that would not help avoid invalid data entry. B. Implementing before-and-after image reporting is a detective control that would not help avoid the situation. C. Tracing and tagging are used to test application systems and controls and could not prevent out-of-range data. D. Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, preventing any undefined data from being entered.

Two months after a major application implementation, management, who assume that the project went well, requests that an IS auditor perform a review of the completed project. The IS auditor's PRIMARY focus should be to: Select an answer: A. determine user feedback on the system has been documented. B. assess whether the planned cost benefits are being measured, analyzed and reported. C. review controls built into the system to assure that they are operating as designed. D. review subsequent program change requests.

You are correct, the answer is C. A. The IS auditor should check whether user feedback has been provided, but this is not the most important area for audit. B. It is important to assess the effectiveness of the project; however, assuring that the production environment is adequately controlled after the implementation is of primary concern. C. Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed. D. Reviewing change requests may be a good idea, but this is more important if the application is perceived to have a problem.

The specific advantage of white box testing is that it: Select an answer: A. verifies a program can operate successfully with other parts of the system. B. ensures a program's functional operating effectiveness without regard to the internal program structure. C. determines procedural accuracy or conditions of a program's specific logic paths. D. examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.

You are correct, the answer is C. A. Verifying the program can operate successfully with other parts of the system is sociability testing. B. Testing the program's functionality without knowledge of internal structures is black box testing. C. White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths. D. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sand box testing.

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST: Select an answer: A. determine whether system developers have proper training on adequate security measures. B. determine whether system administrators have disabled security controls for any reason. C. verify that security requirements have been properly specified in the project plan. D. validate whether security controls are based on requirements which are no longer valid.

You are correct, the answer is C. A. While it is important for programmers to understand security, it is more important that the security requirements were properly stated in the project plan. B. System administrators may have made changes to the controls, but it is assumed that the auditor is reviewing the system as designed a week prior to implementation so the administrators have not yet configured the system. C. If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. Depending on whether the requirements were included in the plan would affect the recommendations the auditor would make. D. It is possible that security requirements will change over time based on new threats or vulnerabilities, but if critical controls are missing, this points toward a faulty design that was based on incomplete requirements.

Which of the following BEST helps an IS auditor assess and measure the value of a newly implemented system? Select an answer: A. Review of business requirements B. System certification C. Postimplementation review D. System accreditation

You are correct, the answer is C. A. While reviewing the business requirements is important, only a postimplementation review provides evidence that the project met the business requirements. B. System certification involves performing a comprehensive assessment against a standard of management, operational and technical controls in an information system to examine the level of compliance in meeting certain requirements such as standards, policies, processes, procedures, work instructions and guidelines. C. One key objective of a postimplementation review is to evaluate the projected cost-benefits or the return on investment (ROI) measurements. D. System accreditation is an official management decision to authorize operation of an information system and to explicitly accept the risk to the organization's operations, assets or individuals based on the implementation of an agreed-on set of requirements and security controls.

An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation? Select an answer: A. Ensure that audit trails are accurate and specific. B. Ensure that personnel have adequate training. C. Ensure that personnel background checks are performed for critical personnel. D. Ensure that supervisory approval and review are performed for critical changes.

You are correct, the answer is D. A. Audit trails are a detective control and, in many cases, can be altered by those with privileged access. B. Staff proficiency is important and good training may be somewhat of a deterrent, but supervisory approval and review is the best choice. C. Performing background checks is a very basic control and will not effectively prevent or detect errors or malfeasance. D. Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee.

During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed? Select an answer: A. Field definition B. Master table definition C. Composite keys D. Foreign key structure

You are correct, the answer is D. A. Field definitions describe the layout of the table but are not directly related to referential integrity. B. Master table definition describes the structure of the database but is not directly related to referential integrity. C. Composite keys describe how the keys are created but are not directly related to referential integrity. D. Referential integrity in a relational database refers to consistency between coupled (linked) tables. Referential integrity is usually enforced by the combination of a primary key or candidate key (alternate key) and a foreign key. For referential integrity to hold, any field in a table that is declared a foreign key should contain only values from a parent table's primary key or a candidate key.

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers? Select an answer: A. Minimizing costs for the services provided B. Prohibiting the provider from subcontracting services C. Evaluating the process for transferring knowledge to the IT department D. Determining if the services were provided as contracted

You are correct, the answer is D. A. Minimizing costs, if applicable and achievable (depending on the customer's need), is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department. Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements. B. Subcontracting providers could be a concern but would not be the primary concern. This should be addressed in the contract. C. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof. D. From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements.

Which of the following carries the LOWEST risk when managing failures while transitioning from legacy applications to new applications? Select an answer: A. Phased changeover B. Abrupt changeover C. Rollback procedure D. Parallel changeover

You are correct, the answer is D. A. Phased changeover involves the changeover from the old system to the new system in a phased manner. Therefore, at no time will the old system and the new system both be fully operational as one integrated system. B. In abrupt changeover, the new system is changed from the old system on a cutoff date and time, and the old system is discontinued after changeover to the new system takes place. Therefore, the old system is not available as a backup if there are problems when the new system is implemented. C. Rollback procedures involve restoring all systems to their previous working state; however, parallel changeover is the better strategy. D. Parallel changeover involves first running the old system, then running both the old and new systems in parallel, and finally fully changing to the new system after gaining confidence in the functionality of the new system.

The application systems of an organization using open-source software have no single recognized developer producing patches. Which of the following would be the MOST secure way of updating open-source software? Select an answer: A. Rewrite the patches and apply them. B. Review the code and application of available patches. C. Develop in-house patches. D. Identify and test suitable patches before applying them.

You are correct, the answer is D. A. Rewriting the patches and applying them would require skilled resources and time to rewrite the patches. B. Code review could be possible, but tests need to be performed before applying the patches. C. Because the system was developed outside the organization, the IT department may not have the necessary skills and resources to develop patches. D. Suitable patches from the existing developers should be selected and tested before applying them.

An IS auditor is reviewing system development for a health care organization with two application environments—production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation? Select an answer: A. The test environment may not have adequate controls to ensure data accuracy. B. The test environment may produce inaccurate results due to use of production data. C. Hardware in the test environment may not be identical to the production environment. D. The test environment may not have adequate access controls implemented to ensure data confidentiality.

You are correct, the answer is D. A. The accuracy of data used in the test environment is not of significant concern as long as these data are representative of the production environment. B. Using production data in the test environment would not cause test results to be inaccurate. If anything, using production data would improve the accuracy of testing processes because the data would most closely mirror the production environment. In spite of that fact, the risk of data disclosure or unauthorized access in the test environment is still significant and, as a result, production data should not be used in the test environment. This is especially important in a health care organization where patient data confidentiality is critical and privacy laws in many countries impose strict penalties on misuse of these data. C. Hardware in the test environment should mirror the production environment to ensure that testing is reliable. However, this does not relate to the risk from using live data in a test environment. This is not the correct answer because it does not relate to the risk presented in the scenario. D. In many cases, the test environment is not configured with the same access controls that are enabled in the production environment. For example, programmers may have privileged access to the test environment (for testing), but not to the production environment. If the test environment does not have adequate access control, the production data are subject to risk of unauthorized access and/or data disclosure. This is the most significant risk of the choices listed.

Which of the following line media would provide the BEST security for a telecommunication network? Select an answer: A. Broadband network digital transmission B. Baseband network C. Dial-up D. Dedicated lines

You are correct, the answer is D. A. The secure use of broadband communications is subject to whether the network is shared with other users, the data are encrypted and the risk of network interruption. B. A baseband network is one that is usually shared with many other users and requires encryption of traffic but still may allow some traffic analysis by an attacker. C. A dial-up line is fairly secure because it is a private connection, but it is too slow to be considered for most commercial applications today. D. Dedicated lines are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.

Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime? Select an answer: A. Utilization reports B. Hardware error reports C. System logs D. Availability reports

You are correct, the answer is D. A. Utilization reports document the use of computer equipment, and can be used by management to predict how, where and/or when resources are required. B. Hardware error reports provide information to aid in detecting hardware failures and initiating corrective action. These error reports may not indicate actual system uptime. C. System logs are used for recording the system's activities. They may not indicate availability. D. IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes.