Domain 3

Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program? A. A system downtime log B. Vendors reliability figures C. Regularly scheduled maintenance log D. A written preventive maintenance schedule

A. A system downtime log Explanation: A system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs.

****Time constraints and expanded needs have been found by an IS auditor to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? A. Achieve standards alignment through an increase of resources devoted to the project B. Align the data definition standards after completion of the project C. Delay the project until compliance with standards can be achieved D. Enforce standard compliance by adopting punitive measures against violators

A. Achieve standards alignment through an increase of resources devoted to the project Explanation: Provided that data architecture, technical, and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. The usage of nonstandard data definitions would lower the efficiency of the new development, and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion (choice B) is risky and is not a viable solution. On the other hand, punishing the violators (choice D) or delaying the project (choice C) would be an inappropriate suggestion because of the likely damage to the entire project profitability.

Which of the following situations would increase the likelihood of fraud? A. Application programmers are implementing changes to production programs. B. Application programmers are implementing changes to test programs. C. Operations support staff are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures.

A. Application programmers are implementing changes to production programs. Explanation: Production programs are used for processing an enterprises data. It is imperative that controls on changes to production programs are stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database.

****Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? A. Applications may not be subject to testing and IT general controls B. increased development and maintenance costs C. increased application development time D. Decision-making may be impaired due to diminished responsiveness to requests for information

A. Applications may not be subject to testing and IT general controls Explanation: End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. End-user computing (EUC) systems typically result in reduced application development and maintenance costs, and a reduced development cycle time. EUC systems normally increase flexibility and responsiveness to managements information requests.

An IS auditor is performing an audit of a network operating system. Which of the following is a user feature the IS auditor should review? A. Availability of online network documentation B. Support of terminal access to remote hosts C. Handling file transfer between hosts and interuser communications D. Performance management, audit and control

A. Availability of online network documentation Explanation: Network operating system user features include online availability of network documentation. Other features would be user access to various resources of network hosts, user authorization to access particular resources, and the network and host computers used without special user actions or commands. Choices B, C and D are examples of network operating systems functions.

****An IS auditor finds that user acceptance testing of a new system is being repeatedly interrupted as defect fixes are implemented by developers. Which of the following would be the BEST recommendation for an IS auditor to make? A. Consider feasibility of a separate user acceptance environment B. Schedule user testing to occur at a given time each day C. implement a source code version control tool D. Only retest high priority defects

A. Consider feasibility of a separate user acceptance environment Explanation: A separate environment or environments is normally necessary for testing to be efficient and effective, and to ensure the integrity of production code, it is important that the development and testing code base be separate. When defects are identified they can be fixed in the development environment, without interrupting testing, before being migrated in a controlled manner to the test environment. A separate test environment can also be used as the final staging area from which code is migrated to production. This enforces a separation between development and production code. The logistics of setting up and refreshing customized test data is easier if a separate environment is maintained. If developers and testers are sharing the same environment, they have to work effectively at separate times of the day. It is unlikely that this would provide optimum productivity. Use of a source code control tool is a good practice, but it does not properly mitigate the lack of an appropriate testing environment. Even low priority fixes run the risk of introducing unintended results when combined with the rest of the system code. To prevent this, regular regression testing covering all code changes should occur. A separate test environment makes the logistics of regression testing easier to manage.

________________ (fill in the blank) should be implemented as early as data preparation to support data integrity at the earliest point possible. A. Control totals B. Authentication controls C. Parity bits D. Authorization controls

A. Control totals

@@Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend? A. Develop a baseline and monitor system usage. B. Define alternate processing procedures. C. Prepare the maintenance manual. D. implement the changes users have suggested.

A. Develop a baseline and monitor system usage. Explanation: An IS auditor should recommend the development of a performance baseline and monitor the systems performance, against the baseline, to develop empirical data upon which decisions for modifying the system can be made. Alternate processing procedures and a maintenance manual will not alter a systems performance. Implementing changes without knowledge of the cause(s) for the perceived poor performance may not result in a more efficient system.

@@An IS auditor observes a weakness in the tape management system at a data center in that some parameters are set to bypass or ignore tape header records. Which of the following is the MOST effective compensating control for this weakness? A. Staging and job set up B. Supervisory review of logs C. Regular back-up of tapes D. Offsite storage of tapes

A. Staging and job set up Explanation: If the IS auditor finds that there are effective staging and job set up processes, this can be accepted as a compensating control. Choice B is a detective control while choices C and D are corrective controls, none of which would serve as good compensating controls.

In an audit of an inventory application, which approach would provide the BEST evidence that purchase orders are valid? A. Testing whether inappropriate personnel can change application parameters B. Tracing purchase orders to a computer listing C. Comparing receiving reports to purchase order details D. Reviewing the application documentation

A. Testing whether inappropriate personnel can change application parameters Explanation: To determine purchase order validity, testing access controls will provide the best evidence. Choices B and C are based on after-the-fact approaches, while choice D does not serve the purpose because what is in the system documentation may not be the same as what is happening.

****A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced? A. Verifying production to customer orders B. Logging all customer orders in the ERP system C. Using hash totals in the order transmitting process D. Approving (production supervisor) orders prior to production

A. Verifying production to customer orders Explanation: Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time consuming, manual process that does not guarantee proper control.

Passwords should be: A. assigned by the security administrator for first time logon. B. changed every 30 days at the discretion of the user. C. reused often to ensure the user does not forget the password. D. displayed on the screen so that the user can ensure that it has been entered properly.

A. assigned by the security administrator for first time logon. Explanation: Initial password assignment should be done discretely by the security administrator. Passwords should be changed often (e.g., every 30 days); however, changing should not be voluntary, it should be required by the system. Systems should not permit previous passwords to be used again. Old passwords may have been compromised and would thus permit unauthorized access. Passwords should not be displayed in any form.

An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditors MAIN concern should be that the: A. complexity and risks associated with the project have been analyzed. B. resources needed throughout the project have been determined. C. project deliverables have been identified. D. a contract for external parties involved in the project has been completed.

A. complexity and risks associated with the project have been analyzed. Explanation: Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome. The other choices, while important during the course of the project, cannot be fully determined at the time the project is initiated, and are often contingent upon the risk and complexity of the project.

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a: A. correlation of semantic characteristics of the data migrated between the two systems. B. correlation of arithmetic characteristics of the data migrated between the two systems. C. correlation of functional characteristics of the processes between the two systems. D. relative efficiency of the processes between the two systems.

A. correlation of semantic characteristics of the data migrated between the two systems. Explanation: Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditors main concern should be to verify that the interpretation of the data is the same in the new as it was in the old system. Arithmetic characteristics represent aspects of data structure and internal definition in the database, and therefore are less important than the semantic characteristics. A review of the correlation of the functional characteristics or a review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

In the process of evaluating program change controls, an IS auditor would use source code comparison software to: A. examine source program changes without information from IS personnel. B. detect a source program change made between acquiring a copy of the source and the comparison run. C. confirm that the control copy is the current version of the production program. D. ensure that all changes made in the current source copy are detected.

A. examine source program changes without information from IS personnel. Explanation: An IS auditor has an objective, independent and relatively complete assurance of program changes because the source code comparison will identify changes. Choice B is incorrect, because the changes made since the acquisition of the copy are not included in the copy of the software. Choice C is incorrect, as an IS auditor will have to gain this assurance separately. Choice D is incorrect, because any changes made between the time the control copy was acquired and the source code comparison is made will not be detected.

Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the: A. existence of a set of functions and their specified properties. B. ability of the software to be transferred from one environment to another. C. capability of software to maintain its level of performance under stated conditions. D. relationship between the performance of the software and the amount of resources used.

A. existence of a set of functions and their specified properties. Explanation: Functionality is the set of attributes that bears on the existence of a set of functions and their specified properties. The functions are those that satisfy stated or implied needs. Choice B refers to portability; choice C refers to reliability and choice D refers to efficiency.

A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy: A. payroll reports should be compared to input forms. B. gross payroll should be recalculated manually. C. checks (cheques) should be compared to input forms. D. checks (cheques) should be reconciled with output reports.

A. payroll reports should be compared to input forms. Explanation: The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) with the results of the payroll reports. Hence, comparing payroll reports with input forms is the best mechanism of verifying data accuracy. Recalculating gross payroll manually would only verify whether the processing is correct and not the data accuracy of inputs. Comparing checks (cheques) to input forms is not feasible as checks (cheques)have the processed information and input forms have the input data. Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been issued as per output reports.

During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely: A. review access control configuration B. evaluate interface testing. C. review detailed design documentation. D. evaluate system testing.

A. review access control configuration Explanation: Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system, since these are usually vendor packages with user manuals. System testing should be performed before final user signoff.

***An IS auditor reviewing an organization's data privacy controls observes that privacy notices do not clearly state how the organization uses customer data for its processing operations. Which of the following data protection principles MUST be implemented to address this gap? A . Maintenance of data integrity B . Access to collected data C . Retention of consent documentation D . Purpose for data collection

B . Access to collected data

Processing controls ensure that data is accurate and complete, and is processed only through which of the following? A. Documented routines B. Authorized routines C. Accepted routines D. Approved routines

B. Authorized routines

Which of the following processes are performed during the design phase of the systems development life cycle (SDLC) model? A. Develop test plans. B. Baseline procedures to prevent scope creep. C. Define the need that requires resolution, and map to the major requirements of the solution. D. Program and test the new system. The tests verify and validate what has been developed.

B. Baseline procedures to prevent scope creep.

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs? A. System log analysis B. Compliance testing C. Forensic analysis D. Analytical review

B. Compliance testing Explanation: Determining that only authorized modifications are made to production programs would require the change management process be reviewed to evaluate the existence of a trail of documentary evidence. Compliance testing would help to verify that the change management process has been applied consistently. It is unlikely that the system log analysis would provide information about the modification of programs. Forensic analysis is a specialized technique for criminal investigation. An analytical review assesses the general control environment of an organization.

Parity bits are a control used to validate: A. Data authentication B. Data completeness C. Data source D. Data accuracy

B. Data completeness Explanation: Parity bits are a control used to validate data completeness

Which of the following will BEST ensure the successful offshore development of business applications? A. Stringent contract management practices B. Detailed and correctly applied specifications C. Awareness of cultural and political differences d. Post implementation reviews

B. Detailed and correctly applied specifications Explanation: When dealing with offshore operations, it is essential that detailed specifications be created. Language differences and a lack of interaction between developers and physically remote end users could create gaps in communication in which assumptions and modifications may not be adequately communicated. Contract management practices, cultural and political differences, and post implementation reviews, although important, are not as pivotal to the success of the project.

Which of the following should an IS auditor review to understand project progress in terms of time, budget and deliverables for early detection of possible overruns and for projecting estimates at completion (EACs)? A. Function point analysis B. Earned value analysis C. Cost budget D. Program Evaluation and Review Technique

B. Earned value analysis Explanation: Earned value analysis (EVA) is an industry standard method for measuring a projects progress at any given point in time, forecasting its completion date and final cost, and analyzing variances in the schedule and budget as the project proceeds. It compares the planned amount of work with what has actually been completed, to determine if the cost, schedule and work accomplished are progressing in accordance with the plan. EVA works most effectively if a well-formed work breakdown structure exists. Function point analysis (FPA) is an indirect measure of software size and complexity and, therefore, does not address the elements of time and budget. Cost budgets do not address time. PERT aids in time and deliverables management, but lacks projections for estimates at completion (EACs) and overall financial management.

An organization has an integrated development environment (IDE) on which the program libraries reside on the server, but modification/development and testing are done from PC workstations. Which of the following would be a strength of an IDE? A. Controls the proliferation of multiple versions of programs B. Expands the programming resources and aids available C. Increases program and processing integrity D. Prevents valid changes from being overwritten by other changes

B. Expands the programming resources and aids available Explanation: A strength of an IDE is that it expands the programming resources and aids available. The other choices are IDE weaknesses.

At the completion of a system development project, a post project review should include which of the following? A. Assessing risks that may lead to downtime after the production release B. Identifying lessons learned that may be applicable to future projects C. Verifying the controls in the delivered system are working D. Ensuring that test data are deleted

B. Identifying lessons learned that may be applicable to future projects

Which of the following controls would provide the GREATEST assurance of database integrity? A. Audit log procedures B. Table link/reference checks C. Query/table access time checks D. Rollback and roll forward database features

B. Table link/reference checks Explanation: Performing table link/reference checks serves to detect table linking errors (such as completeness and accuracy of the contents of the database), and thus provides the greatest assurance of database integrity. Audit log procedures enable recording of all events that have been identified and help in tracing the events. However, they only point to the event and do not ensure completeness or accuracy of the database-s contents. Querying/monitoring table access time checks helps designers improve database performance, but not integrity. Rollback and roll forward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of disruption, but do not provide assurance on the integrity of the contents of the database.

Run-to-run totals can verify data through which stage(s) of application processing? A. Initial B. Various C. Final D. Output

B. Various Explanation: Run-to-run totals can verify data through various stages of application processing.

The PRIMARY benefit of implementing a security program as part of a security governance framework is the: A. alignment of the IT activities with IS audit recommendations. B. enforcement of the management of security risks. C. implementation of the chief information security officers (CISO) recommendations. D. reduction of the cost for IT security.

B. enforcement of the management of security risks. Explanation: The major benefit of implementing a security program is managements assessment of risk and its mitigation to an appropriate level of risk, and the monitoring of the remaining residual risks. Recommendations, visions and objectives of the auditor and the chief information security officer (CISO) are usually included within a security program, but they would not be the major benefit. The cost of IT security may or may not be reduced.

The PRIMARY objective of a logical access control review is to: A. review access controls provided through software. B. ensure access is granted per the organizations authorities. C. walk through and assess the access provided in the IT environment. D. provide assurance that computer hardware is adequately protected against abuse.

B. ensure access is granted per the organizations authorities. Explanation: The scope of a logical access control review is primarily to determine whether or not access is granted per the organizations authorizations. Choices A and C relate to procedures of a logical access control review, rather than objectives. Choice D is relevant to a physical access control review.

When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should: A. not be concerned since there may be other compensating controls to mitigate the risks. B. ensure that overrides are automatically logged and subject to review. C. verify whether all such overrides are referred to senior management for approval. D. recommend that overrides not be permitted.

B. ensure that overrides are automatically logged and subject to review. Explanation: If input procedures allow overrides of data validation and editing, automatic logging should occur. A management individual who did not initiate the override should review this log. An IS auditor should not assume that compensating controls exist. As long as the overrides are policy- compliant, there is no need for senior management approval or a blanket prohibition.

Which of the following would be the MOST cost-effective recommendation for reducing the number of defects encountered during software development projects? A. increase the time allocated for system testing B. implement formal software inspections C. increase the development staff D. Require the sign-off of all project deliverables

B. implement formal software inspections Explanation: Inspections of code and design are a proven software quality technique. An advantage of this approach is that defects are identified before they propagate through the development life cycle. This reduces the cost of correction as less rework is involved. Allowing more time for testing may discover more defects; however, little is revealed as to why the quality problems are occurring and the cost of the extra testing, and the cost of rectifying the defects found will be greater than if they had been discovered earlier in the development process. The ability of the development staff can have a bearing on the quality of what is produced; however, replacing staff can be expensive and disruptive, and the presence of a competent staff cannot guarantee quality in the absence of effective quality management processes. Sign-off of deliverables may help detect defects if signatories are diligent about reviewing deliverable content; however, this is difficult to enforce. Deliverable reviews normally do not go down to the same level of detail as software inspections.

An IS auditor attempting to determine whether access to program documentation is restricted to authorized persons would MOST likely: A. evaluate the record retention plans for off-premises storage. B. interview programmers about the procedures currently being followed. C. compare utilization records to operations schedules. D. review data file access records to test the librarian function.

B. interview programmers about the procedures currently being followed. Explanation: Asking programmers about the procedures currently being followed is useful in determining whether access to program documentation is restricted to authorized persons. Evaluating the record retention plans for off-premises storage tests the recovery procedures, not the access control over program documentation. Testing utilization records or data files will not address access security over program documentation.

****An IS auditor is reviewing a project to implement a payment system between a parent bank and a subsidiary. The IS auditor should FIRST verify that the: A. technical platforms between the two companies are interoperable. B. parent bank is authorized to serve as a service provider. C. security features are in place to segregate subsidiary trades. D. subsidiary can join as a co-owner of this payment system.

B. parent bank is authorized to serve as a service provider. Explanation: Even between parent and subsidiary companies, contractual agreement(s) should be in place to conduct shared services. This is particularly important in highly regulated organizations such as banking. Unless granted to serve as a service provider, it may not be legal for the bank to extend business to the subsidiary companies. Technical aspects should always be considered; however, this can be initiated after confirming that the parent bank can serve as a service provider. Security aspects are another important factor; however, this should be considered after confirming that the parent bank can serve as a service provider. The ownership of the payment system is not as important as the legal authorization to operate the system.

Change control for business application systems being developed using prototyping could be complicated by the: A. iterative nature of prototyping. B. rapid pace of modifications in requirements and design. C. emphasis on reports and screens. D. lack of integrated tools.

B. rapid pace of modifications in requirements and design. Explanation: Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.

An IS auditor has identified the lack of an authorization process for users of an application. The IS auditors main concern should be that: A. more than one individual can claim to be a specific user. B. there is no way to limit the functions assigned to users. C. user accounts can be shared. D. users have a need-to-know privilege.

B. there is no way to limit the functions assigned to users Explanation: Without an appropriate authorization process, it will be impossible to establish functional limits and accountability. The risk that more than one individual can claim to be a specific user is associated with the authentication processes, rather than with authorization. The risk that user accounts can be shared is associated with identification processes, rather than with authorization. The need-to-know basis is the best approach to assigning privileges during the authorization process.

Information for detecting unauthorized input from a terminal would be BEST provided by the: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report.

B. transaction journal. Explanation: The transaction journal would record all transaction activity, which then could be compared to the authorized source documents to identify any unauthorized input. A console log printout is not the best, because it would not record activity from a specific terminal. An automated suspense file listing would only list transaction activity where an edit error occurred, while the user error report would only list input that resulted in an edit error.

Which of the following is the BEST type of program for an organization to implement to aggregate, correlate and store different log and event files, and then produce weekly and monthly reports for IS auditors? A. A security information event management (SIEM) product B. An open-source correlation engine C. A log management tool D. An extract, transform, load (ETL) system

C. A log management tool Explanation: A log management tool is a product designed to aggregate events from many log files (with distinct formats and from different sources), store them and typically correlate them offline to produce many reports (e.g., exception reports showing different statistics including anomalies and suspicious activities), and to answer time-based queries (e.g., how many users have entered the system between 2 a.m. and 4 a.m. over the past three weeks?). A SIEM product has some similar features. It correlates events from log files, but does it online and normally is not oriented to storing many weeks of historical information and producing audit reports. A correlation engine is part of a SIEM product. It is oriented to making an online correlation of events. An extract, transform, load (ETL) is part of a business intelligence system, dedicated to extracting operational or production data, transforming that data and loading them to a central repository (data warehouse or data mart); an ETL does not correlate data or produce reports, and normally it does not have extractors to read log file formats.

***An IS auditor finds that client requests were processed multiple times when received from different independent departmental databases, which are synchronized weekly. What would be the BEST recommendation? A. increase the frequency for data replication between the different department systems to ensure timely updates. B. Centralize all request processing in one department to avoid parallel processing of the same request. C. Change the application architecture so that common data are held in just one shared database for all departments. D. implement reconciliation controls to detect duplicates before orders are processed in the systems.

C. Change the application architecture so that common data are held in just one shared database for all departments. Explanation: Keeping the data in one place is the best way to ensure that data are stored without redundancy and that all users have the same data on their systems. Although increasing the frequency may help to minimize the problem, the risk of duplication cannot be eliminated completely because parallel data entry is still possible. Business requirements will most likely dictate where data processing activities are performed. Changing the business structure to solve an IT problem is not practical or politically feasible. Detective controls do not solve the problem of duplicate processing, and would require that an additional process be implemented to handle the discovered duplicates.

Which of the following is the GREATEST risk to the effectiveness of application system controls? A. Removal of manual processing steps B. inadequate procedure manuals C. Collusion between employees D. Unresolved regulatory compliance issues

C. Collusion between employees Explanation: Collusion is an active attack that can be sustained and is difficult to identify since even well-thought-out application controls may be circumvented. The other choices do not impact well-designed application controls.

After installing a network, an organization installed a vulnerability assessment tool or security scanner to identify possible weaknesses. Which is the MOST serious risk associated with such tools? A. Differential reporting B. False-positive reporting C. False-negative reporting D. Less-detail reporting

C. False-negative reporting Explanation: False-negative reporting on weaknesses means the control weaknesses in the network are not identified and therefore may not be addressed, leaving the network vulnerable to attack. False- positive reporting is one in which the controls are in place, but are evaluated as weak, which should prompt a rechecking of the controls. Less-detail reporting and differential reporting functions provided by these tools compare scan results over a period of time.

What is used as a control to detect loss, corruption, or duplication of data? A. Redundancy check B. Reasonableness check C. Hash totals D. Accuracy check

C. Hash totals

***Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A. Define a balanced scorecard (BSC) for measuring performance B. Consider user satisfaction in the key performance indicators (KPIs) C. Select projects according to business benefits and risks D. Modify the yearly process of defining the project portfolio

C. Select projects according to business benefits and risks Explanation: Prioritization of projects on the basis of their expected benefit(s) to business, and the related risks, is the best measure for achieving alignment of the project portfolio to an organizations strategic priorities. Modifying the yearly process of the projects portfolio definition might improve the situation, but only if the portfolio definition process is currently not tied to the definition of corporate strategies; however, this is unlikely since the difficulties are in maintaining the alignment, and not in setting it up initially. Measures such as balanced scorecard (BSC) and key performance indicators (KPIs) are helpful, but they do not guarantee that the projects are aligned with business strategy.

The GREATEST advantage of using web services for the exchange of information between two systems is: A. secure communications. B. improved performance. C. efficient interfacing. D. enhanced documentation.

C. efficient interfacing. Explanation: Web services facilitate the exchange of information between two systems, regardless of the operating system or programming language used. Communication is not necessarily securer or faster, and there is no documentation benefit in using web services.

A decision support system (DSS): A. is aimed at solving highly structured problems. B. combines the use of models with nontraditional data access and retrieval functions. C. emphasizes flexibility in the decision making approach of users. D. supports only structured decision making tasks.

C. emphasizes flexibility in the decision making approach of users. Explanation: DSS emphasizes flexibility in the decision making approach of users. It is aimed at solving less structured problems, combines the use of models and analytic techniques with traditional data access and retrieval functions, and supports semi structured decision making tasks.

During the system testing phase of an application development project the IS auditor should review the: A. conceptual design specifications. B. vendor contract. C. error reports. D. program change requests.

C. error reports. Explanation: Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors. A conceptual design specification is a document prepared during the requirements definition phase. A vendor contract is prepared during a software acquisition process. Program change requests would normally be reviewed as a part of the postimplementation phase.

An advantage in using a bottom-up vs. a top-down approach to software testing is that: A. interface errors are detected earlier. B. confidence in the system is achieved earlier. C. errors in critical modules are detected earlier. D. major functions and processing are tested earlier.

C. errors in critical modules are detected earlier. Explanation: The bottom-up approach to software testing begins with the testing of atomic units, such as programs and modules, and works upward until a complete system testing has taken place. The advantages of using a bottom-up approach to software testing are the fact that there is no need for stubs or drivers and errors in critical modules are found earlier. The other choices in this question all refer to advantages of a top-down approach, which follows the opposite path, either in depth-first or breadth-first search order.

A manager of a project was not able to implement all audit recommendations by the target date. The IS auditor should: A. recommend that the project be halted until the issues are resolved. B. recommend that compensating controls be implemented. C. evaluate risks associated with the unresolved issues. D. recommend that the project manager reallocate test resources to resolve the issues.

C. evaluate risks associated with the unresolved issues. Explanation: It is important to evaluate what the exposure would be when audit recommendations have not been completed by the target date. Based on the evaluation, management can accordingly consider compensating controls, risk acceptance, etc. All other choices might be appropriate only after the risks have been assessed.

***When implementing an application software package, which of the following presents the GREATEST risk? A. Uncontrolled multiple software versions B. Source programs that are not synchronized with object code C. incorrectly set parameters D. Programming errors.

C. incorrectly set parameters Explanation: Parameters that are not set correctly would be the greatest concern when implementing an application software package. The other choices, though important, are a concern of the provider, not the organization that is implementing the software itself.

The reason for establishing a stop or freezing point on the design of a new system is to: A. prevent further changes to a project in process. B. indicate the point at which the design is to be completed. C. require that changes after that point be evaluated for cost-effectiveness. D. provide the project management team with more control over the project design.

C. require that changes after that point be evaluated for cost-effectiveness. Explanation: Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost- benefits and the payback period.

An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error, and are not rolled back. Which of the following transaction processing features has been violated? A. Consistency B. Isolation C. Durability D. Atomicity

D. Atomicity Explanation: Atomicity guarantees that either the entire transaction is processed or none of it is. Consistency ensures that the database is in a legal state when the transaction begins and ends, isolation means that, while in an intermediate state, the transaction data is invisible to external operations. Durability guarantees that a successful transaction will persist, and cannot be undone.

Which of the following controls will MOST effectively detect the presence of bursts of errors in network transmissions? A. Parity check B. Echo check C. Block sum check D. Cyclic redundancy check

D. Cyclic redundancy check Explanation: The cyclic redundancy check (CRC) can check for a block of transmitted data. The workstations generate the CRC and transmit it with the data. The receiving workstation computes a CRC and compares it to the transmitted CRC. if both of them are equal. Then the block is assumed error free, in this case (such as in parity error or echo check), multiple errors can be detected. In general, CRC can detect all single-bit and bubble-bit errors. Parity check (known as vertical redundancy check) also involves adding a bit (known as the parity bit) to each character during transmission. In this case, where there is a presence of bursts of errors (i.e., impulsing noise during high transmission rates), it has a reliability of approximately 50 percent. Inhigher transmission rates, this limitation is significant. Echo checks detect line errors by retransmitting data to the sending device for comparison with the original transmission.

What should regression testing use to obtain accurate conclusions regarding the effects of changes or corrections to a program, and ensuring that those changes and corrections have not introduced new errors? A. Contrived data B. Independently created data C. Live data D. Data from previous tests

D. Data from previous tests

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? A. IS auditor B. Database administrator C. Project manager D. Data owner

D. Data owner Explanation: During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely, accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. However, an IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. A database administrators primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. A project manager provides day-to- day management and leadership of the project, but is not responsible for the accuracy and integrity of the data.

@@Which of the following controls would be MOST effective in ensuring that production source code and object code are synchronized? A. Release-to-release source and object comparison reports B. Library control software restricting changes to source code C. Restricted access to source code and object code D. Date and time-stamp reviews of source and object code

D. Date and time-stamp reviews of source and object code Explanation: Date and time-stamp reviews of source and object code would ensure that source code, which has been compiled, matches the production object code. This is the most effective way to ensure that the approved production source code is compiled and is the one being used.

Most important factor in quantitative risk analysis process is: A. Net Present Value (NPV) B. Earned Value Analysis (EVA) C. Decision Support System D. Expected Monetary Value (EMV)

D. Expected Monetary Value (EMV) NPV is used for calculating present value for future cash flow. EVA is used for monitoring the progress of the project. DDS helps in supporting the decision making by providing detailed analysis

Which of the following would BEST determine whether a post implementation review (PIR) performed by the project management office (PMO) was effective? A. Lessons learned were implemented. B. Management approved the PIR report. C. The review was performed by an external provider. D. Project outcomes have been realized.

D. Project outcomes have been realized.

Which of the following types of testing would determine whether a new or modifies system can operate in its target environment without adversely impacting other existing systems? A. Parallel testing B. Pilot testing C. Interface/integration testing D. Sociability testing

D. Sociability testing

****An IS auditor reviewing digital rights management (DRM) applications should expect to find an extensive use for which of the following technologies? A. Digitalized signatures B. Hashing C. Parsing D. Steganography

D. Steganography Explanation: Steganography is a technique for concealing the existence of messages or information. An increasingly important stenographical technique is digital watermarking, which hides data within data, e.g., by encoding rights information in a picture or music file without altering the picture or musics perceivable aesthetic qualities. Digitalized signatures are not related to digital rights management. Hashing creates a message hash or digest, which is used to ensure the integrity of the message; it is usually considered a part of cryptography. Parsing is the process of splitting up a continuous stream of characters for analytical purposes, and is widely applied in the design of programming languages or in data entry editing.

****After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend? A. Stress B. Black box C. Interface D. System

D. System Explanation: Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these circumstances.

****To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review? A. System access log files B. Enabled access control software parameters C. Logs of access control violations D. System configuration files for control options used

D. System configuration files for control options used Explanation: A review of system configuration files for control options used would show which users have access to the privileged supervisory state. Both systems access log files and logs of access violations are detective in nature. Access control software is run under the operating system.

****What should an organization do before providing an external agency physical access to its information processing facilities (IPFs)? A. The processes of the external agency should be subjected to an IS audit by an independent agency. B. Employees of the external agency should be trained on the security procedures of the organization. C. Any access by an external agency should be limited to the demilitarized zone (DMZ). D. The organization should conduct a risk assessment and design and implement appropriate controls.

D. The organization should conduct a risk assessment and design and implement appropriate controls. Explanation: Physical access of information processing facilities (IPFs) by an external agency introduces additional threats into an organization. Therefore, a risk assessment should be conducted and controls designed accordingly. The processes of the external agency are not of concern here. It is the agencys interaction with the organization that needs to be protected. Auditing their processes would not be relevant in this scenario. Training the employees of the external agency may be one control procedure, but could be performed after access has been granted. Sometimes an external agency may require access to the processing facilities beyond the demilitarized zone (DMZ). For example, an agency which undertakes maintenance of servers may require access to the main server room. Restricting access within the DMZ will not serve the purpose.

***During the audit of an acquired software package, an IS auditor learned that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved.

D. ensure that the procedure had been approved. Explanation: In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. The other choices are not the first actions an IS auditor should take. They are steps that may or may not be taken after determining that the procedure used to acquire the software had been approved.

An example of a direct benefit to be derived from a proposed IT-related business investment is: A. enhanced reputation. B. enhanced staff morale. C. the use of new technology. D. increased market penetration.

D. increased market penetration. Explanation: A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct and indirect, or soft. Direct benefits usually comprise the quantifiable financial benefits that the new system is expected to generate. The potential benefits of enhanced reputation and enhanced staff morale are difficult to quantify, but should be quantified to the extent possible. IT investments should not be made just for the sake of new technology but should be based on a quantifiable business need.

@@To prevent unauthorized entry to the data maintained in a dial-up, fast response system, an IS auditor should recommend: A. online terminals are placed in restricted areas. B. online terminals are equipped with key locks. C. ID cards are required to gain access to online terminals. D. online access is terminated after a specified number of unsuccessful attempts.

D. online access is terminated after a specified number of unsuccessful attempts. Explanation: The most appropriate control to prevent unauthorized entry is to terminate connection after a specified number of attempts. This will deter access through the guessing of IDs and passwords. The other choices are physical controls, which are not effective in deterring unauthorized accesses via telephone lines.

An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of: A. reverse engineering. B. prototyping. C. software reuse. D. reengineering.

D. reengineering. Explanation: Old (legacy) systems that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new technologies into existing systems. Using program language statements, reverse engineering involves reversing a programs machine code into the source code in which it was written to identify malicious content in a program, such as a virus, or to adapt a program written for use with one processor for use with a differently designed processor. Prototyping is the development of a system through controlled trial and error. Software reuse is the process of planning, analyzing and using previously developed software components. The reusable components are integrated into the current software product systematically.

**The MAJOR advantage of a component-based development approach is the: A. ability to manage an unrestricted variety of data types. B. provision for modeling complex relationships. C. capacity to meet the demands of a changing environment. D. support of multiple development environments.

D. support of multiple development environments. Explanation: Components written in one language can interact with components written in other languages or running on other machines, which can increase the speed of development. Software developers can then focus on business logic. The other choices are not the most significant advantages of a component-based development approach.

An advantage of using sanitized live transactions in test data is that: A. all transaction types will be included. B. every error condition is likely to be tested. C. no special routines are required to assess the results. D. test transactions are representative of live processing.

D. test transactions are representative of live processing. Explanation: Test data will be representative of live processing; however, it is unlikely that all transaction types or error conditions will be tested in this way.

**The most common reason for the failure of information systems to meet the needs of users is that: A. user needs are constantly changing. B. the growth of user requirements was forecast inaccurately. C. the hardware system limits the number of concurrent users. D. user participation in defining the systems requirements was inadequate.

D. user participation in defining the systems requirements was inadequate. Explanation: Lack of adequate user involvement, especially in the systems requirements phase, will usually result in a system that does not fully or adequately address the needs of the user. Only users can define what their needs are, and therefore what the system should accomplish.

Which of the following terms refers to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders? A. ILD&P B. ICT&P C. ILP&C D. ILR&D

Explanation: Information Leakage Detection and Prevention (ILD&P) is a computer security term referring to systems designed to detect and prevent the unauthorized transmission of information from the computer systems of an organization to outsiders. Network ILD&P are gateway-based systems installed on the organizations internet network connection and analyze network traffic to search for unauthorized information transmissions. Host Based ILD&P systems run on end-user workstations to monitor and control access to physical devices and access information before it has been encrypted.

@@After the merger of two organizations, multiple self-developed legacy applications from both companies are to be replaced by a new common platform. Which of the following would be the GREATEST risk? A. Project management and progress reporting is combined in a project management office which is driven by external consultants. B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other companys legacy systems. D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs.

The efforts should be consolidated to ensure alignment with the overall strategy of the post-merger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. In post-merger integration programs, it is common to form project management offices to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources. The experience of external consultants can be valuable since project management practices do not require in-depth knowledge of the legacy systems. This can free up resources for functional tasks. It is a good idea to first get familiar with the old systems, to understand what needs to be done in a migration and to evaluate the implications of technical decisions. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger.