NAME: ______________________________________

1. An audit charter should:
A. Be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B. Clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. Document the audit procedures designed to achieve the planned audit objectives.
D. Outline the overall authority, scope and responsibilities of the audit function.
Answer: D

2. Which of the following criteria for selecting the applications to be audited is LEAST likely to be used?
A. Materiality of audit risk
B. Sensitivity of transactions
C. Technological complexity
D. Regulatory agency involvement
Answer: C

3. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available
B. Access controls establish accountability for e-mail activity
C. Data classification regulates what information should be communicated via e-mail
D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available
Answer: A

4. While planning an audit, an assessment of risk should be made to provide:
A. Reasonable assurance that the audit will cover material items.
B. Definite assurance that material items will be covered during the audit work.
C. Reasonable assurance that all items will be covered by the audit.
D. Sufficient assurance that all items will be covered during the audit work.
Answer: A

5. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls can only be regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing
Answer: A

6. During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used, and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A. Record the observations separately, with the impact of each marked against the respective finding.
B. Advise the manager of probable risks without recording the observations, since the control weaknesses are minor ones.
C. Record the observations and the risk arising from the collective weaknesses.
D. Apprise the departmental heads concerned with each observation and properly document it in the report.
Answer: C

7. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. Controls needed to mitigate risks are in place.
B. Vulnerabilities and threats are identified.
C. Audit risks are considered.
D. A gap analysis is appropriate.
Answer: B

8. The success of control self-assessment (CSA) depends highly on:
A. Having line managers assume a portion of the responsibility for control monitoring.
B. Assigning staff managers the responsibility for building, but not monitoring, controls.
C. The implementation of a stringent control policy and rule-driven controls.
D. The implementation of supervision and the monitoring of controls of assigned duties.
Answer: A

9. A long-term IS employee has asked to transfer to IS auditing. The individual has a strong technical background and broad managerial experience. According to ISACA's General Standards for IS Auditing, consideration should be given to the candidate's:
A. Length of service, since this will help ensure technical competence
B. IS knowledge, since this will bring enhanced credibility to the audit function
C. Existing IS relationships and ability to retain audit independence
D. Age, as training in audit techniques may be practical
Answer: C

10. Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?
A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures
Answer: C

11. The IT balanced scorecard (BSC) is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. Financial results.
B. Customer satisfaction.
C. Internal process efficiency.
D. Innovation capacity.
Answer: A

12. Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
Answer: B

13. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees
Answer: D

14. IT control objectives are useful to IS auditors since they provide the basis for understanding the:
A. Desired result or purpose of implementing specific control procedures.
B. Best IT security control practices relevant to a specific entity.
C. Techniques for securing information.
D. Security policy.
Answer: A

15. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance
Answer: D

16. Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan.
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureau's business continuity plan is proprietary information.
Answer: A

17. An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task?
A. Immediately report the risks to the CIO and CEO
B. Examine e-business applications in development
C. Identify threats and likelihood of occurrence
D. Check the budget available for risk management
Answer: C

18. In an organization, the responsibilities for IT security are clearly assigned and enforced, and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
A. Optimized
B. Managed
C. Defined
D. Repeatable
Answer: B

19. Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risks are managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.
Answer: D

20. A top-down approach to the development of operational policies will help ensure:
A. That they are consistent across the organization.
B. That they are implemented as a part of risk assessment.
C. Compliance with all policies.
D. That they are reviewed periodically.
Answer: A

21. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
Answer: D

22. Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
Answer: C

23. Which of the following is the MOST important element for the successful implementation of IT governance?
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal security policy
Answer: B

24. A benefit of open system architecture is that it:
A. Facilitates interoperability.
B. Facilitates the integration of proprietary components.
C. Will be a basis for volume discounts from equipment vendors.
D. Allows for the achievement of more economies of scale for equipment.
Answer: A

25. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading
Answer: A

26. Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
A. Physically separated from the data center and not subject to the same risks.
B. Given the same level of protection as that of the computer data center.
C. Outsourced to a reliable third party.
D. Equipped with surveillance capabilities.
Answer: A

27. Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?
A. There are three individuals with a key to enter the area
B. Paper documents are also stored in the offsite vault
C. Data files that are stored in the vault are synchronized
D. The offsite vault is located in a separate facility
Answer: C

28. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A. Developments may result in hardware and software incompatibility
B. Resources may not be available when needed
C. The recovery plan cannot be tested
D. The security infrastructures in each company may be different
Answer: A

29. Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
A. The alternate facility will be available until the original information processing facility is restored.
B. User management is involved in the identification of critical systems and their associated critical recovery times.
C. Copies of the plan are kept at the homes of key decision-making personnel.
D. Feedback is provided to management, assuring them that the business continuity plans are, indeed, workable and that the procedures are current.
Answer: A

30. Which of the following would have the HIGHEST priority in a business continuity plan?
A. Resuming critical processes
B. Recovering sensitive processes
C. Restoring the site
D. Relocating operations to an alternative site
Answer: A

31. An IS auditor has audited a business continuity plan. Which of the following findings is the MOST critical?
A. Nonavailability of an alternate private branch exchange (PBX) system
B. Absence of a backup for the network backbone
C. Lack of backup systems for the users' PCs
D. Failure of the access card system
Answer: B

32. During a business continuity audit, an IS auditor found that the business continuity plan covered only critical processes. The IS auditor should:
A. Recommend that the business continuity plan cover all business processes.
B. Assess the impact of the processes not covered.
C. Report the findings to the IT manager.
D. Redefine critical processes.
Answer: B

33. An IS auditor noted that an organization had adequate business continuity plans for each individual process, but no comprehensive business continuity plan. Which would be the BEST course of action for the IS auditor?
A. Recommend that an additional comprehensive business continuity plan be developed.
B. Determine whether the business continuity plans are consistent.
C. Accept the business continuity plans as written.
D. Recommend the creation of a single business continuity plan.
Answer: B

34. Which of the following is MOST important when there is a lack of adequate fire detection and control equipment in the computer areas?
A. Adequate fire insurance
B. Regular hardware maintenance
C. Off-site storage of transaction and master files
D. Fully tested backup processing facilities
Answer: C

35. When developing a business continuity plan, which of the following tools should be used to gain an understanding of the organization's business processes?
A. Business continuity self-audit
B. Resource recovery analysis
C. Business impact analysis
D. Gap analysis
Answer: C

36. The PRIMARY objective of testing a business continuity plan is to:
A. Familiarize employees with the business continuity plan.
B. Ensure that all residual risks are addressed.
C. Exercise all possible disaster scenarios.
D. Identify limitations of the business continuity plan.
Answer: D

37. In determining the acceptable time period for the resumption of critical business processes:
A. Only downtime costs need to be considered.
B. Recovery operations should be analyzed.
C. Both downtime costs and recovery costs need to be evaluated.
D. Indirect downtime costs should be ignored.
Answer: C

38. Separation of duties between computer operators and other data processing personnel is intended to:
A. Prevent unauthorized modifications to program or data.
B. Reduce overall cost of operations.
C. Allow operators to concentrate on their assigned duties.
D. Restrict operator access to data.
Answer: A

39. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. Assessment of the situation may be delayed.
B. Execution of the disaster recovery plan could be impacted.
C. Notification of the teams might not occur.
D. Potential crisis recognition might be ineffective.
Answer: B

40. Which of the following pairs of job functions/duties would an organization MOST likely keep separate?
A. Operations and programming
B. Systems analysis and programming
C. Database administration and IS management
D. Tape librarian and program librarian
Answer: A