1. An audit charter should:
A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
Answer:

2. Which of the following criteria for selecting the applications to be audited is LEAST likely to be used?
A. Materiality of audit risk
B. Sensitivity of transactions
C. Technological complexity
D. Regulatory agency involvement
Answer:

3. Which of the following is the MOST likely reason why e-mail systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available
B. Access controls establish accountability for e-mail activity
C. Data classification regulates what information should be communicated via e-mail
D. Within the enterprise, a clear policy for using e-mail ensures that evidence is available
Answer:

4. While planning an audit, an assessment of risk should be made to provide:
A. reasonable assurance that the audit will cover material items.
B. definite assurance that material items will be covered during the audit work.
C. reasonable assurance that all items will be covered by the audit.
D. sufficient assurance that all items will be covered during the audit work.
Answer:

5. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls can only be regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing
Answer:

6. During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas: initial parameter settings are improperly configured, weak passwords are being used, and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A. record the observations separately, with the impact of each marked against the respective finding.
B. advise the manager of probable risks without recording the observations, since the control weaknesses are minor ones.
C. record the observations and the risk arising from the collective weaknesses.
D. apprise the departmental heads concerned with each observation and properly document it in the report.
Answer:

7. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.
Answer:

8. The success of control self-assessment (CSA) depends highly on:
A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and the monitoring of controls of assigned duties.
Answer:

9. A long-term IS employee has asked to transfer to IS auditing. The individual has a strong technical background and broad managerial experience. According to ISACA's General Standards for IS Auditing, consideration should be given to the candidate's:
A. length of service, since this will help ensure technical competence.
B. IS knowledge, since this will bring enhanced credibility to the audit function.
C. existing IS relationships and ability to retain audit independence.
D. age, as training in audit techniques may be practical.
Answer:

10. Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?
A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures
Answer:

11. The IT balanced scorecard (BSC) is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. financial results.
B. customer satisfaction.
C. internal process efficiency.
D. innovation capacity.
Answer:

12. Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
Answer:

13. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees
Answer:

14. IT control objectives are useful to IS auditors since they provide the basis for understanding the:
A. desired result or purpose of implementing specific control procedures.
B. best IT security control practices relevant to a specific entity.
C. techniques for securing information.
D. security policy.
Answer:

15. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance
Answer:

16. Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan.
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureau's business continuity plan is proprietary information.
Answer:

17. An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task?
A. Immediately report the risks to the CIO and CEO
B. Examine e-business applications in development
C. Identify threats and likelihood of occurrence
D. Check the budget available for risk management
Answer:

18. In an organization, the responsibilities for IT security are clearly assigned and enforced, and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
A. Optimized
B. Managed
C. Defined
D. Repeatable
Answer:

19. Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risks are managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.
Answer:

20. A top-down approach to the development of operational policies will help ensure:
A. that they are consistent across the organization.
B. that they are implemented as a part of risk assessment.
C. compliance with all policies.
D. that they are reviewed periodically.
Answer:

21. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
Answer:

22. Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
Answer:

23. Which of the following is the MOST important element for the successful implementation of IT governance?
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal security policy
Answer:

24. A benefit of open system architecture is that it:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.
Answer:

25. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading
Answer:

26. Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
A. physically separated from the data center and not subject to the same risks.
B. given the same level of protection as that of the computer data center.
C. outsourced to a reliable third party.
D. equipped with surveillance capabilities.
Answer:

27. Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?
A. There are three individuals with a key to enter the area
B. Paper documents are also stored in the offsite vault
C. Data files that are stored in the vault are synchronized
D. The offsite vault is located in a separate facility
Answer:

28. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A. Developments may result in hardware and software incompatibility
B. Resources may not be available when needed
C. The recovery plan cannot be tested
D. The security infrastructures in each company may be different
Answer:

29. Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
A. The alternate facility will be available until the original information processing facility is restored.
B. User management is involved in the identification of critical systems and their associated critical recovery times.
C. Copies of the plan are kept at the homes of key decision-making personnel.
D. Feedback is provided to management, assuring them that the business continuity plans are, indeed, workable and that the procedures are current.
Answer:

30. Which of the following would have the HIGHEST priority in a business continuity plan?
A. Resuming critical processes
B. Recovering sensitive processes
C. Restoring the site
D. Relocating operations to an alternative site
Answer:

31. An IS auditor has audited a business continuity plan. Which of the following findings is the MOST critical?
A. Non-availability of an alternate private branch exchange (PBX) system
B. Absence of a backup for the network backbone
C. Lack of backup systems for the users' PCs
D. Failure of the access card system
Answer:

32. During a business continuity audit, an IS auditor found that the business continuity plan covered only critical processes. The IS auditor should:
A. recommend that the business continuity plan cover all business processes.
B. assess the impact of the processes not covered.
C. report the findings to the IT manager.
D. redefine critical processes.
Answer:

33. An IS auditor noted that an organization had adequate business continuity plans for each individual process, but no comprehensive business continuity plan. Which would be the BEST course of action for the IS auditor?
A. Recommend that an additional comprehensive business continuity plan be developed.
B. Determine whether the business continuity plans are consistent.
C. Accept the business continuity plans as written.
D. Recommend the creation of a single business continuity plan.
Answer:

34. Which of the following is MOST important when there is a lack of adequate fire detection and control equipment in the computer areas?
A. Adequate fire insurance
B. Regular hardware maintenance
C. Off-site storage of transaction and master files
D. Fully tested backup processing facilities
Answer:

35. When developing a business continuity plan, which of the following tools should be used to gain an understanding of the organization's business processes?
A. Business continuity self-audit
B. Resource recovery analysis
C. Business impact analysis
D. Gap analysis
Answer:

36. The PRIMARY objective of testing a business continuity plan is to:
A. familiarize employees with the business continuity plan.
B. ensure that all residual risks are addressed.
C. exercise all possible disaster scenarios.
D. identify limitations of the business continuity plan.
Answer:

37. In determining the acceptable time period for the resumption of critical business processes:
A. only downtime costs need to be considered.
B. recovery operations should be analyzed.
C. both downtime costs and recovery costs need to be evaluated.
D. indirect downtime costs should be ignored.
Answer:

38. Separation of duties between computer operators and other data processing personnel is intended to:
A. prevent unauthorized modifications to programs or data.
B. reduce the overall cost of operations.
C. allow operators to concentrate on their assigned duties.
D. restrict operator access to data.
Answer:

39. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be ineffective.
Answer:

40. Which of the following pairs of job functions/duties would an organization MOST likely keep separate?
A. Operations and programming
B. Systems analysis and programming
C. Database administration and IS management
D. Tape librarian and program librarian
Answer:
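Question 10 lists automated code comparison among the techniques for finding program changes that were not part of an authorized update. The following Python is an added illustration by the editor, not part of the original question set: it takes a content-hash manifest of the source tree at the last authorized release (the baseline), takes another of the tree as it is now, and reports every file that was added, removed or altered in between. The directory layout, file names and the "unauthorized" edits in `demo()` are constructed for the example.

```python
"""Automated code comparison against an authorized baseline.

Every regular file under the source root is hashed with SHA-256.  A
manifest taken at the last authorized release is compared with one
taken now; any difference is a change that must be traced to an
approved change record, or treated as unauthorized.
Editor's example, not code from the question source.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the file content, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its content hash."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two manifests.

    Returns sorted lists under 'added', 'removed' and 'modified'.  Only the
    content hash is compared: file size and timestamps are easy to preserve
    or forge, so they are not used as evidence of "no change".
    """
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(
            name for name in base_keys & cur_keys if baseline[name] != current[name]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline at the authorized release, then three
    kinds of change made outside the release process.  The edit to login.py
    keeps the file exactly the same length, so a size check would miss it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "login.py").write_text("MAX_TRIES = 5\n")
        (root / "app" / "report.py").write_text("def run(): pass\n")
        (root / "app" / "legacy.py").write_text("# retired\n")
        baseline = snapshot(root)  # would normally be stored at release time

        # Changes made after the authorized release (constructed):
        (root / "app" / "login.py").write_text("MAX_TRIES = 9\n")  # same length
        (root / "app" / "patch.py").write_text("import os\n")       # new file
        (root / "app" / "legacy.py").unlink()                        # deleted

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

For the comparison to be evidence rather than a formality, the baseline manifest has to be captured at the moment the release is authorized and held where the people who can change production code cannot rewrite it (for example signed and retained by the audit or release function); a manifest the developers can regenerate at will proves only that the tree matches itself.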
Paper #43411 | Written 18-Jul-2015 | Price: $37