PRE-COURSE 1. Which of the following is the MOST important skill an IS auditor should develop to understand the constraints of conducting an audit? A. Contingency planning B. IS management resource allocation C. Project management D. Knowledge of internal controls C is the correct answer. Justification: A. Contingency planning is often associated with the organization’s operations. IS auditors should have knowledge of contingency planning techniques, but this is not essential regarding constraints on the conduct of the audit. B. IS managers are responsible for resource management of their departments. IS auditors do not manage IS resources. C. Audits often involve resource management, deliverables, scheduling and deadlines similar to project management best practices. D. Knowledge of internal controls is fundamental to IS auditors. Professional competence is an auditing standard. A lack of understanding of the control environment would be a constraint on the effectiveness of the audit, but is not the most important skill needed by the IS auditor. 2. During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization’s operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. B. Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle. C. No recommendation is necessary because the current approach is appropriate for a medium-sized organization. D. Establish regular IT risk management meetings to identify and assess risk, and create a mitigation plan as input to the organization’s risk management. D is the correct answer. Justification: A. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risk is usually manageable enough so that external help would not be needed. B. While common risk may be covered by industry standards, they cannot address the specific situation of an organization. Individual types of risk will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient to manage IT risk. C. The auditor should recommend a formal IT risk management effort because the failure to demonstrate responsible IT risk management may be a liability for the organization. D. Establishing regular IT risk management meetings is the best way to identify and assess ITrelated risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date. 3. An IS auditor is evaluating a virtual machine–based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production? A. Server configuration has been hardened appropriately. B. Allocated physical resources are available. C. System administrators are trained to use the virtual machine (VM) architecture. D. The VM server is included in the disaster recovery plan (DRP). A is the correct answer. Justification: A. The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all non-required functions before production, especially when production architecture is different from development and testing architecture. B. The greatest risk is associated with the difference between the testing and production environments. Ensuring that physical resources are available is a relatively low risk and easily addressed. C. Virtual machines (VMs) are often used for optimizing programming and testing infrastructure. In this scenario, the development environment (VM architecture) is different from the production infrastructure (physical three-tier). Because the VMs are not related to the web application in production, there is no real requirement for the system administrators to be familiar with a virtual environment. D. Because the VMs are only used in a development environment and not in production, it may not be necessary to include VMs in the disaster recovery plan (DRP). 4. A database administrator has detected a performance problem with some tables, which could be solved through denormalization. This situation will increase the risk of: A. concurrent access. B. deadlocks. C. unauthorized access to data. D. a loss of data integrity. D is the correct answer. Justification: A. Denormalization will have no effect on concurrent access to data in a database; concurrent access is resolved through locking. B. Deadlocks are a result of locking of records. This is not related to normalization. C. Access to data is controlled by defining user rights to information and is not affected by denormalization. D. Normalization is the removal of redundant data elements from the database structure. Disabling normalization in relational databases will create redundancy and a risk of not maintaining consistency of data, with the consequent loss of data integrity. 5. Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system? A. Three users with the ability to capture and verify their own messages B. Five users with the ability to capture and send their own messages C. Five users with the ability to verify other users and to send their own messages D. Three users with the ability to capture and verify the messages of other users and to send their own messages A is the correct answer. Justification: A. The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message. B. Users may have the ability to send messages but should not be able to verify their own messages. C. This is an example of separation of duties. A person can send their own message but only verify the messages of other users. D. The ability to capture and verify the messages of others but only send their own messages is acceptable. DOMAIN 1 The Process of Auditing Information Systems 1. Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable? A. Test the adequacy of the control design. B. Test the operational effectiveness of controls. C. Focus on auditing high-risk areas. D. Rely on management testing of controls. C is the correct answer. Justification: A. Testing the adequacy of control design is not the best course of action because this does not ensure that controls operate effectively as designed. B. Testing control operating effectiveness will not ensure that the audit plan is focused on areas of greatest risk. C. Reducing the scope and focusing on auditing high-risk areas is the best course of action. D. The reliance on management testing of controls will not provide an objective verification of the control environment. 2. Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable? A. Test the adequacy of the control design. B. Test the operational effectiveness of controls. C. Focus on auditing high-risk areas. D. Rely on management testing of controls. C is the correct answer. Justification: A. Testing the adequacy of control design is not the best course of action because this does not ensure that controls operate effectively as designed. B. Testing control operating effectiveness will not ensure that the audit plan is focused on areas of greatest risk. C. Reducing the scope and focusing on auditing high-risk areas is the best course of action. D. The reliance on management testing of controls will not provide an objective verification of the control environment. 3. Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST: A. include the statement from management in the audit report. B. verify the software is in use through testing. C. include the item in the audit report. D. discuss the issue with senior management because it could have a negative impact on the organization. B is the correct answer. Justification: A. The statement from management may be included in the audit report, but the auditor should independently validate the statements made by management to ensure completeness and accuracy. B. When there is an indication that an organization might be using unlicensed software, the IS auditor should obtain sufficient evidence before including it in report. C. With respect to this matter, representations obtained from management cannot be independently verified. D. If the organization is using software that is not licensed, the IS auditor, to maintain objectivity and independence, must include this in the report, but the IS auditor should verify that this is in fact the case before presenting it to senior management. 4. The internal IS audit team is auditing controls over sales returns and is concerned about fraud. Which of the following sampling methods would BEST assist the IS auditors? A. Stop-or-go B. Classical variable C. Discovery D. Probability-proportional-to-size C is the correct answer. Justification: A. Stop-or-go is a sampling method that helps limit the size of a sample and allows the test to be stopped at the earliest possible moment. B. Classical variable sampling is associated with dollar amounts and has a sample based on a representative sample of the population but is not focused on fraud. C. Discovery sampling is used when an IS auditor is trying to determine whether a type of event has occurred, and therefore it is suited to assess the risk of fraud and to identify whether a single occurrence has taken place. D. Probability-proportional-to-size sampling is typically associated with cluster sampling when there are groups within a sample. The question does not indicate that an IS auditor is searching for a threshold of fraud. 5. An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a: A. lower confidence coefficient, resulting in a smaller sample size. B. higher confidence coefficient, resulting in a smaller sample size. C. higher confidence coefficient, resulting in a larger sample size. D. lower confidence coefficient, resulting in a larger sample size. A is the correct answer. Justification: A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size. B. A higher confidence coefficient will result in the use of a larger sample size. C. A higher confidence coefficient need not be adopted in this situation because internal controls are strong. D. A lower confidence coefficient will result in the use of a smaller sample size. 6. Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit? A. Complexity of the organization’s operation B. Findings and issues noted from the prior year C. Purpose, objective and scope of the audit D. Auditor’s familiarity with the organization C is the correct answer. Justification: A. The complexity of the organization’s operation is a factor in the planning of an audit, but does not directly affect the determination of how much data to collect. Extent of data collection is subject to the intensity, scope and purpose of the audit. B. Prior findings and issues are factors in the planning of an audit, but do not directly affect the determination of how much data to collect. Data must be collected outside of areas of previous findings. C. The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection such as sample size or means of data collection. D. An auditor’s familiarity with the organization is a factor in the planning of an audit, but does not directly affect the determination of how much data to collect. The audit must be based on sufficient evidence of the monitoring of controls and not unduly influenced by the auditor’s familiarity with the organization. Which of the following does a lack of adequate controls represent? A. An impact B. A vulnerability C. An asset D. A threat B is the correct answer. Justification: A. Impact is the measure of the consequence (including financial loss, reputational damage, loss of customer confidence) that a threat event may have. B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, employee error, environmental threat or equipment failure. This could result in a loss of sensitive information, financial loss, legal penalties or other losses. C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation. D. A threat is a potential cause of an unwanted incident. 7. Which of the following is the PRIMARY requirement in reporting results of an IS audit? The report is: A. prepared according to a predefined and standard template. B. backed by sufficient and appropriate audit evidence. C. comprehensive in coverage of enterprise processes. D. reviewed and approved by audit management. B is the correct answer. Justification: A. Preparation of the IS audit report according to a predefined and standard template may be useful in ensuring that all key aspects are provided in a uniform structure, but this does not demonstrate that audit findings are based on evidence that can be proven, if required. B. ISACA IS audit standards require that reports should be backed by sufficient and appropriate audit evidence so that they demonstrate the application of the minimum standard of performance and the findings and recommendations can be validated, if required. C. The scope and coverage of IS audit is defined by a risk assessment process, which may not always provide comprehensive coverage of processes of the enterprise. D. While from an operational standpoint an audit report should be reviewed and approved by audit management, the more critical consideration is that all conclusions are backed by sufficient and appropriate audit evidence. 8. The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to: A. inform the audit committee of the potential issue. B. review audit logs for the IDs in question. C. document the finding and explain the risk of using shared IDs. D. request that the IDs be removed from the system. C is the correct answer. Justification: A. It is not appropriate for an IS auditor to report findings to the audit committee before conducting a more detailed review and presenting them to management for a response. B. Review of audit logs would not be useful because shared IDs do not provide for individual accountability. C. An IS auditor’s role is to detect and document findings and control deficiencies. Part of the audit report is to explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not allow for accountability of transactions. An IS auditor would defer to management to decide how to respond to the findings presented. D. It is not the role of an IS auditor to request the removal of IDs from the system. 9. An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor? A. Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing. B. Publish a report omitting the areas where the evidence obtained from testing was inconclusive. C. Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained. D. Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed. A is the correct answer. Justification: A. If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system. B. It is not acceptable for the IS auditor to ignore areas of potential weakness because conclusive evidence could not be obtained within the agreed-on audit time frame. ISACA IS Audit and Assurance Standards would be violated if these areas were omitted from the audit report. C. Extending the time frame for the audit and delaying the go-live date is unlikely to be acceptable in this scenario where the system involved is business-critical. In any case, a delay to the go-live date must be the decision of business management, not the IS auditor. In this scenario, the IS auditor should present business management with all available information by the agreed-on date. D. Failure to obtain sufficient evidence in one part of an audit engagement does not justify cancelling or postponing the audit; this would violate the audit guideline concerning due professional care. 10.The PRIMARY objective of performing a postincident review is that it presents an opportunity to: A. improve internal control procedures. B. harden the network to industry good practices. C. highlight the importance of incident response management to management. D. improve employee awareness of the incident response process. A is the correct answer. Justification: A. A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving the incident response plan based on the incident review is an internal (corrective) control. B. A postincident review may result in improvements to controls, but its primary purpose is not to harden a network. C. The purpose of postincident review is to ensure that the opportunity is presented to learn lessons from the incident. It is not intended as a forum to educate management. D. An incident may be used to emphasize the importance of incident response, but that is not the intention of the postincident review. 11.An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase? A. Development of an audit program B. Review of the audit charter C. Identification of key information owners D. Development of a risk assessment D is the correct answer. Justification: A. The results of the risk assessment are used for the input for the audit program. B. The audit charter is prepared when the audit department is established or as updates are needed. Creation of the audit charter is not related to the audit planning phase because it is part of the internal audit governance structure that provides independence for the function. C. A risk assessment must be performed prior to identifying key information owners. Key information owners are generally not directly involved during the planning process of an audit. D. A risk assessment should be performed to determine how internal audit resources should be allocated in order to ensure that all material items will be addressed. 12.Which of the following should an IS auditor use to detect duplicate invoice records within an invoice master file? A. Attribute sampling B. Computer-assisted audit techniques (CAATs) C. Compliance testing D. Integrated test facility (ITF) B is the correct answer. Justification: A. Attribute sampling would aid in identifying records meeting specific conditions but would not compare one record to another to identify duplicates. To detect duplicate invoice records, the IS auditor should check all of the items that meet the criteria and not just a sample of the items. B. Computer-assisted audit techniques (CAATs) would enable the IS auditor to review the entire invoice file to look for those items that meet the selection criteria. C. Compliance testing determines whether controls procedures are adhered to, and using CAATs is the better option as it would most likely be more efficient to search for duplicates. D. An integrated test facility (ITF) allows the IS auditor to test transactions through the production system but would not compare records to identify duplicates. DOMAIN 2 Governance and Management of IT 1. Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment? A. To conduct a feasibility study to demonstrate IT value B. To ensure that investments are made according to business requirements C. To ensure that proper security controls are enforced D. To ensure that a standard development methodology is implemented B is the correct answer. Justification: A. A steering committee may use a feasibility study in its reviews; however, it is not responsible for performing/conducting the study. B. A steering committee consists of representatives from the business and IT and ensures that IT investment is based on business objectives rather than on IT priorities. C. The steering committee is not responsible for enforcing security controls. D. The steering committee is not responsible for implementing development methodologies. 2. As an outcome of information security governance, strategic alignment provides: A. security requirements driven by enterprise requirements. B. baseline security following good practices. C. institutionalized and commoditized solutions. D. an understanding of risk exposure. A is the correct answer. Justification: A. Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. B. Strategic alignment ensures that security aligns with business goals. Providing a standard set of security practices (i.e., baseline security following good practices or institutionalized and commoditized solutions) is a part of value delivery. C. Value delivery addresses the effectiveness and efficiency of solutions, but is not a result of strategic alignment. D. Risk management is a primary goal of IT governance, but strategic alignment is not focused on understanding risk exposure. 3. An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern? A. Senior management has limited involvement. B. Return on investment (ROI) is not measured. C. Chargeback of IT cost is not consistent. D. Risk appetite is not quantified. A is the correct answer. Justification: A. To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the involvement of senior management when evaluating the soundness of IT governance. B. Ensuring revenue management is a part of the objectives in the IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. C. Introduction of a cost allocation system is part of the objectives in an IT governance framework. Therefore, it is not effective in verifying the soundness of IT governance. D. Estimation of risk appetite is important; however, at the same time, management should ensure that controls are in place. Therefore, checking only on risk appetite does not verify soundness of IT governance. 4. Which of the following IT governance good practices improves strategic alignment? A. Supplier and partner risk is managed. B. A knowledge base on customers, products, markets and processes is in place. C. A structure is provided that facilitates the creation and sharing of business information. D. Top management mediates between the imperatives of business and technology. D is the correct answer. Justification: A. Supplier and partner risk being managed is a risk management good practice but not a strategic function. B. A knowledge base on customers, products, markets and processes being in place is an IT value delivery good practice but does not ensure strategic alignment. C. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management good practice, but is not as effective as top management involvement in business and technology alignment. D. Top management mediating between the imperatives of business and technology is an IT strategic alignment good practice. 5. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: A. dependency on a single person. B. inadequate succession planning. C. one person knowing all parts of a system. D. a disruption of operations. C is the correct answer. Justification: A. Cross-training helps decrease dependence on a single person. B. Cross-training assists in succession planning. C. Cross-training is a process of training more than one individual to perform a specific job or procedure. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures related to abuse of privilege. D. Cross-training provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations. 6. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A. Overlapping controls B. Boundary controls C. Access controls D. Compensating controls D is the correct answer. Justification: A. Overlapping controls are two controls addressing the same control objective or exposure. Because primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. B. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself and are individual-based, not role-based, controls. C. Access controls for resources are based on individuals and not on roles. A lack of segregation of duties would mean that the IS auditor would expect to find that a person has higher levels of access than would be ideal. This would mean the IS auditor wants to find compensating controls to address this risk. D. Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated. 7. When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? A. Review the strategic alignment of IT with the business. B. Implement accountability rules within the organization. C. Ensure that independent IS audits are conducted periodically. D. Create a chief risk officer (CRO) role in the organization. B is the correct answer. Justification: A. While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario. B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself. C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented. D. Recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented. 8. When auditing the archiving of the company’s email communications, the IS auditor should pay the MOST attention to: A. the existence of a data retention policy. B. the storage capacity of the archiving solution. C. the level of user awareness concerning email use. D. the support and stability of the archiving solution manufacturer. A is the correct answer. Justification: A. Without a data retention policy that is aligned to the company’s business and compliance requirements, the email archive may not preserve and reproduce the correct information when required. B. The storage capacity of the archiving solution would be irrelevant if the proper email messages have not been properly preserved and others have been deleted. C. The level of user awareness concerning email use would not directly affect the completeness and accuracy of the archived email. D. The support and stability of the archiving solution manufacturer is secondary to the need to ensure a retention policy. Vendor support would not directly affect the completeness and accuracy of the archived email. 9. Which of the following situations is addressed by a software escrow agreement? A. The system administrator requires access to software to recover from a disaster. B. A user requests to have software reloaded onto a replacement hard drive. C. The vendor of custom-written software goes out of business. D. An IS auditor requires access to software code written by the organization. C is the correct answer. Justification: A. Access to software should be managed by an internally managed software library. Escrow refers to the storage of software with a third party—not the internal libraries. B. Providing the user with a backup copy of software is not escrow. Escrow requires that a copy be kept with a trusted third party. C. A software escrow is a legal agreement between a software vendor and a customer, to guarantee access to source code. The application source code is held by a trusted third party, according to the contract. This agreement is necessary in the event that the software vendor goes out of business, there is a contractual dispute with the customer or the software vendor fails to maintain an update of the software as promised in the software license agreement. D. Software escrow is used to protect the intellectual property of software developed by one organization and sold to another organization. This is not used for software being reviewed by an auditor of the organization that wrote the software. 10.Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: A. claims to meet or exceed industry security standards. B. agrees to be subject to external security reviews. C. has a good market reputation for service and experience. D. complies with security policies of the organization. B is the correct answer. Justification: A. Compliance with security standards is important, but there is no way to verify or prove that is the case without an independent review. B. It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. C. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak. D. Compliance with organizational security policies is important, but there is no way to verify or prove that that is the case without an independent review. 11.After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk? A. Project management and progress reporting is combined in a project management office which is driven by external consultants. B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company’s legacy systems. D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs. B is the correct answer. Justification: A. In postmerger integration programs, it is common to form project management offices (often staffed with external experts) to ensure standardized and comparable information levels in the planning and reporting structures, and to centralize dependencies of project deliverables or resources. B. The efforts should be consolidated to ensure alignment with the overall strategy of the postmerger organization. If resource allocation is not centralized, the separate projects are at risk of overestimating the availability of key knowledge resources for the in-house developed legacy applications. C. The development of new integrated systems can require some knowledge of the legacy systems to gain an understanding of each business process. D. In most cases, mergers result in application changes and thus in training needs as organizations and processes change to leverage the intended synergy effects of the merger. 12.To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the: A. enterprise data model. B. IT balanced scorecard (BSC). C. IT organizational structure. D. historical financial statements. B is the correct answer. Justification: A. An enterprise data model is a document defining the data structure of an organization and how data interrelate. It is useful, but it does not provide information on investments in IT assets. B. The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. In this way the auditor can measure the success of the IT investment and strategy. C. The IT organizational structure provides an overview of the functional and reporting relationships in an IT entity, but does not ensure effectiveness of IT investment. D. Historical financial statements do not provide information about planning and lack sufficient detail to enable one to fully understand management’s activities regarding IT assets. Past costs do not necessarily reflect value, and assets such as data are not represented on the books of accounts. 13.Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset? A. Results of a risk assessment B. Relative value to the business C. Results of a vulnerability assessment D. Cost of security controls A is the correct answer. Justification: A. The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the IS auditor should review. B. The relative value of an asset to the business is one element considered in the risk assessment; this alone does not determine the level of protection required. C. The results of a vulnerability assessment would be useful when creating the risk assessment; however, this would not be the primary focus. D. The cost of security controls is not a primary factor to consider because the expenditures on these controls are determined by the value of the information assets being protected. 14.When an organization’s disaster recovery plan (DRP) has a reciprocal agreement, which of the following risk treatment approaches is being applied? A. Transfer B. Mitigation C. Avoidance D. Acceptance B is the correct answer. Justification: A. Risk transfer is the transference of risk to a third party (e.g., buying insurance for activities that pose a risk). B. A reciprocal agreement in which two organizations agree to provide computing resources to each other in the event of a disaster is a form of risk mitigation. This usually works well if both organizations have similar information processing facilities. Because the intended effect of reciprocal agreements is to have a functional disaster recovery plan (DRP), it is a risk mitigation strategy. C. Risk avoidance is the decision to cease operations or activities that give rise to a risk. For example, a company may stop accepting credit card payments to avoid the risk of credit card information disclosure. D. Risk acceptance occurs when an organization decides to accept the risk as it is and to do nothing to mitigate or transfer it. 15.An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: A. verify how the organization follows the standards. B. identify and report the controls currently in place. C. review the metrics for quality evaluation. D. request all standards that have been adopted by the organization. D is the correct answer. Justification: A. The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are. The other items listed—verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics—are secondary to the identification of standards. B. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance. C. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics. D. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist. 16.When developing a formal enterprise security program, the MOST critical success factor (CSF) would be the: A. establishment of a review board. B. creation of a security unit. C. effective support of an executive sponsor. D. selection of a security process owner. C is the correct answer. Justification: A. Establishment of a review board is not effective without visible sponsorship of top management. B. The creation of a security unit is not effective without visible sponsorship of top management. C. The executive sponsor would be in charge of supporting the organization’s strategic security program and would aid in directing the organization’s overall security management activities. Therefore, support by the executive level of management is the most critical success factor (CSF). D. The selection of a security process owner is not effective without visible sponsorship of top management. 17.While reviewing a quality management system (QMS) the IS auditor should PRIMARILY focus on collecting evidence to show that: A. quality management systems (QMSs) comply with good practices. B. continuous improvement targets are being monitored. C. standard operating procedures of IT are updated annually. D. key performance indicators (KPIs) are defined. B is the correct answer. Justification: A. Generally, good practices are adopted according to business requirements, and therefore, conforming to good practices may or may not be a requirement of the business. B. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS). C. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity. D. Key performance indicators (KPIs) may be defined in a QMS, but they are of little value if they are not being monitored. 18.Before implementing an IT balanced scorecard (BSC), an organization must: A. deliver effective and efficient services. B. define key performance indicators. C. provide business value to IT projects. D. control IT expenses. B is the correct answer. Justification: A. A balanced scorecard (BSC) is a method of specifying and measuring the attainment of strategic results. It will measure the delivery of effective and efficient services, but an organization may not have those in place prior to using a BSC. B. Because a BSC is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC. C. A BSC will measure the value of IT to business, not the other way around. D. A BSC will measure the performance of IT, but the control over IT expenses is not a key requirement for implementing a BSC. 19.During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that: A. assessment of the situation may be delayed. B. execution of the disaster recovery plan could be impacted. C. notification of the teams might not occur. D. potential crisis recognition might be delayed. B is the correct answer. Justification: A. Problem and severity assessment would provide information necessary in declaring a disaster, but the lack of a crisis declaration point would not delay the assessment. B. Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis. C. After a potential crisis is recognized, the teams responsible for crisis management need to be notified. Delaying the declaration of a disaster would impact or negate the effect of having response teams, but this is only one part of the larger impact. D. Potential crisis recognition is the first step in recognizing or responding to a disaster and would occur prior to the declaration of a disaster. 20.An IS auditor is reviewing an organization’s recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined? A. The interruption window B. The recovery time objective (RTO) C. The service delivery objective (SDO) D. The recovery point objective (RPO) D is the correct answer. Justification: A. The interruption window is defined as the amount of time during which the organization is unable to maintain operations from the point of failure to the time that the critical services/applications are restored. B. The recovery time objective (RTO) is determined based on the acceptable downtime in the case of a disruption of operations. C. The service delivery objective (SDO) is directly related to the business needs. SDO is the level of services to be reached during the alternate process mode until the normal situation is restored. D. The recovery point objective (RPO) is determined based on the acceptable data loss in the case of a disruption of operations. RPO defines the point in time from which it is necessary to recover the data and quantifies, in terms of time, the permissible amount of data loss in the case of interruption. 21.When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? A. Review the strategic alignment of IT with the business. B. Implement accountability rules within the organization. C. Ensure that independent IS audits are conducted periodically. D. Create a chief risk officer (CRO) role in the organization. B is the correct answer. Justification: A. While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario. B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself. C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented. D. Recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented. 22.To optimize an organization’s BCP, an IS auditor should recommend a BIA to determine: A. the business processes that generate the most financial value for the organization and, therefore, must be recovered first B. the priorities and order for recovery to ensure alignment with the organization’s business strategy C. the business processes that must be recovered following a disaster to ensure the organization’s survival D. the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame C is the correct answer. Justification: A. It is a common mistake to overemphasize financial value rather than urgency. For example, while the processing of incoming mortgage loan payments is important from a financial perspective, it could be delayed for a few days in the event of a disaster. On the other hand, wiring funds to close on a loan, while not generating direct revenue, is far more critical because of the possibility of regulatory problems, customer complaints and reputation issues. B. The business strategy (which is often a long-term view) does not have a direct impact at this point in time. C. To ensure the organization’s survival following a disaster, it is important to recover the most critical business processes first. D. The mere number of recovered systems does not have a direct impact at this point in time. The importance is to recover systems that would impact business survival. DOMAIN 3 Information Systems Acquisition, Development and Implementation 1. Normally, it would be essential to involve which of the following stakeholders in the initiation stage of a project? A. System owners B. System users C. System designers D. System builders A is the correct answer. Justification: A. System owners are the information systems (project) sponsors or chief advocates. They normally are responsible for initiating and funding projects to develop, operate and maintain information systems. B. System users are the individuals who use or are affected by the information system. Their requirements are crucial in the requirements definition, design and testing stages of a project. C. System designers translate business requirements and constraints into technical solutions. D. System builders construct the system based on the specifications from the systems designers. In most cases, the designers and builders are one and the same. 2. When reviewing an active project, an IS auditor observed that the business case was no longer valid because of a reduction in anticipated benefits and increased costs. The IS auditor should recommend that the: A. project be discontinued. B. business case be updated and possible corrective actions be identified. C. project be returned to the project sponsor for reapproval. D. project be completed and the business case be updated later. B is the correct answer. Justification: A. An IS auditor should not recommend discontinuing or completing the project before reviewing an updated business case. B. The IS auditor should recommend that the business case be kept current throughout the project because it is a key input to decisions made throughout the life of any project. C. The project cannot be returned to the sponsor until the business case has been updated. D. An IS auditor should not recommend completing the project before reviewing an updated business case and ensuring approval from the project sponsor. 3. During the audit of an acquired software package, an IS auditor finds that the software purchase was based on information obtained through the Internet, rather than from responses to a request for proposal (RFP). The IS auditor should FIRST: A. test the software for compatibility with existing hardware. B. perform a gap analysis. C. review the licensing policy. D. ensure that the procedure had been approved. D is the correct answer. Justification: A. Because the software package has already been acquired, it is most likely that it is in use and therefore compatible with existing hardware. Further, the first responsibility of the IS auditor is to ensure that the purchasing procedures have been approved. B. Because there was no request for proposal (RFP), there may be no documentation of the expectations of the product and nothing to measure a gap against. The first task for the IS auditor is to ensure that the purchasing procedures were approved. C. The licensing policy should be reviewed to ensure proper licensing but only after the purchasing procedures are checked. D. In the case of a deviation from the predefined procedures, an IS auditor should first ensure that the procedure followed for acquiring the software is consistent with the business objectives and has been approved by the appropriate authorities. 4. A company has contracted with an external consulting firm to implement a commercial financial system to replace its existing system developed in-house. In reviewing the proposed development approach, which of the following would be of GREATEST concern? A. Acceptance testing is to be managed by users. B. A quality plan is not part of the contracted deliverables. C. Not all business functions will be available on initial implementation. D. Prototyping is being used to confirm that the system meets business requirements. B is the correct answer. Justification: A. Acceptance is normally managed by the user area because users must be satisfied that the new system will meet their requirements. B. A quality plan is an essential element of all projects. It is critical that the contracted supplier be required to produce such a plan. The quality plan for the proposed development contract should be comprehensive and encompass all phases of the development and include which business functions will be included and when. C. If the system is large, a phased-in approach to implementing the application is a reasonable approach. D. Prototyping is a valid method of ensuring that the system will meet business requirements. 5. An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results? A. Project sponsor B. System development project team (SDPT) C. Project steering committee D. User project team (UPT) C is the correct answer. Justification: A. A project sponsor is typically the senior manager in charge of the primary business unit that the application will support. The sponsor provides funding for the project and works closely with the project manager to define the critical success factors or metrics for the project. The project sponsor is not responsible for reviewing the progress of the project. B. A system development project team (SDPT) completes the assigned tasks, works according to the instructions of the project manager and communicates with the user project team. The SDPT is not responsible for overseeing the progress of the project. C. A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project’s progress to ensure that it will deliver the expected results. D. A user project team (UPT) completes the assigned tasks, communicates effectively with the system development team and works according to the advice of the project manager. A UPT is not responsible for reviewing the progress of the project. 6. While evaluating software development practices in an organization, an IS auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the: A. effectiveness of the QA function because it should interact between project management and user management. B. efficiency of the QA function because it should interact with the project implementation team. C. effectiveness of the project manager because the project manager should interact with the QA function. D. efficiency of the project manager because the QA function will need to communicate with the project implementation team. A is the correct answer. Justification: A. To be effective, the quality assurance (QA) function should be independent of project management. If not, project management may put pressure on the QA function to approve an inadequate product. B. The efficiency of the QA function would not be impacted by interacting with the project implementation team. The QA team would not release a product for implementation until it had met QA requirements. C. The project manager will respond to the issues raised by the QA team. This will not impact the effectiveness of the project manager. D. The QA function’s interaction with the project implementation team should not impact the efficiency of the project manager. 7. Which of the following would BEST help to prioritize project activities and determine the time line for a project? A. A Gantt chart B. Earned value analysis (EVA) C. Program evaluation review technique (PERT) D. Function point analysis (FPA) A is the correct answer. Justification: A. Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. B. The usage of nonstandard data definitions would lower the efficiency of the new development, and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion is risky and is not a viable solution. C. Delaying the project would be an inappropriate suggestion because of business requirements or the likely damage to entire project profitability. D. Punishing the violators would be outside the authority of the auditor and inappropriate until the reason for the violations have be determined. 8. An IS auditor has found time constraints and expanded needs to be the root causes for recent violations of corporate data definition standards in a new business intelligence project. Which of the following is the MOST appropriate suggestion for an auditor to make? A. Achieve standards alignment through an increase of resources devoted to the project. B. Align the data definition standards after completion of the project. C. Delay the project until compliance with standards can be achieved. D. Enforce standard compliance by adopting punitive measures against violators. A is the correct answer. Justification: A. Provided that data architecture, technical and operational requirements are sufficiently documented, the alignment to standards could be treated as a specific work package assigned to new project resources. B. The usage of nonstandard data definitions would lower the efficiency of the new development, and increase the risk of errors in critical business decisions. To change data definition standards after project conclusion is risky and is not a viable solution. C. Delaying the project would be an inappropriate suggestion because of business requirements or the likely damage to entire project profitability. D. Punishing the violators would be outside the authority of the auditor and inappropriate until the reason for the violations have be determined. 9. Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing? A. Requirements should be tested in terms of importance and frequency of use. B. Test coverage should be restricted to functional requirements. C. Automated tests should be performed through the use of scripting. D. The number of required test runs should be reduced by retesting only defect fixes. A is the correct answer. Justification: A. The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements because complexity tends to increase the likelihood of defects. B. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored. C. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative. D. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress (i.e., introduced errors in parts of the system that were previously working correctly). For this reason, it is a good practice to undertake formal regression testing after defect fixes have been implemented. 10.Who should review and approve system deliverables as they are defined and accomplished to ensure the successful completion and implementation of a new business system application? A. User management B. Project steering committee C. Senior management D. Quality assurance staff A is the correct answer. Justification: A. User management assumes ownership of the project and resulting system, allocates qualified representatives to the team and actively participates in system requirements definition, acceptance testing and user training. User management should review and approve system deliverables as they are defined and accomplished or implemented. B. A project steering committee provides overall direction, ensures appropriate representation of the major stakeholders in the project’s outcome, reviews project progress regularly and holds emergency meetings when required. A project steering committee is ultimately responsible for all deliverables, project costs and schedules. C. Senior management demonstrates commitment to the project and approves the necessary resources to complete the project. This commitment from senior management helps ensure involvement by those who are needed to complete the project. D. Quality assurance staff review results and deliverables within each phase, and at the end of each phase confirm compliance with standards and requirements. The timing of reviews depends on the system development life cycle, the impact of potential deviation methodology used, the structure and magnitude of the system and the impact of potential deviation. 11.An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform? A. Program output testing B. System configuration C. Program logic specification D. Performance tuning A is the correct answer. Justification: A. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user. B. System configuration is usually too technical to be accomplished by a user and this situation could create security issues. This could introduce a segregation of duties issue. C. Program logic specification is a very technical task that is normally performed by a programmer. This could introduce a segregation of duties issue. D. Performance tuning also requires high levels of technical skill and will not be effectively accomplished by a user. This could introduce a segregation of duties issue. 12.From a risk management point of view, the BEST approach when implementing a large and complex IT infrastructure is: A. a major deployment after proof of concept. B. prototyping and a one-phase deployment. C. a deployment plan based on sequenced phases. D. to simulate the new infrastructure before deployment. C is the correct answer. Justification: A. A major deployment would pose a higher risk of implementation failure. B. Prototyping may reduce development failure, but a large environment will usually require a phased approach. C. When developing a large and complex IT infrastructure, a good practice is to use a phased approach to fit the entire system together. This will provide greater assurance of quality results. D. It is not usually feasible to simulate a large and complex IT infrastructure prior to deployment. 13.During a postimplementation review, which of the following activities should be performed? A. User acceptance testing (UAT) B. Return on investment (ROI) analysis C. Activation of audit trails D. Updates of the state of enterprise architecture (EA) diagrams B is the correct answer. Justification: A. User acceptance testing (UAT) should be performed prior to the implementation (perhaps during the development phase), not after the implementation. B. Following implementation, a cost-benefit analysis or return on investment (ROI) should be re-performed to verify that the original business case benefits are delivered. C. The audit trail should be activated during the implementation of the application. D. While updating the enterprise architecture (EA) diagrams is a best practice, it would not normally be part of a postimplementation review. 14.The PRIMARY objective of conducting a postimplementation review for a business process automation project is to: A. ensure that the project meets the intended business requirements. B. evaluate the adequacy of controls. C. confirm compliance with technological standards. D. confirm compliance with regulatory requirements. A is the correct answer. Justification: A. Ensuring that the project meets the intended business requirements is the primary objective of a postimplementation review. B. Evaluating the adequacy of controls may be part of the review but is not the primary objective. C. Confirming compliance with technological standards is normally not part of the postimplementation review because this should be addressed during the design and development phase. D. Confirming compliance with regulatory requirements is normally not part of the postimplementation review because this should be addressed during the design and development phase. 15.A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing-off on the accuracy and completeness of the data before going live? A. IS auditor B. Database administrator C. Project manager D. Data owner D is the correct answer. Justification: A. An IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project. B. A database administrator’s primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data. C. A project manager provides day-to-day management and leadership of the project but is not responsible for the accuracy and integrity of the data. D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing-off that the data are migrated completely and accurately and are valid. An IS auditor is not responsible for reviewing and signing-off on the accuracy of the converted data. 16.An IS auditor should ensure that review of online electronic funds transfer (EFT) reconciliation procedures should include: A. vouching. B. authorizations. C. corrections. D. tracing. D is the correct answer. Justification: A. Vouching is usually performed during the funds transfer, not during the reconciliation effort. B. In online processing, authorizations are normally done automatically by the system not during the reconciliation. C. Correction entries should be reviewed during a reconciliation; however, they are normally done by an individual other than the person entrusted to do reconciliations and are not as important as tracing. D. Tracing is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In electronic funds transfer (EFT) transactions, the direction on tracing may start from the customer-printed copy of the receipt, checking the system audit trails and logs, and finally checking the master file records for daily transactions. DOMAIN 4 Information Systems Operations, Maintenance and Service Management 1. Which of the following issues should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)? A. A service adjustment resulting from an exception report took a day to implement. B. The complexity of application logs used for service monitoring made the review difficult. C. Performance measures were not included in the SLA. D. The document is updated on an annual basis. C is the correct answer. Justification: A. Resolving issues related to exception reports is an operational issue that should be addressed in the service level agreement (SLA); however, a response time of one day may be acceptable depending on the terms of the SLA. B. The complexity of application logs is an operational issue, which is not related to the SLA. C. Lack of performance measures will make it difficult to gauge the efficiency and effectiveness of the IT services being provided. D. While it is important that the document be current, depending on the term of the agreement, it may not be necessary to change the document more frequently than annually. 2. During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST? A. Postpone the audit until the agreement is documented. B. Report the existence of the undocumented agreement to senior management. C. Confirm the content of the agreement with both departments. D. Draft a service level agreement (SLA) for the two departments. C is the correct answer. Justification: A. There is no reason to postpone an audit because a service agreement is not documented, unless that is all that is being audited. The agreement can be documented after it has been established that there is an agreement in place. B. Reporting to senior management is not necessary at this stage of the audit because this is not a serious immediate vulnerability. C. An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this will be to ensure that both parties are in agreement with the terms of the agreement. D. Drafting a service level agreement (SLA) is not the IS auditor’s responsibility. 3. Which of the following is the BEST reference for an IS auditor to determine a vendor’s ability to meet service level agreement (SLA) requirements for a critical IT security service? A. Compliance with the master agreement B. Agreed-on key performance metrics C. Results of business continuity tests D. Results of independent audit reports B is the correct answer. Justification: A. The master agreement typically includes terms, conditions and costs but does not typically include service levels. B. Metrics allow for a means to measure performance. Service level agreements (SLAs) are statements related to expected service levels. For example, an Internet service provider (ISP) may guarantee that their service will be available 99.99 percent of the time. C. If applicable to the service, results of business continuity tests are typically included as part of the due diligence review. D. Independent audits report on the financial condition of an organization or the control environment. Reviewing audit reports is typically part of the due diligence review. Even audits must be performed against a set of standards or metrics to validate compliance. 4. When reviewing the configuration of network devices, an IS auditor should FIRST identify: A. the good practices for the type of network devices deployed. B. whether components of the network are missing. C. the importance of the network devices in the topology. D. whether subcomponents of the network are being used appropriately. C is the correct answer. Justification: A. After understanding the devices in the network, a good practice for using the device should be reviewed to ensure that there are no anomalies within the configuration. B. Identification of which component is missing can only be known upon reviewing and understanding the topology and a good practice for deployment of the device in the network. C. The first step is to understand the importance and role of the network device within the organization’s network topology. D. Identification of which subcomponent is being used inappropriately can only be known upon reviewing and understanding the topology and a good practice for deployment of the device in the network. 5. Which of the following processes should an IS auditor recommend to assist in the recording of baselines for software releases? A. Change management B. Backup and recovery C. Incident management D. Configuration management D is the correct answer. Justification: A. Change management is important to control changes to the configuration, but the baseline itself refers to a standard configuration. B. Backup and recovery of the configuration are important, but not used to create the baseline. C. Incident management will determine how to respond to an adverse event, but is not related to recording baseline configurations. D. The configuration management process may include automated tools that will provide an automated recording of software release baselines. Should the new release fail, the baseline will provide a point to which to return. 6. An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation? A. Malware on servers B. Firewall misconfiguration C. Increased spam received by the email server D. Unauthorized network activities D is the correct answer. Justification: A. The existence of malware on the organization’s server could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. B. Firewall misconfiguration could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. C. The existence of spam on the organization’s email server could contribute to network performance issues, but the degraded performance would not likely be restricted to business hours. D. Unauthorized network activities—such as employee use of file or music sharing sites or online gambling or personal email containing large files or photos—could contribute to network performance issues. Because the IS auditor found the degraded performance during business hours, this is the most likely cause. 7. During fieldwork, an IS auditor experienced a system crash caused by a security patch installation. To provide reasonable assurance that this event will not recur, the IS auditor should ensure that: A. only systems administrators perform the patch process. B. the client’s change management process is adequate. C. patches are validated using parallel testing in production. D. an approval process of the patch, including a risk assessment, is developed. B is the correct answer. Justification: A. While system administrators would normally install patches, it is more important that changes be made according to a formal procedure that includes testing and implementing the change during nonproduction times. B. The change management process, which would include procedures regarding implementing changes during production hours, helps to ensure that this type of event does not recur. An IS auditor should review the change management process, including patch management procedures, to verify that the process has adequate controls and to make suggestions accordingly. C. While patches would normally undergo testing, it is often impossible to test all patches thoroughly. It is more important that changes be made during nonproduction times, and that a backout plan is in place in case of problems. D. An approval process alone could not directly prevent this type of incident from happening. There should be a complete change management process that includes testing, scheduling and approval. 8. Which of the following ways is the BEST for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor? A. Ensure that automatic updates are enabled on critical production servers. B. Verify manually that the patches are applied on a sample of production servers. C. Review the change management log for critical production servers. D. Run an automated tool to verify the security patches on production servers. D is the correct answer. Justification: A. Ensuring that automatic updates are enabled on production servers may be a valid way to manage the patching process; however, this would not provide assurance that all servers are being patched appropriately. B. Verifying patches manually on a sample of production servers will be less effective than automated testing and introduces a significant audit risk. Manual testing is also difficult and time consuming. C. The change management log may not be updated on time and may not accurately reflect the patch update status on servers. A better testing strategy is to test the server for patches, rather than examining the change management log. D. An automated tool can immediately provide a report on which patches have been applied and which are missing. 9. The database administrator (DBA) suggests that database efficiency can be improved by denormalizing some tables. This would result in: A. loss of confidentiality. B. increased redundancy. C. unauthorized accesses. D. application malfunctions. B is the correct answer. Justification: A. Denormalization should not cause loss of confidentiality even though confidential data may be involved. The database administrator (DBA) should ensure that access controls to the databases remain effective. B. Normalization is a design or optimization process for a relational database that minimizes redundancy; therefore, denormalization would increase redundancy. Redundancy, which is usually considered positive when it is a question of resource availability, is negative in a database environment because it demands additional and otherwise unnecessary data handling efforts. Denormalization is sometimes advisable for functional reasons. C. Denormalization pertains to the structure of the database, not the access controls. It should not result in unauthorized access. D. Denormalization may require some changes to the calls between databases and applications, but should not cause application malfunctions. 10.Segmenting a highly sensitive database results in: A. reduced exposure. B. reduced threat. C. less criticality. D. less sensitivity. A is the correct answer. Justification: A. Segmenting data reduces the quantity of data exposed as a result of a particular event. B. The threat may remain constant, but each segment may represent a different vector against which it must be directed. C. Criticality (availability) of data is not affected by the manner in which it is segmented. D. Sensitivity of data is not affected by the manner in which it is segmented. 11.An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access is not consistent with company policy yet is required for smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution? A. Redesign the controls related to data authorization. B. Implement additional segregation of duties controls. C. Review policy to see if a formal exception process is required. D. Implement additional logging controls. C is the correct answer. Justification: A. Data authorization controls should be driven by the policy. While there may be some technical controls that could be adjusted, if the data changes happen infrequently, then an exception process would be the better choice. B. While adequate segregation of duties is important, it is simpler to fix the policy versus adding additional controls to enforce segregation of duties. C. If the users are granted access to change data in support of the business requirements, but the policy forbids this, then perhaps the policy needs some adjustment to allow for policy exceptions to occur. D. Audit trails are needed, but this is not the best long-term solution to address this issue. Additional resources would be required to review logs. 12.Which of the following choices BEST ensures accountability when updating data directly in a production database? A. Before and after screen images B. Approved implementation plans C. Approved validation plan D. Data file security A is the correct answer. Justification: A. Creating before and after images is the best way to ensure that the appropriate data have been updated in a direct data change. The screen shots would include the data prior to and after the change. B. Having approved implementation plans would verify that the change was approved to be implemented but will not ensure that the appropriate change was made. C. Having an approved validation plan will ensure that the data change had a validation plan designed prior to the data change but will not ensure that the data change was appropriate and correct. D. Data file security would only ensure that the user making the data change was appropriate. It would not ensure that the data change was correct. 13.Which of the following specifically addresses how to detect cyberattacks against an organization’s IT systems and how to recover from an attack? A. An incident response plan (IRP) B. An IT contingency plan C. A business continuity plan (BCP) D. A continuity of operations plan (COOP) A is the correct answer. Justification: A. The incident response plan (IRP) determines the information security responses to incidents such as cyberattacks on systems and/or networks. This plan establishes procedures to enable security personnel to identify, mitigate and recover from malicious computer incidents such as unauthorized access to a system or data, denial-of-service (DoS) or unauthorized changes to system hardware or software. B. The IT contingency plan addresses IT system disruptions and establishes procedures for recovering from a major application or general support system failure. The contingency plan deals with ways to recover from an unexpected failure, but it does not address the identification or prevention of cyberattacks. C. The business continuity plan (BCP) addresses business processes and provides procedures for sustaining essential business operations while recovering from a significant disruption. While a cyberattack could be severe enough to require use of the BCP, the IRP would be used to determine which actions should be taken—both to stop the attack as well as to resume normal operations after the attack. D. The continuity of operations plan (COOP) addresses the subset of an organization’s missions that are deemed most critical and contains procedures to sustain these functions at an alternate site for a short time period. 14.The PRIMARY objective of performing a postincident review is that it presents an opportunity to: A. improve internal control procedures. B. harden the network to industry good practices. C. highlight the importance of incident response management to management. D. improve employee awareness of the incident response process. A is the correct answer. Justification: A. A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving the incident response plan based on the incident review is an internal (corrective) control. B. A postincident review may result in improvements to controls, but its primary purpose is not to harden a network. C. The purpose of postincident review is to ensure that the opportunity is presented to learn lessons from the incident. It is not intended as a forum to educate management. D. An incident may be used to emphasize the importance of incident response, but that is not the intention of the postincident review. 15.In a small organization, developers may release emergency changes directly to production. Which of the following will BEST control the risk in this situation? A. Approve and document the change the next business day. B. Limit developer access to production to a specific time frame. C. Obtain secondary approval before releasing to production. D. Disable the compiler option in the production machine. A is the correct answer. Justification: A. It may be appropriate to allow programmers to make emergency changes as long as they are documented and approved after the fact. B. Restricting release time frame may help somewhat; however, it would not apply to emergency changes and cannot prevent unauthorized release of the programs. C. Obtaining secondary approval before releasing to production is not relevant in an emergency situation. D. Disabling the compiler option in the production machine is not relevant in an emergency situation. 16.During an audit of a small enterprise, the IS auditor noted that the IS director has superuserprivilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend? A. Implement a properly documented process for application role change requests. B. Hire additional staff to provide a segregation of duties (SoD) for application role changes. C. Implement an automated process for changing application roles. D. Document the current procedure in detail, and make it available on the enterprise intranet. A is the correct answer. Justification: A. The IS auditor should recommend implementation of processes that could prevent or detect improper changes from being made to the major application roles. The application role change request process should start and be approved by the business owner; then, the IS director can make the changes to the application. B. While it is preferred that a strict segregation of duties (SoD) be adhered to and that additional staff be recruited, this practice is not always possible in small enterprises. The IS auditor must look at recommended alternative processes. C. An automated process for managing application roles may not be practical to prevent improper changes being made by the IS director, who also has the most privileged access to the application. D. Making the existing process available on the enterprise intranet would not provide any value to protect the system. 17.An IS auditor discovers that some users have installed personal software on their PCs. This is not explicitly forbidden by the security policy. Of the following, the BEST approach for an IS auditor is to recommend that the: A. IT department implement control mechanisms to prevent unauthorized software installation. B. security policy be updated to include specific language regarding unauthorized software. C. IT department prohibit the download of unauthorized software. D. users obtain approval from an IS manager before installing nonstandard software. B is the correct answer. Justification: A. An IS auditor’s obligation is to report on observations noted and make the best recommendation, which is to address the situation through policy. The IT department cannot implement controls in the absence of the authority provided through policy. B. Lack of specific language addressing unauthorized software in the acceptable use policy is a weakness in administrative controls. The policy should be reviewed and updated to address the issue—and provide authority for the IT department to implement technical controls. C. Preventing downloads of unauthorized software is not the complete solution. Unauthorized software can be also introduced through compact discs (CDs) and universal serial bus (USB) drives. D. Requiring approval from the IS manager before installation of the nonstandard software is an exception handling control. It would not be effective unless a preventive control to prohibit user installation of unauthorized software is established first. 18.Which of the following is a prevalent risk in the development of end-user computing (EUC) applications? A. Applications may not be subject to testing and IT general controls. B. Development and maintenance costs may be increased. C. Application development time may be increased. D. Decision-making may be impaired due to diminished responsiveness to requests for information. A is the correct answer. Justification: A. End-user computing (EUC) is defined as the ability of end users to design and implement their own information system utilizing computer software products. End-user developed applications may not be subjected to an independent outside review by systems analysts and frequently are not created in the context of a formal development methodology. These applications may lack appropriate standards, controls, quality assurance procedures, and documentation. A risk of end-user applications is that management may rely on them as much as traditional applications. B. EUC systems typically result in reduced application development and maintenance costs. C. EUC systems typically result in a reduced development cycle time. D. EUC systems normally increase flexibility and responsiveness to management’s information requests because the system is being developed directly by the user community. 19.During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the IS auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor? A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident. B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices. C. Corporate security measures have not been incorporated into the test plan. D. A test has not been made to ensure that tape backups from the remote offices are usable. A is the correct answer. Justification: A. Regardless of the capability of local IT resources, the most critical risk would be the lack of testing, which would identify quality issues in the recovery process. B. The corporate business continuity plan (BCP) may not include disaster recovery plan (DRP) details for remote offices. It is important to ensure that the local plans have been tested. C. Security is an important issue because many controls may be missing during a disaster. However, not having a tested plan is more important. D. The backups cannot be trusted until they have been tested. However, this should be done as part of the overall tests of the DRP. 20.Which of the following is the BEST indicator of the effectiveness of backup and restore procedures while restoring data after a disaster? A. Members of the recovery team were available. B. Recovery time objectives (RTOs) were met. C. Inventory of backup tapes was properly maintained. D. Backup tapes were completely restored at an alternate site. B is the correct answer. Justification: A. The availability of key personnel does not ensure that backup and restore procedures will work effectively. B. The effectiveness of backup and restore procedures is best ensured by recovery time objectives (RTOs) being met because these are the requirements that are critically defined during the business impact analysis stage, with the inputs and involvement of all business process owners. C. The inventory of the backup tapes is only one element of the successful recovery. D. The restoration of backup tapes is a critical success, but only if they were able to be restored within the time frames set by the RTO. 21.An IS auditor is reviewing the most recent disaster recovery plan (DRP) of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan? A. Executive management B. IT management C. Board of directors D. Steering committee B is the correct answer. Justification: A. Although executive management’s approval is essential, the IT department is responsible for managing system resources and their availability as related to disaster recovery (DR). B. Because a disaster recovery plan (DRP) is based on the recovery and provisioning of IT services, IT management’s approval would be most important to verify that the system resources will be available in the event that a disaster event is triggered. C. The board of directors may review and approve the DRP, but the IT department is responsible for managing system resources and their availability as related to DR. D. The steering committee would determine the requirements for disaster recovery (recovery time objective [RTO] and recovery point objective [RPO]); however, the IT department is responsible for managing system resources and their availability as related to DR. 22.Which of the following is the MOST efficient way to test the design effectiveness of a change control process? A. Test a sample population of change requests B. Test a sample of authorized changes C. Interview personnel in charge of the change control process D. Perform an end-to-end walk-through of the process D is the correct answer. Justification: A. Testing a sample population of changes is a test of compliance and operating effectiveness to ensure that users submitted the proper documentation/requests. It does not test the effectiveness of the design. B. Testing changes that have been authorized may not provide sufficient assurance of the entire process because it does not test the elements of the process related to authorization or detect changes that bypassed the controls. C. Interviewing personnel in charge of the change control process is not as effective as a walkthrough of the change controls process because people may know the process but not follow it. D. Observation is the best and most effective method to test changes to ensure that the process is effectively designed. 23.Which of the following is the GREATEST risk of an organization using reciprocal agreements for disaster recovery between two business units? A. The documents contain legal deficiencies. B. Both entities are vulnerable to the same incident. C. IT systems are not identical. D. One party has more frequent disruptions than the other. B is the correct answer. Justification: A. Inadequate agreements between two business units is a risk, but generally a lesser one than the risk that both organizations will suffer a disaster at the same time. B. The use of reciprocal disaster recovery is based on the probability that both organizations will not suffer a disaster at the same time. C. While incompatible IT systems could create problems, it is a less significant risk than both organizations suffering from the same disaster at the same time. D. While one party may utilize the other’s resources more frequently, this can be addressed by contractual provisions and is not a major risk. DOMAIN 5 Protection of Information Assets 1. An information security policy stating that “the display of passwords must be masked or suppressed” addresses which of the following attack methods? A. Piggybacking B. Dumpster diving C. Shoulder surfing D. Impersonation C is the correct answer. Justification: A. Piggybacking refers to unauthorized persons following, either physically or virtually, authorized persons into restricted areas. Masking the display of passwords would not prevent someone from tailgating an authorized person. B. This policy only refers to “the display of passwords,” not dumpster diving (looking through an organization’s trash for valuable information). C. If a password is displayed on a monitor, any person or camera nearby could look over the shoulder of the user to obtain the password. D. Impersonation refers to someone acting as an employee in an attempt to retrieve desired information. 2. With the help of a security officer, granting access to data is the responsibility of: A. data owners. B. programmers. C. system analysts. D. librarians. A is the correct answer. Justification: A. Data owners are responsible for the access to and use of data. Written authorization for users to gain access to computerized information should be provided by the data owners. Security administration with the owners’ approval sets up access rules stipulating which users or group of users are authorized to access data or files and the level of authorized access (e.g., read or update). B. Programmers will develop the access control software that will regulate the ways that users can access the data (update, read, delete, etc.), but the programmers do not have responsibility for determining who gets access to data. C. Systems analysts work with the owners and programmers to design access controls according to the rules set by the owners. D. The librarians enforce the access control procedures they have been given but do not determine who gets access. 3. Which of the following environmental controls is appropriate to protect computer equipment against short-term reductions in electrical power? A. Power line conditioners B. Surge protective devices C. Alternative power supplies D. Interruptible power supplies A is the correct answer. Justification: A. Power line conditioners are used to compensate for peaks and valleys in the power supply and reduce peaks in the power flow to what is needed by the machine. Any valleys are removed by power stored in the equipment. B. Surge protection devices protect against high-voltage bursts. C. Alternative power supplies are intended for power failures that last for longer periods and are normally coupled with other devices such as an uninterruptible power supply (UPS) to compensate for the power loss until the alternate power supply becomes available. D. An interruptible power supply would cause the equipment to come down whenever there was a power failure. 4. An IS auditor is reviewing the physical security measures of an organization. Regarding the access card system, the IS auditor should be MOST concerned that: A. nonpersonalized access cards are given to the cleaning staff, who use a sign-in sheet but show no proof of identity. B. access cards are not labeled with the organization’s name and address to facilitate easy return of a lost card. C. card issuance and rights administration for the cards are done by different departments, causing unnecessary lead time for new cards. D. the computer system used for programming the cards can only be replaced after three weeks in the event of a system failure. A is the correct answer. Justification: A. Physical security is meant to control who is entering a secured area, so identification of all individuals is of utmost importance. It is not adequate to trust unknown external people by allowing them to write down their alleged name without proof, e.g., identity card, driver’s license. B. Having the name and address of the organization on the card may be a concern because a malicious finder could use a lost or stolen card to enter the organization’s premises. C. Separating card issuance from technical rights management is a method to ensure the proper segregation of duties so that no single person can produce a functioning card for a restricted area within the organization’s premises. The long lead time is an inconvenience but not a serious audit risk. D. System failure of the card programming device would normally not mean that the readers do not function anymore. It simply means that no new cards can be issued, so this option is minor compared to the threat of improper identification. 5. The PRIMARY purpose of installing data leak prevention (DLP) software is to control which of the following choices? A. Access privileges to confidential files stored on servers B. Attempts to destroy critical data on the internal network C. Which external systems can access internal resources D. Confidential documents leaving the internal network D is the correct answer. Justification: A. Access privileges to confidential files stored on the server will be controlled through digital rights management (DRM) software. B. Potential attacks to systems on the internal network would normally be controlled through an intrusion detection system (IDS) and intrusion prevention system (IPS) as well as by security controls of the systems themselves. Data leak prevention (DLP) systems focus on data leaving the enterprise. C. Controlling what external systems can access internal resources is the function of a firewall rather than a DLP system. D. A server running a DLP software application uses predefined criteria to check whether any confidential documents or data are leaving the internal network. 6. Neural networks are effective in detecting fraud because they can: A. discover new trends because they are inherently linear. B. solve problems where large and general sets of training data are not obtainable. C. attack problems that require consideration of a large number of input variables. D. make assumptions about the shape of any curve relating variables to the output. C is the correct answer. Justification: A. Neural networks are inherently nonlinear. B. Neural networks will not work well at solving problems for which sufficiently large and general sets of training data are not obtainable. C. Neural networks can be used to attack problems that require consideration of numerous input variables. They are capable of capturing relationships and patterns often missed by other statistical methods, but they will not discover new trends. D. Neural networks make no assumption about the shape of any curve relating variables to the output. 7. The FIRST step in data classification is to: A. establish ownership. B. perform a criticality analysis. C. define access rules. D. create a data dictionary. A is the correct answer. Justification: A. Data classification is necessary to define access rules based on a need-to-do and need-to know basis. The data owner is responsible for defining the access rules; therefore, establishing ownership is the first step in data classification. B. A criticality analysis is required to determine the appropriate levels of protection of data, according to the data classification. C. Access rules are set up dependent on the data classification. D. Input for a data dictionary is prepared from the results of the data classification process. 8. From a control perspective, the PRIMARY objective of classifying information assets is to: A. establish guidelines for the level of access controls that should be assigned. B. ensure access controls are assigned to all information assets. C. assist management and auditors in risk assessment. D. identify which assets need to be insured against losses. A is the correct answer. Justification: A. Information has varying degrees of sensitivity and criticality in meeting business objectives. By assigning classes or levels of sensitivity and criticality to information resources, management can establish guidelines for the level of access controls that should be assigned. End user management and the security administrator will use these classifications in their risk assessment process to assign a given class to each asset. B. Not all information needs to be protected through access controls. Overprotecting data would be expensive. C. The classification of information is usually based on the risk assessment, not the other way around. D. Insuring assets is valid; however, this is not the primary objective of information classification. 9. When reviewing the procedures for the disposal of computers, which of the following should be the GREATEST concern for the IS auditor? A. Hard disks are overwritten several times at the sector level but are not reformatted before leaving the organization. B. All files and folders on hard disks are separately deleted, and the hard disks are formatted before leaving the organization. C. Hard disks are rendered unreadable by hole-punching through the platters at specific positions before leaving the organization. D. The transport of hard disks is escorted by internal security staff to a nearby metal recycling company, where the hard disks are registered and then shredded. B is the correct answer. Justification: A. Overwriting a hard disk at the sector level would completely erase data, directories, indices and master file tables. Reformatting is not necessary because all contents are destroyed. Overwriting several times makes useless some forensic measures, which are able to reconstruct former contents of newly overwritten sectors by analyzing special magnetic features of the platter’s surface. B. Deleting and formatting does not completely erase the data but only marks the sectors that contained files as being free. There are tools available over the Internet which allow one to reconstruct most of a hard disk’s contents. C. While hole-punching does not delete file contents, the hard disk cannot be used anymore, especially when head parking zones and track zero information are impacted. Reconstructing data would be extremely expensive because all analysis must be performed under a clean room atmosphere and is only possible within a short time frame or until the surface is corroded. D. Data reconstruction from shredded hard disks is virtually impossible, especially when the scrap is mixed with other metal parts. If the transport can be secured and the destruction be proved as described in the option, this is a valid method of disposal. 10.The risk of dumpster diving is BEST mitigated by: A. implementing security awareness training. B. placing shred bins in copy rooms. C. developing a media disposal policy. D. placing shredders in individual offices. A is the correct answer. Justification: A. Dumpster diving is used to steal documents or computer media that were not properly discarded. Users should be educated to know the risk of carelessly discarding sensitive documents and other items. B. The shred bins may not be properly used if users are not aware of proper security techniques. C. A media disposal policy is a good idea; however, if users are not aware of the policy it may not be effective. D. The shredders may not be properly used if users are not aware of proper security techniques. 11.Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program? A. Review the security training program. B. Ask the security administrator. C. Interview a sample of employees. D. Review the security reminders to employees. C is the correct answer. Justification: A. A security training program may be well designed, but the results of the program will be determined by employee awareness. B. Asking the security administrator would not show the effectiveness of a security awareness and training program because such a program should target more than just the administrator. C. Interviewing a sample of employees is the best way to determine the effectiveness of a security awareness and training program because overall awareness must be determined and effective security is dependent on people. Reviewing the security training program would not be the ultimate indicator of the effectiveness of the awareness training. D. Reviewing the security reminders to the employees is not the best way to find out the effectiveness of the training awareness because sending reminders may result in little actual awareness. 12.Which of the following is the MAIN reason an organization should have an incident response plan? The plan helps to: A. ensure prompt recovery from system outages. B. contain costs related to maintaining DRP capabilities. C. ensure that customers are promptly notified of issues such as security breaches. D. minimize the impact of an adverse event. D is the correct answer. Justification: A. Incident response plans generally deal with a wide range of possible issues, but are not a replacement for a DRP or business continuity plan (BCP). The primary focus of a DRP, not the incident response plan, is to restore IT systems to a working state. B. An effective incident response plan could minimize damage to the organization, which minimizes costs, but the main purpose of the incident response plan is to minimize damage. Possible damage could include nonfinancial metrics, such as damage to a company’s reputation. C. While an incident response plan includes elements such as when and how to contact customers about a significant incident, the primary purpose of the plan is to minimize the impact. D. An incident response plan helps minimize the impact of an incident because it provides a controlled response to incidents. The phases of the plan include planning, detection, evaluation, containment, eradication, escalation, response, recovery, reporting, postincident review and a review of lessons learned. 13.The CSIRT of an organization disseminates detailed descriptions of recent threats. An IS auditor’s GREATEST concern should be that the users may: A. use this information to launch attacks. B. forward the security alert. C. implement individual solutions. D. fail to understand the threat. A is the correct answer. Justification: A. An organization’s computer security incident response team (CSIRT) should disseminate recent threats, security guidelines and security updates to the users to assist them in understanding the security risk of errors and omissions. However, this introduces the risk that the users may use this information to launch attacks, directly or indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to assist them in mitigation of risk arising from security failures and to prevent additional security incidents resulting from the same threat. B. Forwarding the security alert is not harmful to the organization. C. Implementing individual solutions is unlikely and inefficient, but not a serious risk. D. Users failing to understand the threat would not be a serious concern. 14.An IS audit department considers implementing continuous auditing techniques for a multinational retail enterprise that requires high availability of its key systems. A PRIMARY benefit of continuous auditing is that: A. effective preventive controls are enforced. B. system integrity is ensured. C. errors can be corrected in a timely fashion. D. fraud can be detected more quickly. D is the correct answer. Justification: A. Continuous monitoring is detective in nature and, therefore, does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurred. In addition, continuous monitoring will benefit the internal audit function in reducing the use of auditing resources and in the timely reporting of errors or inconsistencies. B. System integrity is typically associated with preventive controls such as input controls and quality assurance reviews. These controls do not typically benefit an internal auditing function implementing continuous monitoring. Continuous monitoring benefits the internal audit function because it reduces the use of auditing resources. C. Continuous audit will detect errors but not correct them. Correcting errors is the function of the organization's management and not the internal audit function. Continuous auditing benefits the internal audit function because it reduces the use of auditing resources to create a more efficient auditing function. D. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence. This approach assists the IS auditors in identifying fraud in a timely fashion and allows the auditors to focus on relevant data. 15.The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function? A. Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit. B. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence. C. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts. D. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring. C is the correct answer. Justification: A. The ability of IT to continuously monitor and address any issues on IT systems would not affect the ability of IS audit to perform a comprehensive audit. B. Sharing the scripts may be required by policy for the sake of quality assurance and configuration management, but that would not impair the ability to audit. C. IS audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts themselves, but they can still audit the systems. D. An audit of an IS system would encompass more than just the controls covered in the scripts. 16.The success of control self-assessment (CSA) depends highly on: A. having line managers assume a portion of the responsibility for control monitoring. B. assigning staff managers the responsibility for building, but not monitoring, controls. C. the implementation of a stringent control policy and rule-driven controls. D. the implementation of supervision and the monitoring of controls of assigned duties. A is the correct answer. Justification: A. The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly. B. CSA requires managers to participate in the monitoring of controls. C. The implementation of stringent controls will not ensure that the controls are working correctly. D. Better supervision is a compensating and detective control and may assist in ensuring control effectiveness, but would work best when used in a formal process such as CSA. 17.When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts? A. Ensure that the IT security risk assessment has a clearly defined scope. B. Require the IT security officer to approve each risk rating during the workshop. C. Suggest that the IT security officer accept the business unit risk and rating. D. Select only commonly accepted risk with the highest submitted rating. A is the correct answer. Justification: A. The IT risk assessment should have a clearly defined scope to be efficient and meet the objectives of risk identification. The IT risk assessment should include relationships with risk assessments in other areas, if appropriate. B. It is most likely that the IT security officer is not in a position to approve risk ratings, and the results of the workshop may need to be compiled and analyzed following the workshop, making approval during the workshop improbable. C. The facilitator of the workshop should encourage input from all parties without causing embarrassment or intimidation. However, the IT security officer is not expected to accept risk—that is a senior management function. D. The purpose of a workshop is to brainstorm and draw out the input of all participants, not just to address commonly accepted risk. 18.An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff response to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario? A. Notify the local fire department of the alarm condition. B. Prepare to activate the fire suppression system. C. Ensure that all persons in the data center are evacuated. D. Remove all backup tapes from the data center. C is the correct answer. Justification: A. Life safety is always the first priority, and notifying the fire department of the alarm is not typically necessary because most data center alarms are configured to automatically report to the local authorities. B. Fire suppression systems are designed to operate automatically, and activating the system when staff are not yet evacuated could create confusion and panic, leading to injuries or even fatalities. Manual triggering of the system could be necessary under certain conditions, but only after all other data center personnel are safely evacuated. C. In an emergency, safety of life is always the first priority; therefore, the complete and orderly evacuation of the facility staff would be the most important activity. D. Removal of backup tapes from the data center is not an appropriate action because it could delay the evacuation of personnel. Most companies would have copies of backup tapes in offsite storage to mitigate the risk of data loss for this type of disaster. 19.When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of: A. excessive transaction turnaround time. B. application interface failure. C. improper transaction authorization. D. nonvalidated batch totals. C is the correct answer. Justification: A. An excessive turnaround time is an inconvenience, but not a serious risk. B. The failure of the application interface is a risk, but not the most serious issue. Usually such a problem is temporary and easily fixed. C. Foremost among the risk associated with electronic data interchange (EDI) is improper transaction authorization. Because the interaction with the parties is electronic, there is no inherent authentication. Improper authentication would pose a serious risk of financial loss. D. The integrity of EDI transactions is important, but not as significant as the risk of unauthorized transactions. 20.An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk? A. Undocumented approval of some project changes B. Faulty migration of historical data from the old system to the new system C. Incomplete testing of the standard functionality of the ERP subsystem D. Duplication of existing payroll permissions on the new ERP subsystem B is the correct answer. Justification: A. Undocumented changes (leading to scope creep) are a risk, but the greatest risk is the loss of data integrity when migrating data from the old system to the new system. B. The most significant risk after a payroll system conversion is loss of data integrity and not being able to pay employees in a timely and accurate manner or have records of past payments. As a result, maintaining data integrity and accuracy during migration is paramount. C. A lack of testing is always a risk; however, in this case, the new payroll system is a subsystem of an existing commercially available (and therefore probably well-tested) system. D. Setting up the new system, including access permissions and payroll data, always presents some level of risk; however, the greatest risk is related to the migration of data from the old system to the new system. 21.An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization’s project management process is the MOST likely cause of this issue? A. Project scope management B. Project time management C. Project risk management D. Project procurement management A is the correct answer. Justification: A. Because the implemented functionality is greater than what was required, the most likely cause of the budget issue is failure to effectively manage project scope. Project scope management is defined as the processes required to ensure that the project includes all of the required work, and only the required work, to complete the project. B. Project time management is defined as the processes required to ensure timely completion of the project. The issue noted in the question does not mention whether projects were completed on time, so this is not the most likely cause. C. Project risk management is defined as the processes concerned with identifying, analyzing and responding to project risk. Although the budget overruns mentioned above represent one form of project risk, they appear to be caused by implementing too much functionality, which relates more directly to project scope. D. Project procurement management is defined as the processes required to acquire goods and services from outside the performing organization. Although purchasing goods and services that are too expensive can cause budget overruns, in this case the key to the question is that implemented functionality is greater than what was required, which is more likely related to project scope. 22.Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date? A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables C. Extrapolation of the overall end date based on completed work packages and current resources D. Calculation of the expected end date based on current resources and remaining available project budget C is the correct answer. Justification: A. The IS auditor cannot count on the accuracy of data in status reports for reasonable assurance. B. Interviews are a valuable source of information, but will not necessarily identify any project challenges because the people being interviewed are involved in project. C. Direct observation of results is better than estimations and qualitative information gained from interviews or status reports. Project managers and involved staff tend to underestimate the time needed for completion and the necessary time buffers for dependencies between tasks, while overestimating the completion percentage for tasks underway (i.e., 80:20 rule). D. The calculation based on remaining budget does not take into account the speed at which the project has been progressing. 23.An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor’s MAIN concern should be that the: A. complexity and risk associated with the project have been analyzed. B. resources needed throughout the project have been determined. C. technical deliverables have been identified. D. a contract for external parties involved in the project has been completed. A is the correct answer. Justification: A. Understanding complexity and risk, and actively managing these throughout a project are critical to a successful outcome. B. The resources needed will be dependent on the complexity of the project. C. It is too early to identify the technical deliverables. D. Not all projects will require contracts with external parties. 24.The PRIMARY objective of service-level management (SLM) is to: A. define, agree on, record and manage the required levels of service. B. ensure that services are managed to deliver the highest achievable level of availability. C. keep the costs associated with any service at a minimum. D. monitor and report any legal noncompliance to business management. A is the correct answer. Justification: A. The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. B. SLM does not necessarily ensure that services are delivered at the highest achievable level of availability (e.g., redundancy and clustering). Although maximizing availability might be necessary for some critical services, it cannot be applied as a general rule of thumb. C. SLM cannot ensure that costs for all services will be kept at a low or minimum level because costs associated with a service will directly reflect the customer’s requirements. D. Monitoring and reporting legal noncompliance is not a primary objective of SLM. 25.The BEST audit procedure to determine if unauthorized changes have been made to production code is to: A. examine the change control system records and trace them forward to object code files. B. review access control permissions operating within the production program libraries. C. examine object code to find instances of changes and trace them back to change control records. D. review change approved designations established within the change control system. C is the correct answer. Justification: A. Checking the change control system will not detect changes that were not recorded in the control system. B. Reviewing access control permissions will not identify unauthorized changes made previously. C. The procedure of examining object code files to establish instances of code changes and tracing these back to change control system records is a substantive test that directly addresses the risk of unauthorized code changes. D. Reviewing change approved designations will not identify unauthorized changes. 26.Which of the following is the BEST method for determining the criticality of each application system in the production environment? A. Interview the application programmers. B. Perform a gap analysis. C. Review the most recent application audits. D. Perform a business impact analysis (BIA). D is the correct answer. Justification: A. Interviews with the application programmers will provide limited information related to the criticality of the systems. B. A gap analysis is relevant to system development and project management but does not determine application criticality. C. The audits may not contain the required information about application criticality or may not have been done recently. D. A business impact analysis (BIA) will give the impact of the loss of each application. A BIA is conducted with representatives of the business that can accurately describe the criticality of a system and its importance to the business. 27.Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test? A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year. B. During the test, some of the backup systems were defective or not working, causing the test of these systems to fail. C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned. D. Every year, the same employees perform the test. The recovery plan documents are not used because every step is well known by all participants. B is the correct answer. Justification: A. This is not a concern because over the course of the year, all the systems were tested. B. The purpose of the test is to test the backup plan. When the backup systems are not working then the plan cannot be counted on in a real disaster. This is the most serious problem. C. In a real disaster, there is no need for a clean shutdown of the original production environment because the first priority is to bring the backup site up. D. A disaster recovery test should test the plan, processes, people and IT systems. Therefore, if the plan is not used, its accuracy and adequacy cannot be verified. Disaster recovery should not rely on key staff because a disaster can occur when they are not available. However, the fact that the test works is less serious than the failure of the systems and infrastructure that the recovery plan counts on. Good practice would rotate different people through the test and ensure that the plan itself is followed and tested. 28.Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)? A. Business processes owners B. IT management C. Senior business management D. Industry experts A is the correct answer. Justification: A. Business process owners have the most relevant information to contribute because the business impact analysis (BIA) is designed to evaluate criticality and recovery time lines, based on business needs. B. While IT management must be involved, they may not be fully aware of the business processes that need to be protected. C. While senior management must be involved, they may not be fully aware of the criticality of applications that need to be protected. D. The BIA is dependent on the unique business needs of the organization and the advice of industry experts is of limited value. 29.While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be: A. shadow file processing. B. electronic vaulting. C. hard-disk mirroring. D. hot-site provisioning. A is the correct answer. Justification: A. In shadow file processing, exact duplicates of the files are maintained at the same site or at a remote site. The two files are processed concurrently. This is used for critical data files such as airline booking systems. B. Electronic vaulting electronically transmits data either to direct access storage, an optical disc or another storage medium; this is a method used by banks. This is not usually in real time as much as a shadow file system is. C. Hard-disk mirroring provides redundancy in case the primary hard disk fails. All transactions and operations occur on two hard disks in the same server. D. A hot site is an alternate site ready to take over business operations within a few hours of any business interruption and is not a method for backing up data. 30.The information security policy that states “each individual must have his/her badge read at every controlled door” addresses which of the following attack methods? A. Piggybacking B. Shoulder surfing C. Dumpster diving D. Impersonation A is the correct answer. Justification: A. Piggybacking refers to unauthorized persons following authorized persons, either physically or virtually, into restricted areas. This policy addresses the polite behavior problem of holding doors open for a stranger. If every employee must have their badge read at every controlled door, no unauthorized person could enter the sensitive area. B. Shoulder surfing (looking over the shoulder of a person to view sensitive information on a screen or desk) would not be prevented by the implementation of this policy. C. Dumpster diving, looking through an organization’s trash for valuable information, could be done outside the company’s physical perimeter; therefore, this policy would not address this attack method. D. Impersonation refers to a social engineer acting as an employee, trying to retrieve the desired information. Some forms of social engineering attacks could join an impersonation attack and piggybacking, but this information security policy does not address the impersonation attack. 31.An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks? A. Internet protocol (IP) spoofing B. Phishing C. Structured query language (SQL) injection D. Denial-of-service (DoS) B is the correct answer. Justification: A. The URL is based on Hypertext Transmission Protocol (HTTP); IP spoofing is used to change the source IP address in a transmission control protocol/Internet protocol (TCP/IP) packet, not in the HTTP protocol. B. URL shortening services have been adopted by hackers to fool users and spread malware, i.e., phishing. C. Although URL shortening services can be used to perform structured query language (SQL) injections, their primary risk is being used for phishing. D. Denial-of-service (DoS) attacks are not affected by URL shortening services. 32.A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed? A. On the local network B. Outside the firewall C. In the demilitarized zone (DMZ) D. On the server that hosts the web site C is the correct answer. Justification: A. While an intrusion detection system (IDS) can be installed on the local network to ensure that systems are not subject to internal attacks, a company’s public web server would not normally be installed on the local network, but rather in the demilitarized zone (DMZ). B. It is not unusual to place a network IDS outside of the firewall just to watch the traffic that is reaching the firewall, but this would not be used to specifically protect the web application. C. Network-based IDSs detect attack attempts by monitoring network traffic. A public web server is typically placed on the protected network segment known as the demilitarized zone (DMZ). An IDS installed in the DMZ detects and reports on malicious activity originating from the Internet as well as the internal network, thus allowing the administrator to take action. D. A host-based IDS would be installed on the web server, but a network-based IDS would not. 33.What would be the MOST effective control for enforcing accountability among database users accessing sensitive information? A. Implement a log management process. B. Implement a two-factor authentication. C. Use table views to access sensitive data. D. Separate database and application servers. A is the correct answer. Justification: A. Accountability means knowing what is being done by whom. The best way to enforce the principle is to implement a log management process that would create and store logs with pertinent information such as user name, type of transaction and hour. B. Implementing a two-factor authentication would prevent unauthorized access to the database, but would not record the activity of the user when using the database. C. Using table views would restrict users from seeing data that they should not be able to see, but would not record what users did with data they were allowed to see. D. Separating database and application servers may help in better administration or even in implementing access controls, but does not address the accountability issues. 34.What is the BEST approach to mitigate the risk of a phishing attack? A. Implementation of an intrusion detection system (IDS) B. Assessment of web site security C. Strong authentication D. User education D is the correct answer. Justification: A. Intrusion detection systems (IDSs) will capture network or host traffic for analysis and may detect malicious activity but are not effective against phishing attacks. B. Assessing web site security does not mitigate the risk. Phishing is based on social engineering and often distributed through email. Web site security is only a small part of the problem. C. Phishing attacks can be mounted in various ways, often through email; strong two-factor authentication cannot mitigate most types of phishing attacks. D. The best way to mitigate the risk of phishing is to educate users to take caution with suspicious Internet communications and not to trust them until verified. Users require adequate training to recognize suspicious web pages and email. 35.Which of the following BEST encrypts data on mobile devices? A. Elliptical curve cryptography (ECC) B. Data encryption standard (DES) C. Advanced encryption standard (AES) D. The Blowfish algorithm A is the correct answer. Justification: A. Elliptical curve cryptography (ECC) requires limited bandwidth resources and is suitable for encrypting mobile devices. B. Data encryption standard (DES) uses less processing power when compared with advanced encryption standard (AES), but ECC is more suitable for encrypting data on mobile devices. C. AES is a symmetric algorithm and has the problem of key management and distribution. ECC is an asymmetric algorithm and is better suited for a mobile environment. D. The use of the Blowfish algorithm consumes too much processing power. 36.When protecting an organization’s IT systems, which of the following is normally the next line of defense after the network firewall has been compromised? A. Personal firewall B. Antivirus programs C. Intrusion detection system (IDS) D. Virtual local area network (VLAN) configuration C is the correct answer. Justification: A. Personal firewalls would be later in the defensive strategy, being located on the endpoints. B. Antivirus programs would be installed on endpoints as well as on the network, but the next layer of defense after a firewall is an intrusion detection system (IDS)/intrusion protection system (IPS). C. An IDS would be the next line of defense after the firewall. It would detect anomalies in the network/server activity and try to detect the perpetrator. D. Virtual local area network (VLAN) configurations are not intended to compensate for a compromise of the firewall. They are an architectural best practice. 37.Which of the following would MOST effectively enhance the security of a challenge-response based authentication system? A. Selecting a more robust algorithm to generate challenge strings B. Implementing measures to prevent session hijacking attacks C. Increasing the frequency of associated password changes D. Increasing the length of authentication strings B is the correct answer. Justification: A. Selecting a more robust algorithm will enhance the security; however, this may not be as important in terms of risk mitigation when compared to man-in-the-middle attacks. B. Challenge response-based authentication is prone to session hijacking or man-in-themiddle attacks. Security management should be aware of this and engage in risk assessment and control design such as periodic authentication when they employ this technology. C. Frequently changing passwords is a good security practice; however, the exposures lurking in communication pathways may pose a greater risk. D. Increasing the length of authentication strings will not prevent man-in-the-middle or session hijacking attacks. 38.An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software: A. is configured with an implicit deny rule as the last rule in the rule base. B. is installed on an operating system with default settings. C. has been configured with rules permitting or denying access to systems or networks. D. is configured as a virtual private network (VPN) endpoint. B is the correct answer. Justification: A. Configuring a firewall with an implicit deny rule is common practice. B. Default settings of most equipment—including operating systems—are often published and provide an intruder with predictable configuration information, which allows easier system compromise. To mitigate this risk, firewall software should be installed on a system using a hardened operating system that has limited functionality, providing only the services necessary to support the firewall software. C. A firewall configuration should have rules allowing or denying access according to policy. D. A firewall is often set up as the endpoint for a virtual private network (VPN). |
Which of the following choices best ensures accountability when updating data directly in a production database?
Related Posts
Copyright © 2024 SignalDuo Inc.
