the Information Technology Governance and Information Audit vol 2

Control objectives are defined in an audit program to

Select one:

a. Give the auditor a view of the big picture of what the key control issue are based on the risk and management input

b. Keep the management from changing the scope of the audit

c. Enable the auditor to scope the audit to only those issues identified in the control objective

d. Define what testing steps need to be performed in the program  

When reviewing a business and systems recovery plan, which of the following will be most important to find within the contents of the plan?

Select one:

a. Call trees depicting the recovery teams and their contact information

b. Change control information related to what has changed since the last plan update

c. Inventories of hardware and equipment used on-site

d. Simple checklists depicting the steps that need to be taken to affect a recovery 

 One of the most important reasons for having the audit organization report to the audit committee of the board is because

Select one:

a. The internal audit function is to assist all parts of the organization and no one reporting manager should get priority on this help and support

b. The departments resources cannot easily be redirected and used for other projects

c. The audit organization must be independent from influence from reporting structures that do not enable them to communicate directly with the audit committee

d. Their budgets are more easily managed separate from the other budgets of the organization 

Which of the following is not a reason to be concerned about auditor independence?

Select one:

a. The auditor is working as consultant for the implementation portion of the project being audited.

b. The auditor used to manage the same business process at a different company.

c. The auditor starts dating the change control librarian.

d. The auditor invests in the business spin-off of the company. 

 Which of the following is not a guideline published for giving direction to IS auditors?

Select one:

a. Auditing IT governance

b. Completion of the audits when your independence is compromised

c. The IT auditor's role in dealing with illegal acts and irregularities

d. Third-party service provider's effect on IT controls  

What are the qualifications of the incident commander when responding to a crisis?

Select one:

a. First person on scene

b. First responder

c. Member of management

d. Trained crisis manager  

Which of the following controls is not an example of a pervasive general control?

Select one:

a. IS security policy

b. IS strategic direction, mission, and vision statements

c. System-wide change control procedures

d. Humidity controls in the data center 

  How should management act to best deal with emergency changes?

Select one:

a. Emergency changes cannot be made without advance testing.

b. Emergency changes are not allowed under any condition.

c. All changes should still undergo review.

d. The change control process does not apply to emergency conditions. 

Which of the following statements is true concerning the role of management and the role of the auditor?

Select one:

a. Management must make their assertions prior to reading the auditor's report.

b. The auditor is able to view only evidence that has been predetermined by management.

c. Management uses the auditor's report before making their assertions.

d. The auditor's opinion will be based on the desire of management.

Which of the following is not a method to identify risks?

Select one:

a. Identify the risks, then determine the likelihood of occurrence and cost of a loss.

b. Seek managements risk tolerance and determine what threats exist that exceed that tolerance.

c. Identify the threats, their associated vulnerabilities, and the cost of losses.

d. Identify the vulnerabilities and effort to correct based on the industry's best practices.

The most important aspect of a recovery plan in the initial hours of a recovery process will be that

Select one:

a. Call lists and rosters are included for contacting the recovery teams

b. Testing results have been included to show current recoverability

c. A disaster is declared by management and the EOC is activated as a control center

d. People have been trained what to do and where to meet to gather and begin recovery without the documented plan

Which of the following statements is not true regarding d t evices or systems that routinely allow unknown or unauthenticated users access to use the CPU, memory, or hard drive storage?

Select one:

a. Unknown/anonymous users can upload or download data from the web server database. Unintended data or configuration settings may be revealed or executable code with escalation attack commands may be uploaded.

b. Unknown/anonymous users can access the LAN printer/multi-function device (MFP) to spool, print, fax, or receive files or remotely manipulate device settings.

c. Unknown/anonymous users can be sales prospects, so the risk is acceptable because security controls must be cost effective and not interrupt revenue activities.

d. Unknown/anonymous users can remotely alter startup settings or boot file images without the knowledge of system administrators.

Which of the following is the best way for an auditor to prove their competence to perform an audit?

Select one:

a. Having prior experience working in information technology

b. Citing each point in a regulation with an audit objective and specific test

c. Obtaining auditor certification with ongoing training

d. Having prior experience in financial auditing

During the performance of an audit, a reportable finding is identified with the auditee. The auditee immediately fixed the problem upon identification. Which of the following is true as a result of this interaction?

Select one:

a. Auditee resolved the problem before the audit report is written, therefore no finding exists.

b. Auditor lists the finding as it existed.

c. Auditor includes the finding in the final audit report as resolved.

d. Auditor can verify that the corrective action has been taken before the audit report is written, therefore no finding exists.

In regard to the IT governance control objectives, which of the following occurrences would the auditor be most concerned about during execution of the audit?

Select one:

a. Production system without accreditation

b. Using proper change control

c. Using the practice of self-monitoring to report problems

d. Conflict in the existing reporting relationship

The primary thing to consider when planning for the use of CAATs in an audit program is

Select one:

a. Whether the sampling error will be at an unacceptable level

b. The extent of the invasive access necessary to the production environment

c. Whether you can trust the programmer who developed the tools of the CAATs

d. Whether the source and object codes of the programs of the CAATs match

When reviewing a systems disaster recovery plan, an IS auditor should look for operations procedures that

Select one:

a. Follow the procedures used by the IS organization in normal production

b. Describe how to perform the successful operation of the recovered subset of operations

c. Describe all aspects of the current process in detail

d. Have been approved by senior management

When reviewing a systems disaster recovery plan, an IS auditor should look for operations procedures that

Select one:

a. Follow the procedures used by the IS organization in normal production

b. Describe how to perform the successful operation of the recovered subset of operations

c. Describe all aspects of the current process in detail

d. Have been approved by senior management

What is the principle purpose of using function point analysis?

Select one:

a. Estimate the complexity involved in software development

b. Verify the integrity of financial transaction algorithms in a program

c. Review the results of automated transactions meeting criteria for the audit

d. Provide system boundary data during the Requirements Definition phase

Which of the following answers contains the steps for business process reengineering (BPR) in proper sequence?

Select one:

a. Evaluate, envision, redesign, reconstruct, review

b. Initiate, evaluate, diagnose, reconstruct, review

c. Envision, initiate, diagnose, redesign, reconstruct, evaluate

d. Diagnose, envision, redesign, reconstruct, evaluate

Which step is necessary before moving into the next phase when using the System Development Life Cycle?

Select one:

a. Phase meeting

b. Change control

c. Formal approval

d. Review meeting

Which of the following represents the hierarchy of controls from highest level to lowest level?

Select one:

a. General, pervasive, detailed, application

b. Detailed, pervasive, application, detailed

c. Application, general, detailed, pervasive

d. Pervasive, general, application, detailed

Select the best answer to finish this statement: A _______ is strategic in nature, while the _______ is tactical.

Select one:

a. policy, procedure

b. policy, standard

c. procedure, standard

d. standard, procedure

What is the purpose behind system accreditation?

Select one:

a. Make the user responsible for their use of the system

b. Hold management responsible for fitness of use and any failures

c. Improve the accuracy of forecasting in IT budgets

d. Provide formal sign-off on the results of certification tests

When reviewing the recovery testing reports to management, an IS auditor will be most concerned if the following is not part of the report:

Select one:

a. A comprehensive list of all of the problems and the resultant assigned action items

b. A list of planned goals or milestones with an analysis of the ones that were achieved and those that were not successfully tested

c. A description of the process used to test the recovery, depicting the assumptions made about the recovery situation that was being tested

d. An assessment of the time it takes to recover compared to the management expectations for recovery and a gap analysis of the potential impact that any shortfall may have on management's risk or loss expectations

What is the primary purpose of the audit charter?

Select one:

a. Specify the mutually agreed-upon procedures that will be used during the audit

b. Serve as a record for the agreed-upon terms of the engagement with external auditors

c. Assign the auditor responsibility, authority, and accountability

d. Specify the scope of the audit

Which of the following is true concerning reporting by internal auditors?

Select one:

a. Results can be used for industry licensing.

b. The corresponding value of the audit report is high.

c. The corresponding value of the audit report is low.

d. Results can be used for external reporting.

What is the best statement regarding the purpose of using the OSI model?

Select one:

a. To define separation of duties, controls, and boundaries

b. To define the differences between OSI and IP protocols

c. To define how networking protocols work for IT professionals

d. To define which level of program-to-program gateways operate

What is the principal issue surrounding the use of CAAT software?

Select one:

a. Inability of automated tools to consider the human characteristics of the environment

b. The capability of the software vendor

c. Documentary evidence is more effective

d. The possible cost, complexity, and security of output

Which of the following is not one of the three major control types?

Select one:

a. Preventive

b. Corrective

c. Detective

d. Deterrent

An IS auditor is reviewing an organization's contingency planning and recoverability. What is the most important factor to consider for the success of the recovery plan?

Select one:

a. The plan has identified all of the critical applications required to be covered for the business to survive.

b. The plan is stored off-site.

c. Back ups are made and moved off-site regularly.

d. The process is supported by senior management and funded adequately.

What is the first priority of management upon the possible detection of an irregular or illegal act?

Select one:

a. Shut down access to the system.

b. Contact auditors to schedule an audit of the situation.

c. Aid the process of investigation and inquiry.

d. Notify appropriate law enforcement.

Which of the following is the best representation of a soft token used for two-factor authentication?

Select one:

a. Digital certificate

b. Digital hash

c. Digital signature

d. Digital identity

Which of the following situations does not t represent a reporting conflict?

Select one:

a. Self-monitoring and reporting of violations

b. IT security reporting to the chief information officer

c. Employee reporting violations to their boss, who is also in charge of compliance

d. Information security manager reporting to internal auditors