the Information Technology Governance and Information Audit voll 3

An IS auditor determines that external consulting was used to create a recovery plan. Which of the following actions would be most appropriate for the IS auditor to take?

Select one:

a. Ensure that the decisions made by the consultant seemed reasonable for the given business and organizational structure.

b. Review the costs and contract deliverables for the consulting engagement and assess the adequacy of the contract.

c. Review the methodology used by the firm and assess its appropriateness for the engaged organization.

d. Review the resultant plan and ensure that the business and IS staff were involved in inputting to the final product.

In using public-key interchange (PKI) encryption, which key is not used by the recipient for decrypting a message?

Select one:

a. Sender's private key

b. Recipient's public key

c. Recipient's private key

d. Sender's public key

Portfolio management includes all of the following except which one?

Select one:

a. Centralized control of priorities across the projects

b. Management of concurrent projects

c. Method of controlling changes in the work breakdown structure

d. Selection of projects based on the best return on investment

In a risk-based audit approach, an IS auditor must consider the inherent risk and

Select one:

a. Whether the risk is material, regardless of management's tolerance for risk

b. The balance of the loss potential and the cost to implement controls

c. How to eliminate the risk through an application of controls

d. Residual risk being higher than the insurance coverage purchased

Which of the following application attributes are not relevant when determining the priority order for recovery?

Select one:

a. How much downtime is acceptable to the users of this the application

b. The dependency of the critical applications on the output of this particular application

c. The importance of this application to the business processing needs

d. The need for critical applications to be recovered in order to supply input to this application

Control objectives are defined in an audit program to

Select one:

a. Define what testing steps need to be performed in the program

b. Give the auditor a view of the big picture of what the key control issue are based on the risk and management input

c. Keep the management from changing the scope of the audit

d. Enable the auditor to scope the audit to only those issues identified in the control objective

What is the primary purpose of using the root kit?

Select one:

a. System administration tool used by the superuser, also known as the server agent

b. Method for tracing source problems in determining cause-and-effect analysis

c. Camouflage technique designed to hide certain details from view

d. Covert method of remotely compromising the operating system kernel

The primary reason for reviewing audit work is to

Select one:

a. Ensure that the findings are sufficient to warrant the final report rating.

b. Ensure that the conclusions, testing, and results were performed with due professional care.

c. Ensure that all of the work is completed and checked by a supervisor.

d. Ensure that all of the audits are consistent in style and technique.

Which of the following systems uses heuristic techniques to make decisions on behalf of the user?

Select one:

a. Decision support system (DSS)

b. Expert system

c. Associate decision mart

d. Data warehouse

Segregation or separation of duties may not be practical in a small environment. A single employee may be performing the combined functions of server operator and application programmer. The IS auditor should recommend controls for which of the following?

Select one:

a. Procedures that verify that only approved program changes are implemented

b. Automated controls to prevent the operator logon ID from making program modifications

c. Automated logging of changes made to development libraries

d. Hiring additional technical staff to force segregation of duties

Due care can best be described as

Select one:

a. A guarantee that no wrong conclusions are made during the course of the audit work

b. Someone with lesser skill level that provides a similar level of detail or quality of work

c. A level of diligence that a prudent and competent person would exercise under a given set of circumstances

d. A level of best effort provided by applying professional judgment

What is the purpose of using the ACID principle with database applications?

Select one:

a. To provide environmental protection to safeguard the server to ensure maximum uptime

b. To write the entire transaction to the master file or discard without making any changes

c. To step-link each data transaction to ensure consistency

d. To remove unnecessary data from the database for better performance

What are three of the four key perspectives on the IT balanced scorecard?

Select one:

a. Service level, critical success factors, vendor selection

b. Business justification, service-level agreements, budget

c. Cost reduction, business process, growth

d. Organizational staffing, cost reduction, employee training

Which of the following statements is true concerning a software worm?

Select one:

a. Is a synonym for a malicious virus appending itself to data files

b. Uses authentication defects to freely travel to infect other systems

c. Attaches itself to programs and data by the opening and closing of files

d. Must be executed by opening a file

What is one of the bigger concerns regarding asset disposal?

Select one:

a. Employees taking disposed property home

b. Environmental regulations

c. Residual asset value

d. Standing data

Complete the following statement: A _______ must be used to prevent ________ of the hard-disk evidence during the collection phase of forensic investigations.

Select one:

a. data analyzer, destruction

b. write blocker, contamination

c. immunizer, corruption

d. forensic specialist, analysis

Using public-key interchange (PKI) encryption, which key is used by the sender for authentication of the receiving party?

Select one:

a. Sender's private key

b. Recipient's public key

c. Sender's public key

d. Recipient's private key

When auditing the use of encryption, which of the following would be the primary concern of the auditor?

Select one:

a. Key sizes used in the encryption and decryption process

b. Management's level of control over the use of encryption

c. Strength of encryption algorithm in use

d. Using the correct encryption method for compliance

During a business continuity audit, it is discovered that the business impact analysis (BIA) was not performed even though an initial feasibility review of the financial statement was performed. What would this indicate to the auditor?

Select one:

a. The customer was able to get their plan in place without using the BIA technique.

b. Risk analysis and the customer's selection of the strategy fulfill their most important objectives.

c. It's not necessary to perform a business impact analysis because financial feasibility was performed.

d. The business continuity plan is likely to be a failure.

Which backup method will copy only changed files without resetting the archive bit (archive flag)?

Select one:

a. Full

b. Incremental

c. Differential

d. Physical

One of the most important reasons for having the audit organization report to the audit committee of the board is because

Select one:

a. The audit organization must be independent from influence from reporting structures that do not enable them to communicate directly with the audit committee

b. Their budgets are more easily managed separate from the other budgets of the organization

c. The internal audit function is to assist all parts of the organization and no one reporting manager should get priority on this help and support

d. The departments resources cannot easily be redirected and used for other projects

Which of the following statements is true concerning asymmetric key cryptography?

Select one:

a. The sender and receiver have different keys.

b. Asymmetric keys cannot be used for digital signatures.

c. The sender and receiver use the same key.

d. The sender encrypts the files by using the recipient's private key.

Implementing a strong external boundary is a successful method to prevent hackers and thieves from accessing your internal computer systems provided you are using which of the following technologies?

Select one:

a. Antivirus software with malware detection capabilities

b. Strong administrative policy controls with harsh sanctions that include termination and/or criminal liability

c. The elimination of shared access accounts and static passwords, including those shared for mandatory administrative access

d. Internet firewalls and intrusion detection systems with prevention capabilities (an IDPS) to prevent ingress

Which of the following is the most significant issue to consider regarding insurance coverage?

Select one:

a. Premiums may be very expensive.

b. Coverage must include all business assets.

c. Salvage, rather than replacement, may be dictated.

d. Insurance can pay for all the costs of recovery.

When reviewing the information recovery procedures, an IS auditor would be least concerned with finding procedures that

Select one:

a. Use the best information available and reconcile the inventories to understand the transactions that may have been lost during the disaster or disruption

b. Lay down the last complete back up and then all of the subsequent incremental back ups that are available

c. Recover all available information from the available back up tapes and move forward with the available information

d. Use hard copy transaction records to return the transactions processing history to the time of disaster from the last available back up

What part of the audited businesses background is least likely to be relevant when assessing risk and planning an IS audit?

Select one:

a. The company's reputation for customer satisfaction and the amount of booked business in the processing queue

b. The type of business and the appropriate model of transaction processing typically used in this type of business

c. The management structure and culture and their relative depth and knowledge of the business processes

d. A mature technology set in place to perform the business processing functions

Which of the following nonstatistical audit samples is also known as a judgmental sample?

Select one:

a. Attribute

b. Random

c. Unstratified mean

d. Haphazard

Which of the following best describes how a CISA should treat guidance from the IS audit standards?

Select one:

a. IS audit standards are to be treated as guidelines for building binding audit work when applicable.

b. A CISA should provide input to the audit process when defendable audit work is required.

c. IS audit standards are necessary only when regulatory or legal requirements dictate that they must be applied.

d. IS audit standards are mandatory requirements, unless justification exists for deviating from the standards.

An audit charter serves the following primary purpose:

Select one:

a. To document the mission and business plan of the audit department

b. To explain the code of ethics used by the auditor

c. To provide a clear mandate to perform the audit function in terms of authority and responsibilities

d. To describe the audit process used by the auditors

Some things to consider when determining what reportable findings should be are

Select one:

a. Whether the test samples were sufficient to support the conclusions

b. The materiality of the findings in relevance to the audit objectives and management's tolerance for risk

c. How many findings there are and how long the report would be if all findings were included

d. How the recommendations will affect the process and future audit work

Which of the following would be a concern that the auditor should explain in the audit report along with their findings?

Select one:

a. Need by the current auditor to communicate with the prior auditors

b. Lack of a detailed list of audit objectives

c. Undue restrictions placed by management on evidence use or audit procedure

d. Communicating results directly to the chairperson of the audit committee

In order to meet the requirements of audit, evidence sampling must be

Select one:

a. Of a 95 percent or higher confidence level, based on repeated pulls of similar sample sizes

b. Sufficient, reliable, relevant, and useful, and supported by the appropriate analysis

c. A random selection of the population in which every item has an equal chance of being selected

d. Within two standard deviations of the mean for the entire population of the data

Which method of backup should be used on a computer hard disk or flash media prior to starting a forensic investigation?

Select one:

a. Full

b. Differential

c. Logical

d. Bitstream

Which of the following is the best choice to ensure that internal control objectives are met?

Select one:

a. The clients operating records are audited annually.

b. Procedures are created to govern employee conduct.

c. Top executive issues a policy stating compliance objectives.

d. Suitable systems for tracking and reporting incidents are used.

you can see the other quis on the Information Technology Governance and Information Audit