1. A data administrator is responsible for:
A. maintaining database system software.
B. defining data elements, data names and their relationship.
C. developing physical database structures.
D. developing data dictionary system software.
The correct answer is: B. defining data elements, data names and their relationship.
Explanation: A data administrator is responsible for defining data elements, data names and their relationship. Choices A, C and D are functions of a database administrator (DBA).

2. The rate of change in technology increases the importance of:
A. outsourcing the IS function.
B. implementing and enforcing good processes.
C. hiring personnel willing to make a career within the organization.
D. meeting user requirements.
The correct answer is: B. implementing and enforcing good processes.
Explanation: Change requires that good change management processes be implemented and enforced. Outsourcing the IS function is not directly related to the rate of technological change. Personnel in a typical IS department are highly qualified and educated; they usually do not feel their jobs are at risk and are prepared to switch jobs frequently, so long-term career retention is not what the rate of change demands. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IS environment.

3. Accountability for the maintenance of appropriate security measures over information assets resides with the:
A. security administrator.
B. systems administrator.
C. data and systems owners.
D. systems operations group.
The correct answer is: C. data and systems owners.
Explanation: Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security measures.

4.
An IS steering committee should:
A. include a mix of members from different departments and staff levels.
B. ensure that IS security policies and procedures have been executed properly.
C. have formal terms of reference and maintain minutes of its meetings.
D. be briefed about new trends and products at each meeting by a vendor.
The correct answer is: C. have formal terms of reference and maintain minutes of its meetings.
Explanation: It is important to keep detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed on a timely basis. Choice A is incorrect because only senior management, or high staff levels, should be members of this committee because of its strategic mission. Choice B is not a responsibility of this committee but the responsibility of the security administrator. Choice D is incorrect because a vendor should be invited to meetings only when appropriate.

5. An organization has outsourced its software development. Which of the following is the responsibility of the organization's IT management?
A. Paying for provider services
B. Participating in systems design with the provider
C. Managing compliance with the contract for the outsourced services
D. Negotiating contractual agreement with the provider
The correct answer is: C. Managing compliance with the contract for the outsourced services
Explanation: Actively managing compliance with the contract terms for the outsourced services is the responsibility of IT management. Payment of invoices is a finance responsibility. Negotiation of the contractual agreement would have already taken place and is usually a shared responsibility of the legal department and other departments, such as IT.

6. In an organization where an IT security baseline has been defined, the IS auditor should FIRST ensure:
A. implementation.
B. compliance.
C. documentation.
D. sufficiency.
The correct answer is: D. sufficiency.
Explanation: The auditor should first evaluate the definition of the minimum baseline level by ensuring the sufficiency of controls. Documentation, implementation and compliance are further steps.

7. The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
A. a lack of investment in technology.
B. a lack of a methodology for systems development.
C. that the technology will not be aligned with the organization's objectives.
D. an absence of control over technology contracts.
The correct answer is: C. that the technology will not be aligned with the organization's objectives.
Explanation: A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee, or a committee not composed of senior managers, would be an indication of a lack of top-level management commitment. This condition would increase the risk that IT would not be aligned with the organization's strategy.

8. The PRIMARY objective of an audit of IT security policies is to ensure that:
A. they are distributed and available to all staff.
B. security and control policies support business and IT objectives.
C. there is a published organizational chart with functional descriptions.
D. duties are appropriately segregated.
The correct answer is: B. security and control policies support business and IT objectives.
Explanation: Business orientation should be the main theme in implementing security. Hence, an IS audit of IT security policies should primarily focus on whether the IT and related security and control policies support business and IT objectives. Reviewing whether policies are available to all is an objective, but distribution does not ensure compliance. Availability of organizational charts with functional descriptions and segregation of duties might be included in the review, but are not the primary objective of an audit of security policies.

9.
Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?
A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports
The correct answer is: D. Availability reports
Explanation: IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes. Utilization reports document the use of computer equipment, and can be used by management to predict how/where/when resources are required. Hardware error reports provide information to aid in detecting hardware failures and initiating corrective action. System logs are a recording of the system's activities.

10. An IS auditor reviewing an organization's IT strategic plan should FIRST review:
A. the existing IT environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.
The correct answer is: B. the business plan.
Explanation: The IT strategic plan exists to support the organization's business plan. To evaluate the IT strategic plan, the IS auditor would first need to become familiar with the business plan.

11. Involvement of senior management is MOST important in the development of:
A. strategic plans.
B. IS policies.
C. IS procedures.
D. standards and guidelines.
The correct answer is: A. strategic plans.
Explanation: Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. IS policies, procedures, standards and guidelines are all structured to support the overall strategic plan.

12. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems?
A. User management coordination does not exist.
B.
Specific user accountability cannot be established.
C. Unauthorized users may have access to originate, modify or delete data.
D. Audit recommendations may not be implemented.
The correct answer is: C. Unauthorized users may have access to originate, modify or delete data.
Explanation: Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that someone could gain (or be given) system access when they should not have authorization. By assigning authority to grant access to specific users, there is a better chance that business objectives will be properly supported.

13. IT operations for a large organization have been outsourced. An IS auditor reviewing the outsourced operation should be MOST concerned about which of the following findings?
A. The outsourcing contract does not cover disaster recovery for the outsourced IT operations.
B. The service provider does not have incident handling procedures.
C. Recently a corrupted database could not be recovered because of library management problems.
D. Incident logs are not being reviewed.
The correct answer is: A. The outsourcing contract does not cover disaster recovery for the outsourced IT operations.
Explanation: The lack of a disaster recovery provision presents a major business risk. Incorporating such a provision into the contract will provide the outsourcing organization leverage over the service provider. Choices B, C and D are problems that should be addressed by the service provider, but are not as important as contract requirements for disaster recovery.

14. Which of the following functions should be performed by the application owners to ensure an adequate segregation of duties between IS and end users?
A. System analysis
B. Authorization of access to data
C. Application programming
D. Data administration
The correct answer is: B. Authorization of access to data
Explanation: The application owner is responsible for authorizing access to data.
Application development and programming are functions of the IS department. Similarly, system analysis should be performed by qualified persons in IS who have knowledge of IS and user requirements. Data administration is a specialized function related to database management systems and should be performed by qualified database administrators.

15. An organization acquiring other businesses continues using its legacy EDI systems and uses three separate value-added network (VAN) providers. No written VAN agreements exist. The IS auditor should recommend that management:
A. obtains independent assurance of the third-party service providers.
B. sets up a process for monitoring the service delivery of the third party.
C. ensures that formal contracts are in place.
D. considers agreements with third-party service providers in the development of continuity plans.
The correct answer is: C. ensures that formal contracts are in place.
Explanation: Written agreements would assist management in ensuring compliance with external requirements. While management should obtain independent assurance of compliance, this cannot be achieved until there is a contract in place. One aspect of managing third-party services is to provide monitoring; however, this cannot be achieved until there is a contract. Ensuring that VAN agreements are available for review may assist in the development of continuity plans, if they are deemed critical IT resources. However, this cannot be achieved until a contract is in place.

16. Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:
A. ensure the employee maintains a quality of life, which will lead to greater productivity.
B. reduce the opportunity for an employee to commit an improper or illegal act.
C. provide proper cross-training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a time.
The correct answer is: B.
reduce the opportunity for an employee to commit an improper or illegal act.
Explanation: Required vacations/holidays of a week or more in duration, during which someone other than the regular employee performs the job function, are often mandatory for sensitive positions. This reduces the opportunity to commit improper or illegal acts, and during this time it may be possible to discover any fraudulent activity that was taking place. Choices A, C and D could all be organizational benefits from a mandatory vacation policy, but they are not the reason why the policy is established.

17. The implementation of cost-effective controls in an automated system is ultimately the responsibility of the:
A. system administrator.
B. quality assurance function.
C. business unit management.
D. chief of internal audit.
The correct answer is: C. business unit management.
Explanation: It is the business unit management's responsibility to implement cost-effective controls in an automated system. They are the best group in an organization to know which information assets need to be secured in terms of availability, confidentiality and integrity. System administrators take care of services related to the system requirements of the user management group. The quality assurance function addresses the overall quality of the systems. The audit group will assess or examine the compliance level of the controls with written policies, procedures or practices.

18. The quality assurance group is typically responsible for:
A. ensuring that the output received from system processing is complete.
B. monitoring the execution of computer processing tasks.
C. ensuring that programs and program changes and documentation adhere to established standards.
D. designing procedures to protect data against accidental disclosure, modification or destruction.
The correct answer is: C. ensuring that programs and program changes and documentation adhere to established standards.
Explanation: The quality assurance group is typically responsible for ensuring that programs, program changes and documentation adhere to established standards. Choice A is the responsibility of the data control group, choice B is the responsibility of computer operations, and choice D is the responsibility of data security.

19. Which of the following is a function of an IS steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information processing environment
C. Approving and monitoring major projects, the status of IS plans and budgets
D. Liaising between the IS department and the end users
The correct answer is: C. Approving and monitoring major projects, the status of IS plans and budgets
Explanation: The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, the status of IS plans and budgets. Vendor change control is an outsourcing issue and should be monitored by IS management. Ensuring a separation of duties within the information processing environment is an IS management responsibility. Liaising between the IS department and the end users is a function of the individual parties and not a committee.

20. Which of the following duties would be a concern if performed along with systems administration?
A. Access rule maintenance
B. System audit trail review
C. Data librarian
D. Performance monitoring
The correct answer is: B. System audit trail review
Explanation: A system administrator performs various functions by using the admin/root or an equivalent login. This login enables the system administrator to have unlimited access to the system resources. The only control over the system administrator's activities is the system audit trail; hence, it should be reviewed by someone other than the system administrator.
Maintenance of access rules, data librarian functions and performance monitoring can be assigned to the system administrator.

21. Which of the following data entry controls provides the GREATEST assurance that the data are entered correctly?
A. Using key verification
B. Segregating the data entry function from data entry verification
C. Maintaining a log/record that details the time, date, employee's initials/user ID and progress of various data preparation and verification tasks
D. Adding check digits
The correct answer is: A. Using key verification
Explanation: Key verification, or one-to-one verification, will yield the highest degree of confidence that data entered are error-free. However, this could be impractical for large amounts of data. The segregation of the data entry function from data entry verification is an additional data entry control but does not address accuracy. Maintaining a log/record that details the time, date, employee's initials/user ID and progress of various data preparation and verification tasks provides an audit trail. A check digit is added to data to ensure that original data have not been altered. If a check digit is wrongly keyed, this would lead to accepting incorrect data, and the control applies only to those data elements that carry a check digit.

22. Which of the following goals would you expect to find in an organization's strategic plan?
A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.
The correct answer is: D. Become the supplier of choice for the product offered.
Explanation: Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs.
Long- and short-range plans should be consistent with the organization's broader plans for attaining its goals. Choice D represents a business objective that is intended to focus the overall direction of the business and would thus be a part of the organization's strategic plan. The other choices are project-oriented and do not address business objectives.

23. Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them?
A. Overwriting the tapes
B. Initializing the tape labels
C. Degaussing the tapes
D. Erasing the tapes
The correct answer is: C. Degaussing the tapes
Explanation: The best way to handle obsolete magnetic tapes is to degauss them. This action leaves a very low residue of magnetic induction, essentially erasing the data from the tapes. Overwriting or erasing the tapes may cause magnetic errors but would not remove the data completely. Initializing the tape labels would not remove the data that follows the label.

24. Implementation of access control FIRST requires:
A. a classification of IS resources.
B. the labeling of IS resources.
C. the creation of an access control list.
D. an inventory of IS resources.
The correct answer is: D. an inventory of IS resources.
Explanation: The first step in implementing access control is an inventory of IS resources, which is the basis for classification. Labeling of resources cannot be done without first determining the resources' classifications. The access control list (ACL) would not be done without a meaningful classification of resources.

25. Which of the following would be a compensating control to mitigate risks resulting from an inadequate segregation of duties?
A. Sequence check
B. Check digit
C. Source documentation retention
D. Batch control reconciliations
The correct answer is: D. Batch control reconciliations
Explanation: Batch control reconciliations are an example of compensating controls.
Other examples of compensating controls are transaction logs, reasonableness tests, independent reviews and audit trails, such as console logs, library logs and job accounting data. Sequence checks and check digits are data validation edits, and source documentation retention is an example of a data file control.

26. Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan.
B. Yes, because based on the plan, the IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureau's business continuity plan is proprietary information.
The correct answer is: A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan.
Explanation: The primary responsibility of the IS auditor is to assure that the company assets are being safeguarded. This is true even if the assets do not reside on the immediate premises. Reputable service bureaus will have a well-designed and tested business continuity plan.

27. An IS auditor is reviewing the database administration (DBA) function to ascertain whether adequate provision has been made for controlling data. The IS auditor should determine that the:
A. function reports to data processing operations.
B. responsibilities of the function are well defined.
C. database administrator is a competent systems programmer.
D. audit software has the capability of efficiently accessing the database.
The correct answer is: B. responsibilities of the function are well defined.
Explanation: The IS auditor should determine that the responsibilities of the DBA function are not only well defined but also ensure that the DBA reports directly to the IS manager or executive to provide independence, authority and responsibility. The DBA should not report to either data processing operations or systems development management. The DBA need not be a competent systems programmer. Choice D is not as important as choice B.

28. An organization has outsourced IT operations to a service provider. The organization's IS auditor makes the following observations: Key servers located at the outsourcing organization are about to be moved to the service provider. Critical systems are backed up, but recovery is inefficient. Disaster recovery is not covered by the outsourcing contract. The service provider backs up data to the building next to it. Which of the following should the IS auditor recommend be done immediately?
A. Improve the backup of critical systems.
B. Delay moving the servers.
C. Incorporate disaster recovery in the contract.
D. Back up data to a location further away from the service provider.
The correct answer is: B. Delay moving the servers.
Explanation: Moving the servers may cause a business interruption and should be postponed until disaster recovery is included in the outsourcing contract. Choices A, C and D should be addressed during the development of viable disaster recovery provisions and after the server move is postponed.

29. The advantage of a bottom-up approach to the development of organizational policies is that the policies:
A. are developed for the organization as a whole.
B. are more likely to be derived as a result of a risk assessment.
C. will not conflict with overall corporate policy.
D. ensure consistency across the organization.
The correct answer is: B. are more likely to be derived as a result of a risk assessment.
Explanation: A bottom-up approach begins by defining operational-level requirements and policies, which are derived and implemented as the result of risk assessments. Enterprise-level policies are subsequently developed based on a synthesis of existing operational policies. Choices A, C and D are advantages of a top-down approach for developing organizational policies. That approach ensures that the policies will not be in conflict with overall corporate policy and ensures consistency across the organization.

30. Responsibility and reporting lines cannot always be established when auditing automated systems since:
A. diversified control makes ownership irrelevant.
B. staff traditionally changes jobs with greater frequency.
C. ownership is difficult to establish where resources are shared.
D. duties change frequently in the rapid development of technology.
The correct answer is: C. ownership is difficult to establish where resources are shared.
Explanation: Because of the diversified nature of both data and application systems, the actual owner of data and applications may be hard to establish.

31. The initial step in establishing an information security program is the:
A. development and implementation of an information security standards manual.
B. performance of a comprehensive security control review by the IS auditor.
C. adoption of a corporate information security policy statement.
D. purchase of security access control software.
The correct answer is: C. adoption of a corporate information security policy statement.
Explanation: A policy statement reflects the intent and support provided by executive management for proper security and establishes a starting point for developing the security program.

32. Which of the following would normally be found in application run manuals?
A. Details of source documents
B. Error codes and their recovery actions
C. Program flowcharts and file definitions
D.
Change records for the application source code
The correct answer is: B. Error codes and their recovery actions
Explanation: Application run manuals should include actions to be taken by an operator when an error occurs. Source documents and source code are irrelevant to the operator. Although dataflow diagrams may be useful, detailed program diagrams and file definitions are not.

33. An IS auditor performing a review of the IS department discovers that formal project approval procedures do not exist. In the absence of these procedures, the IS manager has been arbitrarily approving projects that can be completed in a short duration and referring other, more complicated projects to higher levels of management for approval. The IS auditor should recommend as a FIRST course of action that:
A. users participate in the review and approval process.
B. formal approval procedures be adopted and documented.
C. projects be referred to appropriate levels of management for approval.
D. the IS manager's job description be changed to include approval authority.
The correct answer is: B. formal approval procedures be adopted and documented.
Explanation: It is imperative that formal, written approval procedures be established to set accountability. This is true of the IS manager and higher levels of management. Choices A, C and D would be subsequent recommendations once authority has been established.

34. Which of the following should be included in an organization's IS security policy?
A. A list of key IT resources to be secured
B. The basis for access authorization
C. Identity of sensitive security features
D. Relevant software security features
The correct answer is: B. The basis for access authorization
Explanation: The security policy provides the broad framework of security, as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access.
Choices A, C and D are more detailed than what should be included in a policy.

35. Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?
A. Response
B. Correction
C. Detection
D. Monitoring
The correct answer is: A. Response
Explanation: A sound IS security policy will most likely outline a response program to handle suspected intrusions. Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.

36. To support an organization's goals, the IS department should have:
A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. planned to acquire new hardware and software.
The correct answer is: B. long- and short-range plans.
Explanation: To ensure its contribution to the realization of an organization's overall goals, the IS department should have long- and short-range plans that are consistent with the organization's broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.

37. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance
The correct answer is: D. Monitoring the outsourcing provider's performance
Explanation: In an outsourcing environment, the company is dependent on the performance of the service provider. Therefore, it is critical that the outsourcing provider's performance be monitored to ensure that services are delivered to the company as required.
Payment of invoices is a finance function, which would be completed per contractual requirements. Participating in systems design is a by-product of monitoring the outsourcing provider's performance, while renegotiating fees is usually a one-time activity.

38. From a control perspective, the key element in job descriptions is that they:
A. provide instructions on how to do the job and define authority.
B. are current, documented and readily available to the employee.
C. communicate management's specific job performance expectations.
D. establish responsibility and accountability for the employee's actions.
The correct answer is: D. establish responsibility and accountability for the employee's actions.
Explanation: From a control perspective, a job description should establish responsibility and accountability. This will aid in ensuring that users are given system access in accordance with their defined job responsibilities. The other choices are not directly related to controls. Providing instructions on how to do the job and defining authority addresses the managerial and procedural aspects of the job. It is important that job descriptions are current, documented and readily available to the employee, but this in itself is not a control. Communication of management's specific expectations for job performance outlines the standard of performance and would not necessarily include controls.

39. The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:
A. destruction policy.
B. security policy.
C. archive policy.
D. audit policy.
The correct answer is: C. archive policy.
Explanation: With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records. Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.

40.
An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:
A. hardware configuration.
B. access control software.
C. ownership of intellectual property.
D. application development methodology.
The correct answer is: C. ownership of intellectual property.
Explanation: Of the choices, the hardware and access control software are generally irrelevant as long as the contractual obligations for functionality, availability and security are met; those obligations, not the particular products, are what the contract specifies. Similarly, the development methodology should be of no real concern. The contract must, however, specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.

41. In reviewing the IS short-range (tactical) plan, the IS auditor should determine whether:
A. there is an integration of IS and business staffs within projects.
B. there is a clear definition of the IS mission and vision.
C. there is a strategic information technology planning methodology in place.
D. the plan correlates business objectives to IS goals and objectives.
The correct answer is: A. there is an integration of IS and business staffs within projects.
Explanation: The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.

42. When an employee is terminated from service, the MOST important action is to:
A. hand over all of the employee's files to another designated employee.
B. complete a backup of the employee's work.
C. notify other employees of the termination.
D. disable the employee's logical access.
The correct answer is: D. disable the employee's logical access.
Explanation: There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs to be handed over to a designated employee; however, this should be performed after implementing choice D. All the work of the terminated employee needs to be backed up and the employees need to be notified of the termination of the employee, but this should not precede the action in choice D. 43. A local area network (LAN) administrator normally would be restricted from: A. having end-user responsibilities. B. reporting to the end-user manager. C. having programming responsibilities. D. being responsible for LAN security administration. The correct answer is: C. having programming responsibilities. Explanation: A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator may also be responsible for security administration over the LAN. 44. Which of the following situations would increase the likelihood of fraud? A. Application programmers are implementing changes to production programs. B. Application programmers are implementing changes to test programs. C. Operations support staff are implementing changes to batch schedules. D. Database administrators are implementing changes to data structures. The correct answer is: A. Application programmers are implementing changes to production programs. Explanation: Production programs are used for processing an enterprise's data. It is imperative that controls on changes to production programs be stringent. Lack of control in this area could result in application programs being modified to manipulate the data. Application programmers are required to implement changes to test programs. 
These are used only in development and do not directly impact the live processing of data. The implementation of changes to batch schedules by operations support staff will affect the scheduling of the batches only; it does not impact the live data. Database administrators are required to implement changes to data structures. This is required for reorganization of the database to allow for additions, modifications or deletions of fields or tables in the database. 45. Which of the following is the PRIMARY objective of an IT performance measurement process? A. Minimize errors. B. Gather performance data. C. Establish performance baselines. D. Optimize performance. The correct answer is: D. Optimize performance. Explanation: An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions. Minimizing errors is an aspect of performance, but not the primary objective of performance management. Gathering performance data is a phase of the IT measurement process and would be used to evaluate the performance against previously established performance baselines. 46. Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IS strategy? That it: A. has been approved by line management. B. does not vary from the IS department's preliminary budget. C. complies with procurement procedures. D. supports the business objectives of the organization. The correct answer is: D. supports the business objectives of the organization. Explanation: Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals. Answer A is incorrect since line management prepared the plans. 47. An IS auditor reviews an organizational chart PRIMARILY for: A. an understanding of workflows. B. 
investigating various communication channels. C. understanding the responsibilities and authority of individuals. D. investigating the network connected to different employees. The correct answer is: C. understanding the responsibilities and authority of individuals. Explanation: An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps the IS auditor to know if there is a proper segregation of functions. A workflow chart would provide information about the roles of different employees. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network. 48. The general ledger setup function in an enterprise resource package (ERP) allows for setting accounting periods. Access to this function has been permitted to users in finance, the warehouse and order entry. The MOST likely reason for such broad access is the: A. need to change accounting periods on a regular basis. B. requirement to post entries for a closed accounting period. C. lack of policies and procedures for the proper segregation of duties. D. need to create/modify the chart of accounts and its allocations. The correct answer is: C. lack of policies and procedures for the proper segregation of duties. Explanation: Setting of accounting periods is one of the critical activities of the finance function. Granting access to this function to warehouse and order entry personnel could be a result of a lack of proper policies and procedures for the adequate segregation of duties. Accounting periods should not be changed at regular intervals, but established permanently. The requirement to post entries for a closed accounting period is a risk. If necessary, this should be done by someone in the finance or accounting area. 
The need to create/modify the chart of accounts and its allocations is the responsibility of the finance department and is not a function that should be performed by warehouse or order entry personnel. 49. When reviewing IS strategies, the IS auditor can BEST assess whether IS strategy supports the organizations' business objectives by determining if IS: A. has all the personnel and equipment it needs. B. plans are consistent with management strategy. C. uses its equipment and personnel efficiently and effectively. D. has sufficient excess capacity to respond to changing directions. The correct answer is: B. plans are consistent with management strategy. Explanation: Determining if the IS plan is consistent with management strategy relates IS/IT planning to business plans. Choices A, C and D are effective methods for determining the alignment of IS plans with business objectives and the organization's strategies. 50. Which of the following is MOST important when assessing services provided by an Internet service provider (ISP)? A. Performance reports generated by the ISP B. The service level agreement (SLA) C. Interviews with the provider D. Interviews with other clients of the ISP The correct answer is: B. The service level agreement (SLA) Explanation: A service level agreement provides the basis for an adequate assessment of the degree to which the provider is meeting the level of agreed service. Choices A, C and D would not be the basis for an independent evaluation of the service. 51. A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and: A. the length of service since this will help ensure technical competence. B. age as training in audit techniques may be impractical. C. IS knowledge since this will bring enhanced credibility to the audit function. D. 
ability, as an IS auditor, to be independent of existing IS relationships. The correct answer is: D. ability, as an IS auditor, to be independent of existing IS relationships. Explanation: Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. The fact that the employee has worked in IS for many years may not in itself ensure credibility. The audit department's needs should be defined and any candidate should be evaluated against those requirements. In addition, the length of service will not ensure technical competency, and evaluating an individual's qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world. 52. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)? A. References from other customers B. Service level agreement (SLA) template C. Maintenance agreement D. Conversion plan The correct answer is: A. References from other customers Explanation: The IS auditor should look for an independent verification that the ISP can perform the tasks being contracted. References from other customers would provide an independent, external review and verification of procedures and processes the ISP follows-issues which would be of concern to the IS auditor. Checking references is a means of obtaining an independent verification that the vendor can perform the services it says it can. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, is less important than verification that the ISP can provide the services they propose. 53. A probable advantage to an organization that has outsourced its data processing services is that: A. 
needed IS expertise can be obtained from the outside. B. greater control can be exercised over processing. C. processing priorities can be established and enforced internally. D. greater user involvement is required to communicate user needs. The correct answer is: A. needed IS expertise can be obtained from the outside. Explanation: Outsourcing is a contractual arrangement whereby the organization relinquishes control over part or all of the information processing to an external party. This is frequently done to acquire additional resources or expertise that is not obtainable from inside the organization. 54. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A. this lack of knowledge may lead to unintentional disclosure of sensitive information B. information security is not critical to all functions. C. IS audit should provide security training to the employees. D. the audit finding will cause management to provide continuous training to staff. The correct answer is: A. this lack of knowledge may lead to unintentional disclosure of sensitive information Explanation: All employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders. 55. A database administrator is responsible for: A. defining data ownership. B. establishing operational standards for the data dictionary. C. creating the logical and physical database. D. establishing ground rules for ensuring data integrity and security. The correct answer is: C. creating the logical and physical database. Explanation: A database administrator is responsible for creating and controlling the logical and physical database. 
Defining data ownership resides with the head of the user department or top management if the data is common to the organization. IS management and the data administrator are responsible for establishing operational standards for the data dictionary. Establishing ground rules for ensuring data integrity and security in line with the corporate security policy is a function of the security administrator. 56. Which of the following is a control over database administration activities? A. A database checkpoint to restart processing after a system failure B. Database compression to reduce unused space C. Supervisory review of access logs D. Backup and recovery procedures to ensure database availability The correct answer is: C. Supervisory review of access logs Explanation: To ensure management approval of database administration activities and to exercise control over the use of database tools, there should be a supervisory review of access logs. Database administration activities include among others, database checkpoints, database compression techniques, and data backup and recovery procedures established and implemented to ensure database availability. 57. Which of the following would provide a mechanism whereby IS management can determine if the activities of the organization have deviated from the planned or expected levels? A. Quality management B. IS assessment methods C. Management principles D. Industry standards/benchmarking The correct answer is: B. IS assessment methods Explanation: Assessment methods provide a mechanism, whereby IS management can determine if the activities of the organization have deviated from planned or expected levels. These methods include IS budgets, capacity and growth planning, industry standards/benchmarking, financial management practices, and goal accomplishment. Quality management is the means by which the IS department processes are controlled, measured and improved. 
Management principles focus on areas such as people, change, processes and security. Industry standards/benchmarking provide a means of determining the level of performance provided by similar information processing facility environments. 58. An IS auditor should be concerned when a telecommunication analyst: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volumes. C. assesses the impact of the network load on terminal response times and network data transfer rates. D. recommends network balancing procedures and improvements. The correct answer is: A. monitors systems performance and tracks problems resulting from program changes. Explanation: The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load or terminal response times and network data transfer rates (choice C) and recommending network balancing procedures and improvements (choice D). Monitoring systems performance and tracking problems as a result of program changes (choice A) would put the analyst in a self-monitoring role. 59. When an information security policy has been designed, it is MOST important that the information security policy be: A. stored offsite. B. written by IS management. C. circulated to users. D. updated frequently. The correct answer is: C. circulated to users. Explanation: To be effective, an information security policy should reach all members of the staff. Storing the security policy offsite or in a safe place may be desirable but of little value if its contents are not known to the organization's employees. The information security policy should be written by business unit managers including IS, but not exclusively IS managers. Updating the information security policy is important but will not assure its dissemination. 60. 
An IT steering committee should review information systems PRIMARILY to assess: A. whether IT processes support business requirements. B. if proposed system functionality is adequate. C. the stability of existing software. D. the complexity of installed technology. The correct answer is: A. whether IT processes support business requirements. Explanation: The role of an IT steering committee is to ensure that the IS department is in harmony with the organization's mission and objectives. To ensure this, the committee must determine whether IS processes support the business requirements. Assessing proposed additional functionality and evaluating software stability and the complexity of technology are too narrow in scope to ensure that IT processes are, in fact, supporting the organization's goals. 61. Which of the following would an IS auditor consider the MOST relevant to short-term planning for the IS department? A. Allocating resources B. Keeping current with technology advances C. Conducting control self-assessment D. Evaluating hardware needs The correct answer is: A. Allocating resources Explanation: The IS department should specifically consider the manner in which resources are allocated in the short term. Investments in IT need to be aligned with top management strategies, rather than focusing on technology for technology's sake. Conducting control self-assessments and evaluating hardware needs are not as critical as allocating resources during short-term planning for the IS department 62. A comprehensive and effective e-mail policy should address the issues of e-mail structure, policy enforcement, monitoring and: A. recovery. B. retention. C. rebuilding. D. reuse. The correct answer is: B. retention. Explanation: Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. 
The prevalence of lawsuits in which e-mail communication is held in the same regard as the official form of classic "paper" makes the retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is the property of the organization, and an e-mail policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery, rebuilding and reuse. 63. The development of an IS security policy is ultimately the responsibility of the: A. IS department. B. security committee. C. security administrator. D. board of directors. The correct answer is: D. board of directors. Explanation: Normally the designing of an information systems security policy is the responsibility of top management or the board of directors. The IS department is responsible for the execution of the policy, having no authority in framing the policy. The security committee also functions within the broad security policy framed by the board of directors. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. 64. Which of the following would BEST provide assurance of the integrity of new staff? A. Background screening B. References C. Bonding D. Qualifications listed on a resumé The correct answer is: A. Background screening Explanation: A background screening is the primary method for assuring the integrity of a prospective staff member. References are important and would need to be verified, but they are not as reliable as background screening. Bonding is directed at due-diligence compliance, not at integrity, and qualifications listed on a resumé may not be accurate. 65. 
In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the following should the IS auditor recommend? A. Automated logging of changes to development libraries B. Additional staff to provide separation of duties C. Procedures that verify that only approved program changes are implemented D. Access controls to prevent the operator from making program modifications The correct answer is: C. Procedures that verify that only approved program changes are implemented Explanation: While it would be preferred that strict separation of duties be adhered to and that additional staff is recruited, as suggested in choice B, this practice is not always possible in small organizations. The IS auditor must look at recommended alternative processes. Of the choices, C is the only practical one that has an impact. The IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons, so the changes can be reviewed on a regular basis by a third party. This would be a compensating control process. Choice A, involving logging of changes to development libraries, would not detect changes to production libraries. Choice D is in effect requiring a third party to do the changes, which may not be practical in a small organization. 66. IT control objectives are useful to IS auditors, as they provide the basis for understanding the: A. desired result or purpose of implementing specific control procedures. B. best IT security control practices relevant to a specific entity. C. techniques for securing information. D. security policy. The correct answer is: A. desired result or purpose of implementing specific control procedures. Explanation: An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity. 
They provide the actual objectives for implementing controls and may or may not be the best practices. Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives. 67. An IS auditor has recently discovered that because of a shortage of skilled operations personnel, the security administrator has agreed to work one late-night shift a month as the senior computer operator. The MOST appropriate course of action for the IS auditor is to: A. advise senior management of the risk involved. B. agree to work with the security officer on these shifts as a form of preventative control. C. develop a computer-assisted audit technique to detect instances of abuses of this arrangement. D. review the system log for each of the late-night shifts to determine whether any irregular actions occurred. The correct answer is: A. advise senior management of the risk involved. Explanation: The IS auditor's first and foremost responsibility is to advise senior management of the risk involved in having the security administrator perform an operations function. This is a violation of separation of duties. The IS auditor should not get involved in processing. 68. Without compensating controls, which of the following functions would represent a risk if combined with that of a systems analyst? A. Application programming B. Data entry C. Quality assurance D. Database administrator The correct answer is: C. Quality assurance Explanation: A systems analyst should not perform quality assurance (QA) duties as independence would be impaired, since the systems analyst is part of the team developing/designing the software. A systems analyst can perform the other functions. The best example is a citizen programmer. 
A citizen programmer (name related to citizen, since they have the right to do anything and everything) who has access to development tools can perform all activities while developing software (including design, development, testing, implementation). Only good compensatory controls would be able to monitor/control these activities. Compensating controls will ensure these functions have been effectively performed. If an analyst compromises on functions in these roles, it can be immediately detected with the help of compensating controls. However, a system analyst should be discouraged from performing the role of QA, because quality assurance levels could be compromised if the agreed standards are not met. 69. An IS auditor performing a general controls review of IS management practices relating to personnel should pay particular attention to: A. mandatory vacation policies and compliance. B. staff classifications and fair compensation policies. C. staff training. D. the functions assigned to staff. The correct answer is: D. the functions assigned to staff. Explanation: When performing a general controls review it is important for an IS auditor to pay attention to the issue of segregation of duties, which is affected by vacation/holiday practices. Mandatory vacation policies and compliance may vary depending on the country and industry. Staff classifications and fair compensation policies may be a morale issue, not a controls issue. Staff training is desirable, but not as critical as an appropriate segregation of duties. 70. Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network? A. The use of diskless workstations B. Periodic checking of hard drives C. The use of current antivirus software D. Policies that result in instant dismissal if violated The correct answer is: B. 
Periodic checking of hard drives Explanation: The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded to the network. Antivirus software will not necessarily identify illegal software unless the software contains a virus. Diskless workstations act as a preventative control and are not effective since users could still download software from other than diskless workstations. Policies lay out the rules about loading the software, but will not detect the actual occurrence. 71. To ensure an organization is complying with privacy requirements, the IS auditor should FIRST review: A. the IT infrastructure. B. the organization's policies, standards and procedures. C. legal and regulatory requirements. D. the adherence to the organizational policies, standards and procedures. The correct answer is: C. legal and regulatory requirements. Explanation: To ensure that the organization is complying with privacy issues, an IS auditor should address legal and regulatory requirements first. To comply with legal and regulatory requirements, organizations need to adopt the appropriate infrastructure. After understanding the legal and regulatory requirements, the IS auditor should evaluate organizational policies, standards and procedures to determine whether they adequately address the privacy requirements, and then review the adherence to these specific policies, standards and procedures.