A4-1 -258

Question 1

An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?

A. References from other clients for the service providers
B. The physical security of the service provider site
C. The proposed service level agreement with the service provider.
D. Background checks of the service provider’s employees.

Answer 1

C. The proposed service level agreement with the service provider.

Question 2

An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of the outsources services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a:

A. transition clause from the old supplier to a new supplier or back to internal in case of expiration or termination.
B. late payment clause between the customer and the supplier.
C. contractual commitment between the customer and the supplier
D. Dispute resolution procedure between the contracting parties.

Answer 2

A. transition clause from the old supplier to a new supplier or back to internal in case of expiration or termination.

Question 3

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?

A. a clause providing a “right to audit” the service provider
B. A clause providing penalty payments for poor performance.
C. Predefined service level report templates
D. a clause regarding supplier limitation of liability.

Answer 3

A. a clause providing a “right to audit” the service provider

Question 4

When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:

A. was installed, but not documented in the IT department records.
B. was being used by users not properly trained in its use.
C. is not listed in the approved software standards document.
D. license will expire in the next 15 days.

Answer 4

C. is not listed in the approved software standards document.

Question 5

An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms would be the GREATEST risk to the customer organization?

A. Data ownership is retained by the customer organization
B. The third-party provider reserves the right to access data to perform certain operations.
C. Bulk data withdrawal mechanisms are undermined.
D. The customer organization is responsible for backup, archive, and restore.

Answer 5

B. The third-party provider reserves the right to access data to perform certain operations.

Question 6

Which of the following recovery strategies is MOST appropriate for a business having multiple offices within a region and a .limited recovery budget?

A. A hot site maintained by the business
B. A commercial cold site
C. A reciprocal arrangement between its offices
D. A third-party hot site

Answer 6

C. A reciprocal arrangement between its offices

Question 7

During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed?

A. Field definition
B. Master table definition
C. Composite keys
D. Foreign Key structure

Answer 7

D. Foreign Key structure

Question 8

An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?

A. The default configurations are changed
B. All tables in the database are denormalized.
C. Stored procedures and triggers are encrypted
D. The service port used by the database os changed.

Answer 8

A. The default configurations are changed.

Question 9

In auditing a database environment, an IS auditor will be MOST concerned if the database administrator is performing which of the following functions?

A. Performing database changes according to change management procedures
B. Installing patches or upgrades to the operating system
C. Sizing table space and consulting on table join limitations
D. Performing backup and recovery procedures.

Answer 9

B. Installing patches or upgrades to the operating system

Question 10

Which of the following is the MOST reasonable option for recovering a non-critical system?

A. Warm site
B. Mobile site
C. Hot site
D. Cold site

Answer 10

D. Cold site

Question 11

An IS auditor is evaluating the effectiveness of the change management process in an organization. What is the MOST important control that the IS auditor should look for to ensure system availability?

A. Changes are authorized by IT managers at all times.
B. User acceptance testing is performed and properly documented.
C. Test plans and procedures exist and are closely followed.
D. Capacity planning is performed as part of each development project.

Answer 11

C. Test plans and procedures exist and are closely followed.

Question 12

Data flow diagrams are used by IS auditors to:

A. identify key controls
B. highlight high-level data definitions
C. graphically summarize data paths and storage
D. portray step-by-step details of data generation.

Answer 12

C. graphically summarize data paths and storage

Question 13

Which of the following statement is useful while drafting a disaster recovery plan?

A. Downtime costs decrease as the recovery point objective increases
B. Downtime costs increase with time.
C. Recovery costs are independent of time
D. Recovery costs can only be controlled on a short-term basis.

Answer 13

B. Downtime costs increase with time.

Question 14

Although management has stated otherwise, an IS auditor has reasons to believe that the organization is using software that is not licensed. In this situation, the IS auditor should FIRST:

A. include the statement from management in the audit report.
B. verify the software is in use through testing.
C. include the item in the audit report.
D. discuss the issue with senior management because it could have a negative impact on the organization.

Answer 14

B. verify the software is in use through testing.

Question 15

An advantage of using unshielded twisted paid (UTP) cable for data communication over the copper based cables is the UTP cable:

A. reduces crosstalk between pairs.
B. provides protection against wiretapping.
C. can be used in long-distant networks.
D. is simple to install.

Answer 15

A. reduces crosstalk between pairs.

Question 16

Which of the following is the MOST critical element to effectively execute a disaster recovery plan?

A. Offsite storage of backup data
B. Up-to-date list of key disaster recovery contacts
C. Availability of a replacement data center
D. Clearly defined recovery time objective

Answer 16

A. Offsite storage of backup data

Question 17

While reviewing the process for continuous monitoring of the capacity and performance of IT resources, as IS auditor should PRIMARILY ensure that the process is focused on:

A. adequately monitoring service levels of IT resources and services.
B. providing data to enable timely planning for capacity and performance requirements
C. providing accurate feedback on IT resource capacity.
D. properly forecasting performance, capacity and throughput of IT resources.

Answer 17

C. providing accurate feedback on IT resource capacity.

Question 18

Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis?

A. Business processes owners
B. IT management
C. Senior business management
D. Industry experts

Answer 18

A. Business processes owners

Question 19

An IS auditor is reviewing an organization’s disaster recovery plan (RDP) implementation. The project was completed on time and on budget. During the review, the auditor uncovers several areas of concern. Which of the following presents the GREATEST risk?

A. Testing of the DRP has not been performed.
B. The disaster recovery strategy does not specify use of a hot site.
C. The business impact analysis was conducted, but the results were not used.
D. The disaster recovery project manager for the implementation has recently left the organization.

Answer 19

C. The business impact analysis was conducted, but the results were not used.

Question 20

A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a a timely manner. The administrators have asked if they could reduce the testing of the patches. What is the BEST approach the organization should take?

A. Continue the current process of testing and applying patches.
B. Reduce testing and ensure that an adequate blackout plan is in place.
C. Delay patching until resources for testing are available.
D. Rely on the vendor’s testing of the patches.

Answer 20

n place.

A. Continue the current process of testing and applying patches.

Question 21

Which of the following should be a MAJOR concern to an IS auditor who is reviewing a service level agreement (SLA)?

A. A service adjustment resulting from an exception report took a day to implement.
B. The complexity of application logs used for service monitoring made the review difficult.
C. Service measures were not included in the SLA.
D. The document is updated on an annual basis.

Answer 21

C. Service measures were not included in the SLA.

Question 22

During an IS audit of the disaster recovery plan of a global enterprise, the auditor observers that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?

A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.
B. The corporate business continuity plan does not accurately document the systems that exist at remote offices.
C. Corporate security measure shave not been incorporated into the test plan.
D. A test has not been made to ensure that tape backups from the remote offices are usable.

Answer 22

A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.

Question 23

Which of the following reports should an IS auditor use to check compliance with a service level agreements (SLA) requirement for uptime?

A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports

Answer 23

D. Availability reports

Question 24

Which of the following would an IS auditor use to determine if unauthorized modifications were made to production programs?

A. System log analysis
B. Compliance testing
C. Forensic analysis
D. Analytical review

Answer 24

B. Compliance testing

Question 25

During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do NEXT?

A. Recommend redesigning the change management process.
B. Gain more assurance on the findings through root cause analysis.
C. Recommend that program migration be stopped until the change management process is documented.
D. Document the finding and present it to management.

Answer 25

B. Gain more assurance on the findings through root cause analysis.