ISACA 901-1000 Flashcards by Host Mom

Assignment of process ownership is essential in system development projects because it:

A. enables the tracking of the development completion percentage.
B. optimizes the design cost of user acceptance test (UAT) cases.
C. minimizes the gaps between requirements and functionalities.
D. ensures that system design is based on business needs.

D. ensures that system design is based on business needs.

How well did you know this?

Not at all

Perfectly

A batch transaction job failed in production; however, the same job returned no issues during user acceptance testing (UAT). Analysis of the production batch job indicates that it was altered after UAT. Which of the following ways would be the BEST to mitigate this risk in the future?

A. Improve regression test cases.
B. Activate audit trails for a limited period after release.
C. Conduct an application user access review.
D. Ensure that developers do not have access to code after testing.

D. Ensure that developers do not have access to code after testing.

How well did you know this?

Not at all

Perfectly

A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:

A. the security controls of the application may not meet requirements.
B. the application may not meet the requirements of the business users.
C. the application technology may be inconsistent with the enterprise architecture (EA).
D. the application may create unanticipated support issues for IT.

C. the application technology may be inconsistent with the enterprise architecture (EA).

How well did you know this?

Not at all

Perfectly

A centralized antivirus system determines whether each personal computer has the latest signature files and installs the latest signature files before allowing a PC to connect to the network. This is an example of a:

A. directive control.
B. corrective control.
C. compensating control.
D. detective control.

B. corrective control.

How well did you know this?

Not at all

Perfectly

Code erroneously excluded from a production release was subsequently moved into the production environment, bypassing normal change procedures. Which of the following choices is of MOST concern to the IS auditor performing a postimplementation review?

A. The code was missed during the initial implementation.
B. The change did not have management approval.
C. The error was discovered during the postimplementation review.
D. The release team used the same change order number.

B. The change did not have management approval.

How well did you know this?

Not at all

Perfectly

A company determined that its web site was compromised and a rootkit was installed on the server hosting the application. Which of the following choices would have MOST likely prevented the incident?

A. A host-based intrusion prevention system (IPS)
B. A network-based intrusion detection system (IDS)
C. A firewall
D. Operating system (OS) patching

A. A host-based intrusion prevention system (IPS)

How well did you know this?

Not at all

Perfectly

A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed?

A. On the local network
B. Outside the firewall
C. In the demilitarized zone (DMZ)
D. On the server that hosts the web site

C. In the demilitarized zone (DMZ)

How well did you know this?

Not at all

Perfectly

A company with a limited budget has a recovery time objective (RTO) of 72 hours and a recovery point objective (RPO) of 24 hours. Which of the following would BEST meet the requirements of the business?

A. A hot site
B. A cold site
C. A mirrored site
D. A warm site

D. A warm site

How well did you know this?

Not at all

Perfectly

Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would BEST provide assurance that transmission of information is secure while the production support team at ABC is providing support to XYZ?

A. Secret key encryption
B. Dynamic Internet protocol (IP) address and port
C. Hash functions
D. Virtual private network (VPN) tunnel

D. Virtual private network (VPN) tunnel

How well did you know this?

Not at all

Perfectly

Company XYZ has outsourced production support to service provider ABC located in another country. The ABC service provider personnel remotely connect to the corporate network of the XYZ outsourcing entity over the Internet. Which of the following would provide the BEST assurance that only authorized users of ABC connect over the Internet for production support to XYZ?

A. Single sign-on authentication
B. Password complexity requirements
C. Two-factor authentication
D. Internet protocol (IP) address restrictions

C. Two-factor authentication

How well did you know this?

Not at all

Perfectly

Due to resource constraints, a developer requires full access to production data to support certain problems reported by production users. Which of the following choices would be a good compensating control for controlling unauthorized changes in production?

A. Provide and monitor separate login IDs that the developer will use for programming and for production support.
B. Capture activities of the developer in the production environment by enabling audit trails.
C. Back up all affected records before allowing the developer to make production changes.
D. Ensure that all changes are approved by the change manager.

A. Provide and monitor separate login IDs that the developer will use for programming and for production support.

How well did you know this?

Not at all

Perfectly

Due to resource constraints of the IS audit team, the audit plan as originally approved cannot be completed. Assuming that the situation is communicated in the audit report, which course of action is MOST acceptable?

A. Test the adequacy of the control design.
B. Test the operational effectiveness of controls.
C. Focus on auditing high-risk areas.
D. Rely on management testing of controls.

C. Focus on auditing high-risk areas.

How well did you know this?

Not at all

Perfectly

During an assessment of software development practices, an IS auditor finds that open source software components were used in an application designed for a client. What is the GREATEST concern the auditor would have about the use of open source software?

A. The client did not pay for the open source software components.
B. The organization and client must comply with open source software license terms.
C. Open source software has security vulnerabilities.
D. Open source software is unreliable for commercial use.

B. The organization and client must comply with open source software license terms.

How well did you know this?

Not at all

Perfectly

During an implementation review of a recent application deployment, it was determined that several incidents were assigned incorrect priorities and, because of this, failed to meet the business service level agreement (SLA). What is the GREATEST concern?

A. The support model was not approved by senior management.
B. The incident resolution time specified in the SLA is not realistic.
C. There are inadequate resources to support the applications.
D. The support model was not properly developed and implemented.

D. The support model was not properly developed and implemented.

How well did you know this?

Not at all

Perfectly

During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department?

A. Discuss it with the IT managers.
B. Review the job descriptions of the IT functions.
C. Research past IS audit reports.
D. Evaluate the organizational structure.

A. Discuss it with the IT managers.

How well did you know this?

Not at all

Perfectly

During the course of an application software review, an IS auditor identified minor weaknesses in a relevant database environment that is out of scope for the audit. The BEST option is to:

A. include a review of the database controls in the scope.
B. document for future review.
C. work with database administrators to correct the issue.
D. report the weaknesses as observed.

D. report the weaknesses as observed.

How well did you know this?

Not at all

Perfectly

During the course of an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following choices is of MOST concern?

A. Maximum acceptable downtime metrics have not been defined in the contract.
B. The IT department does not manage the relationship with the cloud vendor.
C. The help desk call center is in a different country, with different privacy requirements.
D. Company-defined security policies are not applied to the cloud application.

D. Company-defined security policies are not applied to the cloud application.

How well did you know this?

Not at all

Perfectly

During the requirements definition stage of a proposed enterprise resource planning (ERP) system, the project sponsor requests that the procurement and accounts payable modules be linked. Which of the following test methods would be the BEST to perform?

A. Unit testing
B. Integration testing
C. Sociability testing
D. Quality assurance (QA) testing

B. Integration testing

How well did you know this?

Not at all

Perfectly

A financial institution with multiple branch offices has an automated control that requires the branch manager to approve transactions more than a certain amount. What type of audit control is this?

A.Detective
B. Preventive
C. Corrective
D. Directive

B. Preventive

How well did you know this?

Not at all

Perfectly

From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:

A. is cost-effective.
B. is future thinking and innovative.
C. is aligned with the business strategy.
D. has the appropriate priority level assigned.

C. is aligned with the business strategy.

How well did you know this?

Not at all

Perfectly

The GREATEST benefit of having well- defined data classification policies and procedures is:

A. a more accurate inventory of information assets.
B. a decreased cost of controls.
C. a reduced risk of inappropriate system access.
D. an improved regulatory compliance.

C. a reduced risk of inappropriate system access.

How well did you know this?

Not at all

Perfectly

In a risk-based IS audit, where both inherent and control risk have been assessed as high, an IS auditor would MOST likely compensate for this scenario by performing additional:

A. stop-or-go sampling.
B. substantive testing.
C. compliance testing.
D. discovery sampling.

B. substantive testing.

How well did you know this?

Not at all

Perfectly

An internal audit function is reviewing an internally developed common gateway interface (CGI) script for a web application. The IS auditor discovers that the script was not reviewed and tested by the quality control function. Which of the following types of risk is of GREATEST concern?

A. System unavailability
B. Exposure to malware
C. Unauthorized access
D. System integrity

C. Unauthorized access

How well did you know this?

Not at all

Perfectly

An IS auditor discovers that several IT-based projects were implemented that were not approved by the steering committee. What is the GREATEST concern for the IS auditor?

A. IT projects will not be adequately funded.
B. IT projects are not following the system development life cycle (SDLC) process.
C. IT projects are not consistently formally approved.
D. The IT department may not be working toward a common goal.

D. The IT department may not be working toward a common goal.

How well did you know this?

Not at all

Perfectly

An IS auditor discovers that the disaster recovery plan (DRP) for a company does not include a critical application that is hosted in the cloud. Management's response states that the cloud vendor is responsible for disaster recovery (DR) and DR-related testing. What is the NEXT course of action for the IS auditor to pursue? A. Plan an audit of the cloud vendor. B. Review the vendor contract to determine its DR capabilities. C. Review an independent auditor's report of the cloud vendor. D. Request a copy of the DRP from the cloud vendor.

B. Review the vendor contract to determine its DR capabilities.

An IS auditor finds that database administrators (DBAs) have access to the log location on the database server and the ability to purge logs from the system. What is the BEST audit recommendation to ensure that DBA activity is effectively monitored? A. Change permissions to prevent DBAs from purging logs. B. Forward database logs to a centralized log server. C. Require that critical changes to the database are formally approved. D. Back up database logs to tape.

B. Forward database logs to a centralized log server.

An IS auditor has been asked to review a contract for a vendor being considered to provide data center services. Which is the BEST way to determine whether the terms of the contract are adhered to after the contract is signed? A. Require the vendor to provide monthly status reports. B. Have periodic meetings with the client IT manager. C. Conduct periodic audit reviews of the vendor. D. Require that performance parameters be stated within the contract.

C. Conduct periodic audit reviews of the vendor.

An IS auditor has discovered that a new patch is available for an application, but the IT department has decided that the patch is not needed because other security controls are in place. What should the IS auditor recommend? A. Apply the patch anyway, after it can be tested. B. Implement a host-based intrusion detection system (IDS). C. Implement firewall rules to further protect the application server. D. Assess the overall risk, then decide whether to deploy the patch.

D. Assess the overall risk, then decide whether to deploy the patch.

An IS auditor has found that employees are emailing sensitive company information to public web-based email domains. Which of the following is the BEST remediation option for the IS auditor to recommend? A. Encrypted mail accounts B. Training and awareness C. Activity monitoring D. Data loss prevention (DLP)

D. Data loss prevention (DLP)

An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor? A. Administrative access to the biometric scanners or the access control system is permitted over a virtual private network (VPN). B. Biometric scanners are not installed in restricted areas. C. Data transmitted between the biometric scanners and the access control system do not use a securely encrypted tunnel. D. Biometric system risk analysis was last conducted three years ago.

An IS auditor is assisting in the design of the emergency change control procedures for an organization with a limited budget. Which of the following recommendations BEST helps to establish accountability for the system support personnel? A.Production access is granted to the individual support ID when needed. B.Developers use a firefighter ID to promote code to production. C. A dedicated user promotes emergency changes to production. D. Emergency changes are authorized prior to promotion.

A.Production access is granted to the individual support ID when needed.

An IS auditor is auditing an IT disaster recovery plan (DRP). The IS auditor should PRIMARILY ensure that the plan covers: A. a resilient IT infrastructure. B. alternate site information. C. documented disaster recovery (DR) test results. D. analysis and prioritization of business functions.

D. analysis and prioritization of business functions.

An IS auditor is conducting a review of the disaster recovery (DR) procedures for a data center. Which of the following indicators is the BEST to show that the procedures meet the requirements? A. Documented procedures were approved by management. B. Procedures were reviewed and compared with industry good practices. C. A tabletop exercise using the procedures was conducted. D. Recovery teams and their responsibilities are documented.

C. A tabletop exercise using the procedures was conducted.

An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors would the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation? A. Existing IT mechanisms that enable compliance B. Alignment of the policy to the business strategy C. Current and future technology initiatives D. Regulatory compliance objectives that are defined in the policy

A. Existing IT mechanisms that enable compliance

An IS auditor is evaluating network performance for an organization that is considering increasing its Internet bandwidth due to a performance degradation during business hours. Which of the following is MOST likely the cause of the performance degradation? A. Malware on servers B. Firewall misconfiguration C. Increased spam received by the email server D. Unauthorized network activities

D. Unauthorized network activities

An IS auditor is performing a postimplementation review of an organization's system and identifies output errors within an accounting application. The IS auditor determined this was caused by input errors. Which of the following controls should the IS auditor recommend to management? A. Recalculations B. Limit checks C. Run-to-run totals D. Reconciliations

B. Limit checks

An IS auditor is reviewing a manufacturing company and finds that mainframe users at a remote site connect to the mainframe at headquarters over the Internet via Telnet. Which of the following is the BEST recommendation to ensure proper security controls? A. Use of a point-to-point leased line B. Use of a firewall rule to allow only the Internet Protocol (IP) address of the remote site C. Use of two-factor authentication D. Use of a nonstandard port for Telnet

A. Use of a point-to-point leased line

An IS auditor is reviewing an organization's network operations center (NOC). Which of the following choices is of the GREATEST concern? The use of: A. a wet pipe-based fire suppression system. B. a rented rack space in the NOC. C. a carbon dioxide-based fire suppression system. D. an uninterrupted power supply (UPS) with 10 minutes of backup power.

C. a carbon dioxide-based fire suppression system.

An IS auditor is reviewing an organization to ensure that evidence related to a data breach case is preserved. Which of the following choices would be of MOST concern to the IS auditor? A. End users are not aware of incident reporting procedures. B. Log servers are not on a separate network. C. Backups are not performed consistently. D. There is no chain of custody policy

D. There is no chain of custody policy

An IS auditor is reviewing a third-party agreement for a new cloud-based accounting service provider. Which of the following considerations is the MOST important with regard to the privacy of the accounting data? A. Data retention, backup and recovery B. Return or destruction of information C. Network and intrusion detection D. A patch management process

B. Return or destruction of information

An IS auditor is reviewing Secure Sockets Layer (SSL) enabled web sites for the company. Which of the following choices would be the HIGHEST risk? A. Expired digital certificates B. Self-signed digital certificates C. Using the same digital certificate for multiple web sites D. Using 56-bit digital certificates

B. Self-signed digital certificates

An IS auditor is reviewing security incident management procedures for the company. Which of the following choices is the MOST important consideration? A. Chain of custody of electronic evidence B. System breach notification procedures C. Escalation procedures to external agencies D. Procedures to recover lost data

A. Chain of custody of electronic evidence

An IS auditor is reviewing the most recent disaster recovery plan (DRP) of an organization. Which approval is the MOST important when determining the availability of system resources required for the plan? A. Executive management B. IT management C. Board of directors D. Steering committee

B. IT management

An IS auditor is reviewing the network infrastructure of a call center and determines that the internal telephone system is based on Voice-over Internet Protocol (VoIP) technology. Which of the following is the GREATEST concern? A. Voice communication uses the same equipment that is used for data communication. B. Ethernet switches are not protected by uninterrupted power supply (UPS) units. C. Voice communication is not encrypted on the local network. D. The team that supports the data network also is responsible for the telephone system.

B. Ethernet switches are not protected by uninterrupted power supply (UPS) units.

An IS auditor is reviewing the physical security controls of a data center and notices several areas for concern. Which of the following areas is the MOST important? A. The emergency power off button cover is missing. B. Scheduled maintenance of the fire suppression system was not performed. C. There are no security cameras inside the data center. D. The emergency exit door is blocked.

D. The emergency exit door is blocked.

An IS auditor is reviewing the software development capabilities of an organization that has adopted the agile methodology. The IS auditor would be the MOST concerned if: A. certain project iterations produce proof-of-concept deliverables and unfinished code. B. application features and development processes are not extensively documented. C. software development teams continually re-plan each step of their major projects. D. project managers do not manage project resources, leaving that to project team members.

A. certain project iterations produce proof-of-concept deliverables and unfinished code.

An IS auditor observed that users are occasionally granted the authority to change system data. This elevated system access is not consistent with company policy yet is required for smooth functioning of business operations. Which of the following controls would the IS auditor MOST likely recommend for long-term resolution? A. Redesign the controls related to data authorization. B. Implement additional segregation of duties controls. C. Review policy to see if a formal exception process is required. D. Implement additional logging controls.

C. Review policy to see if a formal exception process is required.

An IS auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information (PHI). Which of the follow contractual terms would be the GREATEST risk to the customer organization? A. Data ownership is retained by the customer organization. B. The third-party provider reserves the right to access data to perform certain operations. C. Bulk data withdrawal mechanisms are undefined. D. The customer organization is responsible for backup, archive and restore.

B. The third-party provider reserves the right to access data to perform certain operations.

An IS auditor performing an audit has determined that developers have been granted administrative access to the virtual machine (VM) management console to manage their own servers used for software development and testing. Which of the following choices would be of MOST concern for the IS auditor? A. Developers have the ability to create or de- provision servers. B. Developers could gain elevated access to production servers. C. Developers can affect the performance of production servers with their applications. D. Developers could install unapproved applications to any servers.

A. Developers have the ability to create or de- provision servers.

An IS auditor performing an audit of the newly installed Voice-over Internet Protocol (VoIP) system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern? A. The local area network (LAN) switches are not connected to uninterruptible power supply (UPS) units. B. Network cabling is disorganized and not properly labeled. C. The telephones are using the same cable used for LAN connections. D. The wiring closet also contains power lines and breaker panels.

A. The local area network (LAN) switches are not connected to uninterruptible power supply (UPS) units.

An IS auditor performing an audit of the newly installed Voice-over Internet Protocol(VoIP) system was inspecting the wiring closets on each floor of a building. What would be the GREATEST concern? A. The local area network (LAN) switches are not connected to uninterruptible power supply (UPS) units. B. Network cabling is disorganized and not properly labeled. C. The telephones are using the same cable used for LAN connections. D. The wiring closet also contains power lines and breaker panels.

A. The local area network (LAN) switches are not connected to uninterruptible power supply (UPS) units.

An IS auditor reviewing a network log discovers that an employee ran elevated commands on his/her PC by invoking the task scheduler to launch restricted applications. This is an example what type of attack? A. A race condition B. A privilege escalation C. A buffer overflow D. An impersonation

B. A privilege escalation

An IS auditor reviewing the application change management process for a large multinational company should be MOST concerned when: A. test systems run different configurations than do production systems. B. change management records are paper based. C. the configuration management database is not maintained. D. the test environment is installed on the production server.

C. the configuration management database is not maintained.

A new application has been purchased from a vendor and is about to be implemented. Which of the following choices is a key consideration when implementing the application? A. Preventing the compromise of the source code during the implementation process B. Ensuring that vendor default accounts and passwords have been disabled C. Removing the old copies of the program from escrow to avoid confusion D. Verifying that the vendor is meeting support and maintenance agreements

B. Ensuring that vendor default accounts and passwords have been disabled

A new business requirement required changing database vendors. Which of the following areas should the IS auditor PRIMARILY examine in relation to this implementation? A. Integrity of the data B. Timing of the cutover C. Authorization level of users D. Normalization of the data

A. Integrity of the data

An organization implemented a distributed accounting system, and the IS auditor is conducting a postimplementation review to provide assurance of the data integrity controls. Which of the following choices should the auditor perform FIRST? A. Review user access. B. Evaluate the change request process. C. Evaluate the reconciliation controls. D. Review the data flow diagram.

D. Review the data flow diagram.

An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider? A. A cost analysis B. The security risk of the current technology C. Compatibility with existing systems D. A risk analysis

D. A risk analysis

An organization is reviewing its contract with a cloud computing provider. For which of the following reasons would the organization want to remove a lock-in clause from the contract? A. Availability B. Portability C. Agility D. Scalability

B. Portability

An organization recently deployed a customer relationship management (CRM) application that was developed in-house. Which of the following is the BEST option to ensure that the application operates as designed? A. User acceptance testing (UAT) B. Project risk assessment C. Post-implementation review D. Management approval of the system

C. Post-implementation review

The PRIMARY benefit of an enterprise architecture (EA) initiative would be to: A. enable the organization to invest in the most appropriate technology. B. ensure that security controls are implemented on critical platforms. C. allow development teams to be more responsive to business requirements. D. provide business units with greater autonomy to select IT solutions that fit their needs.

A. enable the organization to invest in the most appropriate technology.

The PRIMARY objective of the audit initiation meeting with an IS audit client is to: A. discuss the scope of the audit. B. identify resource requirements of the audit. C. select the methodology of the audit. D. review requested evidence provided by the audit client.

A. discuss the scope of the audit.

The PRIMARY purpose of installing data leak prevention (DLP) software is to control which of the following choices? A. Access privileges to confidential files stored on servers B. Attempts to destroy critical data on the internal network C. Which external systems can access internal resources D. Confidential documents leaving the internal network

D. Confidential documents leaving the internal network

The PRIMARY purpose of the IS audit charter is to: A. establish the organizational structure of the audit department. B. illustrate the reporting responsibilities of the IS audit function. C. detail the audit processes and procedures performed by the IS audit department. D. outline the responsibility and authority of the IS audit function.

D. outline the responsibility and authority of the IS audit function.

Segmenting a highly sensitive database results in: A. reduced exposure. B. reduced threat. C. less criticality. D. less sensitivity.

A. reduced exposure.

A small company cannot segregate duties between its development processes and its change control function. What is the BEST way to ensure that the tested code that is moved A. Release management software B. Manual code comparison C. Regression testing in preproduction D. Management approval of changes

A. Release management software

A vendor has released several critical security patches over the past few months and this has put a strain on the ability of the administrators to keep the patches tested and deployed in a timely manner. The administrators have asked if they could reduce the testing of the patches. What approach should the organization take? A. Continue the current process of testing and applying patches. B. Reduce testing and ensure that an adequate back out plan is in place. C. Delay patching until resources for testing are available. D. Rely on the vendor's testing of the patches.

A. Continue the current process of testing and applying patches.

What is the PRIMARY consideration for an IS auditor while reviewing the prioritization and coordination of IT projects and program management? A. Projects are aligned with the organization's strategy. B. Identified project risk is monitored and mitigated. C. Controls related to project planning and budgeting are appropriate. D. IT project metrics are reported accurately.

A. Projects are aligned with the organization's strategy.

What is the PRIMARY reason that an IS auditor would verify that the process of post-implementation review of an application was completed after a release? A. To make sure that users are appropriately trained B. To verify that the project was within budget C. To check that the project meets expectations D. To determine whether proper controls were implemented

C. To check that the project meets expectations

When performing a review of a business process reengineering (BPR) effort, which of the following choices would be the PRIMARY concern? A. Controls are eliminated as part of the BPR effort. B. Resources are not adequate to support the BPR process. C. The audit department is not involved in the BPR effort. D. The BPR effort includes employees with limited knowledge of the process area.

A. Controls are eliminated as part of the BPR effort.

When preparing a business case to support the need of an electronic data warehouse solution, which of the following choices is the MOST important to assist management in the decision-making process? A. Discuss a single solution. B. Consider security controls. C. Demonstrate feasibility. D. Consult the audit department.

C. Demonstrate feasibility.

Where would an IS auditor MOST likely see a hash function applied? A. Authentication B. Identification C. Authorization D. Encryption

A. Authentication

Which of the following choices BEST ensures accountability when updating data directly in a production database? A. Before and after screen images B. Approved implementation plans C. Approved validation plan D. Data file security

A. Before and after screen images

Which of the following choices BEST ensures the effectiveness of controls related to interest calculation inside an accounting system? A. Re-performance B. Process walk-through C. Observation D. Documentation review

A. Re-performance

Which of the following choices BEST helps information owners to properly classify data? A. Understanding of technical controls that protect data B. Training on organizational policies and standards C. Use of an automated data leak prevention (DLP) tool D. Understanding which people need to access the data

B. Training on organizational policies and standards

Which of the following choices is MOST important for an IS auditor to understand when auditing an e-commerce environment? A. The technology architecture of the e-commerce environment B. The policies, procedure and practices that form the internal control environment C. The nature and criticality of the business process supported by the application D. Continuous monitoring of control measures for system availability and reliability

C. The nature and criticality of the business process supported by the application

Which of the following choices is the MOST effective control that should be implemented to ensure accountability for application users accessing sensitive data in the human resource management system (HRMS) and among interfacing applications to the HRMS? A. Two-factor authentication B. A digital certificate C. Audit trails D. Single sign-on authentication

C. Audit trails

Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment? A. To conduct a feasibility study to demonstrate IT value B. To ensure that investments are made according to business requirements C. To ensure that proper security controls are enforced D. To ensure that a standard development methodology is implemented

B. To ensure that investments are made according to business requirements

Which of the following choices would be the BEST source of information when developing a risk-based audit plan? A. Process owners identify key controls. B. System custodians identify vulnerabilities. C. Peer auditors understand previous audit results. D. Senior management identify key business processes.

D. Senior management identify key business processes

Which of the following choices would MOST likely ensure that a disaster recovery (DR) effort is successful? A. The tabletop test was performed. B. Data restoration was completed. C. Recovery procedures are approved. D. Appropriate staff resources are committed.

B. Data restoration was completed.

Which of the following considerations is the MOST important while evaluating a business case for the acquisition of a new accounting application? A. Total cost of ownership (TCO) of the application B. The resources required for implementation C. Return on investment (ROI) to the company D. The cost and complexity of security requirements

C. Return on investment (ROI) to the company

Which of the following controls would be MOST effective to reduce the risk of loss due to fraudulent online payment requests? A. Transaction monitoring B. Protecting web sessions using Secure Sockets Layer (SSL) C. Enforcing password complexity for authentication D. Inputting validation checks on web forms

A. Transaction monitoring

Which of the following criteria are MOST needed to ensure that log information is admissible in court? Ensure that data have been: A. independently time stamped. B. recorded by multiple logging systems. C. encrypted by the most secure algorithm. D. verified to ensure log integrity.

D. verified to ensure log integrity.

Which of the following factors is the MOST critical when evaluating the effectiveness of an IT governance implementation? A. Ensure that assurance objectives are defined. B. Determine stakeholder requirements and involvement. C. Identify the relevant risk and related opportunities. D. Determine the relevant enablers and their applicability.

B. Determine stakeholder requirements and involvement.

Which of the following factors should an IS auditor PRIMARILY focus on when determining the appropriate level of protection for an information asset? A. Results of a risk assessment B. Relative value to the business C. Results of a vulnerability assessment D. Cost of security controls

A. Results of a risk assessment

Which of the following groups would create MOST concern to an IS auditor if they have direct full access to the production database? A. Application testers B. System administrators C. The database owner D. The data recovery team

A. Application testers

Which of the following inputs adds the MOST value to the strategic IT initiative decision- making process? A. The maturity of the project management process B. The regulatory environment C. Past audit findings D. The IT project portfolio analysis

D. The IT project portfolio analysis

Which of the following inputs would PRIMARILY help in designing the data backup strategy in case of potential natural disasters? A. Recovery point objective (RPO) B. Volume of data to be backed up C. Data backup technologies D. Recovery time objective (RTO)

A. Recovery point objective (RPO)

Which of the following is MOST important to determine the recovery point objective (RPO) for a critical process in an enterprise? A. Number of hours of acceptable downtime B. Total cost of recovering critical systems C. Extent of data loss that is acceptable D. Acceptable reduction in the level of service

C. Extent of data loss that is acceptable

Which of the following is the BEST way to ensure that incident response activities are consistent with the requirements of business continuity? A. Draft and publish a clear practice for enterprise-level incident response. B. Establish a cross-departmental working group to share perspectives. C. Develop a scenario and perform a structured walk-through. D. Develop a project plan for end-to-end testing of disaster recovery.

C. Develop a scenario and perform a structured walk-through.

Which of the following is PRIMARY requirement in reporting results of an IS audit? The report is: A. prepared according to a predefined and standard template. B. backed by sufficient and appropriate audit evidence. C. comprehensive in coverage of enterprise processes. D. reviewed and approved by audit management.

B. backed by sufficient and appropriate audit evidence.

Which of the following preventive controls BEST helps secure a web application? A. Password masking B. Developer training C. Encryption D. Vulnerability testing

B. Developer training

Which of the following should an IS auditor be MOST concerned about in a financial application? A. Programmers have access to application source code. B. Secondary controls are documented for identified role conflicts. C. The information security officer does not authorize all application changes. D. Programmers have access to the production database.

D. Programmers have access to the production database.

Which of the following stakeholders is the MOST important in terms of developing a business continuity plan (BCP)? A. Process owners B. Application owners C. The board of directors D. IT management

A. Process owners

Which of the following ways is the BEST for an IS auditor to verify that critical production servers are running the latest security updates released by the vendor? A. Ensure that automatic updates are enabled on critical production servers. B. Verify manually that the patches are applied on a sample of production servers. C. Review the change management log for critical production servers. D. Run an automated tool to verify the security patches on production servers.

D. Run an automated tool to verify the security patches on production servers.

Which technique would BEST test for the existence of dual control when auditing the wire A. Analysis of transaction logs B. Re-performance C. Observation D. Interviewing personnel

C. Observation

While auditing a third-party IT service provider, an IS auditor discovered that access reviews were not being performed as required by the contract. The IS auditor should: A. report the issue to IT management. B. discuss the issue with the service provider. C. perform a risk assessment. D. perform an access review.

A. report the issue to IT management.

While conducting an audit on the customer relationship management (CRM) application, the IS auditor observes that it takes a significantly long time for users to log on to the system during peak business hours as compared with other times of the day. Once logged on, the average response time for the system is within acceptable limits. Which of the following choices should the IS auditor recommend? A. The IS auditor should recommend nothing because the system is compliant with current business requirements. B. IT should increase the network bandwidth to improve performance. C. Users should be provided with detailed manuals to use the system properly. D. The IS auditor should recommend establishing performance measurement criteria for the authentication servers.

D. The IS auditor should recommend establishing performance measurement criteria for the authentication servers.

While reviewing a quality management system (QMS) the IS auditor should PRIMARILY focus on collecting evidence to show that: A. quality management systems (QMSs) comply with good practices. B. continuous improvement targets are being monitored. C. standard operating procedures of IT are updated annually. D. key performance indicators (KPIs) are defined.

B. continuous improvement targets are being monitored.

While reviewing the process for continuous monitoring of the capacity and performance of IT resources, an IS auditor should PRIMARILY ensure that the process is focused on: A. adequately monitoring service levels of IT resources and services. B. providing data to enable timely planning for capacity and performance requirements. C. providing accurate feedback on IT resource availability. D. properly forecasting performance, capacity and throughput of IT resources.

C. providing accurate feedback on IT resource availability.

ISACA 901-1000 Flashcards

(99 cards)