1. An IS auditor is evaluating data mining and auditing software to be used in future IS audits. What is the PRIMARY ability that the IS auditor should look for in the software tool? The software tool should:
- Preserve data integrity and not modify source data in any way

2. Management instructs a junior IS auditor to prepare and deliver a final report using his/her best judgment since no senior IS auditor is available. How should the IS auditor respond?
- The loss of reputation because the audit was not performed according to standards

3. An IS auditor is reviewing the process performed for the protection of digital evidence. Which of the following findings should present the MOST concern to the IS auditor?
- There are no documented logs of the transportation of evidence

4. Which of the following is the most significant risk of changing from using a traditional audit approach to a facilitated control self-assessment (FCSA) workshop approach without adequate planning and preparation?
- Critical risk issues may not be identified by the process

5. An IS auditor is developing an audit plan for a repeat client. The plan was designed to review the company network and e-mail systems, which were newly implemented last year, but the plan did not include reviewing the e-commerce web server. The company IT manager indicates that this year the organization prefers to focus the audit on a newly-implemented enterprise resource planning (ERP) application. How should the IS auditor respond?
- Determine the highest-risk systems and plan the audit based on the result

6. An IS auditor has been asked to review the security controls for a critical web-based order system shortly before the scheduled go-live date. The auditor conducts a penetration test which produces inconclusive results, and additional testing cannot be concluded by the completion date agreed for the audit. Which of the following is the BEST option for the auditor?
- Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing

7. In a risk based audit approach, the IS auditor must consider the inherent risk as well as:
- The balance of loss potential vs the cost to implement controls

8. The internal audit department of an organization has developed and maintained ACL scripts for continuous auditing purposes. These scripts were provided to IT management for continuous monitoring purposes. This situation resulted in a potential conflict related to the auditor's independence and objectivity. Which of the following actions would BEST resolve this issue?
- IT management should continue to use the scripts for continuous monitoring purposes with the understanding that it is responsible for testing and maintaining the scripts that it uses.

9. When performance issues are discovered during an assessment of the organization's network, the MOST efficient way for the IS auditor to proceed is to examine the:
- network topology

10. Which of the following represents an example of a preventive control with respect to IT personnel?
- Implementation of a badge entry system for the IT facility

11. Which of the following is the BEST reason to implement a policy which addresses secondary employment for IT employees?
- To prevent conflict of interest

12. An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the highest potential risk?
- The policy is approved by the security administrator.

13. An IS auditor is verifying the IT policies and found that some of the policies have not been approved by management (as required by policy) but the employees strictly follow the policies. What should the IS auditor do FIRST?
- Report the absence of document approval.

14. When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified responsibilities regarding IT management and the governance roles. Which of the following recommendations is the MOST appropriate?
- Implement accountability rules within the organization.

Domain 2 – IT Governance

15. An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
- Request all standards that have been adopted by the organization.

16. When auditing the archiving of the company's email communication, the auditor should pay the MOST attention to:
- The existence of a data retention policy

17. An IS auditor is reviewing changes to a company's disaster recovery (DR). The auditor notices that the recovery point objective (RPO) has been shortened for the company's application. What is the MOST significant risk of this change?
- Backups are not done frequently enough to achieve the new RPO

18. An IT auditor found that the enterprise architecture recently adopted by an organization has an adequate current state representation. However, the organization has started a separate project to develop an optimized future state representation. The IT auditor should:
- Report this issue as a finding in the audit report

19. Which of the following situations is addressed by a software escrow agreement?
- The vendor of custom-written software goes out of business

20. When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain a successful result and avoid future conflicts?
- Ensure that the IT security risk assessment has a clearly defined scope

Domain 3

21. An IS auditor has been asked to review proposals to implement a standardized IT infrastructure. Which of the following findings would likely be featured in the auditor's report? The proposals are likely to:
- Improve the cost-effectiveness of IT service delivery and operational support.

22. Which of the following would BEST help to prioritize project activities and determine the timeline for a project?
- Program evaluation review technique (PERT)

23. An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue?
- Project Scope Management

24. An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform?
- Program output testing

25. An IS auditor is reviewing system development for a healthcare organization with two application environments: production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?
- The test environment may not have adequate access controls implemented to ensure data confidentiality

26. The IS auditor is reviewing a recently completed conversion to a new enterprise resource planning (ERP) system. As the final stage of the conversion process, the organization ran the old and new systems in parallel for 30 days before allowing the new system to run on its own. What is the MOST significant advantage to the organization of using this strategy?
- Assurance that the new system meets functional requirements

27. What kind of software application testing is considered the final stage of testing and typically includes users outside the development team?
- Beta Testing

28. During which phase of software application testing should an organization perform the testing of architectural design?
- Integration testing

29. Which of the following is the MOST efficient way to test the design effectiveness of a partially automated change control process?
- Perform an end-to-end walk-through of the process

30. An organization is replacing a payroll program that it developed in-house with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the highest potential risk?
- Faulty migration of historical data from the old system to the new system

31. An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test in order to ensure availability and confidentiality of the web application in production?
- Server configuration hardening

32. During a post-implementation review, which of the following activities should be performed?
- ROI analysis

33. An IS auditor reports that the financial module of an enterprise resource planning (ERP) application is very slow because the audit trails are activated on some sensitive tables. The vendor has asked to disable audit trails on these transactional tables and restrict auditing only to successful and unsuccessful logons to the system. What is the GREATEST threat if this recommendation is implemented?
- The integrity of the financial data could not be guaranteed

34. An IS auditor should ensure that a review of online electronic funds transfer (EFT) reconciliation procedures includes:
- Tracing

35. Web application developers sometimes use hidden fields on web pages to save information about a client session. This technique is used in some cases to store session variables that enable persistence across web pages, such as maintaining the contents of a shopping cart on a retail web site application. The MOST likely web-based attack due to this practice is:
- Parameter Tampering

36. After consulting with senior management, an organization's IT department decided that all IT hardware would be replaced three years from the procurement date. The MOST likely reason for doing this is to:
- Manage IT assets in a cost effective manner.

Domain 4

37. An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?
- The service level agreement (SLA) with the service provider

38. The IS auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data from different business units and all unused SAN ports are disabled. The administrator who implemented the system performed and documented security testing during implementation and determined that he/she is the only user with administrative rights to the system. What should the auditor's initial determination be?
- The SAN presents a potential risk because only one employee has access.

39. When reviewing the desktop software compliance of an organization, the IS auditor should be MOST concerned if the installed software:
- Is not listed in the approved software standards document

40. Due to a recent economic downturn, an IT organization has terminated several administrators at remote sites and consolidated all IT administration to the organization's headquarters. During the annual IT audit, the auditor determines that the organization has implemented remote admin connectivity to each site using low cost DSL connections and an automated SNMP based monitoring system to detect any hardware or software issues that may occur. In the auditor's mind, what should be the biggest area of concern?
- The connection to remote sites is secure through the use of virtual private network (VPN)

41. An IT executive of an insurance company asked an external auditor to evaluate the user IDs for emergency access (fire call ID). The IS auditor found that fire call accounts are granted without a predefined expiration date. What should the IS auditor recommend?
- Review of the access control privilege authorization process

42. An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration for database hardening?
- The default configurations are changed

43. In auditing a database environment, an IS auditor will be MOST concerned if the database administrator (DBA) is performing which of the following functions?
- Installing patches or upgrades to the operating system

44. An IS auditor reviewing local area network (LAN) performance in an organization should FIRST examine:
- Data, voice, and video throughput requirements

45. An IS auditor is evaluating the effectiveness of the organization's change management process. What is the MOST important control that the IS auditor should look for to ensure system availability?
- That test plans and procedures exist and are closely followed

46. An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
- A clause providing a "right to audit" the service provider

47. Which of the following specifically addresses how to detect cyber attacks against an organization's IT systems and how to recover from an attack?
- An Incident response plan (IRP)

48. An IS auditor is reviewing the expansion plans for an organization which is opening a new office about 80 meters away from their existing facility. The plan is to implement fiber optic cabling within the new facility, and it has been determined that a 100 m category 5 (Cat 5) unshielded twisted pair (UTP) cable can be installed to provide connectivity between both buildings. What is the PRIMARY risk that the auditor should identify with this expansion plan?
- The link between buildings may not meet the long term business requirement.

49. An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a:
- Transition clause from the old supplier to a new supplier in the case of expiration or termination.

50. During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed?
- Foreign key structure

Domain 5

51. An IS auditor is planning an audit of a bank wire transfer system in the context of a regulation that requires banks to accurately report transactions. Which of the following represents the PRIMARY focus of the audit scope?
- Data Integrity.

52. An IS auditor reviewing the operating system integrity of a server would PRIMARILY:
- Verify that privileged programs or services cannot be invoked by user programs.

53. Which of the following is the MOST common concern for an IS auditor regarding audit logs?
- Logs are collected but not analysed.

54. Which of the following would BEST help in preventing structured query language (SQL) injection attacks on a web application?
- Built-in input validation within the application.

55. Which of the following is the BEST control to implement in order to mitigate the risk of an insider attack?
- Limit access to what is required for an individual's job duties.