3. Which of the following types of risks assumes an absence of compensating controls in the area being reviewed?

Transcription

1 ISACA These questions were collected from different official ISACA resources and reflect the kind of the questions at the CISA exam. Every question has a detailed answer explanation. 1. An IS auditor, performing a review of an application s controls, discovers a weakness in system software, which could materially impact the application. The IS auditor should: A. Disregard these control weaknesses as a system software review is beyond the scope of this review. B. Conduct a detailed system software review and report the control weaknesses. C. Include in the report a statement that the audit was limited to a review of the application s controls. D. Review the system software controls as relevant and recommend a detailed system software review. The IS auditor is not expected to ignore control weaknesses just because they are outside the scope of a current review. Further, the conduct of a detailed systems software review may hamper the audit s schedule and the IS auditor may not be technically competent to do such a review at this time. If there are control weaknesses which have been discovered by the IS auditor, they should be disclosed. By issuing a disclaimer, this responsibility would be waived. Hence, the appropriate option would be to review the systems software as relevant to the review and recommend a detailed systems software for which additional resources may be recommended. 2. The reason for having controls in an IS environment: A. remains unchanged from a manual environment, but the implemented control features may be different. B. changes from a manual environment, therefore the implemented control features may be different. C. changes from a manual environment, but the implemented control features will be the same. D. remains unchanged from a manual environment and the implemented control features will also be the same. The internal control objectives apply to all areas, whether manual or automated. There are additional objectives to be achieved in the IS environment, when compared to the manual environment. Common control objectives remain unchanged in both the IS environment and manual environment, although the implementation of the control functions may be different in the IS environment, e.g., the adequacy of backup/recovery in a common internal control objective for IS and manual environment. The specific IS control objective may be to adequately back up the files to allow for proper recovery. This may be achieved by implementing proper control procedures, such as business continuity policy, in the IS department. Therefore, the implementation of the control functions may be different in the IS environment. But the common control objectives in an IS environment remains unchanged from a manual environment. 3. Which of the following types of risks assumes an absence of compensating controls in the area being reviewed? A. Control risk B. Detection risk C. Inherent risk D. Sampling risk The risk that an error exists that could be material or significant when combined with other errors encountered during the audit, there being no related compensating controls, is the inherent risk. Control risk is the risk that a material error exists that will not be prevented or detected on a timely basis by the system of internal controls. Detection risk is the risk when an IS auditor uses an

2 inadequate test procedure and concludes that material errors do not exist, when they do. Sampling risk is the risk that incorrect assumptions are made about the characteristics of a population from which a sample is taken. 4. An IS auditor is conducting substantive audit tests of a new accounts receivable module. The IS auditor has a tight schedule and limited computer expertise. Which would be the BEST audit technique to use in this situation? A. Test data B. Parallel simulation C. Integrated test facility D. Embedded audit module Test data uses a set of hypothetical transactions to verify the program logic and internal control in short a time and for an auditor with minimal IT background. In a parallel simulation, the results produced for an actual program are compared with the results from a program written for the IS auditor; this technique can be time consuming and requires IT expertise. An integrated test facility, enables test data to be continually evaluated when transactions are processed online; this technique is time consuming and requires IT expertise. An embedded audit module is a programmed module that is inserted into an application program to test controls; this technique is time consuming and requires IT expertise. 5. The PRIMARY purpose of compliance tests is to verify whether: A. controls are implemented as prescribed. B. documentation is accurate and current. C. access to users is provided as specified. D. data validation procedures are provided. Compliance tests are performed primarily to verify whether controls, as chosen by management, are implemented. Verification of documents is not directly related to compliance testing. Verifying whether access to users is provided is an example of compliance testing. Data validation procedures are part of application controls. Testing whether these are set as parameters and working as envisaged is compliance testing. 6. Which of the following BEST describes the early stages of an IS audit? A. Observing key organizational facilities. B. Assessing the IS environment. C. Understanding business process and environment applicable to the review. D. Reviewing prior IS audit reports. Understanding the business process and environment applicable to the review is most representative of what occurs early on, in the course of an audit. Other choices relate to activities actually occurring within this process. 7. The document used by the top management of organizations to delegate authority to the IS audit function is the: A. long-term audit plan. B. audit charter. C. audit planning methodology. D. steering committee minutes.

3 The audit charter outlines the overall authority, scope and responsibilities of the audit function to achieve the audit objectives stated in it. This document serves as an instrument for the delegation of authority to the IS audit function. Long-term audit planning relates to those aspects of the audit plan that are impacted by the organization s IT strategy and environment. Audit planning commences only after the audit charter has been approved by the highest level of management. The audit planning methodologies are decided upon based on the analysis of both long- and short-term audit issues. The steering committee minutes should address the approval of the audit charter but is not the driver that delegates authority. 8. Before reporting results of an audit to senior management, an IS auditor should: A. Confirm the findings with auditees. B. Prepare an executive summary and send it to auditee management. C. Define recommendations and present the findings to the audit committee. D. Obtain agreement from the auditee on findings and actions to be taken. Upon completion of an audit, an IS auditor should discuss with auditees the audit objectives for work performed, the test and evaluation techniques used, and the outcome of those tests that led to findings. The auditor should also obtain the agreement/disagreement of the auditee regarding the findings and the actions the auditor plans to take. 9. While developing a risk-based audit program, which of the following would the IS auditor MOST likely focus on? A. Business processes B. Critical IT applications C. Corporate objectives D. Business strategies A risk-based audit approach focuses on the understanding of the nature of the business and being able to identify and categorize risk. Business risks impact the long-term viability of a specific business. Thus an IS auditor using a risk-based audit approach must be able to understand business processes. 10. Which of the following is a substantive audit test? A. Verifying that a management check has been performed regularly B. Observing that user IDs and passwords are required to sign on the computer C. Reviewing reports listing short shipments of goods received D. Reviewing an aged trial balance of accounts receivable A review of accounts receivable will provide evidence of the validity and propriety of the financial statement balance. Choices A, B and C are compliance tests to determine that policies and procedures are being followed. 11. Which of the following tasks is performed by the same person in a well-controlled information processing facility/computer center? A. Security administration and management B. Computer operations and system development C. System development and change management D. System development and systems maintenance

4 It is common for system development and maintenance to be undertaken by the same person. In both cases, the programmer requires access to the source code in the development environment, but should not be allowed access in the production environment. Choice A is not correct because the roles of security administration and change management are incompatible functions. The level of security administration access rights could allow changes to go undetected. Computer operations and system development (choice B) are incompatible since it would be possible for an operator to run a program that he/she had amended. Choice C is incorrect because the combination of system development and change control would allow program modifications to bypass change control approvals. 12. Where adequate segregation of duties between operations and programming are not achievable, the IS auditor should look for: A. compensating controls. B. administrative controls. C. corrective controls. D. access controls. The IS auditor should identify compensating controls such as strong computer security, reviewing access control logs, end-user reconciliation of control reports and control information in transaction reports, where adequate segregation of duties is not achievable. Administrative controls deal with operational effectiveness, efficiency and adherence to management policies. Corrective controls are designed to correct errors, omissions and unauthorized uses and intrusions once they are detected. Access control is the process that limits and controls access to resources of a computer system. 13. Which of the following would be included in an IS strategic plan? A. Specifications for planned hardware purchases B. Analysis of future business objectives C. Target dates for development projects D. Annual budgetary targets for the IS department IS strategic plans must address the needs of the business and meet future business objectives. Hardware purchases may be outlined but not specified and neither budget targets nor development projects are relevant choices. Choices A, C and D are not strategic items. 14. The MOST important responsibility of a data security officer in an organization is: A. recommending and monitoring data security policies. B. promoting security awareness within the organization. C. establishing procedures for IT security policies. D. administering physical and logical access controls. A data security officer s prime responsibility is recommending and monitoring data security policies. Promoting security awareness within the organization is one of the responsibilities of a data security officer. But, it is not as important as recommending and monitoring data security policies. The IT department, not the data security officer, is responsible for establishing procedures for IT security policies recommended by the data security officer and for the administration of physical and logical access controls. 15. Which of the following BEST describes an IT department s strategic planning process?

5 A. The IT department will have either short-range or long-range plans depending on the organization s broader plans and objectives. B. The IT department s strategic plan must be time and project oriented, but not so detailed as to address and help determine priorities to meet business needs. C. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements. D. Short-range planning for the IT department does not need to be integrated into the short-range plans of the organization since technological advances will drive the IT department plans much quicker than organizational plans. Long-range planning for the IT department should recognize organizational goals, technological advances and regulatory requirements. Typically, the IT department will have both long-range and short-range plans that are consistent and integrated with the organization s plans. These plans must be time- and project-oriented, as well as addressing the organization s broader plans for attaining the organization s goals. 16. When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others? A. Origination B. Authorization C. Recording D. Correction Authorization should be separated from all aspects of record keeping (origination, recording, and correction). Such a separation enhances the ability to detect the recording of unauthorized transactions. 17. In a small organization, where segregation of duties is not practical, an employee performs the function of computer operator and application programmer. Which of the following controls should the IS auditor recommend? A. Automated logging of changes to development libraries B. Additional staff to provide segregation of duties C. Procedures that verify that only approved program changes are implemented D. Access controls to prevent the operator from making program modifications In smaller organizations, it generally is not appropriate to recruit additional staff to achieve a strict segregation of duties. The IS auditor must look at alternatives. Of the choices, C is the only practical one that has an impact. The IS auditor should recommend processes that detect changes to production source and object code, such as code comparisons so that the changes can be reviewed by a third party on a regular basis. This would be a compensating control process. Choice A, involving logging of changes to development libraries, would not detect changes to production libraries. Choice D is in effect requiring a third party to do the changes, which may not be practical in a small organization. 18. An IT steering committee would MOST likely perform which of the following functions? A. Placement of a purchase order with the approved IT vendor B. Installation of systems software and application software C. Provide liaison between IT department and user department D. Interview staff for the IT department

6 A steering committee for information technology is a mechanism to ensure that the information systems strategies are in harmony with the corporate mission and objectives. Such a committee typically serves as a general review board for major IS projects and should not become involved in routine operations. Placement of purchase orders, installation of software and interviewing staff for the IT department are routine operations that are performed by the respective departments. A steering committee would provide a liaison between the IS department and the user department. 19. An IS auditor is auditing the controls relating to employee termination. Which of the following is the MOST important aspect to be reviewed? A. The related company staff are notified about the termination B. User ID and passwords of the employee have been deleted C. The details of employee have been removed from active payroll files D. Company property provided to the employee has been returned The highest risk is logical access to information by a terminated employee. This form of access is possible if the user id and password of the terminated employee have not been deleted. If the user id is not disabled or deleted, it is possible that the employee without physically visiting the company can access the information. The potential of loss on account of access to information is much higher, compared to payment of salary and non-return of company property. 20. When reviewing a service level agreement for an outsourced computer center an IS auditor should FIRST determine that: A. the cost proposed for the services is reasonable. B. security mechanisms are specified in the agreement. C. the services in the agreement are based on an analysis of business needs. D. audit access to the computer center is allowed under the agreement. The first consideration in reviewing the agreement is to ensure that the business is asking for the most appropriate services to meet its business requirements. There should be evidence that they have considered what services are required, both at present and in the future. The cost is important (choice A), since the business may be paying for levels of services that are not required or are not appropriate, but is not of first importance. Both, audit access (choice D) and security objectives, rather than security mechanisms (choice B), are issues to be considered as part of the review, but are not of first importance. 21. The PRIMARY benefit of database normalization is the: A. minimization redundancy of information in tables required to satisfy users needs. B. ability to satisfy more queries. C. maximization of database integrity by providing information in more than one table. D. minimization of response time through faster processing of information. The normalization means the elimination of redundant data. Hence, the objective of normalization in relational databases is to minimize the quantum of information by eliminating redundant data in tables, quickly processing users requests and maintaining data integrity. Maximizing the quantum of information is against the rules of normalization. If particular information is provided in difference tables, the objective of data integrity may be violated because one table may be updated and not others. Normalization rules advocate storing data in only one table, hence, minimizing the response time through faster processing of information.

7 22. Which of the following network topologies yields the GREATEST redundancy in the event of the failure of one node? A. Mesh B. Star C. Ring D. Bus In mesh configuration, devices are connected with many redundant interconnections among network nodes, thereby, yielding the greatest redundancy in the event that one of the nodes fail, in which case network traffic can be redirected to another node. In star configuration, each station is linked to the main hub. The main hub establishes the connection between stations by message or line switching. Therefore, failure of a node results in the disruption of the network. In ring configuration, all nodes are connected to one another forming a circle; therefore, the failure of a node results in the disruption of the network. In bus configuration, all devices are linked along one communication line with two end points called the backbone; therefore, the failure of a node results in the disruption of the network. 23. A vendor/contractor s performance against service level agreements must be evaluated by the: A. customer. B. contractor. C. third-party. D. contractor s management. Only the customer should evaluate the supplier s performance in a service level agreement (SLA). This makes the customer confident of the service provided by the supplier. However, the decision of what to measure must be decided by the customer and the supplier. 24. When auditing a mainframe operating system, what would the IS auditor do to establish which control features are in operation? A. Examine the parameters used when the system was generated B. Discuss system parameter options with the vendor C. Evaluate the systems documentation and installation guide D. Consult the systems programmers The only way to establish which controls are functioning in a current operating system is to determine what the parameter settings were at the time the system was generated or created (often referred to as the initial program load or IPL). Although the findings of this exercise may well be further evaluated by discussion with the vendor, evaluating the documentation and consulting the systems programmers, these actions would not, by themselves, establish specific control features. 25. When conducting an audit of client/server database security, the IS auditor would be MOST concerned about the availability of: A. system utilities. B. application program generators. C. system security documentation. D. access to stored procedures. System utilities may enable unauthorized changes to be made to data on the client-server database. In an audit of database security, the controls over such utilities would be the primary concern of the IS

8 auditor. Application program generators are an intrinsic part of client-server technology, and the IS auditor would evaluate the controls over the generators access rights to the database rather than their availability. Security documentation should be restricted to authorized security staff, but this is not a primary concern, nor is access to stored procedures. 26. Which of the following would allow a company to extend it s enterprise s intranet across the Internet to it s business partners? A. Virtual private network B. Client-Server C. Dial-Up access D. Network service provider VPN technology allows external partners to securely participate in the extranet using public networks as a transport or shared private network. Because of low cost, using public networks (Internet) as a transport is the principal method. VPNs rely on tunneling/encapsulation techniques, which allow the Internet protocol (IP) to carry a variety of different protocols (e.g., SNA, IPX, NETBEUI.) Client-server does not address extending the network to business partners (I.e., client-servers refers to a group of computers within an organization connected by a communications network where the client is the request machine and the server is the supplying machine.) A network service provider may provide services to a shared private network by providing Internet services, but it does not extended an organization s intranet. 27. An IS auditor auditing hardware monitoring procedures should review A. system availability reports. B. cost-benefit reports. C. response time reports. D. database utilization reports. An IS auditor while auditing hardware monitoring procedures will review system availability reports. Cost-benefit reports are reviewed during the feasibility study. Response time reports are related to applications, not hardware. Database utilization reports are reviewed to check the optimal usage of the database across the organization. 28. The device that connects two networks at the highest level of the ISO-OSI framework ( i.e., application layer) is a A. Gateway B. Router C. Bridge D. Brouter Anwer: A Gateway is used to connect two networks using dissimilar protocols at the lower layers through which connectivity is established namely physical, data link, network and transport layers. Router is a network layer device for which the two connecting networks must have the same network layer protocol. Bridge operates in the data link layer. It should have data link layer protocols, such as token ring, Ethernet, in use in both the networks. Brouter is essentially a bridge with some routing functionality. 29. Which of the following statements relating to packet switching networks is CORRECT? A. Packets for a given message travel the same route. B. Passwords cannot be embedded within the packet.

9 C. Packet lengths are variable and each packet contains the same amount of information. D. The cost charged for transmission is based on packet, not distance or route traveled. D is the correct answer since transmission charges are based on packets transmitted, not the distance or route traveled. Passwords and other data can be placed within a packet making choice B incorrect. Choices A and C are not correct because a complete message is broken into transmission units (packets), which are routed individually through the network. 30. An IS auditor when reviewing a network used for Internet communications, will FIRST examine the: A. validity of passwords change occurrences. B. architecture of the client-server application. C. network architecture and design. D. firewall protection and proxy servers. The first step in auditing a network is to understand the network architecture and design. This would provide an overall picture of the network of the enterprises and its connectivity. This will be starting point for identifying the various layers of information and the access architecture across the various layers, such as proxy servers, firewalls and client/server application. Reviewing validity of password changes would be performed as part of substantive testing. 31. Which of the following BEST provides access control to payroll data being processed on a local server? A. Logging of access to personal information B. Separate password for sensitive transactions C. Software restricts access rules to authorized staff D. System access restricted to business hours The server and system security should be defined to allow only authorized staff access to information about the staff whose records they handle on a day to day basis. Choice A is a good control in that it will allow access to be analyzed if there is concern that there is unauthorized access. However, it will not prevent access. Choice B, restricting access to sensitive transactions, will only restrict access to part of the data. It will not prevent access to other data. Choice D, system access restricted to business hours, only restricts when unauthorized access can occur, and would not prevent such access at other times. 32. Which of the following concerns about the security of an electronic message would be addressed by digital signatures? A. Unauthorized reading B. Theft C. Unauthorized copying D. Alteration A digital signature includes an encrypted hash total of the size of the message as it was transmitted by its originator. This hash would no longer be accurate if the message was subsequently altered, thus indicating that the alteration had occurred. Digital signatures will not identify or prevent any of the other options. The signature would neither prevent nor deter unauthorized reading, copying or theft. 33. The MOST effective method for limiting the damage of an attack by a software virus is:

10 A. software controls. B. policies, standards and procedures. C. logical access controls. D. data communication standards. Software controls in the form of virus detection and removal programs are the most effective method way to detect and remove viruses. Policies, standards and procedures are important, because they are people-based; however, they are generally considered less effective than software controls. Choices C and D, are not relevant to virus detection. 34. Which of the following BEST determines that complete encryption and authentication protocols exist for protecting information while transmitted? A. A digital signature with RSA has been implemented. B. Work is being done in tunnel mode with the nested services of AH and ESP C. Digital certificates with RSA are being used. D. Work is being done in transport mode, with the nested services of AH and ESP Tunnel mode provides encryption and authentication of the complete IP package. To accomplish this, the AH (authentication header) and ESP (encapsulating security payload) services can be nested. The transport mode provides primary protection for the protocols higher layers, this is, protection extends to the data field (payload) of an IP package. The other two mechanisms provide authentication and integrity. 35. Which of the following would be MOST appropriate to ensure the confidentiality of transactions initiated via the Internet? A. Digital signature B. Data encryption standard (DES) C. Virtual private network (VPN) D. Public key encryption Encryption is the only way to ensure Internet transactions are confidential, and of the choices available, the use of public key encryption is the best method. Digital signatures would ensure the transaction is not changed and cannot be repudiated, but would not ensure confidentiality. 36. The PRIMARY objective of a firewall is to protect: A. internal systems from exploitation by external threats. B. external systems from exploitation by internal threats. C. internal systems from exploitation by internal threats. D. itself and attached systems against being used to attack other systems. Firewall is placed at the point where the internal network connects to the outside world I.e., Internet. It acts as a security guard to the network, protecting it against malicious attacks from outside the organization s network. It screens packets coming into and going out of the internal network and prevents malicious packets from entering it and denies access to prohibited resources on the Internet for the internal users. It is neither the responsibility nor is it possible for the organization to protect outside systems. Packets whose source and destination IP addresses refer to hosts within the same network are not sent out of the network and hence do not pose a security threat. Choice D is not a

11 primary objective as this is just one form of attack hackers resort to that the firewall protects the internal network form. 37. Which of the following is an example of the physiological biometrics technique? A. Hand scans B. Voice scans C. Signature scans D. Keystroke monitoring Physiological biometrics are based on measurement of data derived from direct measurement of a part of the human body. Choices B, C and D are examples of behavior biometrics. 38. An IS auditor has just completed a review of an organization that has a mainframe and a clientserver environment where all production data reside. Which of the following weaknesses would be considered the MOST serious? A. The security officer also serves as the database administrator (DBA.) B. Password controls are not administered over the client/server environment. C. There is no business continuity plan for the mainframe system s non-critical applications. D. Most LANs do not back up file server fixed disks regularly. The absence of password controls on the client-server where production data resides is the most critical weakness. All other findings, while they are control weaknesses, do not carry the same disastrous impact. 39. An organization is proposing to install a single sign-on facility giving access to all systems. The organization should be aware that: A. Maximum unauthorized access would be possible if a password is disclosed. B. User access rights would be restricted by the additional security parameters. C. The security administrator s workload would increase. D. User access rights would be increased. If a password is disclosed when single sign-on is enabled, there is a risk that unauthorized access to all systems will be possible. User access rights should remain unchanged by single sign-on as additional security parameters are not necessarily implemented. One of the intended benefits of single sign-on is that security administration would be simplified and an increased workload is unlikely. 40. A B-to-C e-commerce web site as part of its information security program wants to monitor, detect and prevent hacking activities and alert the system administrator when suspicious activities occur. Which of the following infrastructure components could be used for this purpose? A. Intrusion detection systems B. Firewalls C. Routers D. Asymmetric encryption Intrusion detection systems detect intrusion activity based on the intrusion rules. It can detect both, external and internal intrusion activity and send an automated alarm message. Firewalls and routers

12 prevent the unwanted and well-defined communications between the internal and external networks. They do not have any automatic alarm messaging systems. 41. During an audit of a reciprocal disaster recovery agreement between two companies, the IS auditor would be PRIMARILY concerned about: A. the soundness of the impact analysis. B. hardware and software compatibility. C. differences in IS policies and procedures. D. frequency of system testing. For a reciprocal agreement to be effective, hardware and software at the two sites must be compatible. Processes to ensure this occurred must be in place. Choice D, frequency of system testing, is a concern, but the reason for considering this is that it tests hardware and software compatibility. Choice A is an issue when examining the planning process, not the reciprocal agreement. Choice C is not an issue since the organization can have differences in policies and procedures and still be able to run their systems on each other s sites in the event of a disaster. 42. An IS auditor discovers that an organization s business continuity plan provides for an alternate processing site that will accommodate fifty percent of the primary processing capability. Based on this, which of the following actions should the IS auditor take? A. Do nothing, because generally, less than twenty-five percent of all processing is critical to an organization s survival and the backup capacity, therefore is adequate. B. Identify applications that could be processed at the alternate site and develop manual procedures to backup other processing. C. Ensure that critical applications have been identified and that the alternate site could process all such applications. D. Recommend that the information processing facility arrange for an alternate processing site with the capacity to handle at least seventy-five percent of normal processing. Business continuity plans should provide for the recovery of critical systems, not necessarily all systems. Perhaps only fifty percent of the company's systems are critical. Therefore, careful assessment of critical systems and capacity requirements should be part of the IS auditor's test of the plan. 43. Which of the following components of a business continuity plan is PRIMARILY the responsibility of an organization s IS department? A. Developing the business continuity plan B. Selecting and approving the strategy for business continuity plan C. Declaring a disaster D. Restoring the IS systems and data after a disaster The correct choice is restoring the IT systems and data after a disaster. The IT department of an organization is primarily responsible for restoring the IT systems and data after a disaster at the earliest possible time. The senior management of the organization is primarily responsible for developing the business continuity plan for an organization. They are also responsible for selecting and approving the strategy for developing and implementing a detailed business continuity plan. The organization should identify a person in management as responsible for declaring a disaster. Although IT is involved in all the other three components, it is not primarily responsible for them. 44. Which of the following issues should be included in the business continuity plan?

13 A. The staff required to maintain critical business functions in the short, medium and long term B. The potential for a natural disaster to occur, such as an earthquake C. Disastrous events impacting information systems processing and end-user functions D. A risk analysis that considers systems malfunctions, accidental file deletions or other failures Where a unified business continuity plan does not exist, the plan for information systems processing should be extended to include planning for all units that are dependent upon information systems processing functions. But, when formulating a thorough business continuity plan, a very important issue to be considered is the staff that will be required to maintain critical business functions over time, until the organization is fully operational again. Another important issue is the configuration of the business facilities, e.g., desks, chairs, telephones, etc., that will be needed to maintain critical business functions in the short, medium and long term. Choice B is incorrect because it has to do with what a good business continuity plan will take into account in case of disastrous events happening. This could be considered as a subset of a business continuity plan, but it does not have the same impact as the staff required and trained to perform in the event of a natural disaster. Choice C is incorrect because, like in the natural disaster case, this could be considered a subset of a business continuity plan, but it does not have the same impact as the staff required and trained to perform in the event of a disaster that would impact information systems processing and end-user functions. Choice A would be the subject and choices B and C would be the cause to deploy the business continuity plan. Choice D is incorrect because it deals with disruptions in service having their roots in systems malfunctions; but again, this would be another aspect dealt with in the business continuity plan, but not a main issue included in it. 45. In an audit of a business continuity plan, which of the following findings is of MOST concern? A. There is no insurance for the addition of assets during the year. B. BCP manual is not updated on a regular basis. C. Testing of the backup of data has not been done regularly. D. Records for maintenance of access system have not been maintained. The most vital asset for a company is data. In a business continuity plan, it is critical to ensure that data is available. Hence, regular testing of the backup of data must be done. If testing is not done, the organization may not be able to retrieve data when required during a disaster; hence, the company may lose its most valuable asset and may not be able to recover from the disaster. The loss on account of lack of insurance is limited to the value of assets. If the BCP manual is not updated, the company may find the BCP manual not fully relevant for recovery during a disaster. However, recovery could be still possible. Non maintenance of records in an access system will not directly impact the relevance of the business continuity plan. 46. Classification of information systems is essential in business continuity planning. Which of the following system types can not be replaced by manual methods? A. Critical system B. Vital system C. Sensitive system D. Non-critical system The functions of a critical system can only be replaced by identical capabilities. The functions of vital and sensitive systems can be performed manually. Choice D is a distracter. 47. An IS auditor should be involved in: A. observing tests of the disaster recovery plan.

14 B. developing the disaster recovery plan. C. maintaining the disaster recovery plan. D. reviewing the disaster recovery requirements of supplier contracts. The IS auditor should always be present when disaster recovery plans are tested, to ensure that the test meets the required targets for restoration and recovery procedures are effective and efficient, reporting on the results as appropriate. IS auditors may be involved in overseeing plan development, but they are unlikely to be involved in the actual development process. Similarly, an audit of plan maintenance may be conducted, but the IS auditor would not normally have any responsibility for the actual maintenance. An IS auditor may be asked to comment upon various elements of a supplier contract but, again, this is not always the case. 48. The window of time recovery of information processing capabilities is based on the: A. criticality of the processes affected. B. quality of the data to be processed. C. nature of the disaster. D. applications that are mainframe based. The criticality of the processes that are affected by the disaster is the basis for computing the window of time recovery. The quality of the data to be processed and the nature of the disaster are not the basis for determining the window of time. Being a mainframe application does not of itself provide a window of time basis. 49. During an IT audit of a large bank, an IS auditor observes that no formal risk assessment exercise has been carried out for the various business applications to arrive at their relative importance and recovery time requirements. The risk that the bank is exposed to is that the: A. business continuity plan may not have been calibrated to the relative risk that disruption of each application poses to the organization. B. business continuity plan may not include all relevant applications and therefore may lack completeness in terms of its coverage. C. business impact of a disaster may not have been accurately understood by the management. D. business continuity plan may lack an effective ownership by the business owners of such applications. The first and key step in developing a business continuity plan is a risk assessment exercise that analyzes the various risks that an organization faces and the impact of non-availability of individual applications. Section of BS 7799 (Standard on Information Security Management ) states that a strategy plan, based on appropriate risk assessment, shall be developed for overall approach to business continuity. 50. Which of the following is necessary to have FIRST in the development of a business continuity plan? A. Risk-based classification of systems B. Inventory of all assets C. Complete documentation of all disasters D. Availability of hardware and software A well-defined, risk-based classification system for all assets and processes of the organization is one of the most important component for initializing the business continuity planning efforts. A well-defined

15 risk-based classification system would assist in identifying the criticality of each of the key processes and assets used by the organization. This would assist in the easy identification of key assets and processes to be secured and plans to be made to recover these processes and assets at the earliest after a disaster. Inventory of critical assets and not all assets is required for initiating a business continuity plan. Complete documentation of all disasters is not a prerequisite for initiating a business continuity plan, rather various disasters are considered while developing the plan and only the one having an impact on the organization is addressed in the plan. The availability of hardware and software is not required for initiating the development of a plan; however, it is considered when developing the detailed plan in accordance with the strategy adopted. 51. The application test plans are developed in which of the following systems development life cycle (SDLC) phases? A. Design B. Testing C. Requirement D. Development Developing test plans for the various levels of testing is one of the key activities during the application development design phase. The test plans are used in the actual software testing. 52. Which of the following tests confirm that the new system can operate in its target environment? A. Sociability testing B. Regression testing C. Validation testing D. Black box testing Sociability testing is used to confirm that the new or modified system can operate in its target environment without adversely impacting on existing system. Regression testing is the process of rerunning a portion of a test scenario or test plan to ensure that changes or corrections have not introduced new errors. Validation testing is used to test the functionality of the system against the detailed requirement to ensure that the software that has been built is traceable to customer requirements. Black box testing examines some aspect of the system during integration testing with little regard for the internal logical structure of the software. 53. The MOST appropriate person to chair the steering committee for a system development project with significant impact on a business area would be the: A. business analyst. B. chief information officer. C. project manager. D. executive level manager. The chair of the steering committee should be a senior person (executive level manager) with the authority to make decisions relating to the business requirements, resources, priority and deliverables of the system. The chief information officer (CIO) would not normally be the chair, although the CIO or his representative would be a member to provide input on organization wide strategies. The project manager and the business analyst do not have an appropriate level of authority within the organization, 54. The PRIMARY purpose of undertaking a parallel run of a new system is to: A. verify that the system provides required business functionality.

16 B. validate the operation of the new system against its predecessor. C. resolve any errors in the program and file interfaces. D. verify that the system can process the production load. The objective of parallel running is to verify that the new system produces the same results as the old system. The verification of functionality is through acceptance testing, while resolving errors in programs is accomplished through system testing. Verifying that the system can handle the production load may be a secondary outcome of a parallel run, but it is not the primary purpose. If it were the primary purpose, it would be a stress test probably run in the test environment. 55. Change control procedures to prevent scope creep during an application development project should be defined during: A. design. B. feasibility. C. implementation. D. requirements definition. The change control procedures are generally common for applications within one organization; however, the application-specific change control procedures are to be defined during the design phase of SDLC and should be based on the modules in the software. The other choices are incorrect. It is too early to define change control procedures during the feasibility phase, and it would also be too late during the implementation phase and after the implementation of software. 56. Which of the following would MOST likely ensure that a system development project meets business objectives? A. Maintenance of program change logs B. Development of a project plan identifying all development activities C. Release of application changes at specific times of the year D. User involvement in system specification and acceptance Effective user involvement (choice D) is the most critical factor in ensuring that the application meets business objectives. Choices A, B and C are project management tools and techniques and are not of themselves methods for ensuring that the business objectives are met by the application system. 57. Which of the following is a measure of the size of an information system based on the number and complexity of a system s inputs, outputs and files? A. Function point (FP) B. Program evaluation review technique (PERT) C. Rapid application design (RAD) D. Critical path method (CPM) Function point (FP) analysis is a measure of the size of an information system based on the number and complexity of the inputs, outputs and files with which a user sees and interacts with. FPs are used in a manner analogous to LOC as a measure of software productivity, quality and other attributes. PERT is a network management technique used in both the planning and control of projects. RAD is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality. CPM is used by network management techniques such as PERT, to compute a critical path.

17 58. When auditing the requirements phase of a software acquisition, the IS auditor should: A. assess the feasibility of the project timetable. B. assess the vendor s proposed quality processes. C. ensure that the best software package is acquired. D. review the completeness of the specifications. The purpose of the requirements phase is to specify the functionality of the proposed system; therefore the IS auditor would concentrate on the completeness of the specifications. The decision to purchase a package from a vendor would come after the requirements have been completed. Therefore choices B and C are incorrect. Choice A is incorrect because a project timetable normally would not be found in a requirements document. 59. The purpose of debugging programs is to: A. generate random data that can be used to test programs before implementing them. B. protect, during the programming phase, valid changes from being overwritten by other changes. C. define the program development and maintenance costs to be include in the feasibility study. D. ensure that program abnormal terminations and program coding flaws are detected and corrected. Debugging provides the basis for the programmer to correct the logic errors in a program under development before it goes into production. Tools such as logic paths monitors, memory dumps and output analyzers aid in this process. 60. Software maintainability BEST relates to which of the following software attributes? A. Resources needed to make specified modifications. B. Effort needed to use the system application. C. Relationship between software performance and the resources needed. D. Fulfillment of user needs. Maintainability is the set of attributes that bears on the effort needed to make specified modifications. Other choices relate to software attributes for usability, efficiency and functionality respectively. 61. IT governance ensures that an organization aligns its IT strategy with: A. Enterprise objectives. B. IT objectives. C. Audit objectives. D. Finance objectives. IT governance ensures that the organization aligns its IT strategy with the enterprise/business objectives. Choices B, C and D are too limited. 62. A validation which ensures that input data are matched to predetermined reasonable limits or occurrence rates, is known as: A. Reasonableness check. B. Validity check. C. Existence check. D. Limit check.