1.
A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee?
A.
Approving IT project plans and budgets
B.
Aligning IT to business objectives
C.
Advising on IT compliance risk
D.
Promoting IT governance practices
2.
Responsibility for the governance of IT should rest with the:
A.
IT strategy committee.
B.
chief information officer [CIO].
C.
audit committee.
D.
board of directors.
3.
An IS auditor reviewing the IT organization would be MOST concerned if the IT steering committee:
A.
is responsible for project approval and prioritization.
B.
is responsible for developing the long-term IT plan.
C.
advises the board of directors on the relevance of developments in IT.
D.
is responsible for determining business goals.
4.
An IS auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor?
A. The organization's information security policy is not periodically reviewed by senior management.
B.
A policy to ensure that systems are patched in a timely manner does not exist.
C.
The audit committee did not review the global mission statement.
D.
An organizational policy related to malware protection does not exist.
5.
An IS auditor is evaluating the IT governance framework of an organization. Which of the following would be the GREATEST concern?
A.
Senior management has limited involvement.
B.
Return on investment [ROI] is not measured.
C.
Chargeback of IT cost is not consistent.
D.
Risk appetite is not quantified.
6.
Involvement of senior management is MOST important in the development of:
A.
strategic plans.
B.
IS policies.
C.
IS procedures.
D.
standards and guidelines.
7.
Rotating job responsibilities is a good security practice PRIMARILY because it:
A.
ensures that personnel are cross-trained.
B.
improves employee morale.
C.
maximizes employee performance.
D.
reduces the opportunity for fraud.
8.
When reviewing an organization's strategic IT plan an IS auditor should expect to find:
A. an assessment of the fit of the organization's application portfolio with business objectives. B.
actions to reduce hardware procurement cost.
C.
a listing of approved suppliers of IT contract resources.
D. a description of the technical architecture for the organization's network perimeter security.
9. A.
When reviewing the IT strategic planning process, an IS auditor should ensure that the plan: incorporates state of the art technology.
B.
addresses the required operational controls.
C.
articulates the IT mission and vision.
D.
specifies project management practices.
10. Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IS strategy? That it: A.
has been approved by line management.
B.
does not vary from the IS department's preliminary budget.
C.
complies with procurement procedures.
D.
supports the business objectives of the organization.
11. An IS steering committee should: A.
include a mix of members from different departments and staff levels.
B.
ensure that IS security policies and procedures have been executed properly.
C.
maintain minutes of its meetings and keep the board of directors informed.
D.
be briefed about new trends and products at each meeting by a vendor.
12. The MOST likely effect of the lack of senior management commitment to IT strategic planning is: A.
a lack of investment in technology.
B.
a lack of a methodology for systems development.
C.
technology not aligning with the organization's objectives.
D.
an absence of control over technology contracts.
13. As an outcome of information security governance, strategic alignment provides: A.
security requirements driven by enterprise requirements.
B.
baseline security following best practices.
C.
institutionalized and commoditized solutions.
D.
an understanding of risk exposure.
14. When implementing an IT governance framework in an organization the MOST important objective is: A.
IT alignment with the business.
B.
accountability.
C.
value realization with IT.
D.
enhancing the return on IT investments.
15. Effective IT governance requires organizational structures and processes to ensure that: A.
the organization's strategies and objectives extend the IT strategy.
B.
the business strategy is derived from an IT strategy.
C.
IT governance is separate and distinct from the overall governance.
D.
the IT strategy extends the organization's strategies and objectives.
16. An enterprise's risk appetite is BEST established by: A.
the chief legal officer.
B.
security management.
C.
the audit committee.
D.
the steering committee.
17. Which of the following IT governance best practices improves strategic alignment? A.
Supplier and partner risk is managed.
B.
A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information. D. Top management mediate between the imperatives of business and technology.
18. Which of the following is a function of an IS steering committee?
A.
Monitoring vendor-controlled change control and testing
B.
Ensuring a separation of duties within the information's processing environment
C.
Approving and monitoring major projects, the status of IS plans and budgets
D.
Liaising between the IS department and the end users
19. The ultimate purpose of IT governance is to: A.
encourage optimal use of IT.
B.
reduce IT costs.
C.
decentralize IT resources across the organization.
D.
centralize control of IT.
20. Which of the following is the MOST important element for the successful implementation of IT governance? A.
Implementing an IT scorecard
B.
Identifying organizational strategies
C.
Performing a risk assessment
D.
Creating a formal security policy
21. An IT steering committee should review information systems PRIMARILY to assess: A.
whether IT processes support business requirements.
B.
whether proposed system functionality is adequate.
C.
the stability of existing software.
D.
the complexity of installed technology.
22. From a control perspective, the key element in job descriptions is that they: A.
provide instructions on how to do the job and define authority.
B.
are current, documented and readily available to the employee.
C.
communicate management's specific job performance expectations.
D.
establish responsibility and accountability for the employee's actions
23. When an employee is terminated from service, the MOST important action is to: A.
hand over all of the employee's files to another designated employee.
B.
complete a backup of the employee's work.
C.
notify other employees of the termination.
D.
disable the employee's logical access.
24. Which of the following is the BEST performance criterion for evaluating the adequacy of an organization's security awareness training? A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection. B. Job descriptions contain clear statements of accountability for information security. C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts. D. No actual incidents have occurred that have caused a loss or a public embarrassment.
25. Which of the following reduces the potential impact of social engineering attacks? A.
Compliance with regulatory requirements
B.
Promoting ethical understanding
C.
Security awareness programs
D.
Effective performance incentives
26. Which of the following activities performed by a database administrator [DBA] should be performed by a different person? A.
Deleting database activity logs
B.
Implementing database optimization tools
C.
Monitoring database usage
D.
Defining backup and recovery procedures
27. An IS auditor finds that, in accordance with IS policy, IDs of terminated users are deactivated within 90 days of termination. The IS auditor should: A. report that the control is operating effectively since deactivation happens within the time frame stated in the IS policy. B.
verify that user access rights have been granted on a need-to-have basis.
C. recommend changes to the IS policy to ensure deactivation of user IDs upon termination. D.
recommend that activity logs of terminated users be reviewed on a regular basis.
28. When auditing a role-based access control system [RBAC], the IS auditor noticed that some IT security employees have system administrator privileges on some servers which allows them to modify or delete transaction logs. Which would be the BEST recommendation that the IS auditor should make? A.
Ensure that these employees are adequately supervised.
B.
Ensure that backups of the transaction logs are retained.
C.
Implement controls to detect the changes.
D. Ensure that transaction logs are written in real time to Write Once and Read Many [WORM] drives.
29. In a small manufacturing business, an IT employee is doing both manufacturing work as well as all the programming activities. Which of the following is the BEST control to mitigate risk in the given scenario? A. Access restrictions to prevent the clerk from accessing the production environment B.
Segregation of duties implemented by hiring additional staff
C.
Automated logging of all program changes in the production environment
D.
Procedures to verify that only approved program changes are implemented
30. A long-term IS employee with a strong technical background and broad managerial
experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be MOST based on the individual's experience and: A.
length of service, since this will help ensure technical competence.
B.
age since training in audit techniques may be impractical.
C.
IS knowledge, since this will bring enhanced credibility to the audit function.
D.
ability, as an IS auditor, to be independent of existing IS relationships.
31. In a review of the human resources policies and procedures within an organization, an IS auditor would be MOST concerned with the absence of a: A.
requirement for job rotation on a periodic basis.
B.
process for formalized exit interviews.
C. termination checklist requiring that keys and company property be returned and all access permissions revoked upon termination. D. requirement for employees to sign a form signifying that they have read the organization's policies.
32. A local area network [LAN] administrator normally would be restricted from: A.
having end-user responsibilities.
B.
reporting to the end-user manager.
C.
having programming responsibilities.
D.
being responsible for LAN security administration
33. Many organizations require employees to take a mandatory one-week [or two-week] vacation each year PRIMARILY because the organization wants to ensure that: A.
adequate cross-training exists between all functions of the organization.
B. employee morale and satisfaction is maintained to help ensure an effective internal control environment.
C. potential irregularities in processing are identified by temporarily replacing an employee in the job function. D.
employee satisfaction is maintained to reduce the risk of processing errors.
34. An IS auditor of a large organization is reviewing the roles and responsibilities for the IS function and has found some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor? A.
Network administrators are responsible for quality assurance.
B.
Security administrators are system programmers.
C.
End users are security administrators for critical applications.
D.
Systems analysts are database administrators.
35. Which of the following represents an example of a preventive control with respect to IT personnel? A.
Review of visitor logs for the data center
B.
A log server that tracks logon IP addresses of users
C.
Implementation of a badge entry system for the IT facility
D.
An accounting system that tracks employee telephone calls
36. An IS auditor should be concerned when a telecommunication analyst: A. monitors systems performance and tracks problems resulting from program changes. B. reviews network load requirements in terms of current and future transaction volumes. C. assesses the impact of the network load on terminal response times and network data transfer rates. D.
recommends network balancing procedures and improvements.
37. Which of the following would BEST provide assurance of the integrity of new staff?
A.
Background screening
B.
References
C.
Bonding
D.
Qualifications listed on a résumé
38. Many organizations require an employee to take a mandatory vacation [holiday] of a week or more to: A. ensure the employee maintains a good quality of life, which will lead to greater productivity. B.
reduce the opportunity for an employee to commit an improper or illegal act.
C.
provide proper cross-training for another employee.
D. eliminate the potential disruption caused when an employee takes vacation one day at a time.
39. A key IT systems developer has suddenly resigned from an enterprise. Which of the following will be the MOST important action? A.
Set up an exit interview with human resources [HR].
B.
Initiate the handover process to ensure continuity of the project.
C.
Terminate the developer's logical access to IT resources.
D.
Ensure that management signs off on the termination paperwork
40. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of: A.
dependency on a single person.
B.
inadequate succession planning.
C.
one person knowing all parts of a system.
D.
a disruption of operations.
41. An IS audit department is planning to minimize its dependency on key individuals. Activities that contribute to this objective are documented procedures, knowledge sharing, cross-training, and:
A.
succession planning.
B.
staff job evaluation.
C.
responsibilities definition.
D.
employee award programs.
42. Which of the following is normally a responsibility of the chief security officer [CSO]? A.
Periodically reviewing and evaluating the security policy
B.
Executing user application and software testing and evaluation
C.
Granting and revoking user access to IT resources
D.
Approving access to data and applications
43. When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control? A.
Restricting physical access to computing equipment
B.
Reviewing transaction and application logs
C.
Performing background checks prior to hiring IT staff
D.
Locking user sessions after a specified period of inactivity
44. A financial services enterprise has a small IT department, and individuals perform more than one role. Which of the following practices represents the GREATEST risk? A.
The developers promote code into the production environment.
B.
The business analyst writes the requirements and performs functional testing.
C.
The IT manager also performs systems administration.
D.
The database administrator [DBA] also performs data backups.
45. Which of the following is a risk of cross-training? A.
Increases the dependence on one employee
B.
Does not assist in succession planning
C.
One employee may know all parts of a system
D.
Does not help in achieving a continuity of operations
46. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated? A.
Overlapping controls
B.
Boundary controls
C.
Access controls
D.
Compensating controls
47. To support an organization's goals, an IS department should have: A.
a low-cost philosophy.
B.
long- and short-range plans.
C.
leading-edge technology.
D.
plans to acquire new hardware and software.
48. When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organizations' business objectives by determining whether IS: A.
has all the personnel and equipment it needs.
B.
plans are consistent with management strategy.
C.
uses its equipment and personnel efficiently and effectively.
D.
has sufficient excess capacity to respond to changing directions.
49. To aid management in achieving IT and business alignment, an IS auditor should recommend the use of: A.
control self-assessments.
B.
a business impact analysis [BIA].
C.
an IT balanced scorecard [BSC].
D.
business process reengineering [BPR].
50. Which of the following is the BEST enabler for strategic alignment between business and IT? A.
A maturity model
B.
Goals and metrics
C.
Control objectives
D.
A responsible, accountable, consulted and informed [RACI] chart
51. Which of the following goals would you expect to find in an organization's strategic plan? A.
Test a new accounting package.
B.
Perform an evaluation of information technology needs.
C.
Implement a new project planning system within the next 12 months.
D.
Become the supplier of choice for the product offered.
52. Which of the following would an IS auditor consider the MOST relevant to shortterm planning for an IS department? A.
Allocating resources
B.
Keeping current with technology advances
C.
Conducting control self-assessment
D.
Evaluating hardware needs
53. The MOST important point of consideration for an IS auditor while reviewing an enterprise's project portfolio is that it: A.
does not exceed the existing IT budget.
B.
is aligned with the investment strategy.
C.
has been approved by the IT steering committee.
D.
is aligned with the business plan.
54. An IS auditor reviewing an organization's IT strategic plan should FIRST review: A.
the existing IT environment.
B.
the business plan.
C.
the present IT budget.
D.
current technology trends.
55. In reviewing the IS short-range [tactical] plan, an IS auditor should determine whether: A.
there is an integration of IS and business personnel within projects.
B.
there is a clear definition of the IS mission and vision.
C.
a strategic information technology planning methodology is in place.
D.
the plan correlates business objectives to IS goals and objectives.
56. When auditing the archiving of the company's email communications, the IS auditor should pay the MOST attention to: A.
the existence of a data retention policy.
B.
the storage capacity of the archiving solution.
C.
the level of user awareness concerning email use.
D.
the support and stability of the archiving solution manufacturer.
57. A top-down approach to the development of operational policies helps ensure: A.
that they are consistent across the organization.
B.
that they are implemented as a part of risk assessment.
C.
compliance with all policies.
D.
that they are reviewed periodically.
58. When developing a security architecture, which of the following steps should be executed FIRST? A.
Developing security procedures
B.
Defining a security policy
C.
Specifying an access control methodology
D.
Defining roles and responsibilities
59. The risk associated with electronic evidence gathering would MOST likely be reduced by an email: A.
destruction policy.
B.
security policy.
C.
archive policy.
D.
audit policy.
60. Which of the following should be included in an organization's information security policy? A.
A list of key IT resources to be secured
B.
The basis for control access authorization
C.
Identity of sensitive security features
D.
Relevant software security features
61. Which of the following provides the best evidence of the adequacy of a security awareness program? A.
The number of stakeholders including employees trained at various levels
B.
Coverage of training at all locations across the enterprise
C.
The implementation of security devices from different vendors
D.
Periodic reviews and comparison with best practices
62. An IS auditor has been assigned to review an organization's information security
policy. Which of the following issues represents the HIGHEST potential risk? A.
The policy has not been updated in more than one year.
B.
The policy includes no revision history.
C.
The policy is approved by the security administrator.
D.
The company does not have an information security policy committee.
63. An IS auditor is verifying IT policies and found that some of the policies have not been approved by management [as required by policy], but the employees strictly follow the policies. What should the IS auditor do FIRST? A. Ignore the absence of management approval because employees follow the policies. B.
Recommend immediate management approval of the policies.
C.
Emphasize the importance of approval to management.
D.
Report the absence of documented approval.
64. An IS auditor is reviewing changes to a company's disaster recovery [DR] strategy. The IS auditor notices that the recovery point objective [RPO] has been shortened for the company's mission-critical application. What is the MOST significant risk of this change? A.
The existing DR plan is not updated to achieve the new RPO.
B.
The DR team has not been trained on the new RPO.
C.
Backups are not done frequently enough to achieve the new RPO.
D.
The plan has not been tested with the new RPO.
65. Corporate IS policy for a call center requires that all users be assigned unique user accounts. On discovering that this is not the case for all current users, what is the MOST appropriate recommendation? A.
Have the current configuration approved by operations management.
B.
Ensure that there is an audit trail for all existing accounts.
C.
Implement individual user accounts for all staff.
D.
Amend the IS policy to allow shared accounts.
66. When developing a formal enterprise security program, the MOST critical success factor [CSF] would be the: A.
establishment of a review board.
B.
creation of a security unit.
C.
effective support of an executive sponsor.
D.
selection of a security process owner.
67. Which of the following is MOST indicative of the effectiveness of an information security awareness program? A.
Employees report more information regarding security incidents.
B.
All employees have signed the information security policy.
C.
Most employees have attended an awareness session.
D.
Information security responsibilities have been included in job descriptions.
68. Which of the following would impair the independence of a quality assurance team? A.
Ensuring compliance with development methods
B.
Checking the testing assumptions
C.
Correcting coding errors during the testing process
D.
Checking the code to ensure proper documentation
69. An IS auditor identifies that reports on product profitability produced by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend? A.
User acceptance testing [UAT] occur for all reports before release into production
B.
Organizational data governance practices be put in place
C.
Standard software tools be used for report development
D.
Management sign-off on requirements for new reports
70. For a health care organization, which one of the following reasons would MOST likely indicate that the patient benefit data warehouse should remain in-house rather than be outsourced to an offshore operation? A.
There are regulations regarding data privacy.
B.
Member service representative training cost will be much higher.
C.
It is harder to monitor remote databases.
D.
Time zone differences could impede customer service.
71. Which of the following is the BEST way to ensure that organizational policies comply with legal requirements? A.
Inclusion of a blanket legal statement in each policy
B.
Periodic review by subject matter experts
C.
Annual sign-off by senior management on organizational policies
D.
Policy alignment to the most restrictive regulations
72. The rate of change in technology increases the importance of: A.
outsourcing the IS function.
B.
implementing and enforcing sound processes.
C.
hiring qualified personnel.
D.
meeting user requirements.
73. Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy: A.
is driven by an IT department's objectives.
B.
is published, but users are not required to read the policy.
C.
does not include information security procedures.
D.
has not been updated in over a year.
74. Which of the following is MOST critical for the successful implementation and
maintenance of a security policy? A. Assimilation of the framework and intent of a written security policy by all appropriate parties B. Management support and approval for the implementation and maintenance of a security policy C. Enforcement of security rules by providing punitive actions for any violation of security rules D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
75. When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate? A.
Review the strategic alignment of IT with the business.
B.
Implement accountability rules within the organization.
C.
Ensure that independent IT audits are conducted periodically.
D.
Create a chief risk officer [CRO] role in the organization
76. The initial step in establishing an information security program is the: A.
development and implementation of an information security standards manual.
B.
performance of a comprehensive security control review by the IS auditor.
C.
adoption of a corporate information security policy statement.
D.
purchase of security access control software.
77. In an organization where an IT security baseline has been defined, an IS auditor should FIRST ensure: A.
implementation.
B.
compliance.
C.
documentation.
D.
sufficiency.
78. IT control objectives are useful to IS auditors, as they provide the basis for understanding the: A.
desired result or purpose of implementing specific control procedures.
B.
best IT security control practices relevant to a specific entity.
C.
techniques for securing information.
D.
security policy.
79. To ensure an organization is complying with privacy requirements, an IS auditor should FIRST review: A.
the IT infrastructure.
B.
organizational policies, standards and procedures.
C.
legal and regulatory requirements.
D.
adherence to organizational policies, standards and procedures.
80. Which of the following is responsible for the development of an information security policy? A.
The IS department
B.
The security committee
C.
The security administrator
D.
The board of directors
81. A comprehensive and effective email policy should address the issues of email structure, policy enforcement, monitoring and: A.
recovery.
B.
retention.
C.
rebuilding.
D.
reuse.
82. An IS auditor found that the enterprise architecture [EA] recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: A.
recommend that this separate project be completed as soon as possible.
B.
report this issue as a finding in the audit report.
C.
recommend the adoption of the Zachmann framework.
D.
re-scope the audit to include the separate project as part of the current audit.
83. An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A. this lack of knowledge may lead to unintentional disclosure of sensitive information. B.
information security is not critical to all functions.
C.
IS audit should provide security training to the employees.
D.
the audit finding will cause management to provide continuous training to staff.
84. The PRIMARY objective of implementing corporate governance is to: A.
provide strategic direction.
B.
control business operations.
C.
align IT with business.
D.
implement best practices
85. Which of the following is the BEST reason to implement a policy which addresses secondary employment for IT employees? A.
To ensure that employees are not misusing corporate resources
B.
To prevent conflicts of interest
C.
To prevent employee performance issues
D.
To prevent theft of IT assets
86. A subsidiary in another country is forced to depart from the parent organization's IT policies to conform to the local law. The BEST approach for the parent organization is to: A. create a provision to allow local policies to take precedence where required by law. B. have the subsidiary revise its policies to conform to the parent organization's policies. C. revise the parent organization's policies so that they match the subsidiary's policies. D. track the issue as a violation of policy with a note of the extenuating circumstances.
87. Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? A.
User management coordination does not exist.
B.
Specific user accountability cannot be established.
C.
Unauthorized users may have access to originate, modify or delete data.
D.
Audit recommendations may not be implemented.
88. Effective IT governance will ensure that the IT plan is consistent with the organization's: A.
business plan.
B.
audit plan.
C.
security plan.
D.
investment plan.
89. When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies: A.
are aligned with globally accepted industry best practices.
B.
are approved by the board of directors and senior management.
C.
strike a balance between business and security requirements.
D.
provide direction for implementing security procedures.
90. An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to: A.
verify how the organization follows the standards.
B.
identify and report the controls currently in place.
C.
review the metrics for quality evaluation.
D.
request all standards that have been adopted by the organization.
91. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program? A.
Utilizing of intrusion detection system to report incidents
B.
Mandating the use of passwords to access all software
C.
Installing an efficient user log system to track the actions of each user
D.
Training provided on a regular basis to all current and new employees
92. Which of the following is the initial step in creating a firewall policy? A.
A cost-benefit analysis of methods for securing the applications
B.
Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed D.
Creation of an applications traffic matrix showing protection methods
93. Which of the following would MOST likely indicate that a customer data warehouse should remain in-house rather than be outsourced to an offshore operation? A.
Time zone differences could impede communications between IT teams.
B.
Telecommunications cost could be much higher in the first year.
C.
Privacy laws could prevent cross-border flow of information.
D.
Software development may require more detailed specifications.
94. Which of the following reasons BEST describes the purpose of a mandatory vacation policy? A.
To ensure that employees are properly cross-trained in multiple functions
B.
To improve employee morale
C.
To identify potential errors or inconsistencies in business processes
D.
To be used as a cost-saving measure
95. The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the: A.
IT budget.
B.
existing IT environment.
C.
business plan.
D.
investment plan.
96. The PRIMARY control purpose of required vacations or job rotations is to: A.
allow cross-training for development.
B.
help preserve employee morale.
C.
detect improper or illegal employee acts.
D.
provide a competitive employee benefit.
97. A benefit of open system architecture is that it: A.
facilitates interoperability.
B.
facilitates the integration of proprietary components.
C.
will be a basis for volume discounts from equipment vendors.
D.
allows for the achievement of more economies of scale for equipment.
98. After the merger of two organizations, multiple self-developed legacy applications from both organizations are to be replaced by a new common platform. Which of the following would be the GREATEST risk? A. Project management and progress reporting is combined in a project management office which is driven by external consultants. B. The replacement effort consists of several independent projects without integrating the resource allocation in a portfolio management approach. C. The resources of each of the organizations are inefficiently allocated while they are being familiarized with the other company's legacy systems. D. The new platform will force the business areas of both organizations to change their work processes, which will result in extensive training needs
99. An IS auditor is reviewing IT projects for a large company and wants to determine whether the IT projects undertaken in a given year are those which have been assigned the highest priority by the business and which will generate the greatest business value. Which of the following would be MOST relevant? A.
A capability maturity model [CMM]
B.
Portfolio management
C.
Configuration management
D.
Project management body of knowledge [PMBOK]
100.Which of the following should be the MOST important consideration when deciding on areas of priority for IT governance implementations? A.
Process maturity
B.
Performance indicators
C.
Business risk
D.
Assurance reports
101.An organization's disaster recovery plan should address early recovery of: A.
all information systems processes.
B.
all financial processing applications.
C.
only those applications designated by the IS manager.
D.
processing in priority order, as defined by business management
102.Which of the following BEST supports the prioritization of new IT projects? A.
Internal control self-assessment [CSA]
B.
Information systems audit
C.
Investment portfolio analysis
D.
Business risk assessment
103.The cost of ongoing operations when a disaster recovery plan is in place, compared to not having a disaster recovery plan, will MOST likely: A.
increase.
B.
decrease.
C.
remain the same.
D.
be unpredictable.
104.Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A.
Define a balanced scorecard [BSC] for measuring performance.
B.
Consider user satisfaction in the key performance indicators [KPIs].
C.
Select projects according to business benefits and risk.
D.
Modify the yearly process of defining the project portfolio.
105.In the context of effective information security governance, the primary objective of value delivery is to: A.
optimize security investments in support of business objectives.
B.
implement a standard set of security practices.
C.
institute a standards-based solution.
D.
implement a continuous improvement culture.
106.After implementation of a disaster recovery plan, predisaster and postdisaster operational costs for an organization will: A.
decrease.
B.
not change [remain the same].
C.
increase.
D.
increase or decrease depending upon the nature of the business.
107.Which of the following situations is addressed by a software escrow agreement? A. The system administrator requires access to software in order to recover from a disaster. B.
A user requests to have software reloaded onto a replacement hard drive.
C.
The vendor of custom-written software goes out of business.
D.
An IT auditor requires access to software code written by the organization.
108.An IS auditor is reviewing a project to implement a payment system between a parent bank and a subsidiary. The IS auditor should FIRST verify that the: A.
technical platforms between the two companies are interoperable.
B.
parent bank is authorized to serve as a service provider.
C.
security features are in place to segregate subsidiary trades.
D.
subsidiary can join as a co-owner of this payment system.
109.With respect to the outsourcing of IT services, which of the following conditions
should be of GREATEST concern to an IS auditor? A. Outsourced activities are core and provide a differentiated advantage to the organization. B.
Periodic renegotiation is specified in the outsourcing contract.
C.
The outsourcing contract fails to cover every action required by the arrangement.
D.
Similar activities are outsourced to more than one vendor.
110.An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the: A.
hardware configuration.
B.
access control software.
C.
ownership of intellectual property.
D.
application development methodology.
111.The development of an application has been outsourced to an offshore vendor. Which of the following should be of GREATEST concern to an IS auditor? A.
The right to audit clause was not included in the contract.
B.
The business case was not established.
C.
There was no source code escrow agreement.
D.
The contract does not cover change management procedures.
112.When evaluating IT outsourcing strategies, an IS auditor should be MOST concerned if which of the following elements is part of the strategy? A.
Transfer of legal compliance responsibility
B.
Promoting long-term contracts rather than short-term contracts
C.
Use of only subsidiary companies for outsourcing
D.
Not forming a cross-functional contract management team
113.An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST? A.
An audit clause is present in all contracts.
B. The service level agreement [SLA] of each contract is substantiated by appropriate key performance indicators [KPIs]. C. The contractual warranties of the providers support the business needs of the organization. D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.
114.While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the: A. requirement for protecting confidentiality of information could be compromised. B. contract may be terminated because prior permission from the outsourcer was not obtained. C.
other service provider to whom work has been outsourced is not subject to audit.
D.
outsourcer will approach the other service provider directly for further work.
115.During a feasibility study regarding outsourcing IS processing, the relevance for the IS auditor of reviewing the vendor's business continuity plan [BCP] is to: A. evaluate the adequacy of the service levels that the vendor can provide in a contingency. B. evaluate the financial stability of the service bureau and its ability to fulfill the contract. C.
review the experience of the vendor's staff.
D.
test the BCP.
116.An IS auditor is reviewing a contract management process to determine the financial
viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered: A.
can deliver on the immediate contract.
B.
is of similar financial standing as the organization.
C.
has significant financial obligations that can impose liability to the organization.
D.
can support the organization in the long term.
117.An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor? A.
Due diligence should be performed on the software vendor.
B.
A quarterly audit of the vendor facilities should be performed.
C.
There should be a source code escrow agreement in place.
D.
A high penalty clause should be included in the contract.
118.An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement [SLA] between the organization and vendor should be the provisions for:
A.
documentation of staff background checks.
B.
independent audit reports or full audit access.
C.
reporting the year-to-year incremental cost reductions.
D.
reporting staff turnover, development or training.
119.An enterprise hosts its data center onsite and has outsourced the management of its key financial applications. Which of the following controls BEST ensures that the outsourced company's employees adhere to the security policies? A.
Sign-off is required on the enterprise's security policies for all users.
B.
An indemnity clause is included in the contract with the service provider.
C.
Mandatory security awareness training is implemented for all users.
D.
Security policies should be modified to address compliance by third-party users.
120.While conducting an IS audit of a service provider for a governmental program involving confidential information, an IS auditor noted that the service provider delegated a part of the IS work to another subcontractor. Which of the following provides the MOST assurance that the requirements for protecting confidentiality of information are met? A.
Monthly committee meetings include the subcontractor's IS manager
B.
Management reviews weekly reports from the subcontractor
C.
Permission is obtained from the government agent regarding the contract
D.
Periodic independent audit of the work is delegated to the subcontractor
121.Which of the following is the MOST important function to be performed by IS management when a service has been outsourced? A.
Ensuring that invoices are paid to the provider
B.
Participating in systems design with the provider
C.
Renegotiating the provider's fees
D.
Monitoring the outsourcing provider's performance
122.Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: A.
meets or exceeds industry security standards.
B.
agrees to be subject to external security reviews.
C.
has a good market reputation for service and experience.
D.
complies with security policies of the organization.
123.Which of the following is the MOST important for an IS auditor to consider when reviewing a service level agreement [SLA] with an external IT service provider?
A.
Payment terms
B.
Uptime guarantee
C.
Indemnification clause
D.
Default resolution
124.Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster? A. The alternate facility will be available until the original information processing facility is restored. B. User management is involved in the identification of critical systems and their associated critical recovery times. C.
Copies of the plan are kept at the homes of key decision-making personnel.
D. Feedback is provided to management assuring them that the business continuity plans are indeed workable and that the procedures are current.