Which of the following is the most likely benefit of implementing a standardized infrastructure

When conducting a compliance review of an organization's incident response process, the BEST approach for the IS auditor is to determine whether:

A. roles and responsibilities are clearly defined.

B. incident response data are secure.

C. incident response staff members are qualified.

D. past incidents were handled appropriately.

The correct answer is D.

A. Roles and responsibilities may be established within the policy or separately documented and are important for the IS auditor to understand. However, the policy should be reviewed first.

B. While it is important to protect incident response data, this is a subset, not a primary focus, of the incident response compliance review. A compliance audit focuses on the performance of a process measured against the set policy or standard.

C. Ensuring that incident response staff members are qualified should be part of a compliance assessment; however, it is performed after the IS auditor has reviewed the policies and procedures, because those establish the standard against which the process is assessed.

D. Compliance reviews focus on the performance of a process measured against the set policy or standard. This can be achieved only when the IS auditor determines that past incidents were handled appropriately, in alignment with established policies and procedures.

To ensure structured disaster recovery, it is MOST important that the business continuity plan (BCP) and disaster recovery plan (DRP) are:

A. stored at an alternate location.

B. communicated to all users.

C. tested regularly.

D. updated regularly.

The correct answer is C.

A. Storing the business continuity plan (BCP) at an alternate location is useful in the case of complete site outage; however, the BCP is not useful during a disaster without adequate tests.

B. Communicating the plan to users is of little use without actual tests.

C. If the BCP is tested regularly, the BCP and disaster recovery plan (DRP) team is adequately aware of the process and that helps in structured disaster recovery.

D. Even if the plan is updated regularly, it is of less use during an actual disaster if it is not adequately tested.

The GREATEST advantage of rapid application development (RAD) over the traditional system development life cycle (SDLC) is that it:

A. facilitates user involvement.

B. allows early testing of technical features.

C. facilitates conversion to the new system.

D. shortens the development time frame.

The correct answer is D.

A. Rapid application development (RAD) emphasizes greater user involvement to ensure that the system meets user requirements; however, its primary objective is to speed up development.

B. RAD does allow early testing, but this is also true for the traditional system development life cycle (SDLC) models.

C. RAD does not facilitate conversion to a new system.

D. The greatest advantage and core objective of RAD is a shorter time frame for the development of a system.

Which of the following is the MOST likely benefit of implementing a standardized infrastructure?

A. Improved cost-effectiveness of IT service delivery and operational support

B. Increased security of the IT service delivery center

C. Reduced level of investment in the IT infrastructure

D. Reduced need for testing future application changes

The correct answer is A.

A. A standardized IT infrastructure provides a consistent set of platforms and operating systems across the organization. This standardization reduces the time and effort required to manage a set of disparate platforms and operating systems. In addition, the implementation of enhanced operational support tools (e.g., password management tools, patch management tools and auto provisioning of user access) is simplified. These tools can help the organization reduce the cost of IT service delivery and operational support.

B. A standardized infrastructure results in a more homogeneous environment, which is not inherently more secure: a single vulnerability or misconfiguration is replicated on every system, so one successful attack technique can affect all of them.

C. While standardization can reduce support costs, the transition to a standardized kit can be expensive; therefore, the overall level of IT infrastructure investment is not likely to be reduced.

D. A standardized infrastructure may simplify testing of changes, but it does not reduce the need for such testing.

Which of the following BEST ensures the integrity of a server's operating system (OS)?

A. Protecting the server in a secure location

B. Setting a boot password

C. Hardening the server configuration

D. Implementing activity logging

The correct answer is C.

A. Protecting the server in a secure location is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the operating system (OS).

B. Setting a boot password is a good practice, but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS.

C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS.

D. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them.
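The hardening items listed under C (disable insecure options, restrict access) are the kind of thing an auditor verifies by inspecting configuration rather than trusting a checklist. The following is an added example, not part of the original page: it parses OpenSSH server configuration text and reports settings that fall outside a small hardening baseline. The directive names are real sshd_config keywords; the baseline values, the two sample configurations and the MaxAuthTries limit are assumptions of this example, and it reads config text supplied inline rather than a live server so it runs offline.

```python
"""Audit sshd_config text for a handful of well-known weak settings (added example)."""
from typing import Dict, List

# Baseline of acceptable values per directive (compared case-insensitively).
# This is the example's own assumption, not an exhaustive hardening benchmark.
BASELINE: Dict[str, set] = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}
MAX_AUTH_TRIES = 4  # assumed ceiling; the OpenSSH default is 6

# Constructed sample configurations, not taken from a real server.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return {directive_lower: value} for the first occurrence of each directive.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored here too. Conditional 'Match' blocks are out of scope: parsing
    stops at the first Match line so their settings are not mistaken for
    global ones.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Directives may be written "Key value" or "Key=value".
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting was found."""
    settings = parse_sshd_config(text)
    findings: List[str] = []
    for key, allowed in BASELINE.items():
        value = settings.get(key)
        if value is None:
            # An absent directive is only a finding where the OpenSSH default is weak.
            if key == "passwordauthentication":
                findings.append("PasswordAuthentication not set (defaults to yes)")
            continue
        if value.lower() not in allowed:
            findings.append(f"{key} is '{value}', expected one of {sorted(allowed)}")
    tries = settings.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > MAX_AUTH_TRIES:
        findings.append(f"MaxAuthTries is {tries!r}, expected <= {MAX_AUTH_TRIES}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

The point of keeping the first occurrence of each directive is that a tampered file with a weak value appended at the end would not change what sshd enforces, so the checker should not report it as the effective setting either.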

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for:

A. documentation of staff background checks.

B. independent audit reports or full audit access.

C. reporting the year-to-year incremental cost reductions.

D. reporting staff turnover, development or training.

The correct answer is B.

A. Although it is necessary to document the fact that background checks are performed, this is only one of the provisions that should be in place for audits.

B. When the functions of an IT department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access.

C. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access.

D. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.

An IS auditor's PRIMARY concern when application developers wish to use a copy of yesterday's production transaction file for volume tests is that:

A. users may prefer to use contrived data for testing.

B. unauthorized access to sensitive data may result.

C. error handling and credibility checks may not be fully proven.

D. the full functionality of the new process may not necessarily be tested.

The correct answer is B.

A. Production data are easier for users to use for comparison purposes.

B. Unless the data are sanitized, there is a risk of disclosing sensitive data.

C. There is a risk that former production data may not test all error routines; however, this is not as serious as the risk of release of sensitive data.

D. Using a copy of production data may not test all functionality, but this is not as serious as the risk of disclosure of sensitive data.
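The explanation for B turns on the word "sanitized": a production copy is acceptable for volume testing only once direct identifiers and payment data have been removed while the record count, dates and amounts that drive the test are preserved. The following is an added example, not from the original page, of that sanitization step over a constructed transaction file. The column names, the sample rows and the pseudonymization key are assumptions made for the example; keyed HMAC is used so that the same customer maps to the same pseudonym across records (preserving referential structure) without the mapping being recoverable by anyone who only has the test copy.

```python
"""Sanitize a copy of a production transaction file for test use (added example)."""
import csv
import hashlib
import hmac
import io
from typing import Dict, List

# Constructed sample of "yesterday's transaction file"; not real data.
PRODUCTION_CSV = """\
txn_id,date,customer_id,customer_name,card_number,amount
1001,2024-05-01,C001,Alice Example,4111111111111111,125.50
1002,2024-05-01,C002,Bob Example,5500000000000004,19.99
1003,2024-05-01,C001,Alice Example,4111111111111111,74.00
"""

# Key held by the team producing the test copy and never shipped with it
# (constructed for the example).
PSEUDONYM_KEY = b"example-key-rotate-me"

DIRECT_IDENTIFIERS = ("customer_name",)  # columns dropped outright


def pseudonymize(value: str, key: bytes) -> str:
    """Stable keyed pseudonym: same input gives same output, but without the key
    the original cannot be recovered or confirmed by guessing."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "P" + digest[:12]


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def sanitize_transactions(csv_text: str, key: bytes) -> List[Dict[str, str]]:
    """Return rows with identifiers pseudonymized, PANs masked and names dropped.

    txn_id, date and amount are kept unchanged so the file still exercises
    the same volume and value distribution as production.
    """
    rows: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        clean = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
        clean["customer_id"] = pseudonymize(row["customer_id"], key)
        clean["card_number"] = mask_pan(row["card_number"])
        rows.append(clean)
    return rows


def leaked_values(original_csv: str, rows: List[Dict[str, str]]) -> List[str]:
    """Sanity check before release: any original identifier or full PAN that
    still appears verbatim anywhere in the sanitized rows."""
    leaks: List[str] = []
    sanitized_blob = "\n".join(",".join(r.values()) for r in rows)
    for row in csv.DictReader(io.StringIO(original_csv)):
        for col in ("customer_id", "customer_name", "card_number"):
            if row[col] in sanitized_blob:
                leaks.append(row[col])
    return leaks


def to_csv(rows: List[Dict[str, str]]) -> str:
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    sanitized = sanitize_transactions(PRODUCTION_CSV, PSEUDONYM_KEY)
    print(to_csv(sanitized))
    print("leaks:", leaked_values(PRODUCTION_CSV, sanitized))
```

The leak check is what an auditor would want to see evidence of: it compares the release candidate against the source rather than trusting that the transformation covered every column.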

During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do?

A. Recommend compensating controls.

B. Review the code created by the developer.

C. Analyze the quality assurance dashboards.

D. Report the identified condition.

The correct answer is D.

A. While compensating controls may be a good idea, the primary response in this case should be to report the condition.

B. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response should be to report the condition.

C. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties, but does not address the underlying risk. The primary response should be to report the condition.

D. The software quality assurance role should be independent of, and separate from, development activities. The same person should not hold both roles because this would create a segregation of duties concern. The IS auditor should report this condition when identified.

An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?

A. Attribute

B. Variable

C. Stop-or-go

D. Judgment

The correct answer is A.

A. Attribute sampling is used to test compliance of transactions to controls—in this instance, the existence of appropriate approval.

B. Variable sampling is used in substantive testing situations and deals with population characteristics that vary, such as monetary values and weights.

C. Stop-or-go sampling is used when the expected occurrence rate is extremely low.

D. Judgment sampling is not relevant here. It refers to a subjective approach of determining sample size and selection criteria of elements of the sample.
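Attribute sampling, as used in A, asks a yes/no question of each sampled item (was this purchase order appropriately approved?) and then projects the observed deviation rate onto the population with a stated confidence. The following is an added example, not part of the original page, that carries the technique through: sample size for the zero-expected-deviation case, a random sample from a constructed population of purchase orders, and the one-sided upper bound on the population deviation rate that decides whether the control can be relied on. The population, the 95 percent confidence level and the 5 percent tolerable deviation rate are assumptions chosen for the example.

```python
"""Attribute sampling of purchase-order approvals (added example)."""
import math
import random
from typing import Dict, List, Tuple


def attribute_sample_size(confidence: float, tolerable_rate: float) -> int:
    """Smallest n such that, if the true deviation rate equalled the tolerable
    rate, a zero-deviation sample would occur with probability at most
    (1 - confidence). This is the zero-expected-deviations case."""
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def binom_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def upper_deviation_bound(n: int, deviations: int, confidence: float) -> float:
    """One-sided (Clopper-Pearson) upper bound on the population deviation
    rate: the largest p for which seeing at most `deviations` in a sample of
    n is still at least (1 - confidence) likely. Solved by bisection, since
    the binomial CDF decreases monotonically in p."""
    if deviations >= n:
        return 1.0
    alpha = 1 - confidence
    lo, hi = 0.0, 1.0
    for _ in range(60):
        mid = (lo + hi) / 2
        if binom_cdf(deviations, n, mid) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def build_population(size: int, unapproved: int, seed: int) -> List[Dict[str, object]]:
    """Constructed population of purchase orders with a known number lacking approval."""
    rng = random.Random(seed)
    flags = [False] * unapproved + [True] * (size - unapproved)
    rng.shuffle(flags)
    return [{"po": f"PO-{i:05d}", "approved": f} for i, f in enumerate(flags, start=1)]


def evaluate_sample(
    population: List[Dict[str, object]],
    confidence: float,
    tolerable_rate: float,
    seed: int,
) -> Tuple[int, int, float, bool]:
    """Draw a random sample, count unapproved POs and test the control.

    Returns (sample_size, deviations, upper_bound, control_reliable) where the
    control is considered reliable only if the upper bound on the deviation
    rate does not exceed the tolerable rate."""
    n = attribute_sample_size(confidence, tolerable_rate)
    rng = random.Random(seed)
    sample = rng.sample(population, n)
    deviations = sum(1 for po in sample if not po["approved"])
    bound = upper_deviation_bound(n, deviations, confidence)
    return n, deviations, bound, bound <= tolerable_rate


if __name__ == "__main__":
    pop = build_population(size=2000, unapproved=40, seed=7)
    n, d, bound, ok = evaluate_sample(pop, confidence=0.95, tolerable_rate=0.05, seed=11)
    print(f"sampled {n} POs, {d} unapproved, upper bound {bound:.3%}, rely on control: {ok}")
```

Two things the numbers make concrete: at 95 percent confidence and a 5 percent tolerable rate the sample is 59 items, and a single deviation in those 59 pushes the upper bound above 5 percent, so the auditor cannot conclude the control is effective without extending the sample. Variable sampling (option B) would instead estimate a quantity such as the total value of unapproved orders, which is a different question.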

An organization's disaster recovery plan (DRP) should address early recovery of:

A. all information systems processes.

B. all financial processing applications.

C. only those applications designated by the IS manager.

D. processing in priority order, as defined by business management.

The correct answer is D.

A. A disaster recovery plan (DRP) will recover most critical systems first according to business priorities.

B. Depending on business priorities, financial systems may or may not be the first to be recovered.

C. The business manager, not the IS manager, will determine priorities for system recovery.

D. Business management should know which systems are critical and what they need to process well in advance of a disaster. It is management's responsibility to develop and maintain the plan. Adequate time will not be available for this determination once the disaster occurs. IS and the information processing facility are service organizations that exist for the purpose of assisting the general user management in successfully performing their jobs.

During the system testing phase of an application development project the IS auditor should review the:

A. conceptual design specifications.

B. vendor contract.

C. error reports.

D. program change requests.

The correct answer is C.

A. A conceptual design specification is a document prepared during the requirements definition phase. The system testing will be based on a test plan.

B. A vendor contract is prepared during a software acquisition process and may be reviewed to ensure that all the deliverables in the contract have been delivered, but the most important area of review is the error reports.

C. Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors.

D. Program change requests would normally be reviewed as part of the postimplementation phase.

An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:

A. effective preventive controls are enforced.

B. system integrity is ensured.

C. errors can be corrected in a timely fashion.

D. fraud can be detected more quickly.

The correct answer is D.

A. Continuous monitoring is detective in nature, and therefore does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurred. In addition, continuous monitoring will benefit the internal audit function in reducing the use of auditing resources and in the timely reporting of errors or inconsistencies.

B. System integrity is typically associated with preventive controls such as input controls and quality assurance reviews. These controls do not typically benefit an internal auditing function implementing continuous monitoring. Continuous monitoring benefits the internal audit function because it reduces the use of auditing resources.

C. Continuous audit will detect errors but not correct them. Error identification and handling is the primary responsibility of management. While audit's responsibility also is to find errors, audit can only report errors, not fix them.

D. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence. This approach assists IS auditors in identifying fraud in a timely fashion and allows auditors to focus on relevant data.

An enterprise's risk appetite is BEST established by:

A. the chief legal officer.

B. security management.

C. the audit committee.

D. the steering committee.

The correct answer is D.

A. Although chief legal officers can give guidance regarding legal issues on the policy, they cannot determine the risk appetite.

B. The security management team is concerned with managing the security posture, but not with determining the posture.

C. The audit committee is not responsible for setting the risk tolerance or appetite of the enterprise.

D. The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:

A. schedule the audits and monitor the time spent on each audit.

B. train the IS audit staff on current technology used in the company.

C. develop the audit plan on the basis of a detailed risk assessment.

D. monitor progress of audits and initiate cost control measures.

The correct answer is C.

A. Monitoring the audits and the time spent on audits would not be effective if the wrong areas were being audited. It is most important to develop a risk-based audit plan to ensure effective use of audit resources.

B. The IS auditor may have specialties or the audit team may rely on outside experts to conduct very specialized audits. It is not necessary for each IS auditor to be trained on all new technology.

C. Monitoring the time and audit programs, as well as adequate training, will improve the IS audit staff's productivity (efficiency and performance), but that which delivers value to the organization is ensuring that the resources and efforts being dedicated to audit are focused on higher-risk areas.

D. Monitoring audits and initiating cost controls will not necessarily ensure the effective use of audit resources.

Which of the following is a characteristic of timebox management?

A. Not suitable for prototyping or rapid application development (RAD)

B. Eliminates the need for a quality process

C. Prevents cost overruns and delivery delays

D. Separates system and user acceptance testing

The correct answer is C.

A. Timebox management is very suitable for prototyping and rapid application development (RAD).

B. Timebox management does not eliminate the need for a quality process.

C. Timebox management, by its nature, sets specific time and cost boundaries. It is effective in controlling costs and delivery time lines by ensuring that each segment of the project is divided into small controllable time frames.

D. Timebox management integrates system and user acceptance testing.