Which of the following would an IS auditor primarily review to understand key drivers of a project

An audit charter should:

1. be dynamic and change to coincide with the changing nature of technology and the audit profession.

   The audit charter should not be subject to changes in technology and should not significantly change over time. The charter should be approved at the highest level of management.

2. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.

   An audit charter will state the authority and reporting requirements for the audit but not the details of maintenance of internal controls.

3. document the audit procedures designed to achieve the planned audit objectives.

   An audit charter would not be at a detailed level and, therefore, would not include specific audit objectives or procedures.

4. outline the overall authority, scope and responsibilities of the audit function.

   An audit charter should state management's objectives for and delegation of authority to IS auditors.

An IS auditor finds a small number of user access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:

1. perform an additional analysis.

   The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and what factors caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, by a problem with the workflow of the automated system or a combination of the two.

2. report the problem to the audit committee.

   The IS auditor does not yet have enough information to report the problem.

3. conduct a security risk assessment.

   Changing the scope of the IS audit or conducting a security risk assessment would require more detailed information about the processes and violations being reviewed.

4. recommend that the owner of the identity management (IDM) system fix the workflow issues.

   The IS auditor must first determine the root cause and impact of the findings and does not have enough information to recommend fixing the workflow issues.

An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise's investment in software is protected, which of the following should be recommended by the IS auditor?

1. Due diligence should be performed on the software vendor.

   While due diligence is a good practice, it does not ensure availability of the source code in the event of vendor failure.

2. A quarterly audit of the vendor facilities should be performed.

   While a quarterly audit of vendor facilities is a good practice, it does not ensure availability of the source code in the event of failure of the start-up vendor.

3. There should be a source code escrow agreement in place.

   A source code escrow agreement is primarily recommended to help protect the enterprise's investment in software because the source code will be available through a trusted third party and can be retrieved if the start-up vendor goes out of business.

4. A high penalty clause should be included in the contract.

   While a penalty clause is a good practice, it does not provide protection or ensure availability of the source code in the event of vendor bankruptcy.

An enterprise's risk appetite is BEST established by:

1. the chief legal officer.

   Although chief legal officers can give guidance regarding legal issues on the policy, they cannot determine the risk appetite.

2. security management.

   The security management team is concerned with managing the security posture but not with determining the posture.

3. the audit committee.

   The audit committee is not responsible for setting the risk tolerance or appetite of the enterprise.

4. the steering committee.

   The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.

When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:

1. whose sum of activity time is the shortest.

   Attention should focus on the tasks within the critical path that have no slack time.

2. that have zero slack time.

   A critical path's activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing (i.e., for reduction in their time by payment of a premium for early completion). Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs versus time can be obtained.

3. that give the longest possible completion time.

   The critical path is the longest time length of the activities, but is not based on the longest time of any individual activity.

4. whose sum of slack time is the shortest.

   A task on the critical path has no slack time.

An IS auditor is assigned to audit a software development project, which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?

1. Report that the organization does not have effective project management.

   The organization may have effective project management practices and still be behind schedule or over budget.

2. Recommend the project manager be changed.

   There is no indication that the project manager should be changed without looking into the reasons for the overrun.

3. Review the IT governance structure.

   The organization may have sound IT governance and still be behind schedule or over budget.

4. Review the conduct of the project and the business case.

   Before making any recommendations, an IS auditor needs to understand the project and the factors that have contributed to bringing the project over budget and over schedule.

A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?

1. Comparing source code

   Source code comparisons are ineffective because the original programs were restored and the changed program does not exist.

2. Reviewing system log files

   Reviewing system log files is the only trail that may provide information about the unauthorized activities in the production library.

3. Comparing object code

   Object code comparisons are ineffective because the original programs were restored and the changed program does not exist.

4. Reviewing executable and source code integrity

   Reviewing executable and source code integrity is an ineffective control, because the source code was changed back to the original and will agree with the current executable.

Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?

1. Built-in alternative routing

   Alternative routing would ensure that the network would continue if a communication device fails or if a link is severed because message rerouting could be automatic.

2. Complete full system backup daily

   System backup will not afford protection for a networking failure.

3. A repair contract with a service provider

   The repair contract will almost always result in some lost time and is not as effective as permanent alternative routing.

4. A duplicate machine alongside each server.

   Standby servers will not provide continuity if a link is severed.

An IS auditor is reviewing the physical security controls of a data center and notices several areas for concern. Which of the following areas is the MOST important?

1. The emergency power off button cover is missing.

   The emergency power off button issue is a significant concern, but life safety is the highest priority.

2. Scheduled maintenance of the fire suppression system was not performed.

   The primary purpose of the fire suppression system is to protect the equipment and building. The lack of scheduled maintenance is a concern; however, this does not indicate that the system would not function as required. The more critical issue is the emergency exit because life safety is the highest priority.

3. There are no security cameras inside the data center.

   The lack of security cameras inside the data center may be a significant concern; however, the more significant issue is the emergency exit door being blocked.

4. The emergency exit door is blocked.

   Life safety is always the highest priority; therefore, the blocking of the emergency exit is the most serious problem.

Which of the following choices BEST helps information owners to properly classify data?

1. Understanding of technical controls that protect data

   While understanding how the data are protected is important, these controls might not be applied properly if the data classification schema is not well understood.

2. Training on organizational policies and standards

   RWhile implementing data classification, it is most essential that organizational policies and standards, including the data classification schema, are understood by the owner or custodian of the data so they can be properly classified.

3. Use of an automated data leak prevention (DLP) tool

   While an automated data leak prevention (DLP) tool may enhance productivity, the users of the application would still need to understand what classification schema was in place.

4. Understanding which people need to access the data

   In terms of protecting the data, the data requirements of end users are critical, but if the data owner does not understand what data classification schema is in place, it would be likely that inappropriate access to sensitive data might be granted by the data owner.