Which of the following would an IS auditor recommend as the most effective preventive control to reduce the risk of data leakage?

Overview

There are two basic categories of internal controls – preventive and detective.  An effective internal control system will have both types, as each serves a different purpose.  As you perform routine processes, or when you are thinking of implementing a new procedure or process, it is important to ask the following questions to help determine the appropriate control:

• What could go wrong?
• What steps have been taken to ensure that something does not go wrong?
• How can you verify that nothing went wrong?

The answers to these questions will enable you to better target the type of control that is needed.

Preventive Controls

Preventive controls aim to decrease the chance of errors and fraud before they occur, and often revolve around the concept of separation of duties. From a quality standpoint, preventive controls are essential because they are proactive and focused on quality.

Examples of preventive controls include:

• Separation of duties
• Pre-approval of actions and transactions (such as a Travel Authorization)
• Access controls (such as passwords and Gatorlink authentication)
• Physical control over assets (i.e. locks on doors or a safe for cash/checks)
• Employee screening and training (such as the PRO3 Series to increase employee knowledge)

Detective Controls

Detective controls are designed to find errors or problems after the transaction has occurred.  Detective controls are essential because they provide evidence that preventive controls are operating as intended, as well as offer an after-the-fact chance to detect irregularities.

Examples of detective controls include:

• Monthly reconciliations of departmental transactions
• Review organizational performance (such as a budget-to-actual comparison to look for any unexpected differences)
• Physical inventories (such as a cash or inventory count)

Last Reviewed

04/30/2022: reviewed content

Training

PRO303: Internal Controls at UF

University Controller’s Office: (352) 392-1321

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor's BEST recommendation for the organization?

Options:

A.

Analyze a new application that moots the current re

B.

Perform an analysis to determine the business risk

C.

Bring the escrow version up to date.

D.

Develop a maintenance plan to support the application using the existing code

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has reserved this finding. Which of two following is the MOST reliable follow-up procedure?

Options:

A.

Review the documentation of recant changes to implement sequential order numbering.

B.

Inquire with management if the system has been configured and tested to generate sequential order numbers.

C.

Inspect the system settings and transaction logs to determine if sequential order numbers are generated.

D.

Examine a sample of system generated purchase orders obtained from management

Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?

Options:

Which of the following is MOST important for an IS auditor to confirm when reviewing an organization's plans to implement robotic process automation (RPA> to automate routine business tasks?

Options:

A.

The end-to-end process is understood and documented.

B.

Roles and responsibilities are defined for the business processes in scope.

C.

A benchmarking exercise of industry peers who use RPA has been completed.

D.

A request for proposal (RFP) has been issued to qualified vendors.

An IS auditor concludes that logging and monitoring mechanisms within an organization are ineffective because critical servers are not included within the central log repository. Which of the following audit procedures would have MOST likely identified this exception?

Options:

A.

Inspecting a sample of alerts generated from the central log repository

B.

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

C.

Inspecting a sample of alert settings configured in the central log repository

D.

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has slated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Options:

A.

Verify all patches have been applied to the software system's outdated version.

B.

Close all unused ports on the outdated software system.

C.

Monitor network traffic attempting to reach the outdated software system.

D.

Segregate the outdated software system from the main network.

Which of the following BEST describes an audit risk?

Options:

A.

The company is being sued for false accusations.

B.

The financial report may contain undetected material errors.

C.

Employees have been misappropriating funds.

D.

Key employees have not taken vacation for 2 years.

An IS auditor is reviewing processes for importing market price data from external data providers. Which of the following findings should the auditor consider MOST critical?

Options:

A.

The quality of the data is not monitored.

B.

Imported data is not disposed frequently.

C.

The transfer protocol is not encrypted.

D.

The transfer protocol does not require authentication.

During a follow-up audit, an IS auditor finds that some critical recommendations have the IS auditor's BEST course of action?

Options:

A.

Require the auditee to address the recommendations in full.

B.

Adjust the annual risk assessment accordingly.

C.

Evaluate senior management's acceptance of the risk.

D.

Update the audit program based on management's acceptance of risk.

Which of the following would BEST detect that a distributed denial of service (DDoS) attack is occurring?

Options:

A.

Customer service complaints

B.

Automated monitoring of logs

Which of the following is the BEST way to ensure that an application is performing according to its specifications?

Options:

Which of the following is the BEST approach for determining the overall IT risk appetite of an organization when business units use different methods for managing IT risks?

Options:

A.

Average the business units’ IT risk levels

B.

Identify the highest-rated IT risk level among the business units

C.

Prioritize the organization's IT risk scenarios

D.

Establish a global IT risk scoring criteria

In which phase of the internal audit process is contact established with the individuals responsible for the business processes in scope for review?

Options:

An IS auditor has completed the fieldwork phase of a network security review and is preparing the initial following findings should be ranked as the HIGHEST risk?

Options:

A.

Network penetration tests are not performed

B.

The network firewall policy has not been approved by the information security officer.

C.

Network firewall rules have not been documented.

D.

The network device inventory is incomplete.

A credit card company has decided to outsource the printing of customer statements It Is MOST important for the company to verify whether:

Options:

A.

the provider has alternate service locations.

B.

the contract includes compensation for deficient service levels.

C.

the provider's information security controls are aligned with the company's.

D.

the provider adheres to the company's data retention policies.

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's business continuity plan (BCP)?

Options:

A.

The BCP's contact information needs to be updated

B.

The BCP is not version controlled.

C.

The BCP has not been approved by senior management.

D.

The BCP has not been tested since it was first issued.

Which of the following provides the MOST assurance of the integrity of a firewall log?

Options:

A.

The log is reviewed on a monthly basis.

B.

Authorized access is required to view the log.

C.

The log cannot be modified.

D.

The log is retained per policy.

Which of the following would be MOST impacted if an IS auditor were to assist with the implementation of recommended control enhancements?

Options:

Which of the following is an example of a preventative control in an accounts payable system?

Options:

A.

The system only allows payments to vendors who are included In the system's master vendor list.

B.

Backups of the system and its data are performed on a nightly basis and tested periodically.

C.

The system produces daily payment summary reports that staff use to compare against invoice totals.

D.

Policies and procedures are clearly communicated to all members of the accounts payable department

What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

Options:

A.

it facilitates easier audit follow-up

B.

it enforces action plan consensus between auditors and auditees

C.

it establishes accountability for the action plans

D.

it helps to ensure factual accuracy of findings

Which of the following is necessary for effective risk management in IT governance?

Options:

A.

Local managers are solely responsible for risk evaluation.

B.

IT risk management is separate from corporate risk management.

C.

Risk management strategy is approved by the audit committee.

D.

Risk evaluation is embedded in management processes.

Which of the following will BEST ensure that a proper cutoff has been established to reinstate transactions and records to their condition just prior to a computer system failure?

Options:

A.

Rotating backup copies of transaction files offsite

B.

Using a database management system (DBMS) to dynamically back-out partially processed transactions

C.

Maintaining system console logs in electronic formal

D.

Ensuring bisynchronous capabilities on all transmission lines

An IS auditor finds that application servers had inconsistent security settings leading to potential vulnerabilities Which of the following is the BEST recommendation by the IS auditor?

Options:

A.

Improve the change management process

B.

Establish security metrics.

C.

Perform a penetration test

D.

Perform a configuration review

Which of the following is the PRIMARY role of the IS auditor m an organization's information classification process?

Options:

A.

Securing information assets in accordance with the classification assigned

B.

Validating that assets are protected according to assigned classification

C.

Ensuring classification levels align with regulatory guidelines

D.

Defining classification levels for information assets within the organization

During an audit of a multinational bank's disposal process, an IS auditor notes several findings. Which of the following should be the auditor's GREATEST concern?

Options:

A.

Backup media are not reviewed before disposal.

B.

Degaussing is used instead of physical shredding.

C.

Backup media are disposed before the end of the retention period

D.

Hardware is not destroyed by a certified vendor.

When planning an audit to assess application controls of a cloud-based system, it is MOST important tor the IS auditor to understand the.

Options:

A.

architecture and cloud environment of the system.

B.

business process supported by the system.

C.

policies and procedures of the business area being audited.

D.

availability reports associated with the cloud-based system.

Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at test?

Options:

C.

Use of symmetric encryption

D.

Use of asymmetric encryption

A manager Identifies active privileged accounts belonging to staff who have left the organization. Which of the following is the threat actor In this scenario?

Options:

Which of the following would BEST manage the risk of changes in requirements after the analysis phase of a business application development project?

Options:

A.

Expected deliverables meeting project deadlines

B.

Sign-off from the IT team

C.

Ongoing participation by relevant stakeholders

D.

Quality assurance (OA) review

Which of the following is MOST important to verify when determining the completeness of the vulnerability scanning process?

Options:

A.

The organization's systems inventory is kept up to date.

B.

Vulnerability scanning results are reported to the CISO.

C.

The organization is using a cloud-hosted scanning tool for Identification of vulnerabilities

D.

Access to the vulnerability scanning tool is periodically reviewed

An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

Options:

A.

Preserving the same data classifications

B.

Preserving the same data inputs

C.

Preserving the same data structure

D.

Preserving the same data interfaces

Which of the following is the MOST important activity in the data classification process?

Options:

A.

Labeling the data appropriately

B.

Identifying risk associated with the data

C.

Determining accountability of data owners

D.

Determining the adequacy of privacy controls

Which of the following would be an appropriate rote of internal audit in helping to establish an organization's privacy program?

Options:

A.

Analyzing risks posed by new regulations

B.

Designing controls to protect personal data

C.

Defining roles within the organization related to privacy

D.

Developing procedures to monitor the use of personal data

Which of the following concerns is BEST addressed by securing production source libraries?

Options:

A.

Programs are not approved before production source libraries are updated.

B.

Production source and object libraries may not be synchronized.

C.

Changes are applied to the wrong version of production source libraries.

D.

Unauthorized changes can be moved into production.

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control Issue?

Options:

A.

Security cameras deployed outside main entrance

B.

Antistatic mats deployed at the computer room entrance

C.

Muddy footprints directly inside the emergency exit

D.

Fencing around facility is two meters high

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

Options:

A.

The certificate revocation list has not been updated.

B.

The PKI policy has not been updated within the last year.

C.

The private key certificate has not been updated.

D.

The certificate practice statement has not been published

Which of the following types of firewalls provide the GREATEST degree of control against hacker intrusion?

Options:

B.

Application level gateway

C.

Packet filtering router

When testing the adequacy of tape backup procedures, which step BEST verifies that regularly scheduled Backups are timely and run to completion?

Options:

A.

Observing the execution of a daily backup run

B.

Evaluating the backup policies and procedures

C.

Interviewing key personnel evolved In the backup process

D.

Reviewing a sample of system-generated backup logs

Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?

Options:

A.

Historical privacy breaches and related root causes

B.

Globally accepted privacy best practices

C.

Local privacy standards and regulations

D.

Benchmark studies of similar organizations

An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern Is that:

Options:

A.

the implementation plan meets user requirements.

B.

a full, visible audit trail will be Included.

C.

a dear business case has been established.

D.

the new hardware meets established security standards

Which of the following is the PRIMARY reason to follow a configuration management process to maintain application?

Options:

A.

To optimize system resources

B.

To follow system hardening standards

C.

To optimize asset management workflows

D.

To ensure proper change control

To enable the alignment of IT staff development plans with IT strategy, which of the following should be done FIRST?

Options:

A.

Review IT staff job descriptions for alignment

B.

Develop quarterly training for each IT staff member.

C.

Identify required IT skill sets that support key business processes

D.

Include strategic objectives m IT staff performance objectives

Which of the following metrics would BEST measure the agility of an organization's IT function?

Options:

A.

Average number of learning and training hours per IT staff member

B.

Frequency of security assessments against the most recent standards and guidelines

C.

Average time to turn strategic IT objectives into an agreed upon and approved initiative

D.

Percentage of staff with sufficient IT-related skills for the competency required of their roles

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST

Options:

A.

document the exception in an audit report.

B.

review security incident reports.

C.

identify compensating controls.

D.

notify the audit committee.

Which of the following documents should specify roles and responsibilities within an IT audit organization?

Options:

Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

Options:

A.

The job scheduler application has not been designed to display pop-up error messages.

B.

Access to the job scheduler application has not been restricted to a maximum of two staff members

C.

Operations shift turnover logs are not utilized to coordinate and control the processing environment

D.

Changes to the job scheduler application's parameters are not approved and reviewed by an operations supervisor

Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered into the system?

Options:

A.

Reconciliation of total amounts by project

B.

Validity checks, preventing entry of character data

C.

Reasonableness checks for each cost type

D.

Display back of project detail after entry

Which of the following is a social engineering attack method?

Options:

A.

An unauthorized person attempts to gam access to secure premises by following an authonzed person through a secure door.

B.

An employee is induced to reveal confidential IP addresses and passwords by answering questions over the phone.

C.

A hacker walks around an office building using scanning tools to search for a wireless network to gain access.

D.

An intruder eavesdrops and collects sensitive information flowing through the network and sells it to third parties.

Which of the following would BEST facilitate the successful implementation of an IT-related framework?

Options:

A.

Aligning the framework to industry best practices

B.

Establishing committees to support and oversee framework activities

C.

Involving appropriate business representation within the framework

D.

Documenting IT-related policies and procedures

Coding standards provide which of the following?

Options:

D.

Field naming conventions

An information systems security officer's PRIMARY responsibility for business process applications is to:

Options:

A.

authorize secured emergency access

B.

approve the organization's security policy

C.

ensure access rules agree with policies

D.

create role-based rules for each business process

The PRIMARY advantage of object-oriented technology is enhanced:

Options:

A.

efficiency due to the re-use of elements of logic.

B.

management of sequential program execution for data access.

C.

grouping of objects into methods for data access.

D.

management of a restricted variety of data types for a data object.

An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

Options:

A.

Assign responsibility for improving data quality.

B.

Invest in additional employee training for data entry.

C.

Outsource data cleansing activities to reliable third parties.

D.

Implement business rules to validate employee data entry.

Which of the following is the MOST important prerequisite for the protection of physical information assets in a data center?

Options:

A.

Segregation of duties between staff ordering and staff receiving information assets

B.

Complete and accurate list of information assets that have been deployed

C.

Availability and testing of onsite backup generators

D.

Knowledge of the IT staff regarding data protection requirements

To confirm integrity for a hashed message, the receiver should use:

Options:

A.

the same hashing algorithm as the sender's to create a binary image of the file.

B.

a different hashing algorithm from the sender's to create a binary image of the file.

C.

the same hashing algorithm as the sender's to create a numerical representation of the file.

D.

a different hashing algorithm from the sender's to create a numerical representation of the file.

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. The IS auditor is concerned about management's decision. Which of the following should be the IS auditor's NEXT course of action?

Options:

A.

Accept management's decision and continue the follow-up.

B.

Report the issue to IS audit management.

C.

Report the disagreement to the board.

D.

Present the issue to executive management.

During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor's MOST important course of action?

Options:

A.

Document the finding and present it to management.

B.

Determine if a root cause analysis was conducted.

C.

Confirm the resolution time of the incidents.

D.

Validate whether all incidents have been actioned.

An organization's enterprise architecture (EA) department decides to change a legacy system's components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

Options:

A.

The current business capabilities delivered by the legacy system

B.

The proposed network topology to be used by the redesigned system

C.

The data flows between the components to be used by the redesigned system

D.

The database entity relationships within the legacy system

Which of the following is MOST important with regard to an application development acceptance test?

Options:

A.

The programming team is involved in the testing process.

B.

All data files are tested for valid information before conversion.

C.

User management approves the test design before the test is started.

D.

The quality assurance (QA) team is in charge of the testing process.

Which of the following would BEST demonstrate that an effective disaster recovery plan (DRP) is in place?

Options:

A.

Frequent testing of backups

B.

Annual walk-through testing

C.

Periodic risk assessment

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Options:

The PRIMARY benefit lo using a dry-pipe fire-suppression system rather than a wet-pipe system is that a dry-pipe system:

Options:

A.

is more effective at suppressing flames.

B.

allows more time to abort release of the suppressant.

C.

has a decreased risk of leakage.

D.

disperses dry chemical suppressants exclusively.

Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

Options:

A.

To determine whether project objectives in the business case have been achieved

B.

To ensure key stakeholder sign-off has been obtained

C.

To align project objectives with business needs

D.

To document lessons learned to improve future project delivery

Which of the following is the PRIMARY advantage of parallel processing for a new system implementation?

Options:

A.

Assurance that the new system meets functional requirements

B.

More time for users to complete training for the new system

C.

Significant cost savings over other system implemental or approaches

D.

Assurance that the new system meets performance requirements

An IS auditor notes the transaction processing times in an order processing system have significantly increased after a major release. Which of the following should the IS auditor review FIRST?

Options:

A.

Capacity management plan

C.

Database conversion results

D.

Stress testing results

When evaluating the design of controls related to network monitoring, which of the following is MOST important for an IS auditor to review?

Options:

A.

Incident monitoring togs

B.

The ISP service level agreement

C.

Reports of network traffic analysis

D.

Network topology diagrams

Which of the following would be to MOST concern when determine if information assets are adequately safequately safeguarded during transport and disposal?

Options:

A.

Lack of appropriate labelling

B.

Lack of recent awareness training.

C.

Lack of password protection

D.

Lack of appropriate data classification

Which of the following is MOST important for an IS auditor to examine when reviewing an organization's privacy policy?

Options:

A.

Whether there is explicit permission from regulators to collect personal data

B.

The organization's legitimate purpose for collecting personal data

C.

Whether sharing of personal information with third-party service providers is prohibited

D.

The encryption mechanism selected by the organization for protecting personal data

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

Options:

A.

refuse the assignment to avoid conflict of interest.

B.

use the knowledge of the application to carry out the audit.

C.

inform audit management of the earlier involvement.

D.

modify the scope of the audit.

IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software to provide users increased query performance. Which of the following controls will MOST effectively compensate for the lack of referential integrity?

Options:

A.

More frequent data backups

B.

Periodic table link checks

C.

Concurrent access controls

D.

Performance monitoring tools

What is the BEST control to address SQL injection vulnerabilities?

Options:

B.

Secure Sockets Layer (SSL) encryption

An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?

Options:

A.

Report the mitigating controls.

B.

Report the security posture of the organization.

C.

Determine the value of the firewall.

D.

Determine the risk of not replacing the firewall.