Domain 2 CISA Review 152 Questions, Answers & Explanations Manual, 12th Edition | Print | English
Uploaded on 15-03-2024. Written in 2023/2024.
A2-1 An enterprise's risk appetite is BEST established by:
A. The chief legal officer
B. Security management
C. The audit committee
D. The steering committee
CORRECT ANSWER: D is the correct answer.
Justification:
A. Although chief legal officers can give guidance regarding legal issues on the policy, they cannot determine the risk appetite.
B. The security management team is concerned with managing the security posture but not with determining the posture.
C. The audit committee is not responsible for setting the risk tolerance or appetite of the enterprise.
D. The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.

Organizations requiring employees to take a mandatory vacation each year PRIMARILY want to ensure:
A. adequate cross-training exists between functions.
B. an effective internal control environment is in place by increasing morale.
C. potential irregularities in processing are identified by a temporary replacement.
D. the risk of processing errors is reduced.
CORRECT ANSWER: C is the correct answer.
Justification:
A. Cross-training is a good practice to follow but can be achieved without the requirement for mandatory vacation.
B. Good employee morale and high levels of employee satisfaction are worthwhile objectives, but they should not be considered a means to achieve an effective internal control system.
C. Employees who perform critical and sensitive functions within an organization should be required to take some time off to help ensure that irregularities and fraud are detected.
D. Although rotating employees could contribute to fewer processing errors, this is not typically a reason to require a mandatory vacation policy.

A2-2 An IS auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?
A. Ignore the absence of management approval because employees follow the policies.
B. Recommend immediate management approval of the policies.
C. Emphasize the importance of approval to management.
D. Report the absence of documented approval.
CORRECT ANSWER: D is the correct answer.
Justification:
A. Absence of management approval is an important (material) finding and, although it is not currently an issue with relation to compliance because the employees are following the policy without approval, it may be a problem at a later time and should be resolved.
B. Although the IS auditor would likely recommend that the policies should be approved as soon as possible and may also remind management of the critical nature of this issue, the first step is to report this issue to the relevant stakeholders.
C. The first step is to report the finding and provide recommendations later.
D. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee was terminated as a result of violating an organization policy, and it was discovered that the policies had not been approved, the organization may face an expensive lawsuit.

A2-3 What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management?
A. Projects are aligned with the organization's strategy.
B. Identified project risk is monitored and mitigated.
C. Controls related to project planning and budgeting are appropriate.
D. IT project metrics are reported accurately.
CORRECT ANSWER: A is the correct answer.
Justification:
A. The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the IS auditor should first focus on ensuring this alignment.
B. An adequate process for monitoring and mitigating identified project risk is important; however, strategic alignment helps in assessing identified risk in business terms.
C. Completion of projects within a predefined time and budget is important; however, the focus of project management should be on achieving the desired outcome of the project, which is aligned with the business strategy.
D. Adequate reporting of project status is important but may or may not help in providing the strategic perspective of project deliverables.

A2-4 In a review of the human resources policies and procedures within an organization, an IS auditor is MOST concerned with the absence of a:
A. requirement for periodic job rotations.
B. process for formalized exit interviews.
C. termination checklist.
D. requirement for new employees to sign a nondisclosure agreement.
CORRECT ANSWER: C is the correct answer.
Justification:
A. Job rotation is a valuable control to ensure continuity of operations, but not the most serious human resources policy risk.
B. Holding an exit interview is desirable when possible to gain feedback but is not a serious risk.
C. A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of enterprise property that was issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee.
D. Signing a nondisclosure agreement (NDA) is a recommended human resources practice, but a lack of an NDA is not the most serious risk listed.

A2-5 Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation?
A. Ensure that assurance objectives are defined.
B. Determine stakeholder requirements and involvement.
C. Identify relevant risk and related opportunities.
D. Determine relevant enablers and their applicability.
CORRECT ANSWER: B is the correct answer.
Justification:
A. Stakeholders' needs and their involvement form the basis for scoping the IT governance implementation. This will be used to define assurance objectives.
B. The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This drives the success of the project. Based on this, the assurance scope and objectives are determined.
C. The relevant risk and related opportunities are identified and driven by the assurance objectives.
D. The relevant enablers and their applicability for the IT governance implementation are considered based on assurance objectives.

A2-6 Which of the following is the BEST reason to implement a policy that places conditions on secondary employment for IT employees?
A. To prevent the misuse of corporate resources
B. To prevent conflicts of interest
C. To prevent employee performance issues
D. To prevent theft of IT assets
CORRECT ANSWER: B is the correct answer.
Justification:
A. The misuse of corporate resources is an issue that must be addressed but is not necessarily related to secondary employment.
B. The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing organization. Conflicts of interest can result in serious risk such as fraud, theft of intellectual property or other improprieties.
C. Employee performance can certainly be an issue if an employee is overworked or has insufficient time off, but that should be dealt with as a management function and not the primary reason to have a policy on secondary employment.
D. Theft of assets is a problem but not necessarily related to secondary employment.

A2-7 An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk?
A. The policy has not been updated in more than one year.
B. The policy includes no revision history.
C. The policy is approved by the security administrator.
D. The company does not have an information security policy committee.
CORRECT ANSWER: C is the correct answer.
Justification:
A. Although the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a good practice, the policy may be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable.
B. The lack of a revision history with respect to the IS policy document is an issue but not as significant as not having it approved by management. A new policy, for example, may not have been subject to any revisions yet.
C. The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore does not have the authority to approve the policy. In addition, an individual in a more independent position should also review the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues.
D. Although a policy committee drawn from across the company is a good practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.

A2-8 When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern?
A. Controls are eliminated as part of the streamlining BPR effort.
B. Resources are not adequate to support the BPR process.
C. The audit department does not have a consulting role in the BPR effort.
D. The BPR effort includes employees with limited knowledge of the process area.
CORRECT ANSWER: A is the correct answer.
Justification:
A. A primary risk of business process reengineering (BPR) is that controls are eliminated as part of the reengineering effort. This is the primary concern.
B. The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort.
C. Although BPR efforts often involve many different business functions, it is not a significant concern if audit is not involved, and, in most cases, it is not appropriate for audit to be involved in such an effort.
D. A recommended good practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this is not a concern.

A2-9 When auditing the IT governance framework and IT risk management practices existing within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?
A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IS audits are conducted periodically.
D. Create a chief risk officer role in the organization.
CORRECT ANSWER: B is the correct answer.
Justification:
A. While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario.
B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation, not about the finding itself.
C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented.
D. Recommending the creation of a new role (e.g., chief risk officer) is not helpful if the accountability rules are not clearly defined and implemented.

A2-10 An IS auditor is performing a review of the software quality management process in an organization. The FIRST step should be to:
A. Verify how the organization complies with the standards.
B. Identify and report the existing controls.
C. Review the metrics for quality evaluation.
D. Request all standards adopted by the organization.
CORRECT ANSWER: D is the correct answer.
Justification:
A. The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are. The other items listed (verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics) are secondary to the identification of standards.
B. The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance.
C. The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics.
D. Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist.

A2-11 An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should:
A. Recommend that this separate project be completed as soon as possible.
B. Report this issue as a finding in the audit report.
C. Recommend the adoption of the Zachman framework.
D. Rescope the audit to include the separate project as part of the current audit.
CORRECT ANSWER: B is the correct answer.
Justification:
A. The IS auditor does not ordinarily provide input on the timing of projects, but rather provides an assessment of the current environment. The most critical issue in this scenario is that the enterprise architecture (EA) is undergoing change, so the IS auditor should be most concerned with reporting this issue.
B. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.
C. The organization is free to choose any EA framework, and the IS auditor should not recommend a specific framework.
D. Changing the scope of an audit to include the secondary project is not required, although a follow-up audit may be desired.

A2-12 An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
A. Controls in place.
B. Effectiveness of the controls.
C. Mechanism for monitoring the risk.
D. Threats/vulnerabilities affecting the assets.
CORRECT ANSWER: D is the correct answer.
Justification:
A. The controls are irrelevant until the IS auditor knows the threats and risk that the controls are intended to address.
B. The effectiveness of the controls must be measured in relation to the risk (based on assets, threats and vulnerabilities) that the controls are intended to address.
C. The first step must be to determine the risk that is being managed before reviewing the mechanism of monitoring risk.
D. One of the key factors to be considered while assessing the information systems risk is the value of the systems (the assets) and the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls.

A2-13 The PRIMARY benefit of an enterprise architecture initiative is to:
A. Enable the organization to invest in the most appropriate technology.
B. Ensure security controls are implemented on critical platforms.
C. Allow development teams to be more responsive to business requirements.
D. Provide business units with greater autonomy to select IT solutions that fit their needs.
CORRECT ANSWER: A is the correct answer.
Justification:
A. The primary focus of the enterprise architecture is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.
B. Ensuring that security controls are implemented on critical platforms is important, but this is not the function of the EA. The EA may be concerned with the design of security controls; however, the EA would not help to ensure that they were implemented. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization.
C. While the EA process may enable development teams to be more efficient, because they are creating solutions based on standard platforms using standard programming languages and methods, the more critical benefit of the EA is to provide guidance for IT investments of all types, which encompasses much more than software development.
D. A primary focus of the EA is to define standard platforms, databases and interfaces. Business units that invest in technology would need to select IT solutions that meet their business needs and are compatible with the EA of the enterprise. There may be instances when a proposed solution works better for a business unit but is not at all consistent with the EA of the enterprise, so there would be a need to compromise to ensure that the application can be supported by IT. Overall, the EA would restrict the ability of business units in terms of the potential IT systems that they may wish to implement. The support requirements would not be affected in this case.

A2-14 Which of the following situations is addressed by a software escrow agreement?
A. The system administrator requires access to software to recover from a disaster.
B. A user requests to have software reloaded onto a replacement hard drive.
C. The vendor of custom-written software goes out of business.
D. An IS auditor requires access to software code written by the organization.
CORRECT ANSWER: C is the correct answer.
Justification:
A. Access to software should be managed by an internally managed software library. Escrow refers to the storage of software with a third party, not the internal libraries.
B. Providing the user with a backup copy of software is not escrow. Escrow requires that a copy be kept with a trusted third party.
C. A software escrow is a legal agreement between a software vendor and a customer to guarantee access to source code. The application source code is held by a trusted third party, according to the contract. This agreement is necessary in the event that the software vendor goes out of business, there is a contractual dispute with the customer or the software vendor fails to maintain an update of the software as promised in the software license agreement.
D. Software escrow is used to protect the intellectual property of software developed by one organization and sold to another organization. This is not used for software being reviewed by an auditor of the organization that wrote the software.

A2-15 An IS auditor reviews an organizational chart PRIMARILY for:
A. Understanding of the complexity of the organizational structure.
B. Investigating various communication channels.
C. Understanding the responsibilities and authority of individuals.
D. Investigating the network connected to different employees.
CORRECT ANSWER: C is the correct answer.
Justification:
A. Understanding the complexity of the organizational structure is not the primary reason to review an organizational chart because the chart will not necessarily depict the complexity.
B. The organizational chart is a key tool for an auditor to understand roles and responsibilities and reporting lines but is not used for examining communications channels.
C. An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions.
D. A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.

A2-16 Sharing risk is a key factor in which of the following methods of managing risk?
A. Transferring risk
B. Tolerating risk
C. Terminating risk
D. Treating risk
CORRECT ANSWER: A is the correct answer.
Justification:
A. Transferring risk (e.g., by taking an insurance policy) is a way to share risk.
B. Tolerating risk means that the risk is accepted, but not shared.
C. Terminating risk would not involve sharing the risk because the organization has chosen to terminate the process associated with the risk.
D. There are several ways of treating or controlling the risk, which may involve reducing or sharing the risk, but this is not as precise an answer as transferring the risk.

A2-17 A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should:
A. Compute the amortization of the related assets.
B. Calculate a return on investment.
C. Apply a qualitative approach.
D. Spend the time needed to define the loss amount exactly.
CORRECT ANSWER: C is the correct answer.
Justification:
A. Amortization is used in a profit and loss statement, not in computing potential losses.
B. A return on investment (ROI) is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues.
C. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).
D. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and the result will be a not well-supported evaluation.

A2-18 While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that:
A. Quality management systems comply with good practices.
B. Continuous improvement targets are being monitored.
C. Standard operating procedures of IT are updated annually.
D. Key performance indicators are defined.
CORRECT ANSWER: B is the correct answer.
Justification:
A. Generally, good practices are adopted according to business requirements. Therefore, conforming to good practices may or may not be a requirement of the business.
B. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS).
C. Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity.
D. Key performance indicators may be defined in a QMS, but they are of little value if they are not being monitored.

A2-19 An IS auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor?
A. The IT department's projects will not be adequately funded.
B. IT projects are not following the system development life cycle process.
C. IT projects are not consistently formally approved.
D. The IT department may not be working toward a common goal.
CORRECT ANSWER: D is the correct answer.
Justification:
A. Funding for the projects may be addressed through various budgets and may not require steering committee approval. The primary concern would be to ensure that the project is working toward meeting the goals of the company.
B. Although requiring steering committee approval may be part of the system development life cycle process, the greater concern would be whether the projects are working toward the corporate goals. Without steering committee approval, it would be difficult to determine whether these projects are following the direction of the corporate goals.
C. Although having a formal approval process is important, the greatest concern would be for the steering committee to provide corporate direction for the projects.
D. The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project may or may not be working toward the company's goals.

A2-20 Value delivery from IT to the business is MOST effectively achieved by:
A. Aligning the IT strategy with the enterprise strategy
B. Embedding accountability in the enterprise
C. Providing a positive return on investment
D. Establishing an enterprisewide risk management process
CORRECT ANSWER: A is the correct answer.
Justification:
A. IT's value delivery to the business is driven by aligning IT with the enterprise's strategy.
B. Embedding accountability in the enterprise promotes risk management (another element of corporate governance).
C. While return on investment is important, it is not the only criterion by which the value of IT is assessed.
D. Enterprisewide risk management is critical to IT governance; however, by itself, it will not guarantee that IT delivers value to the business unless the IT strategy is aligned with the enterprise strategy.

A2-21 During a feasibility study regarding outsourcing IT processing, the relevance for the IS auditor of reviewing the vendor's business continuity plan is to:
A. Evaluate the adequacy of the service levels that the vendor can provide in a contingency.
B. Evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. Review the experience of the vendor's staff.
D. Test the business continuity plan.
CORRECT ANSWER: A is the correct answer.
Justification:
A. A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization's processing requirements.
B. Financial stability is not related to the vendor's business continuity plan (BCP).
C. Experience of the vendor's staff is not related to the vendor's BCP.
D. The review of the vendor's BCP during a feasibility study is not a way to test the vendor's BCP.

A2-22 An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation?
A. Existing IT mechanisms enabling compliance
B. Alignment of the policy to the business strategy
C. Current and future technology initiatives
D. Regulatory compliance objectives defined in the policy
CORRECT ANSWER: A is the correct answer.
Justification:
A. The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.
B. Policies should be aligned with the business strategy, but this does not affect an organization's ability to comply with the policy upon implementation.
C. Current and future technology initiatives should be driven by the needs of the business and would not affect an organization's ability to comply with the policy.
D. Regulatory compliance objectives may be defined in the IT policy, but that would not facilitate compliance with the policy. Defining objectives would only result in the organization knowing the desired state and would not aid in achieving compliance.

The MOST likely effect of the lack of senior management commitment to IT strategic planning is:
A. Lack of investment in technology
B. Lack of a methodology for systems development
C. Technology not aligning with organization objectives
D. Absence of control over technology contracts
CORRECT ANSWER: C is the correct answer.
Justification:
A. Lack of management commitment will almost certainly affect investment, but the primary loss will be the lack of alignment of IT strategy with the strategy of the business.
B. Systems development methodology is a process-related function and not a key concern of management.
C. A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers is an indication of a lack of top-level management commitment. This condition increases the risk that IT is not aligned with organization strategy.
D. Approval for contracts is a business process and would be controlled through financial process controls. This is not applicable here.

Which of the following is a function of an IT steering committee?
A. Monitoring vendor-controlled change control and testing
B. Ensuring a separation of duties within the information processing environment
C. Approving and monitoring the status of IT plans and budgets
D. Liaising between the IT department and end users
CORRECT ANSWER: C is the correct answer.
Justification:
A. Vendor change control is a sourcing issue and should be monitored by IT management.
B. Ensuring a separation of duties within the information processing environment is an IT management responsibility.
C. The IT steering committee typically serves as a general review board for major IT projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, such as the status of IT plans and budgets.
D. Liaising between the IT department and end users is a function of the individual parties and not a committee responsibility.

A2-25 An IS auditor is performing a review of an organization's governance model. Which of the following should be of MOST concern to the auditor?
A. The information security policy is not periodically reviewed by senior management.
B. A policy ensuring systems are patched in a timely manner does not exist.
C. The audit committee did not review the organization's mission statement.
D. An organizational policy related to information asset protection does not exist.
CORRECT ANSWER: A is the correct answer.
Justification:
A. Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure, and, therefore, this is the greatest concern.
B. While it is a concern that there is no policy related to system patching, the greater concern is that the information security policy is not reviewed periodically by senior management.
C. Mission statements tend to be long term because they are strategic in nature and are established by the board of directors and management. This is not the IS auditor's greatest concern because proper governance oversight could lead to meeting the objectives of the organization's mission statement.
D. While it is a concern that there is no policy related to the protection of information assets, the greater concern is that the security policy is not reviewed periodically by senior management because top-level support is fundamental to information security governance.

A2-26 Involvement of senior management is MOST important in the development of:
A. Strategic plans.
B. IT policies.
C. IT procedures.
D. Standards and guidelines.
CORRECT ANSWER: A is the correct answer.
Justification:
A. Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.
B. IT policies are created and enforced by IT management and information security. They are structured to support the overall strategic plan.
C. IT procedures are developed to support IT policies. Senior management is not involved in the development of procedures.
D. Standards and guidelines are developed to support IT policies. Senior management is not involved in the development of standards, baselines and guidelines.

A2-27 Effective IT governance ensures that the IT plan is consistent with the organization's:
A. Business plan.
B. Audit plan.
C. Security plan.
D. Investment plan.
CORRECT ANSWER: A is the correct answer.
Justification:
A. To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans.
B. The audit plan is not part of the IT plan.
C. The security plan is not a responsibility of IT and does not need to be consistent with the IT plan.
D. The investment plan is not part of the IT plan.

A2-28 Establishing the level of acceptable risk is the responsibility of:
A. Quality assurance management.
B. Senior business management.
C. The chief information officer.
D. The chief security officer.
CORRECT ANSWER: B is the correct answer.
Justification:
A. Quality assurance (QA) is concerned with reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level.
B. Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process. The person can be the QA, chief information officer (CIO), or the chief security officer (CSO), but the responsibility rests with the business manager.
C. The establishment of acceptable risk levels is a senior business management responsibility. The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources. The CIO is rarely the person that determines acceptable risk levels because this could be a conflict of interest unless the CIO is the senior business process owner.
D. The establishment of acceptable risk levels is a senior business management responsibility. The CSO is responsible for enforcing the decisions of the senior management team unless the CIO is the business process manager.

IT governance is PRIMARILY the responsibility of the:
A. chief executive officer.
B. board of directors.
C. IT steering committee.
D. audit committee.
CORRECT ANSWER: B is the correct answer.
Justification:
A. The chief executive officer is instrumental in implementing IT governance according to the directions of the board of directors.
B. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).
C. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The IT steering committee enforces governance on behalf of the board of directors.
D.
The audit committee reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations. Al-30 From a control perspective, the key element injob descriptions is that they: A. Provide instructions on how to do the job and define authority. B. Are current, documented and readily available to the employee. C. Communicate management's specific job performance expectations. D. Establish responsibility and accountability for the employee's actions. - CORRECT ANSWER D is the correct answer. Justification: A. Providing instructions on how to do the job and defining authority addresses the managerial and procedural aspects of the job and is a management responsibility. Job descriptions, which are a human resources (HR)-related function, are primarily used to establish job requirements and accountability. B. It is important that job descriptions are current, documented and readily available to the employee, but this, in itself, is not the key element of the job description. Job descriptions, which are an HR-related function, are primarily used to establish job requirements and accountability. C. Communication of management's specific expectations for job performance would not necessarily be included injob descriptions. D. From a control perspective, a job description should establish responsibility and accountability. This aids in ensuring that users are given system access in accordance with their defined job responsibilities and are accountable for how they use that access. A2-31 Which of the following BEST provides assurance of the integrity of new staff? A. Background screening B. References C. Bonding D. Qualifications listed on a resume - CORRECT ANSWER A is the correct answer. Justification: A. A background screening is the primary method for assuring the integrity of a prospective staff member. 
This may include criminal history checks, driver's license abstracts, financial status checks, verification of education, etc. B. References are important and would need to be verified, but they are not as reliable as background screening because the references themselves may not be validated as trustworthy. C. Bonding is directed at due-diligence compliance and does not ensure integrity. D. Qualifications listed on a resume may be used to demonstrate proficiency but will not indicate the integrity of the candidate employee. A2-32 When an employee is terminated from service, the MOST important action is to: A. hand over all of the employee's files to another designated employee. B. complete a backup of the employee's work. C.notifyotheremployeesofthetermination. D.disabletheemployee'slogicalaccess - CORRECT ANSWER D is the correct answer. Justification: A. All the work of the terminated employee needs to be handed over to a designated employee; however, this is not as critical as removing terminated employee access. B. All the work of the terminated employee needs to be backed up, but this is not as critical as removing terminated employee access. C. The employees need to be notified of the termination, but this is not as critical as removing terminated employee access. D. There is a probability that a terminated employee may-misuse access rights; therefore, disabling the terminated employee's logical access is the most important and immediate action to take. A2-33 A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that: A. The security controls of the application may not meet requirements. B. The application may not meet the requirements of the business users. C. The application technology may be inconsistent with the enterprise architecture. D. The application may create unanticipated support issues for IT. - CORRECT ANSWER C is the correct answer. Justification: A. 
Although security controls should be a requirement for any application, the primary focus of the enterprise architecture (EA) is to ensure that new applications are consistent with enterprise standards. Although the use of standard supported technology may be more secure, this is not the primary benefit of the EA. B. When selecting an application, the business requirements and the suitability of the application for the IT environment must be considered. If the business units selected their application without IT involvement, they are more likely to choose a solution that fits their business process the best with less emphasis on how compatible and supportable the solution will be in the enterprise, and this is not a concern. C. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business. D. Although any new software implementation may create support issues, the primary benefit of the EA is ensuring that the IT solutions deliver value to the business. Decreased support costs may be a benefit of the EA, but the lack of IT involvement in this case would not affect the support requirements. A2-34 Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to: A. Ensure that the employee maintains a good quality of life, which will lead to greater productivity. B. Reduce the opportunity for an employee to commit an improper or illegal act. C. Provide proper cross-training for another employee. D.Eliminatethepotentialdisruptioncausedwhenanemployeetakes vacationonedayatatime. 
- CORRECT ANSWER B is the correct answer. Justification: A. Maintaining a good quality of life is important, but the primary reason for a mandatory vacation is to catch fraud or errors. B. Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function of the employee on vacation is often mandatory for sensitive positions because this reduces the opportunity to commit improper or illegal acts. During this time off, it may be possible to discover any fraudulent activity that was taking place. C. Providing cross-training is an important management function, but the primary reason for mandatory vacations is to detect fraud or errors. D. Enforcing a rule that all vacations must be taken a week at a time is a management decision but not related to a mandatory vacation policy. The primary reason for mandatory vacations is to detect fraud or errors. A2-35 A local area network (LAN) administrator normally is restricted from: A. having end-user responsibilities. B. reporting to the end-user manager. C. having programming responsibilities. D.beingresponsiblefor LANsecurityadministration. - CORRECT ANSWER C is the correct answer. Justification: A. Although not ideal, a local area network (LAN) administrator may have end-user responsibilities. B. The LAN administrator may report to the director of the information processing facility (IPF) or, in a decentralized operation, to the end-user manager. C. A LAN administrator should not have programming responsibilities because that could allow modification of production programs without proper separation of duties, but the LAN administrator may have end-user responsibilities. D. In small organizations, the LAN administrator may also be responsible for security administration over the LAN. A2-36 A decision support system is used to help high-level management: A. Solve highly structured problems. B. Combine the use of decision models with predetermined criteria. C. 
Make decisions based on data analysis and interactive models. D. Support only structured decision-making tasks. - CORRECT ANSWER C is the correct answer. Justification: A. A decision support system (DSS) is aimed at solving less structured problems. B. A DSS combines the use of models and analytic techniques with traditional data access and retrieval functions but is not limited by predetermined criteria. C. A DSS emphasizes flexibility in the decision-making approach of management through data analysis and the use of interactive models, not fixed criteria. D. A DSS supports semistructured decision-making tasks. A2-37 During an audit, the IS auditor discovers that the human resources (RR) department uses a cloud-based application to manage employee records. The RR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern? A. Maximum acceptable downtime metrics have not been defined in the contract. B. The IT department does not manage the relationship with the cloud vendor. C. The help desk call center is in a different country, with different privacy requirements. D.Organization-definedsecuritypoliciesarenotappliedtothecloud application. - CORRECT ANSWER D is the correct answer. Justification: A. Maximum acceptable downtime is a good metric to have in the contract to ensure application availability; however, human resources (RR) applications are usually not mission-critical, and therefore, maximum acceptable downtime is not the most significant concern in this scenario. B. The responsibility for managing the relationship with a third party should be assigned to a designated individual or service management team; however, it is not essential that the individual or team belong to the IT department. C. An organization-defined security policy ensures that help desk personnel do not have access to personnel data, and this is covered under the security policy. 
The more critical issue is that the application complied with the security policy. D. Cloud applications should adhere to the organization-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy. A2-38 Before implementing an IT balanced scorecard, an organization must: A. Deliver effective and efficient services. B. Define key performance indicators. C. Provide business value to IT projects. D.ControlITexpenses., - CORRECT ANSWER B is the correct answer. Justification: A. A balanced scorecard (BSC) is a method of specifying and measuring the attainment of strategic results. It will measure the delivery of effective and efficient services, but an organization may not have those in place prior to using a BSC. B. Because a BSC is a way to measure performauce, a definition of key performance indicators is required before implementing an IT BSC. C. A BSC will measure the value of IT to business, not the other way around. D. A BSC will measure the performance of IT, but the control over IT expenses is not a key requirement for implementing a BSC. 39 To support an organization's goals, an IT department should have: A. A low-cost philosophy. B. Long- and short-term plans. C. Leading-edge technology. D.Planstoacquirenewhardwareandsoftware. - CORRECT ANSWER B is the correct answer. Justification: A. A low-cost philosophy is one objective, but more important is the cost-benefit and the relation of IT investment cost to business strategy. B. To ensure its contribution to the realization of an organization's overall goals, the IT department should have long- and short-range plans that are consistent with the organization's broader and strategic plans for attaining its goals. C. 
Leading-edge technology is an objective, but IT plans would be needed to ensure that those plans are aligned with organizational goals. D. Plans to acquire new hardware and software could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals. A2-40 In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: A. There is an integration of IT and business personnel within projects. B. There is a clear definition of the IT mission and vision. C. A strategic information technology planning scorecard is in place. D. The plan correlates business objectives to IT goals and objectives. - CORRECT ANSWER A is the correct answer. Justification: A. The integration of IT and business personnel in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan provides a fra~ework for the IT short-range plan. B. A clear definition of the IT mission and vision would be covered by a strategic plan. C. A strategic information technology planning scorecard would be covered by a strategic plan. D. Business objectives correlating to IT goals and objectives would be covered by a strategic plan. A2-41 Which of the following does an IS auditor consider the MOST relevant to short-term planning for an IT department? A. Allocating resources B. Adapting to changing technologies C. Conducting control self-assessments D. Evaluating hardware needs - CORRECT ANSWER A is the correct answer. Justification: A. The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor ensures that the resources are being managed adequately. B. Investments in IT need to be aligned with top management strategies rather than be relevant to short term planning and focus on technology for technology'S sake. C. 
Conducting control self-assessments is not as critical as allocating resources during short-term planning for the IT department. D. Evaluating hardware needs is not as critical as allocating resources during short-term planning for the IT department. A2-42 Which of the following goals do you expect to find in an organization's strategic plan? A. Results of new software testing B. An evaluation of information technology needs C. Short-term project plans for a new planning system D. Approved suppliers for products offered by the company - CORRECT ANSWER D is the correct answer. Justification: A. Results of a new accounting package is a tactical or short-term goal and would not be included in a strategic plan. B. An evaluation of information technology needs is a way to measure performance, but not a goal to be found in a strategicplan. C. Short-termprojectplans is project-orientedand is a method of implementinga goal but not the goal in itself The goal wouldbe to have better projectmanagement-the new systemis how to achievethat goal. D. Approved suppliers of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and, thus, is a part of the organization's strategic plan. A2-43 Which of the following does an IS auditor consider to be MOST important when evaluating an organization's IT strategy? That it: A. Was approved by line management. B. Does not vary from the IT department's preliminary budget. C. Complies with procurement procedures. D.Supportsthebusinessobjectivesoftheorganization. - CORRECT ANSWER D is the correct answer. Justification: A. A strategic plan is a senior management responsibility and would receive input from line managers but would not be approved by them. B. The budget should not vary from the plan. C. Procurement procedures are organizational controls, but not a part of strategic planning. D. Strategic planning sets corporate or department objectives into motion. 
Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals. A2-44 An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part ofthe solution. The contract should require that: A. A backup server is available to run ETCS operations with up-to-date data. B. A backup server is loaded with all relevant software and data. C. The systems staff of the organization is trained to handle any event. D.Source code of the ETCS application is place dine scrow. - CORRECT ANSWER D is the correct answer. Justification: A. Having a backup server with current data is critical but not as critical as ensuring the availability of the source code. B. Having a backup server with relevant software is critical but not as critical as ensuring the availability of the source code. C. Having staff training is critical but not as critical as ensuring the availability ofthe source code. D. Whenever proprietary application software is purchased, the contract should provide for a sourcecodeescrowagreement. Thisagreement ensuresthatthepurchasing organization hasthe opportunity tomodifythesoftwareshouldthevendorceasetobeinbusiness. A2-45 When reviewing the IT strategy, an IS auditor can BEST assess whether the strategy supports the organizations' business objectives by determining whether IT: A. Has all the personnel and equipment it needs. B. Plans are consistent with management strategy. c. Uses its equipment and personnel efficiently and effectively. D. Has sufficient excess capacity to respond to changing directions. - CORRECT ANSWER B is the correct answer. Justification: A. Having personnel and equipment is an important requirement to meet the IT strategy but will not ensure that the IT strategy supports business objectives. B. 
The only way to know if IT strategy will meet business objectives is to determine if the IT plan is consistent with management strategy and that it relates IT planning to business plans. C. Using equipment and personnel efficiently and effectively is an effective method for determining the proper management of the IT function but does not ensure that the IT strategy is aligned with business objectives. D. Having sufficient excess capacity to respond to changing directions is important to show flexibility to meet organizational changes but is not in itself a way to ensure that IT is aligned with business goals. A2-46 An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor? A. Network administrators are responsible for quality assurance. B. System administrators are application programmers. C. End users are security administrators for critical applications. D.Systemsanalystsaredatabaseadministrators. - CORRECT ANSWER B is the correct answer. Justification: A. Ideally, network administrators should not be responsible for quality assurance because they could approve their own work. However,that is not as serious as the combination of system administrator and application programmer, which would allow'nearly unlimited abuse of privilege. B. When individuals serve multiple roles, this represents a separation-of-duties problem with associated risk. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door. The other combinations of roles are valid from a separation of duties perspective. C. In some distributedenvironments,especiallywith small staffmglevels,users may also manage security. D. 
While a database administrator is a very privileged position it would not be in conflict with the role of a systems analyst. A2-47 Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? A. User management coordination does not exist. B. Specific user accountability cannot be established. C. Unauthorized users may have access to modify data. D. Audit recommendations may not be implemented: - CORRECT ANSWER C is the correct answer. Justification: A. The greatest risk is from unauthorized users being able to modify data. User management is important but not the greatest risk. B. User accountability is important but not as great a risk as the actions of unauthorized users. C. Without a policy defining who has the responsibility for granting access to specific systems, there is an increased risk that individuals can gain (be given) system access when they should not have authorization. The ability of unauthorized users to modify data is greater than the risk of authorized user accounts not being controlled properly. D. The failure to implement audit recommendations is a management problem but not as serious as the ability of unauthorized users making modifications. A2-48 An IS audit department is planning to minimize the risk of short-term employees. Activities contributing to this objective are documented procedures, knowledge sharing, cross-training and: A. Succession planning. B. Staff job evaluation. C. Responsibilities definitions. D. Employee award programs. - CORRECT ANSWER A is the correct answer. Justification: A. Succession planning ensures that internal personnel with the potential to fill key positions in the organization are identified and developed. B. Job evaluation is the process of determining the worth of one job in relation to that of the other jobs in a company so that a fair and equitable wage and salary system can be established. C. 
Staff responsibilities definitions provide for well-defined roles and responsibilities; however, they do not minimize dependency on key individuals. D. Employee award programs provide motivation; however, they do not minimize dependency on key individuals. A2-49 The rate of change in technology increases the importance of: A. Outsourcing the IT function. B. Implementing and enforcing sound processes. C. Hiring qualified personnel. D.Meetinguserrequirement. - CORRECT ANSWER B is the correct answer. Justification: A. Outsourcing the IT function is a business decision and not directly related to the rate of technological change, nor does the rate of change increase the importance of outsourcing. B. Change control requires that good change management processes be implemented and enforced. C. Personnel in a typical IT department can often be trained in new technologies to meet organizational requirements. D. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IT environment. Al-SO An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A. This lack of knowledge may lead to unintentional disclosure of sensitive information. B. Information security is not critical to all functions. C. Is audit should provide security training to the employees. D.Theauditfindingwillcausemanagementtoprovidecontinuoustrainingtostaff. - CORRECT ANSWER A is the correct answer. Justification: A. AIl employees should be aware of the enterprise's information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders. B. Information security is everybody's business, and all staff should be trained in how to handle information correctly. C. 
Providing security awareness training is not an IS audit function. D. Management may agree to or reject an audit finding. The IS auditor cannot be assured that management will act upon an audit finding unless they are aware of its impact; therefore, the auditor must report the risk associated with lack of security awareness. Al-Sl Which of the following is responsible for the approval of an information security policy? A. IT department B. Security committee C. Security administrator D. Board of directors - CORRECT ANSWER D is the correct answer. Justification: A. The IT departmentis responsiblefor the executionof the policy,having no authorityin framingthe policy. B. The security committee also functions within the broad security policy framed by the board of directors. C. The security administrator is responsible for implementing, monitoring and enforcing the security rules that management has established and authorized. D. Normally, the approval of an information systems security policy is the responsibility of top management or the board of directors. A2-S2 While reviewing the IT governance processes of an organization, an IS auditor discovers the firm has recently implemented an IT balanced scorecard (BSC). The implementation is complete; however, the IS auditor notices that performance indicators are not objectively measurable. What is the PRIMARY risk presented by this situation? A. Key performance indicators are not reported to management and management cannot determine the effectiveness of the BSC. B. IT projects could suffer from cost overruns. C. Misleading indications of IT performance may be presented to management. D. IT service level agreements may not be accurate. - CORRECT ANSWER C is the correct answer. Justification: A. If the performance indicators are not objectively measurable, the most significant risk would.£_e the presentation of misleading performance results to management. 
This could result in a false seltle of assurance and, as a result, IT resources may be misallocated, or strategic decisions may be based on incorrect information. Whether or not the performance indicators are correctly defined, the results would be reported to management. B. Although project management issues could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk. C. The IT balanced scorecard is designed to measure IT performance. To measure performance, a sufficient number of performance drivers (key performance indicators [KPIs]) must be defined and measured over time. Failure to have objective KPIs may result in arbitrary, subjective measures that may be misleading and lead to unsound decisions. D. Although performance management issues related to service level agreements could arise from performance indicators that were not correctly defined, the presentation of misleading performance to management is a much more significant risk. A2-53 Which of the following should be included in an organization's information security policy? A. A list of key IT resources to be secured B. The basis for access control authorization C. Identity of sensitive security assets D. Relevant software security features - CORRECT ANSWER B is the correct answer. Justification: A. A list of key IT resources to be secured is more detailed than that which should be included in a policy. B. The security policy provides the broad framework of security as laid down and approved by senior management. It includes a definition of those authorized to grant access and the basis for granting the access. C. The identity of sensitive security assets is more detailed than that which should be included in a policy. D. A list of the relevant software security features is more detailed than that which should be included in a policy. 
A2-54 Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an application traffic matrix showing protection methods - CORRECT ANSWER B is the correct answer. Justification: A. Identifying methods to protect against identified vulnerabilities and their comparative cost-benefit analysis is the third step. B. Identification of the applications required across the network should be the initial step. After identification, depending on the physical location