Help please ASAP

NAME: ______________________________________
Course: ACC 624, Midterm Exam
Semester: Spring, 2014
St. John's University

Please fill your answer in the blank space provided after each question, or you may highlight the answers. Make sure you save the answers. Please fill in your name as well.
Due Date: March 14, 2014 by 9:00 PM (to be emailed to professor)

1. An audit charter should:
A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
Answer: ___________________________

2. Which of the following criteria for selecting the applications to be audited is LEAST likely to be used?
A. Materiality of audit risk
B. Sensitivity of transactions
C. Technological complexity
D. Regulatory agency involvement
Answer: ___________________________

3. Which of the following is the MOST likely reason why email systems have become a useful source of evidence for litigation?
A. Multiple cycles of backup files remain available
B. Access controls establish accountability for email activity
C. Data classification regulates what information should be communicated via email
D. Within the enterprise, a clear policy for using email ensures that evidence is available
Answer: ___________________________

4. While planning an audit, an assessment of risk should be made to provide:
A. Reasonable assurance that the audit will cover material items.
B. Definite assurance that material items will be covered during the audit work.
C. Reasonable assurance that all items will be covered by the audit.
D. Sufficient assurance that all items will be covered during the audit work.
Answer: ___________________________

5. When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?
A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls can only be regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing
Answer: ___________________________

6. During an implementation review of a multiuser distributed application, an IS auditor finds minor weaknesses in three areas: the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:
A. Record the observations separately with the impact of each of them marked against each respective finding.
B. Advise the manager of probable risks without recording the observations since the control weaknesses are minor ones.
C. Record the observations and the risk arising from the collective weaknesses.
D. Apprise the departmental heads concerned with each observation and properly document it in the report.
Answer: ___________________________

7. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
A. controls needed to mitigate risks are in place.
B. vulnerabilities and threats are identified.
C. audit risks are considered.
D. a gap analysis is appropriate.
Answer: ___________________________

8. The success of control self-assessment (CSA) depends highly on:
A. Having line managers assume a portion of the responsibility for control monitoring.
B. Assigning staff managers the responsibility for building, but not monitoring, controls.
C. The implementation of a stringent control policy and rule-driven controls.
D. The implementation of supervision and the monitoring of controls of assigned duties.
Answer: ___________________________

9. A long-term IS employee has asked to transfer to IS auditing. The individual has a strong technical background and broad managerial experience. According to ISACA's General Standards for IS Auditing, consideration should be given to the candidate's:
A. Length of service since this will help ensure technical competence
B. IS knowledge since this will bring enhanced credibility to the audit function
C. Existing IS relationships and ability to retain audit independence
D. Age as training in audit techniques may be practical
Answer: ___________________________

10. Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?
A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures
Answer: ___________________________

11. The IT balanced scorecard (BSC) is a business governance tool intended to monitor IT performance evaluation indicators other than:
A. Financial results.
B. Customer satisfaction.
C. Internal process efficiency.
D. Innovation capacity.
Answer: ___________________________

12. Which of the following is the initial step in creating a firewall policy?
A. A cost-benefit analysis of methods for securing the applications
B. Identification of network applications to be externally accessed
C. Identification of vulnerabilities associated with network applications to be externally accessed
D. Creation of an applications traffic matrix showing protection methods
Answer: ___________________________

13. The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?
A. Utilization of an intrusion detection system to report incidents
B. Mandating the use of passwords to access all software
C. Installing an efficient user log system to track the actions of each user
D. Training provided on a regular basis to all current and new employees
Answer: ___________________________

14. IT control objectives are useful to IS auditors since they provide the basis for understanding the:
A. Desired result or purpose of implementing specific control procedures.
B. Best IT security control practices relevant to a specific entity.
C. Techniques for securing information.
D. Security policy.
Answer: ___________________________

15. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced?
A. Ensuring that invoices are paid to the provider
B. Participating in systems design with the provider
C. Renegotiating the provider's fees
D. Monitoring the outsourcing provider's performance
Answer: ___________________________

16. Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A. Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan.
B. Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C. No, because the backup to be provided should be specified adequately in the contract.
D. No, because the service bureau's business continuity plan is proprietary information.
Answer: ___________________________

17. An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application, looking for vulnerabilities. What would be the next task?
A. Immediately report the risks to the CIO and CEO
B. Examine e-business application in development
C. Identify threats and likelihood of occurrence
D. Check the budget available for risk management
Answer: ___________________________

18. In an organization, the responsibilities for IT security are clearly assigned and enforced, and an IT security risk and impact analysis is consistently performed. This represents which level of ranking in the information security governance maturity model?
A. Optimized
B. Managed
C. Defined
D. Repeatable
Answer: ___________________________

19. Which of the following IT governance best practices improves strategic alignment?
A. Supplier and partner risks are managed.
B. A knowledge base on customers, products, markets and processes is in place.
C. A structure is provided that facilitates the creation and sharing of business information.
D. Top management mediates between the imperatives of business and technology.
Answer: ___________________________

20. A top-down approach to the development of operational policies will help ensure:
A. That they are consistent across the organization.
B. That they are implemented as a part of risk assessment.
C. Compliance with all policies.
D. That they are reviewed periodically.
Answer: ___________________________

21. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?
A. Overlapping controls
B. Boundary controls
C. Access controls
D. Compensating controls
Answer: ___________________________

22. Which of the following reduces the potential impact of social engineering attacks?
A. Compliance with regulatory requirements
B. Promoting ethical understanding
C. Security awareness programs
D. Effective performance incentives
Answer: ___________________________

23. Which of the following is the MOST important element for the successful implementation of IT governance?
A. Implementing an IT scorecard
B. Identifying organizational strategies
C. Performing a risk assessment
D. Creating a formal security policy
Answer: ___________________________

24. A benefit of open system architecture is that it:
A. facilitates interoperability.
B. facilitates the integration of proprietary components.
C. will be a basis for volume discounts from equipment vendors.
D. allows for the achievement of more economies of scale for equipment.
Answer: ___________________________

25. A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative?
A. Issues of privacy
B. Wavelength can be absorbed by the human body
C. RFID tags may not be removable
D. RFID eliminates line-of-sight reading
Answer: ___________________________

26. Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be:
A. physically separated from the data center and not subject to the same risks.
B. given the same level of protection as that of the computer data center.
C. outsourced to a reliable third party.
D. equipped with surveillance capabilities.
Answer: ___________________________

27. Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault?
A. There are three individuals with a key to enter the area
B. Paper documents are also stored in the offsite vault
C. Data files that are stored in the vault are synchronized
D. The offsite vault is located in a separate facility
Answer: ___________________________

28. Which of the following represents the GREATEST risk created by a reciprocal agreement for disaster recovery made between two companies?
A. Developments may result in hardware and software incompatibility
B. Resources may not be available when needed
C. The recovery plan cannot be tested
D. The security infrastructures in each company may be different
Answer: ___________________________

29. Which of the following disaster recovery/continuity plan components provides the GREATEST assurance of recovery after a disaster?
A. The alternate facility will be available until the original information processing facility is restored.
B. User management is involved in the identification of critical systems and their associated critical recovery times.
C. Copies of the plan are kept at the homes of key decision-making personnel.
D. Feedback is provided to management, assuring them that the business continuity plans are, indeed, workable and that the procedures are current.
Answer: ___________________________

30. Which of the following would have the HIGHEST priority in a business continuity plan?
A. Resuming critical processes
B. Recovering sensitive processes
C. Restoring the site
D. Relocating operations to an alternative site
Answer: ___________________________

31. An IS auditor has audited a business continuity plan. Which of the following findings is the MOST critical?
A. Non-availability of an alternate private branch exchange (PBX) system
B. Absence of a backup for the network backbone
C. Lack of backup systems for the users' PCs
D. Failure of the access card system
Answer: ___________________________

32. During a business continuity audit, an IS auditor found that the business continuity plan covered only critical processes. The IS auditor should:
A. Recommend that the business continuity plan cover all business processes.
B. Assess the impact of the processes not covered.
C. Report the findings to the IT manager.
D. Redefine critical processes.
Answer: ___________________________

33. An IS auditor noted that an organization had adequate business continuity plans for each individual process, but no comprehensive business continuity plan. Which would be the BEST course of action for the IS auditor?
A. Recommend that an additional comprehensive business continuity plan be developed.
B. Determine whether the business continuity plans are consistent.
C. Accept the business continuity plans as written.
D. Recommend the creation of a single business continuity plan.
Answer: ___________________________

34. Which of the following is MOST important when there is a lack of adequate fire detection and control equipment in the computer areas?
A. Adequate fire insurance
B. Regular hardware maintenance
C. Offsite storage of transaction and master files
D. Fully tested backup processing facilities
Answer: ___________________________

35. When developing a business continuity plan, which of the following tools should be used to gain an understanding of the organization's business processes?
A. Business continuity self-audit
B. Resource recovery analysis
C. Business impact analysis
D. Gap analysis
Answer: ___________________________

36. The PRIMARY objective of testing a business continuity plan is to:
A. Familiarize employees with the business continuity plan.
B. Ensure that all residual risks are addressed.
C. Exercise all possible disaster scenarios.
D. Identify limitations of the business continuity plan.
Answer: ___________________________

37. In determining the acceptable time period for the resumption of critical business processes:
A. only downtime costs need to be considered.
B. recovery operations should be analyzed.
C. both downtime costs and recovery costs need to be evaluated.
D. indirect downtime costs should be ignored.
Answer: ___________________________

38. Separation of duties between computer operators and other data processing personnel is intended to:
A. Prevent unauthorized modifications to program or data.
B. Reduce overall cost of operations.
C. Allow operators to concentrate on their assigned duties.
D. Restrict operator access to data.
Answer: ___________________________

39. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
A. assessment of the situation may be delayed.
B. execution of the disaster recovery plan could be impacted.
C. notification of the teams might not occur.
D. potential crisis recognition might be ineffective.
Answer: ___________________________

40. Which of the following pairs of job functions/duties would an organization MOST likely keep separate?
A. Operations and Programming.
B. Systems Analysis and Programming.
C. Database Administration and IS Management.
D. Tape Librarian and Program Librarian.
Answer: ___________________________

41. The IS Auditor should perform all of the following EXCEPT:
a. participate in testing of the disaster recovery plan.
b. review the disaster recovery plan for completeness.
c. lead the team developing the disaster recovery plan.
d. review the contract for alternative processing.
Answer: ___________________________

42. Disaster recovery plans do NOT need to address which of the following during the period of processing at the alternative site?
a. Maintenance of processing activity
b. Immediate recovery of all applications
c. Logical access security
d. Physical security
Answer: ___________________________

43. Which of the following is the MOST important resource to be protected by a recovery plan?
a. Equipment
b. Software
c. Input and output materials
d. Data
Answer: ___________________________

44. An IS Audit report would normally include all of the following, EXCEPT:
a. Scope, objective(s) and period of coverage
b. Nature and extent of audit work performed
c. Findings, conclusions and recommendations
d. Details of programs, procedures and software used
Answer: ___________________________

45. Which of the following would be considered a corrective control?
a. Contingency planning
b. Suitable procedures for transaction authorization
c. Use of access control software
d. Echo controls in telecommunications
Answer: ___________________________