| A |
A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of enterprise property that was issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee.
|
| B |
Holding an exit interview is desirable when possible to gain feedback but is not a serious risk.
|
| C |
Job rotation is a valuable control to ensure continuity of operations, but not the most serious human resources policy risk.
|
| D |
Signing a nondisclosure agreement (NDA) is a recommended human resources practice, but a lack of an NDA is not the most serious risk listed.
|
| A |
The organization is free to choose any EA framework, and the IS auditor should not recommend a specific framework.
|
| B |
It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.
|
| C |
The IS auditor does not ordinarily provide input on the timing of projects, but rather provides an assessment of the current environment. The most critical issue in this scenario is that the enterprise architecture (EA) is undergoing change, so the IS auditor should be most concerned with reporting this issue.
|
| D |
Changing the scope of an audit to include the secondary project is not required, although a follow-up audit may be desired.
|
| A |
A steering committee should exist to ensure that the IT strategies support the organization's goals. The absence of an information technology committee or a committee not composed of senior managers is an indication of a lack of top-level management commitment. This condition increases the risk that IT is aligned with organization strategy.
|
| B |
Lack of management commitment will almost certainly affect investment, but the primary loss will be the lack of alignment of IT strategy with the strategy of the business.
|
| C |
Approval for contracts is a business process and would be controlled through financial process controls. This is not applicable here.
|
| D |
Systems development methodology is a process-related function and not a key concern of management.
|
| A |
A primary focus of the EA is to define standard platforms, databases and interfaces. Business units that invest in technology would need to select IT solutions that meet their business needs and are compatible with the EA of the enterprise. There may be instances when a proposed solution works better for a business unit but is not at all consistent with the EA of the enterprise, so there would be a need to compromise to ensure that the application can be supported by IT. Overall, the EA would restrict the ability of business units in terms of the potential IT systems that they may wish to implement. The support requirements would not be affected in this case.
|
| B |
The primary focus of the enterprise architecture to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.
|
| C |
Ensuring that security controls are implemented on critical platforms is important, but this is not the function of the EA. The EA may be concerned with the design of security controls; however, the EA would not help to ensure that they were implemented. The primary focus of the EA is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization.
|
| D |
While the EA process may enable development teams to be more efficient, because they are creating solutions based' on standard platforms using standard programming languages and methods, the more critical benefit of the EA is to provide guidance for IT investments of all types, which encompasses much more than software development.
|
| A |
Vendor change control is a sourcing issue and should be monitored by IT management.
|
| B |
Ensuring a separation of duties within the information processing environment is an IT management responsibility.
|
| C |
Liaising between the IT department and end users is a function of the individual parties and not a committee responsibility.
|
| D |
The IT steering committee typically serves as a general review board for major IT projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, such as the status of IT plans and budgets.
|
| A |
The review of the vendor's BCP during a feasibility study is not a way to test the vendor's BCP.
|
| B |
Experience of the vendor's staff is not related to the vendor's BCP.
|
| C |
A key factor in a successful outsourcing environment is the capability of the vendor to face a contingency and continue to support the organization's processing requirements.
|
| D |
Financial stability is not related to the vendor's business continuity plan (BCP).
|
| A |
Providing instructions on how to do the job and defining authority addresses the managerial and procedural aspects of the job and is a management responsibility. Job descriptions, which are a human resources (HR)-related function, are primarily used to establish job requirements and accountability.
|
| B |
Communication of management's specific expectations for job performance would not necessarily be included in job descriptions.
|
| C |
It is important that job descriptions are current, documented and readily available to the employee, but this, in itself, is not the key element of the job description. Job descriptions, which are an HR-related function, are primarily used to establish job requirements and accountability.
|
| D |
From a control perspective, a job description should establish responsibility and accountability. This aids in ensuring that users are given system access in accordance with their defined job responsibilities and are accountable for how they use that access.
|
| A |
Tolerating risk means that the risk is accepted, but not shared.
|
| B |
Transferring risk (e.g., by taking an insurance policy) is a way to share risk.
|
| C |
Terminating risk would not involve sharing the risk because the organization has chosen to terminate the process associated with the risk.
|
| D |
There are several ways of treating or controlling the risk, which may involve reducing or sharing the risk, but this is not as precise an answer as transferring the risk.
|
| A |
The misuse of corporate resources is an issue that must be addressed but is not necessarily related to secondary employment.
|
| B |
Theft of assets is a problem but not necessarily related to secondary employment.
|
| C |
Employee performance can certainly be an issue if an employee is overworked or has insufficient time off, but that should be dealt with as a management function and not the primary reason to have a policy on secondary employment.
|
| D |
The best reason to implement and enforce a policy governing secondary employment is to prevent conflicts of interest. Policies should be in place to control IT employees seeking secondary employment from releasing sensitive information or working for a competing organization. Conflicts of interest can result in serious risk such as fraud, theft of intellectual property or other improprieties.
|
| A |
IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation-not about the finding itself.
|
| B |
Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented.
|
| C |
Recommending the creation of a new role (e.g., chief risk officer) is not helpful if the accountability rules are not clearly defined and implemented.
|
| D |
While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario.
|
| A |
Although requiring steering committee approval may be part of the system development life cycle process, the greater concern would be whether the projects are working toward the corporate goals. Without steering committee approval, it would be difficult to determine whether these projects are following the direction of the corporate goals.
|
| B |
Although having a formal approval process is important, the greatest concern would be for the steering committee to provide corporate direction for the projects.
|
| C |
The steering committee provides direction and control over projects to ensure that the company is making appropriate investments. Without approval, the project mayor may not be working toward the company's goals.
|
| D |
Funding for the projects may be addressed through various budgets and may not require steering committee approval. The primary concern would be to ensure that the project is working toward meeting the goals of the company.
|
| A |
The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee was terminated as a result of violating an organization policy, and it was discovered that the policies had not been approved, the organization may face an expensive lawsuit.
|
| B |
The first step is to report the finding and provide recommendations later.
|
| C |
Although the IS auditor would likely recommend that the policies should be approved as soon as possible and may also remind management of the critical nature of this issue, the first step is to report this issue to the relevant stakeholders.
|
| D |
Absence of management approval is an important (material) finding and, although it is not currently an issue with relation to compliance because the employees are following the policy without approval, it may be a problem at a later time and should be resolved.
|
| A |
The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the IS auditor should first focus on ensuring this alignment.
|
| B |
Adequate reporting of project status is important but mayor may not help in providing the strategic perspective of project deliverables.
|
| C |
Completion of projects within a predefined time and budget is important; however, the focus of project management should be on achieving the desired outcome of the project, which is aligned with the business strategy.
|
| D |
An adequate process for monitoring and mitigating identified project risk is important; however, strategic alignment helps in assessing identified risk in business terms.
|
| A |
A return on investment (ROI) is computed when there is predictable savings or revenues that can be compared to the investment needed to realize the revenues.
|
| B |
The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).
|
| C |
Amortization is used in a profit and loss statement, not in computing potential losses.
|
| D |
Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and the result will be a not well-supported evaluation.
|
| A |
IT's value delivery to the business is driven by aligning IT with the enterprise's strategy.
|
| B |
Embedding accountability in the enterprise promotes risk management (another element of corporate governance).
|
| C |
Enterprise Wide risk management is critical to IT governance; however, by itself, it will not guarantee that IT delivers value to the business unless the IT strategy is aligned with the enterprise strategy.
|
| D |
While return on investment is important,it is not the only criterion by which the value of IT is assessed.
|
| A |
The audit committee reports to the board of directors and executes governance-related audits. The audit committee should monitor the implementation of audit recommendations.
|
| B |
The IT steering committee monitors and facilitates deployment of IT resources for specific projects "in support of business plans. The IT steering committee enforces governance on behalf of the board of directors.
|
| C |
The chief executive officer is instrumental in implementing IT governance according to the directions of the board of directors.
|
| D |
IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).
|
| A |
Key performance indicators may be defined in a QMS, but they are of little value if they are not being monitored.
|
| B |
Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS).
|
| C |
Generally, good practices are adopted according to business requirements. Therefore, conforming to good practices mayor may not be a requirement of the business.
|
| D |
Updating operating procedures is part of implementing the QMS; however, it must be part of change management and not an annual activity.
|
| A |
The first step must be to determine the risk that is being managed before reviewing the mechanism of monitoring risk.
|
| B |
The effectiveness of the controls must be measured in relation to the risk (based on assets, threats and vulnerabilities) that the controls are intended to address.
|
| C |
The controls are irrelevant until the IS auditor knows the threats and risk that the controls are intended to address.
|
| D |
One of the key factors to be considered while assessing the information systems risk is the value of the systems (the assets) and the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls.
|
| A |
The lack of a revision history with respect to the IS policy document is an issue but not as significant as not having it approved by management. A new policy, for example, may not have been subject to any revisions yet.
|
| B |
Although a policy committee drawn from across the company is a good practice and may help write better policies, a good policy can be written by a single person, and the lack of a committee is not a problem by itself.
|
| C |
Although the information security policy should be updated on a regular basis, the specific time period may vary based on the organization. Although reviewing policies annually is a good practice, the policy may be updated less frequently and still be relevant and effective. An outdated policy is still enforceable, whereas a policy without proper approval is not enforceable.
|
| D |
The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore does not have the authority to approve the policy. In addition, an individual in a more independent position should also review the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues.
|
| A |
Mission statements tend to be long term because they are strategic in nature and are established by the board of directors and management. This is not the IS auditor's greatest concern because proper governance oversight could lead to meeting the objectives of the organization's mission statement.
|
| B |
While it is a concern that there is no policy related to system patching, the greater concern is that the information security policy is not reviewed periodically by senior management.
|
| C |
While it is a concern that there is no policy related to the protection of information assets, the greater concern is that the security policy is not reviewed periodically by senior management because top level support is fundamental to information security governance.
|
| D |
Data security policies should be reviewed/refreshed once every year to reflect changes in the organization's environment. Policies are fundamental to the organization's governance structure, and, therefore, this is the greatest concern.
|
| A |
Regulatory compliance objectives may be defined in the IT policy, but that would not facilitate compliance with the policy. Defining objectives would only result in the organization knowing the desired state and would not aid in achieving compliance.
|
| B |
The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.
|
| C |
Policies should be aligned with the business strategy, but this does not affect an organization's ability to comply with the policy upon implementation.
|
| D |
Current and future technology initiatives should be driven by the needs of the business and would not affect an organization's ability to comply with the policy.
|
| A |
Because an audit measures compliance with the standards of the organization, the first step of the review of the software quality management process should be to determine the evaluation criteria in the form of standards adopted by the organization. The evaluation of how well the organization follows their own standards cannot be performed until the IS auditor has determined what standards exist.
|
| B |
The first step is to know the standards and what policies and procedures are mandated for the organization, then to document the controls and measure compliance.
|
| C |
The auditor needs to know what standards the organization has adopted and then measure compliance with those standards. Determining how the organization follows the standards is secondary to knowing what the standards are. The other items listed-verifying how well standards are being followed, identifying relevant controls and reviewing the quality metrics-are secondary to the identification of standards.
|
| D |
The metrics cannot be reviewed until the auditor has a copy of the standards that describe or require the metrics.
|
| A |
An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions.
|
| B |
A network diagram will provide information about the usage of various communication channels and will indicate the connection of users to the network.
|
| C |
The organizational chart is a key tool for an auditor to understand roles and responsibilities and reporting lines but is not used for examining communications channels.
|
| D |
Understanding the complexity of the organizational structure is not the primary reason to review an organizational chart because the chart will not necessarily depict the complexity.
|
| A |
Providing the user with a backup copy of software is not escrow. Escrow requires that a copy be kept with a trusted third party.
|
| B |
Access to software should be managed by an internally managed software library. Escrow refers to the storage of software with a third party-not the internal libraries.
|
| C |
Software escrow is used to protect the intellectual property of software developed by one organization and sold to another organization. This is not used for software being reviewed by an auditor of the organization that wrote the software.
|
| D |
A software escrow is a legal agreement between a software vendor and a customer to guarantee access to source code. The application source code is held by a trusted third party, according to the contract. This agreement is necessary in the event that the software vendor goes out of business, there is a contractual dispute with the customer or the software vendor fails to maintain an update of the software as promised in the software license agreement.
|
| A |
The BPR process can be a resource-intensive initiative; however, the more important issue is whether critical controls are eliminated as a result of the BPR effort.
|
| B |
A recommended good practice for BPR is to include individuals from all parts of the enterprise, even those with limited knowledge of the process area. Therefore, this is not a concern.
|
| C |
Although BPR efforts often involve many different business functions, it is not a significant concern if audit is not involved, and, in most cases, it is not appropriate for audit to be involved in such an effort.
|
| D |
A primary risk of business process reengineering (BPR) is that controls are eliminated as part of the reengineering effort. This is the primary concern.
|
| A |
Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.
|
| B |
IT procedures are developed to support IT policies. Senior management is not involved in the development of procedures.
|
| C |
Standards and guidelines are developed to support IT policies. Senior management is not involved in the development of standards, baselines and guidelines.
|
| D |
IT policies are created and enforced by IT management and information security. They are structured to support the overall strategic plan.
|
| A |
To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization's business plans.
|
| B |
The security plan is not a responsibility of IT and does not need to be consistent with the IT plan.
|
| C |
The investment plan is not part of the IT plan.
|
| D |
The audit plan is not part of the IT plan.
|
| A |
The relevant enablers and their applicability for the IT governance implementation are considered based on assurance objectives.
|
| B |
The most critical factor to be considered in auditing an IT governance implementation is to determine stakeholder requirements and involvement. This drives the success of the project. Based on this, the assurance scope and objectives are determined.
|
| C |
The relevant risk and related opportunities are identified and driven by the assurance objectives.
|
| D |
Stakeholders' needs and their involvement form the basis for scoping the IT governance implementation. This will be used to define assurance objectives.
|
| A |
Senior management should establish the acceptable risk level because they have the ultimate or final responsibility for the effective and efficient operation of the organization as a senior manager of the business process. The person can be the QA, chief information officer (CIO), or the chief security officer (CSO), but the responsibility rests with the business manager.
|
| B |
The establishment of acceptable risk level is a senior business management responsibility. The CIO is the most senior official of the enterprise who is accountable for IT advocacy; aligning IT and business strategies; and planning, resourcing and managing the delivery of IT services, information and the deployment of associated human resources.The CIO is rarely the person that determines acceptable risk levels because this could be a conflict of interest unless the CIO is the senior business process owner.
|
| C |
The establishment of acceptable risk levels is a senior business management responsibility. The CSO is responsible for enforcing the decisions of the senior management team unless the CIO is the business process manager.
|
| D |
Quality assurance (QA) is concerned with reliability and consistency of processes. The QA team is not responsible for determining an acceptable risk level.
|
| A |
Employees who perform critical and sensitive functions within an organization should be required to take some time off to help ensure that irregularities and fraud are detected.
|
| B |
Good employee morale and high levels of employee satisfaction are worthwhile objectives, but they should not be considered a means to achieve an effective internal control system.
|
| C |
Cross-training is a good practice to follow but can be achieved without the requirement for mandatory vacation.
|
| D |
Although rotating employees could contribute to fewer processing errors, this is not typically a reason to require a mandatory vacation policy.
|