| 1. | Which of the following processes is MOST important to ensure that implementation of applications and systems is optimized to the organization's goals and objectives? 
| A. | Obtaining a comprehensive network diagram |
| B. | Reviewing the organization's IT policies and procedures |
| C. | Obtaining a thorough understanding of the organization's business processes |
| D. | Performing compliance testing on current controls |
|
| A1: | Answer: C. An IS auditor must first understand relative business processes before performing a systems or application audit. All other answers describe processes to be performed after obtaining a thorough understanding of the organization's business processes. |
| 2. | Processing controls should ensure that:
| A. | All data is accurate |
| B. | All data is complete |
| C. | All transactions are authorized |
| D. | All of the above |
|
| A2: | Answer: D. Processing controls ensure that data is accurate and complete, and is processed only through authorized routines. |
| 3. | Which of the following must be proven to ensure message or transaction nonrepudiation?
| A. | The integrity of the message or transaction cannot have been compromised after it was last controlled by the party sending the message or performing the transaction. |
| B. | The level of nonrepudiation is tightly linked to the strength of authentication of the party sending the message or performing the transaction. |
| C. | Both A and B are true. |
| D. | Neither A nor B is true. |
|
| A3: | Answer: C. Nonrepudiation is provided by having proof that an action occurred and proof of the identity of the party performing the action. |
| 4. | These are steps included in business process re-engineering: Gain an understanding of the business process to be reviewed Establish a continuous improvement process Redesign and streamline the process Define the areas to be reviewed Implement and monitor the new process Develop a project plan
What is the proper sequence of these steps?
| A. | d, f, a, c, e, b |
| B. | a, f, d, c, e, b |
| C. | f, a, d, c, e, b |
| D. | d, a, f, c, e, b |
|
| A4: | Answer: A. Answer A describes the correct sequence of steps performed in business process re-engineering. All other answers are out of proper sequence. |
| 5. | An organization has automated data transfer between two database applications. How should controls be implemented to ensure data integrity?
| A. | Input controls on the application sending the data, and output controls on the application receiving the data |
| B. | Input and output controls on both the sending and receiving applications |
| C. | Output controls on the application sending the data, and input controls on the application receiving the data |
| D. | Input and output controls in the application sending the data, but only input controls are necessary on the application receiving the data |
|
| A5: | Answer: B. Input and output controls should be implemented for both the sending and receiving applications in an integrated systems environment. |
| 6. | Data mining is a technique that BEST detects which of the following?
| A. | Fraudulent transactions |
| B. | Password compromise |
| C. | Malicious network traffic |
| D. | Malicious code |
|
| A6: | Answer: A. By comparing and cross-indexing transaction data from multiple databases, data mining can be used to determine suspicious transactions that fall outside the norm. Data-mining techniques can be used to support investigation of a password compromise, but this is still more appropriate for answer A. Network-based intrusion detection is better suited for detecting malicious network traffic. Host-based intrusion detection, code auditing, and antivirus software are better suited for detecting malicious code. |
| 7. | A company is backing up its transactional database to an offsite location. Which of the following is the MOST important issue if the backups are not kept up-to-date and fully synchronized with the live transaction-processing databases?
| A. | The capability of the primary data to survive disruptive events without losing accuracy |
| B. | The capability of the primary data to survive disruptive events without losing completeness |
| C. | The capability of the primary data to survive disruptive events without losing availability |
| D. | The capability of the primary data to survive disruptive events without losing confidentiality |
|
| A7: | Answer: B. When storing data archives offsite, data must be synchronized to ensure backup data completeness. Failure to maintain backup synchronization in a live transaction-based processing environment could result in the incapability to restore all transactional data lost in the event of primary data or systems failure. Failure to synchronize does not affect the accuracy, availability, or confidentiality of the data that exists in backup. |
| 8. | When a business attempts to streamline its business processes through business process re-engineering (BPR), utilization of technology often:
| A. | Increases |
| B. | Decreases |
| C. | Stays the same |
| D. | Is a waste of money |
|
| A8: | Answer: A. Business process re-engineering often results in increased automation, which results in a greater number of people using technology. Cost-effectiveness is evaluated within BPR and should not be negatively affected by BPR. |
| 9. | To which of the following should an IS auditor give the MOST consideration when auditing systems affected by a recent business process re-engineering (BPR) project?
| A. | Cultural feasibility of the re-engineered business process incorporates input from affected end users. |
| B. | Financial feasibility of the re-engineered business process was properly conducted by appropriate parties. |
| C. | The technical feasibility of the re-engineered business process was properly evaluated by the appropriate parties. |
| D. | The re-engineered business process incorporates new internal controls where appropriate, and does not inadvertently negate prior internal controls. |
|
| A9: | Answer: D. An IS auditor should always check to make sure that a re-engineered business process has not inadvertently removed key controls from the previous control environment, and has taken newly introduced risks and corresponding controls into consideration. For example: BPR often results in higher levels of automation, so the human resources staff is often consolidated. This can easily result in improper segregation of duties by users, which can result in unauthorized activity. The re-engineered business process planning should recognize this and implement appropriate new compensatory internal controls. |
| 10. | When attempting to assess financial risk when accurate financial impact cannot be determined, which of the following is the MOST appropriate approach to risk assessment?
| A. | Quantitative risk assessment |
| B. | Decision support system approach |
| C. | Qualitative risk assessment approach |
| D. | Quantum risk assessment approach |
|
| A10: | Answer: C. Quantitative risk assessment is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a qualitative risk assessment is more appropriate. Answers B and D are invalid and are misleading. |
