| 1. | A bottom-up approach to the development of organizational policies is driven by: 
| A. | A review of corporate goals and objectives. |
| B. | A structured approach that maps policy objectives to corporate strategy. |
| C. | A risk assessment of asset vulnerabilities. |
| D. | A business impact analysis of known threats. |
|
| A1: | Answer: C. A bottom-up approach to the development of organizational policies is often driven by risk assessment. |
| 2. | A primary responsibility of an auditor with regard to improper segregation of duties is to: 
| A. | Ensure the enforcement of proper segregation of duties. | | B. | Advise senior management of the risk involved in not implementing proper segregation of duties. | | C. | Participate in the organization's definition of roles and responsibilities, to prevent improper segregation of duties. | | D. | Simply document breaches of proper segregation of duties. |
|
| A2: | Answer: B. Remember, it is not an auditor's place to participate in the implementation of controls. As to improper segregation of duties, an IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function. |
| 3. | Which of the following roles is accountable for the maintenance of appropriate security measures over information assets? | A. | Data and systems owners, such as the corporate officers | | B. | Data and systems custodians, such as the network administrator and firewall administrator | | C. | Data and systems users, such as the payroll department | | D. | Data and systems managers |
|
| A3: | Answer: A. Specific security administration is directed by senior management and implemented by system custodians. Still, ultimate accountability for data and system security lies with senior management. |
| 4. | If an IS auditor observes that proper project-approval procedures do not exist, the auditor should: | A. | Provide detailed procedures that the auditor recommends for implementation. | | B. | Look for evidence of other undocumented approval procedures. | | C. | Recognize that the lack of proper project-approval procedures is a risk indicator for insufficient project-management skills, and recommend project-management training as a compensatory control. | | D. | Recommend to management that proper project-approval procedures be adopted and documented. |
|
| A4: | Answer: D. If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented. |
| 5. | When auditing third-party service providers, an auditor should be concerned with: | A. | Ownership of programs and files. | | B. | A statement of due care and confidentiality. | | C. | The capability for continued service in the event of a disaster. | | D. | All of the above. |
|
| A5: | Answer: D. When auditing third-party service providers, an auditor should be concerned with ownership of the program and files, a statement of due care and confidentiality, and the service provider's capability to provide continued service in the event of a disaster. |
| 6. | Proper segregation of duties does not prohibit a LAN administrator from also having programming responsibilities. True or false? | A. | True | | B. | False |
|
| A6: | Answer: B. Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities because the administrator would have custody of the computing assets, while also having the potential to control transaction authorization and recording. |
| 7. | When performing an IS strategy audit, which of the following is LEAST important for the auditor to consider? | A. | Reviewing short-term plans (one year) and long-term plans (three to five years) | | B. | Reviewing information systems procedures | | C. | Interviewing appropriate corporate management personnel | | D. | Ensure that the external environment has been considered |
|
| A7: | Answer: B. Information systems procedures are not strategic in nature. |
| 8. | Which of the following is MOST important when evaluating an IS strategy? | A. | Making sure that the IS strategy maximizes efficiency and utilization of current and future IT resources | | B. | Ensuring that information security is considered in all IS initiatives | | C. | Making sure the IS strategy supports corporate goals and objectives | | D. | Ensuring that systems administrators are allowed to provide accurate input on true systems capabilities |
|
| A8: | Answer: C. Above all else, an IS strategy must support the business objectives of the organization. |
| 9. | Allowing applications programmers to access live production applications for patching and security maintenance breaches proper segregation of duties. True or false? | A. | True | | B. | False |
|
| A9: | Answer: A. Although it is common practice in many organizations, allowing application programmers to change code in production programs increases the risk of fraud. |
| 10. | Proper segregation of duties does not prohibit a quality-control administrator from performing change control and problem management. True or false? | A. | True | | B. | False |
|
| A10: | Answer: A. Proper segregation of duties does not prohibit a quality-control administrator from also being responsible for change control and problem management. |
