Answer A is correct. Using a statistical sample to inventory the tape library is an example of a substantive test.
Answer B is correct. If proper identification and authentication are not performed during access control, no accountability can exist for any action performed.
Answer C is correct. In planning an audit, the most critical step is identifying the areas of high risk.
Answer C is correct. When evaluating the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flows through the system.
Answer D is correct. When implementing continuous-monitoring systems, an IS auditor’s first step is to identify high-risk areas within the organization.
Answer D is correct. Inherent risk is associated with authorized program exits (trap doors).
Answer B is correct. Generalized audit software can be used to search for address field duplications.
Answer A is correct. Lack of reporting of a successful attack on the network is a great concern to an IS auditor.
Answer B is correct. An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.
Answer A is correct. It is true that an advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.
Answer A is correct. An IS auditor’s primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.
Answer B is correct. Business unit management is responsible for implementing cost-effective controls in an automated system.
Answer C is correct. The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.
Answer A is correct. Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.
Answer D is correct. When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.
Answer B is correct. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered.
Answer C is correct. IS assessment methods allow IS management to determine whether the activities of the organization differ from the planned or expected levels.
Answer A is correct. Reviewing an audit client’s business plan should be performed before reviewing an organization’s IT strategic plan.
Answer A is correct. Allowing application programmers to directly patch or change code in production programs increases the risk of fraud.
Answer B is correct. Security administrators are usually responsible for network security operations.
Answer A is correct. Proper segregation of duties does not prohibit a quality-control administrator from also being responsible for change control and problem management.
Answer A is correct. Layering perimeter network protection by configuring the firewall as a screened host in a screened subnet behind the bastion host provides a higher level of protection from external attack than all other answers.
Answer B is correct. The directory system of a database-management system describes the location of data and the access method.
Answer D is correct. Improper file access becomes a greater risk when implementing a database system.
Answer B is correct. To properly protect against unauthorized disclosure of sensitive data, hard disks should be demagnetized before disposal or release.
Answer C is correct. When reviewing print systems spooling, an IS auditor is most concerned with the potential for unauthorized printing of report copies.
Answer C is correct. Functioning as a protocol-conversion gateway for wireless TLS to Internet SSL, the WAP gateway is a component warranting critical concern and review for the IS auditor when auditing and testing controls that enforce message confidentiality.
Answer A is correct. Proper segregation of duties prevents a computer operator (user) from performing security administration duties.
Answer A is correct. Modems (modulation/demodulation) convert analog transmissions to digital, and digital transmissions to analog, and are required for analog transmissions to enter a digital network.
Answer B is correct. Neural networks are effective in detecting fraud because they have the capability to consider a large number of variables when trying to resolve a problem.
Answer A is correct. Diverse routing supports data transmission through split cable facilities, or duplicate cable facilities.
Answer C is correct. An application-layer gateway, or proxy firewall, and stateful-inspection firewalls provide the greatest degree of protection and control because both firewall technologies inspect all seven OSI layers of network traffic.
Answer D is correct. Inefficient and superfluous use of network devices such as hubs can degrade network performance.
Answer B is correct. Data mirroring and parallel processing are both used to provide near-immediate recoverability for time-sensitive systems and transaction processing.
Answer A is correct. Creating user accounts that automatically expire by a predetermined date is an effective control for granting temporary access to vendors and external support personnel.
Answer C is correct. Outbound traffic filtering can help prevent an organization’s systems from participating in a distributed denial-of-service (DDoS) attack.
Answer C is correct. Improperly configured routers and router access lists are a common vulnerability for denial-of-service attacks.
Answer D is correct. Trojan horse programs are a common form of Internet attack.
Answer A is correct. Network performance-monitoring tools are used to measure and ensure proper network capacity management and availability of services.
Answer B is correct. Intrusion-detection systems (IDS) are used to gather evidence of network attacks.
Answer A is correct. Traffic analysis is a passive attack method used by intruders to determine potential network vulnerabilities. All others are active attacks.
Answer C is correct. Although many methods of fire suppression exist, dry-pipe sprinklers are considered to be the most environmentally friendly.
Answer C is correct. A callback system is a remote-access control whereby the user initially connects to the network systems via dial-up access, only to have the initial connection terminated by the server, which then subsequently dials the user back at a predetermined number stored in the server’s configuration database.
Answer A is correct. A dry-pipe sprinkler system suppresses fire via water that is released from a main valve to be delivered via a system of dry pipes installed throughout the facilities.
Answer B is correct. Digital signatures require the sender to “sign” the data by encrypting the data with the sender’s private key, to then be decrypted by the recipient using the sender’s public key.
Answer A is correct. Although biometrics provides only single-factor authentication, many consider it to be an excellent method for user authentication.
Answer C is correct. A website certificate is used to provide authentication of the website and can also be used to successfully authenticate keys used for data encryption.
Answer B is correct. The strength of a secret key within a symmetric key cryptosystem is determined by a combination of key length, initial input vectors, and the complexity of the data-encryption algorithm that uses the key.
Answer D is correct. Authentication is used to validate a subject’s identity.
Answer A is correct. Database integrity is most often ensured through table link verification and reference checks.
Answer B is correct. IS auditors should review access-control lists (ACL) to determine user permissions that have been granted for a particular resource.
Answer B is correct. IS auditors should always check to ensure that password files are encrypted.
Answer C is correct. User applications often encrypt and encapsulate data using protocols within the OSI session layer or farther down in the transport layer.
Answer B is correct. Systems administrators should always assess the impact of patches before installation.
Answer A is correct. Adopting and communicating a comprehensive antivirus policy is the most fundamental step in preventing virus attacks. All other antivirus prevention efforts rely upon decisions established and communicated via policy.
Answer A is correct. A major IS audit concern is users’ ability to directly modify the database.
Answer D is correct. Intrusion-detection systems (IDS) are used to identify intrusion attempts on a network.
Answer B is correct. Instead of simply reviewing the effectiveness and utilization of assets, an IS auditor is more concerned with adequate access control, appropriate access policies, and effectiveness of safeguards and procedures.
Answer A is correct. If a programmer has update access to a live system, IS auditors are more concerned with the programmer’s ability to initiate or modify transactions and the ability to access production than with the programmer’s ability to authorize transactions.
Answer C is correct. Redundancy is the best answer because it provides both integrity and availability. Organizations should use off-site storage facilities to maintain redundancy of current and critical information within backup files.
Answer B is correct. The primary purpose of business continuity planning and disaster-recovery planning is to mitigate, or reduce, the risk and impact of a business interruption or disaster. Total elimination of risk is impossible.
Answer B is correct. If a database is restored from information backed up before the last system image, the system should be restarted before the last transaction because the final transaction must be reprocessed.
Answer B is correct. An off-site processing facility should not be easily identifiable externally because easy identification would create an additional vulnerability for sabotage.
Answer A is correct. Although the primary business objective of BCP and DRP is to mitigate the risk and impact of a business interruption, the dominating objective remains the protection of human life.
Answer B is correct. Single points of failure, and vulnerability to a common disaster, are minimized by geographically dispersing resources.
Answer A is correct. Mitigating the risk and impact of a disaster or business interruption usually takes priority over transferring risk to a third party such as an insurer.
Answer D is correct. Off-site data storage should be kept synchronized when preparing for the recovery of time-sensitive data such as that resulting from transaction processing.
Answer C is correct. Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing.
Answer D is correct. Off-site data backup and storage should be geographically separated, to mitigate the risk of a widespread physical disaster such as a hurricane or an earthquake.
Answer D is correct. A clause for requiring source code escrow in an application vendor agreement is important to ensure that the source code remains available even if the application vendor goes out of business.
Answer B is correct. Decision trees use questionnaires to lead the user through a series of choices to reach a conclusion.
Answer C is correct. Source code escrow protects an application purchaser’s ability to fix or change an application in case the application vendor goes out of business.
Answer A is correct. The project sponsor is ultimately responsible for providing requirement specifications to the software-development team.
Answer D is correct. Regression testing should use data from previous tests to obtain accurate conclusions regarding the effects of changes or corrections to a program, and to ensure that those changes and corrections have not introduced new errors.
Answer A is correct. An IS auditor should carefully review the functional requirements in a systems-development project to ensure that the project is designed to meet business objectives.
Answer B is correct. Procedures to prevent scope creep are baselined in the design phase of the systems-development life cycle (SDLC) model.
Answer D is correct. Application controls should be considered as early as possible in the system-development process, even in the development of the project’s functional specifications.
Answer A is correct. Rapid application development (RAD) is used to develop strategically important systems faster, reduce development costs, and still maintain high quality.
Answer A is correct. Test and development environments should be separated, to control the stability of the test environment.
Answer A is correct. Programmers should perform unit, module, and full regression testing following any changes to an application or system.
Answer B is correct. Rapid application development (RAD) uses a prototype that can be updated continually to meet changing user or business requirements.
Answer B is correct. Inadequate user participation during system requirements definition is the most common reason for information systems to fail to meet the needs of users.
Answer B is correct. The project steering committee is responsible for the overall direction, costs, and timetables for systems-development projects.
Answer A is correct. Plans for testing for user acceptance are usually prepared in the requirements definition phase of the systems-development project.
Answer A is correct. Above almost all other concerns, failing to perform user acceptance testing often results in the greatest negative impact on the implementation of new application software.
Answer C is correct. Input/output controls should be implemented for both the sending and receiving applications in an integrated systems environment.
Answer B is correct. Authentication techniques for sending and receiving data between EDI systems are crucial to prevent unauthorized transactions.
Answer C is correct. After identifying potential security vulnerabilities, the IS auditor’s next step is to perform a business impact analysis of the threats that would exploit the vulnerabilities.
Answer D is correct. Transaction authorization is the primary security concern for EDI environments.
Answer B is correct. Threats exploit vulnerabilities to cause loss or damage to the organization and its assets.
Answer A is correct. Business process re-engineering often results in increased automation, which results in a greater number of people using technology.
Answer A is correct. Whenever business processes have been re-engineered, the IS auditor should attempt to identify and quantify the impact of any controls that might have been removed, or controls that might not work as effectively after business process changes.
Answer D is correct. An application-level edit check to verify availability of funds should be completed at the electronic funds transfer (EFT) interface before an EFT is initiated.
Answer A is correct. Control totals should be implemented as early as data preparation to support data integrity at the earliest point possible.
Answer C is correct. Hash totals are used as a control to detect loss, corruption, or duplication of data.
Answer D is correct. Data edits are implemented before processing and are considered preventive integrity controls.
Answer A is correct. In small office environments, it is not always possible to maintain proper segregation of duties for programmers. If a programmer has access to production data or applications, compensatory controls, such as comparing transaction results to approved input, might be necessary.
Answer B is correct. Processing controls ensure that data is accurate and complete, and is processed only through authorized routines.
Answer C is correct. A reasonableness check is a data validation edit control that matches input data to an occurrence rate.
Answer A is correct. Database snapshots can provide an excellent audit trail for an IS auditor.