Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 139

  1. From a control perspective, the key element in job descriptions is that they:

    • provide instructions on how to do the job and define authority.
    • are current, documented and readily available to the employee.
    • communicate management’s specific job performance expectations.
    • establish responsibility and accountability for the employee’s actions.

    From a control perspective, a job description should establish responsibility and accountability. This will aid in ensuring that users are given system access in accordance with their defined job responsibilities. The other choices are not directly related to controls. Providing instructions on how to do the job and defining authority addresses the managerial and procedural aspects of the job. It is important that job descriptions are current, documented and readily available to the employee, but this in itself is not a control. Communication of management’s specific expectations for job performance outlines the standard of performance and would not necessarily include controls.

  2. Which of the following would BEST provide assurance of the integrity of new staff?

    • background screening
    • References
    • Bonding
    • Qualifications listed on a resume
    A background screening is the primary method for assuring the integrity of a prospective staff member. References are important and would need to be verified, but they are not as reliable as background screening. Bonding is directed at due-diligence compliance, not at integrity, and qualifications listed on a resume may not be accurate.
  3. When an employee is terminated from service, the MOST important action is to:

    • hand over all of the employee’s files to another designated employee.
    • complete a backup of the employee’s work.
    • notify other employees of the termination.
    • disable the employee’s logical access.
    There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee’s logical access is the most important action to take. All the work of the terminated employee needs to be handed over to a designated employee; however, this should be performed after implementing choice D. All the work of the terminated employee needs to be backed up and the employees need to be notified of the termination of the employee, but this should not precede the action in choice D.
  4. Many organizations require an employee to take a mandatory vacation (holiday) of a week or more to:

    • ensure the employee maintains a good quality of life, which will lead to greater productivity.
    • reduce the opportunity for an employee to commit an improper or illegal act.
    • provide proper cross-training for another employee.
    • eliminate the potential disruption caused when an employee takes vacation one day at a time.
    Required vacations/holidays of a week or more in duration in which someone other than the regular employee performs the job function is often mandatory for sensitive positions, as this reduces the opportunity to commit improper or illegal acts. During this time, it may be possible to discover any fraudulent activity that was taking place. Choices A, C and D could all be organizational benefits from a mandatory vacation policy, but they are not the reason why the policy is established.
  5. A local area network (LAN) administrator normally would be restricted from:

    • having end-user responsibilities.
    • reporting to the end-user manager
    • having programming responsibilities.
    • being responsible for LAN security administration.
    A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator may also be responsible for security administration over the LAN.
  6. A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual’s experience and:

    • length of service, since this will help ensure technical competence.
    • age, as training in audit techniques may be impractical.
    • IS knowledge, since this will bring enhanced credibility to the audit function.
    • ability, as an IS auditor, to be independent of existing IS relationships.
    Independence should be continually assessed by the auditor and management. This assessment should consider such factors as changes in personal relationships, financial interests, and prior job assignments and responsibilities. The fact that the employee has worked in IS for many years may not in itself ensure credibility. The audit department’s needs should be defined and any candidate should be evaluated against those requirements. The length of service will not ensure technical competency. Evaluating an individual’s qualifications based on the age of the individual is not a good criterion and is illegal in many parts of the world.
  7. An IS auditor should be concerned when a telecommunication analyst:

    • monitors systems performance and tracks problems resulting from program changes.
    • reviews network load requirements in terms of current and future transaction volumes.
    • assesses the impact of the network load on terminal response times and network data transfer rates.
    • recommends network balancing procedures and improvements.
    The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes {choice B), assessing the impact of network load or terminal response times and network data transfer rates (choice C), and recommending network balancing procedures and improvements (choice D). Monitoring systems performance and tracking problems as a result of program changes {choice A) would put the analyst in a self- monitoring role.
  8. When segregation of duties concerns exists between IT support staff and end users, what would be suitable compensating control?

    • Restricting physical access to computing equipment
    • Reviewing transaction and application logs
    • Performing background checks prior to hiring IT staff
    • Locking user sessions after a specified period of inactivity
    Only reviewing transaction and application logs directly addresses the threat posed by poor segregation of duties. The review is a means of detecting inappropriate behavior and also discourages abuse, because people who may otherwise be tempted to exploit the situation are aware of the likelihood of being caught. Inadequate segregation of duties is more likely to be exploited via logical access to data and computing resources rather than physical access. Choice C is a useful control to ensure IT staff are trustworthy and competent but does not directly address the lack of an optimal segregation of duties. Choice D acts to prevent unauthorized users from gaining system access, but the issue of a lack of segregation of duties is more the misuse (deliberately or inadvertently} of access privileges that have officially been granted.
  9. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:

    • dependency on a single person.
    • inadequate succession planning.
    • one person knowing all parts of a system.
    • a disruption of operations.
    Cross-training is a process of training more than one individual to perform a specific job or procedure. This practice helps decrease the dependence on a single person and assists in succession planning. This provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures. Cross-training reduces the risks addressed in choices A, B and D.
  10. Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

    • Overlapping controls
    • Boundary controls
    • Access controls
    • Compensating controls
    Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.
    Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls. Boundary controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based, not role-based, controls. Access controls for resources are based on individuals and not on roles.
  11. Which of the following reduces the potential impact of social engineering attacks?

    • Compliance with regulatory requirements
    • Promoting ethical understanding
    • Security awareness programs
    • Effective performance incentives
    Because social engineering is based on deception of the user, the best countermeasure or defense is a security awareness program. The other choices are not user-focused.
  12. Which of the following activities performed by a database administrator (DBA) should be performed by a different person?

    • Deleting database activity logs
    • Implementing database optimization tools
    • Monitoring database usage
    • Defining backup and recovery procedures
    Since database activity logs record activities performed by the database administrator (DBA), deleting them should be performed by an individual other than the DBA. This is a compensating control to aid in ensuring an appropriate segregation of duties and is associated with the DBA’s role. A DBA should perform the other activities as part of the normal operations.
  13. To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the:

    • enterprise data model.
    • IT balanced scorecard (BSC).
    • IT organizational structure.
    • historical financial statements.
    The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. An enterprise data model is a document defining the data structure of an organization and how data interrelate. It is useful, but it does not provide information on investments. The IT organizational structure provides an overview of the functional and reporting relationships in an IT entity. Historical financial statements do not provide information about planning and lack sufficient detail to enable one to fully understand management’s activities regarding IT assets. Past costs do not necessarily reflect value, and assets such as data are not represented on the books of accounts.
  14. Which of the following is the BEST performance criterion for evaluating the adequacy of an organization’s security awareness training?

    • Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
    • Job descriptions contain clear statements of accountability for information security.
    • In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
    • No actual incidents have occurred that have caused a loss or a public embarrassment.
    Inclusion in job descriptions of security responsibilities is a form of security training and helps ensure that staff and management are aware of their roles with respect to information security. The other three choices are not criterion for evaluating security awareness training. Awareness is a criterion for evaluating the importance that senior management attaches to information assets and their protection. Funding is a criterion that aids in evaluating whether security vulnerabilities are being addressed, while the number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program.
  15. Which of the following is a risk of cross-training?

    • Increases the dependence on one employee
    • Does not assist in succession planning
    • One employee may know all parts of a system
    • Does not help in achieving a continuity of operations
    When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.
  16. Which of the following is normally a responsibility of the chief security officer (CSO)?

    • Periodically reviewing and evaluating the security policy
    • Executing user application and software testing and evaluation
    • Granting and revoking user access to IT resources
    • Approving access to data and applications
    The role of a chief security officer (CSO) is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the company assets, including data, programs and equipment. User application and other software testing and evaluation normally are the responsibility of the staff assigned to development and maintenance. Granting and revoking access to IT resources is usually a function of network or database administrators. Approval of access to data and applications is the duty of the data owner.
  17. To support an organization’s goals, an IS department should have:

    • a low-cost philosophy.
    • long- and short-range plans.
    • leading-edge technology.
    • plans to acquire new hardware and software.
    To ensure its contribution to the realization of an organization’s overall goals, the IS department should have long- and short-range plans that are consistent with the organization’s broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.
  18. In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:

    • there is an integration of IS and business staffs within projects.
    • there is a clear definition of the IS mission and vision.
    • a strategic information technology planning methodology is in place.
    • the plan correlates business objectives to IS goals and objectives.
    The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.
  19. Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?

    • Allocating resources
    • Keeping current with technology advances
    • Conducting control self-assessment
    • Evaluating hardware needs
    The IS department should specifically consider the manner in which resources are allocated in the short term. Investments in IT need to be aligned with top management strategies, rather than focusing on technology for technology’s sake. Conducting control self-assessments and evaluating hardware needs are not as critical as allocating resources during short-term planning for the IS department.
  20. Which of the following goals would you expect to find in an organization’s strategic plan?

    • Test a new accounting package.
    • Perform an evaluation of information technology needs.
    • Implement a new project planning system within the next 12 months.
    • Become the supplier of choice for the product offered.
    Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs. Long- and short-range plans should be consistent with the organization’s broader plans for attaining their goals. Choice D represents a business objective that is intended to focus the overall direction of the business and would thus be a part of the organization’s strategic plan. The other choices are project-oriented and do not address business objectives.