An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following
should be the auditor's NEXT course of action?
D
Explanation:
The IS auditor’s next course of action after finding that firewalls are outdated and not supported by
vendors should be to determine the risk of not replacing the firewall. Outdated firewalls may have
known vulnerabilities that can be exploited by attackers to bypass security controls and access the
network. They may also lack compatibility with newer technologies or standards that are required for
optimal network performance and protection. Not replacing the firewall could expose the
organization to various threats, such as data breaches, denial-of-service attacks, malware infections,
or regulatory non-compliance. The IS auditor should assess the likelihood and impact of these
threats and quantify the risk level for management to make informed decisions.
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP)
was successful?
A
Explanation:
The best way to determine whether a test of a disaster recovery plan (DRP) was successful is to
analyze whether predetermined test objectives were met. Test objectives are specific, measurable,
achievable, relevant, and time-bound (SMART) goals that define what the test aims to accomplish
and how it will be evaluated. Test objectives should be aligned with the DRP objectives and scope,
and should cover aspects such as recovery time objectives (RTOs), recovery point objectives (RPOs),
critical business functions, roles and responsibilities, communication channels, backup systems, and
contingency procedures. By comparing the actual test results with the expected test objectives, the
IS auditor can measure the effectiveness and efficiency of the DRP and identify any gaps or
weaknesses that need to be addressed.
An IS auditor found that a company executive is encouraging employee use of social networking sites
for business purposes. Which of the following recommendations would BEST help to reduce the risk
of data leakage?
C
Explanation:
The best recommendation to reduce the risk of data leakage from employee use of social
networking sites for business purposes is to provide education and guidelines to employees on use
of social networking sites. Education and guidelines can help employees understand the benefits and
risks of using social media for business purposes, such as enhancing brand awareness, engaging with
customers, or sharing industry insights. They can also inform employees about the dos and don’ts of
social media etiquette, such as respecting privacy, protecting intellectual property, avoiding conflicts
of interest, or complying with legal obligations. Education and guidelines can also raise awareness of
potential data leakage scenarios, such as phishing attacks, malicious links, fake profiles, or
oversharing sensitive information, and provide tips on how to prevent or respond to them.
An IS auditor notes that several employees are spending an excessive amount of time using social
media sites for personal reasons. Which of the following should the auditor recommend be
performed FIRST?
D
Explanation:
The first course of action that the auditor should recommend after finding that several employees
are spending an excessive amount of time using social media sites for personal reasons is to
implement policies addressing acceptable usage of social media during working hours. Policies can
help define the scope, purpose, rules, and expectations of using social media in the workplace, both
for personal and professional reasons. Policies can also specify the consequences of violating the
policies, such as disciplinary actions or termination. Policies can help deter employees from misusing
social media at work, which could affect their productivity, performance, or security. Policies can also
help protect the organization from legal liabilities or reputational damages that could arise from
inappropriate or unlawful employee behavior on social media.
Which of the following fire suppression systems needs to be combined with an automatic switch to
shut down the electricity supply in the event of activation?
A
Explanation:
Carbon dioxide fire suppression systems need to be combined with an automatic switch to shut
down the electricity supply in the event of activation. This is because carbon dioxide displaces
oxygen in the air and can create a suffocation hazard for people in the protected area. Therefore, it is
essential to cut off the power source before releasing carbon dioxide to avoid electrical shocks and
sparks that could ignite the fire again. Carbon dioxide systems are typically used for total flooding
applications in spaces that are not habitable, such as server rooms or data centers.
Which of the following would MOST likely impair the independence of the IS auditor when
performing a post-implementation review of an application system?
D
Explanation:
The IS auditor’s independence would be most likely impaired if they implemented a specific control
during the development of an application system. This is because the IS auditor would be auditing
their own work, which creates a self-review threat that could compromise their objectivity and
impartiality. The IS auditor should avoid participating in any operational or management activities
that could affect their ability to perform an unbiased audit. The other options do not pose a
significant threat to the IS auditor’s independence, as long as they follow the ethical standards and
guidelines of the profession.
An IS auditor suspects an organization's computer may have been used to commit a crime. Which of
the following is the auditor's BEST course of action?
C
Explanation:
The IS auditor’s best course of action if they suspect an organization’s computer may have been used
to commit a crime is to contact the incident response team to conduct an investigation. The incident
response team is a group of experts who are responsible for responding to security incidents, such as
data breaches, ransomware attacks, or cybercrimes. The incident response team can help to preserve
and collect digital evidence, determine the scope and impact of the incident, contain and eradicate
the threat, and restore normal operations. The IS auditor should not examine the computer
themselves, as they may inadvertently alter or destroy potential evidence, or compromise the chain
of custody. The IS auditor should also not notify local law enforcement before further investigation,
as this may escalate the situation unnecessarily or interfere with the internal investigation process.
The IS auditor should advise management of the crime after the investigation, or as soon as possible
if there is an imminent risk or legal obligation to do so.
Which of the following access rights presents the GREATEST risk when granted to a new member of
the system development staff?
A
Explanation:
Write access to production program libraries presents the greatest risk when granted to a new
member of the system development staff. Production program libraries contain executable code that
runs on live systems and supports critical business functions. Write access allows a user to modify or
delete existing programs, or add new programs to the library. If a user were to make unauthorized or
erroneous changes to production programs, it could cause serious disruptions, errors, or security
breaches in the organization’s operations. Therefore, write access to production program libraries
should be restricted to authorized personnel only, and subject to strict change management
controls.
An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP)
system. End users indicated concerns with the accuracy of critical automatic calculations made by
the system. The auditor's FIRST course of action should be to:
C
Explanation:
The IS auditor’s first course of action should be to verify the results of the critical automatic
calculations made by the system to determine the validity of user concerns. This is because the IS
auditor needs to obtain sufficient and appropriate audit evidence to support the audit findings and
conclusions. By verifying the results, the IS auditor can assess whether there are any errors or
discrepancies in the system’s calculations that could affect the accuracy and reliability of the financial
data. The IS auditor can use various techniques to verify the results, such as re-performing the
calculations, comparing them with expected values, or tracing them to source documents.
Which of the following provides the MOST reliable audit evidence on the validity of transactions in a
financial application?
B
Explanation:
Substantive testing provides the most reliable audit evidence on the validity of transactions in a
financial application. Substantive testing is an audit procedure that examines the financial statements
and supporting documentation to see if they contain errors or misstatements. Substantive testing
can help to verify that the transactions recorded in the financial application are authorized, complete,
accurate, and properly classified. Substantive testing can include methods such as vouching,
confirmation, analytical procedures, or physical examination.