CISA : Certified Information Systems Auditor : Part 149

  1. The reason a certification and accreditation process is performed on critical systems is to ensure that:

    • security compliance has been technically evaluated.
    • data have been encrypted and are ready to be stored.
    • the systems have been tested to run on different platforms.
    • the systems have followed the phases of a waterfall model.

Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific production environment. Encryption is not the reason: not all data on certified systems are encrypted. Running on different platforms is not the reason either, because certified systems are evaluated to run in one specific environment. A waterfall model is a software development methodology, not a reason for performing a certification and accreditation process.

  2. During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:

    • review access control configuration
    • evaluate interface testing.
    • review detailed design documentation.
    • evaluate system testing.
    Reviewing the access control configuration would be the first task performed, to determine whether security has been appropriately mapped in the system. Since a postimplementation review is done after user acceptance testing and actual implementation, an auditor would not at that point evaluate interface testing or review detailed design documentation. Evaluating interface testing is part of the implementation process. Reviewing detailed design documentation is not generally relevant to an enterprise resource management system, since these are usually vendor packages supplied with user manuals rather than design documents. System testing should be performed before final user signoff.

  3. During an application audit, an IS auditor finds several problems related to corrupted data in the database. Which of the following is a corrective control that the IS auditor should recommend?

    • Implement data backup and recovery procedures.
    • Define standards and closely monitor for compliance.
    • Ensure that only authorized personnel can update the database.
    • Establish controls to handle concurrent access problems.
    Implementing data backup and recovery procedures is a corrective control, because backup and recovery procedures can be used to roll back database errors. Defining standards is a preventive control, while monitoring for compliance is a detective control. Ensuring that only authorized personnel can update the database is a preventive control. Establishing controls to handle concurrent access problems is also a preventive control.

  4. An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to avoid this situation?

    • Log all table update transactions.
    • Implement before-and-after image reporting.
    • Use tracing and tagging.
    • Implement integrity constraints in the database.
    Implementing integrity constraints in the database is a preventive control, because data is checked against predefined tables or rules preventing any undefined data from being entered. Logging all table update transactions and implementing before-and-after image reporting are detective controls that would not avoid the situation. Tracing and tagging are used to test application systems and controls and could not prevent out-of-range data.
  5. Responsibility and reporting lines cannot always be established when auditing automated systems since:

    • diversified control makes ownership irrelevant.
    • staff traditionally changes jobs with greater frequency.
    • ownership is difficult to establish where resources are shared.
    • duties change frequently in the rapid development of technology.
    Because of the diversified nature of both data and application systems, the actual owner of data and applications may be hard to establish.
  6. In an online transaction processing system, data integrity is maintained by ensuring that a transaction is either completed in its entirety or not at all. This principle of data integrity is known as:

    • isolation.
    • consistency.
    • atomicity.
    • durability.
    The principle of atomicity requires that a transaction be completed in its entirety or not at all. If an error or interruption occurs, all changes made up to that point are backed out. Consistency ensures that all integrity conditions in the database be maintained with each transaction. Isolation ensures that each transaction is isolated from other transactions; hence, each transaction only accesses data that are part of a consistent database state. Durability ensures that, when a transaction has been reported back to a user as complete, the resultant changes to the database will survive subsequent hardware or software failures.
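
The preventive control from question 4 (integrity constraints that reject out-of-range data at the database) and the atomicity property from question 6 (a transaction either completes or is fully backed out), shown together in one runnable script. This is an added example written for this page, not part of the question bank; it uses the Python standard library's sqlite3 module, and the schema, account records and amounts are constructed for the example.

```python
"""Integrity constraints (preventive control) and atomic transactions in SQLite.
Added example for this page; schema and data are constructed, not from any real system."""
import sqlite3

# CHECK constraints are the "predefined rules" of question 4: the database itself
# refuses a negative balance or an unknown status, whatever the application sends.
SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT    NOT NULL,
    balance INTEGER NOT NULL CHECK (balance >= 0),
    status  TEXT    NOT NULL CHECK (status IN ('open', 'frozen', 'closed'))
);
"""


def new_db():
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)",
                     [(1, "alice", 100, "open"), (2, "bob", 50, "open")])
    conn.commit()
    return conn


def try_insert(conn, row):
    """Return None if the row was accepted, else the constraint error text."""
    try:
        with conn:
            conn.execute("INSERT INTO accounts VALUES (?, ?, ?, ?)", row)
        return None
    except sqlite3.IntegrityError as err:
        return str(err)


def transfer(conn, src, dst, amount):
    """Move `amount` from src to dst as one unit of work (question 6: atomicity).
    Returns True if committed, False if every change was rolled back."""
    if amount <= 0:
        return False
    try:
        # `with conn:` commits on a clean exit and rolls back if an exception escapes.
        with conn:
            # Credit first on purpose: if the debit then fails, the already-applied
            # credit is the half-done change that atomicity must undo.
            credited = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
            if credited.rowcount != 1:
                raise sqlite3.IntegrityError("unknown destination account")
            debited = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
            if debited.rowcount != 1:
                raise sqlite3.IntegrityError("unknown source account")
        return True
    except sqlite3.IntegrityError:
        # Either a CHECK fired (overdraft) or an account did not exist: nothing persisted.
        return False


def balances(conn):
    """Current balances keyed by account id, for inspection after each transfer."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id"))


if __name__ == "__main__":
    db = new_db()
    print(try_insert(db, (3, "carol", -5, "open")))   # rejected by CHECK (balance >= 0)
    print(transfer(db, 2, 1, 500), balances(db))      # overdraft: rolled back, balances unchanged
```

The rollback case is the one to watch: the credit to the destination is executed and visible inside the transaction, but after the debit trips the CHECK constraint the committed state shows neither change.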
  7. Which of the following would help to ensure the portability of an application connected to a database?

    • Verification of database import and export procedures
    • Usage of a structured query language (SQL)
    • Analysis of stored procedures/triggers
    • Synchronization of the entity-relation model with the database physical schema
    The use of SQL facilitates portability, because it is a standardized language supported by most relational database products (vendor-specific extensions, stored procedures and triggers reduce that portability again). Verification of import and export procedures with other systems ensures better interfacing with other systems, analyzing stored procedures/triggers ensures proper access/performance, and reviewing the design entity-relation model will be helpful, but none of these contribute to the portability of an application connecting to a database.

  8. Business units are concerned about the performance of a newly implemented system. Which of the following should an IS auditor recommend?

    • Develop a baseline and monitor system usage.
    • Define alternate processing procedures.
    • Prepare the maintenance manual.
    • Implement the changes users have suggested.
    An IS auditor should recommend the development of a performance baseline and monitor the system’s performance, against the baseline, to develop empirical data upon which decisions for modifying the system can be made. Alternate processing procedures and a maintenance manual will not alter a system’s performance. Implementing changes without knowledge of the cause(s) for the perceived poor performance may not result in a more efficient system.
  9. A company undertakes a business process reengineering (BPR) project in support of a new and direct marketing approach to its customers. Which of the following would be an IS auditor’s main concern about the new process?

    • Whether key controls are in place to protect assets and information resources
    • If the system addresses corporate customer requirements
    • Whether the system can meet the performance goals (time and resources)
    • Whether owners have been identified who will be responsible for the process
    The audit team must advocate the inclusion of the key controls and verify that the controls are in place before the new process is implemented. Addressing corporate customer requirements, meeting the performance goals and identifying process owners are objectives that the business process reengineering (BPR) process should achieve, but they are not the auditor's primary concern.

  10. A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are entered accurately and the corresponding products are produced?

    • Verifying production to customer orders
    • Logging all customer orders in the ERP system
    • Using hash totals in the order transmitting process
    • Approving (production supervisor) orders prior to production
    Verification will ensure that production orders match customer orders. Logging can be used to detect inaccuracies, but does not in itself guarantee accurate processing. Hash totals will ensure accurate order transmission, but not accurate processing centrally. Production supervisory approval is a time consuming, manual process that does not guarantee proper control.
  11. When two or more systems are integrated, input/output controls must be reviewed by an IS auditor in the:

    • systems receiving the output of other systems.
    • systems sending output to other systems.
    • systems sending and receiving data.
    • interfaces between the two systems.
    Both of the systems must be reviewed for input/output controls, since the output for one system is the input for the other.
  12. An IS auditor who has discovered unauthorized transactions during a review of EDI transactions is likely to recommend improving the:

    • EDI trading partner agreements.
    • physical controls for terminals.
    • authentication techniques for sending and receiving messages.
    • program change control procedures.
    Authentication techniques for sending and receiving messages play a key role in minimizing exposure to unauthorized transactions. The EDI trading partner agreements would minimize exposure to legal issues.
  13. An IS auditor recommends that an initial validation control be programmed into a credit card transaction capture application. The initial validation process would MOST likely:

    • check to ensure that the type of transaction is valid for the card type.
    • verify the format of the number entered then locate it on the database.
    • ensure that the transaction entered is within the cardholder’s credit limit.
    • confirm that the card is not shown as lost or stolen on the master file.
    The initial validation should confirm that the card itself is valid: the format of the number entered is checked first (so malformed input is rejected before any lookup), and the number is then located on the database. This validity is established through the card number and, where captured, the PIN entered by the user. All other validations proceed from this initial validation. A validation control in data capture ensures that the data entered are valid, i.e., that they can be processed by the system. If the data captured in the initial validation are not valid (the card number or PIN does not match the database), the card is rejected or captured according to the controls in place. Once the initial validation is complete, the other validations specific to the card and cardholder (transaction type, credit limit, lost or stolen status) are performed.

  14. A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface to provide for efficient data mapping?

    • Key verification
    • One-for-one checking
    • Manual recalculations
    • Functional acknowledgements
    Acting as an audit trail for EDI transactions, functional acknowledgements are one of the main controls used in data mapping. All the other choices are manual input controls, whereas data mapping deals with automatic integration of data in the receiving company.
  15. Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:

    • pre-BPR process flowcharts.
    • post-BPR process flowcharts.
    • BPR project plans.
    • continuous improvement and monitoring plans.
    An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process. Pre-BPR process flowcharts describe the process as it was in the past, whereas the auditor must review the process as it is today. BPR project plans and continuous improvement and monitoring plans are steps within a BPR project rather than the reengineered process itself.

  16. A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks (cheques) and reports for distribution. To BEST ensure payroll data accuracy:

    • payroll reports should be compared to input forms.
    • gross payroll should be recalculated manually.
    • checks (cheques) should be compared to input forms.
    • checks (cheques) should be reconciled with output reports.
    The best way to confirm data accuracy, when input is provided by the company and output is generated by the bank, is to verify the data input (input forms) against the results in the payroll reports. Hence, comparing payroll reports with input forms is the best mechanism for verifying data accuracy. Recalculating gross payroll manually would only verify whether the processing is correct, not the accuracy of the inputs. Comparing checks (cheques) to input forms is not feasible, as checks (cheques) carry the processed information while input forms carry the input data. Reconciling checks (cheques) with output reports only confirms that checks (cheques) have been issued as per the output reports.

  17. Which of the following represents the GREATEST potential risk in an EDI environment?

    • Transaction authorization
    • Loss or duplication of EDI transmissions
    • Transmission delay
    • Deletion or manipulation of transactions prior to or after establishment of application controls
    Since the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. Loss or duplication of transmissions and deletion or manipulation of transactions are examples of risks, but their impact is not as great as that of unauthorized transactions. Transmission delays may terminate the process or hold the line until the normal time for processing has elapsed; however, there will be no loss of data.

  18. Which of the following is the MOST critical and contributes the greatest to the quality of data in a data warehouse?

    • Accuracy of the source data
    • Credibility of the data source
    • Accuracy of the extraction process
    • Accuracy of the data transformation
    Accuracy of source data is a prerequisite for the quality of the data in a data warehouse. Credibility of the data source, accurate extraction processes and accurate transformation routines are all important, but would not change inaccurate data into quality (accurate) data.
  19. When transmitting a payment instruction, which of the following will help verify that the instruction was not duplicated?

    • Use of a cryptographic hashing algorithm
    • Enciphering the message digest
    • Deciphering the message digest
    • A sequence number and time stamp
    When transmitting data, a sequence number and/or time stamp built into the message makes it unique, so the recipient can check that the message was not intercepted and replayed. This is known as replay protection and can be used to verify that a payment instruction was not duplicated; for the check to work, the recipient must keep a record of the sequence numbers already processed and accept a time stamp only within a bounded window. Using a cryptographic hashing algorithm over the entire message helps achieve data integrity. Enciphering the message digest with the sender's private key produces the sender's digital signature over the document, which authenticates the transaction. When the receiver deciphers the digest with the sender's public key and it matches the digest of the received message, the message could only have come from the holder of that private key. This sender authentication achieves nonrepudiation.
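
The exchange described in this answer, as an added example written for this page (not part of the question bank): the sender stamps each payment instruction with a sequence number and a time stamp, hashes the whole message for integrity, and protects the digest with a keyed tag; the receiver verifies both and then rejects duplicates. The tag here is an HMAC over a shared key, standing in for the private-key signature the answer describes because the Python standard library has no public-key signing; a shared key gives authentication but not nonrepudiation, since either party could have produced the tag. The key, the replay window and the instructions are constructed for the example.

```python
"""Replay protection for payment instructions: sequence number + time stamp, a SHA-256
digest for integrity and an HMAC tag for authenticity. Added example for this page.
HMAC stands in for the private-key signature in the text (no nonrepudiation)."""
import hashlib
import hmac
import json
import time

SHARED_KEY = b"example-shared-key-not-for-production"  # constructed for the example


def canonical(body):
    """Fixed serialisation so sender and receiver hash exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(instruction, seq, now=None, key=SHARED_KEY):
    """Sender side: stamp seq and ts, hash the whole message, then tag the digest."""
    body = dict(instruction, seq=seq, ts=int(time.time() if now is None else now))
    digest = hashlib.sha256(canonical(body)).hexdigest()
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "digest": digest, "tag": tag}


class Receiver:
    """Receiver side: verify integrity and authenticity, then reject replays."""

    def __init__(self, key=SHARED_KEY, window=300):
        self.key = key
        self.window = window   # seconds of clock skew and delivery delay tolerated
        self.seen = set()      # sequence numbers already processed (the replay record)

    def accept(self, envelope, now=None):
        """Return 'ok' or the reason the instruction was rejected."""
        body = envelope["body"]
        # Integrity: the digest must match the message actually received.
        if hashlib.sha256(canonical(body)).hexdigest() != envelope["digest"]:
            return "integrity: digest mismatch"
        # Authenticity: only a holder of the key could have produced the tag.
        expected = hmac.new(self.key, envelope["digest"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            return "authenticity: bad tag"
        # Replay protection: bounded time stamp, then a sequence number never seen before.
        now = int(time.time() if now is None else now)
        if abs(now - body["ts"]) > self.window:
            return "replay: time stamp outside window"
        if body["seq"] in self.seen:
            return "replay: duplicate sequence number"
        self.seen.add(body["seq"])
        return "ok"


if __name__ == "__main__":
    rx = Receiver()
    env = seal({"payee": "ACME Ltd", "amount": 1250}, seq=1)
    print(rx.accept(env))   # ok
    print(rx.accept(env))   # replay: duplicate sequence number
```

The time-stamp window bounds how long the receiver has to remember sequence numbers (anything older than the window is rejected on the time stamp alone), and the tag is verified with a constant-time comparison so that a forger learns nothing from how quickly a bad tag is rejected.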
  20. When reviewing input controls, an IS auditor observes that, in accordance with corporate policy, procedures allow supervisory override of data validation edits. The IS auditor should:

    • not be concerned since there may be other compensating controls to mitigate the risks.
    • ensure that overrides are automatically logged and subject to review.
    • verify whether all such overrides are referred to senior management for approval.
    • recommend that overrides not be permitted.
    If input procedures allow overrides of data validation and editing, each override should be logged automatically, and a manager who did not initiate the override should review that log. An IS auditor should not assume that compensating controls exist. As long as the overrides are policy-compliant, there is no need for senior management approval or a blanket prohibition.
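
One way to implement the validation sequence from question 13 together with the logged supervisory override from question 20, as an added example written for this page rather than code from the question bank. It assumes that "verify the format of the number" means a length and Luhn check-digit test; the master file, card limits and status values are constructed, and the card numbers are the standard Visa and Mastercard test numbers, not real cards. The override policy is also an assumption: only the credit-limit edit can be overridden, the supervisor must be a different user from the operator, and every override is recorded for review.

```python
"""Initial validation of a captured card transaction, the card-specific edits that
follow it, and supervisory overrides that are logged rather than silent.
Added example for this page; master file and policy are constructed assumptions."""

# Constructed master file: card number -> record (standard test numbers, not real cards)
MASTER_FILE = {
    "4111111111111111": {"type": "credit", "limit": 2000, "status": "active"},
    "5555555555554444": {"type": "credit", "limit": 500, "status": "lost"},
}
# Transaction types valid for each card type (assumption for the example)
ALLOWED_BY_TYPE = {
    "credit": {"purchase", "refund", "cash_advance"},
    "debit": {"purchase", "refund"},
}
# Only these edits may be overridden by a supervisor (assumed policy)
OVERRIDABLE = {"reject: over credit limit"}
OVERRIDE_LOG = []  # every override lands here for later review by a different manager


def luhn_ok(number):
    """Luhn check digit: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def initial_validation(number):
    """Question 13: check the format first, then locate the card on the master file."""
    if not number.isdigit() or not 13 <= len(number) <= 19:
        return "reject: malformed card number"
    if not luhn_ok(number):
        return "reject: check digit failed"
    if number not in MASTER_FILE:
        return "reject: card not on file"
    return "ok"


def full_validation(number, txn_type, amount):
    """Card- and cardholder-specific edits run only once the initial validation passes."""
    result = initial_validation(number)
    if result != "ok":
        return result
    rec = MASTER_FILE[number]
    if rec["status"] == "lost":
        return "reject: card reported lost or stolen"
    if txn_type not in ALLOWED_BY_TYPE[rec["type"]]:
        return "reject: transaction type not valid for card type"
    if amount > rec["limit"]:
        return "reject: over credit limit"
    return "ok"


def capture(number, txn_type, amount, operator, supervisor=None, log=None):
    """Question 20: accept, reject, or apply a supervisory override to an overridable
    edit. An override must come from a different user and is always logged."""
    log = OVERRIDE_LOG if log is None else log
    result = full_validation(number, txn_type, amount)
    if result == "ok":
        return "accepted"
    if supervisor is None or result not in OVERRIDABLE:
        return result
    if supervisor == operator:
        return "reject: override must come from a different user"
    log.append({"card_last4": number[-4:], "amount": amount, "edit": result,
                "operator": operator, "supervisor": supervisor, "reviewed": False})
    return "accepted-with-override"


def pending_review(log=None):
    """Entries the reviewing manager (not the overriding supervisor) still has to look at."""
    log = OVERRIDE_LOG if log is None else log
    return [entry for entry in log if not entry["reviewed"]]


if __name__ == "__main__":
    print(capture("4111111111111111", "purchase", 5000, operator="op1"))
    print(capture("4111111111111111", "purchase", 5000, operator="op1", supervisor="sup7"))
    print(pending_review())
```

Note the ordering: a malformed number never reaches the master-file lookup, a lost card never reaches the limit check, and the lost-or-stolen edit is not in the overridable set, so no supervisor can wave it through.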