CISA : Certified Information Systems Auditor : Part 150

  1. When using an integrated test facility (ITF), an IS auditor should ensure that:

    • A. production data are used for testing.
    • B. test data are isolated from production data.
    • C. a test data generator is used.
    • D. master files are updated with the test data.

    An integrated test facility (ITF) creates a fictitious file in the database, allowing for test transactions to be processed simultaneously with live data. While this ensures that periodic testing does not require a separate test process, there is a need to isolate test data from production data. An IS auditor is not required to use production data or a test data generator. Production master files should not be updated with test data.

  2. A clerk changed the interest rate for a loan on a master file. The rate entered is outside the normal range for such a loan. Which of the following controls is MOST effective in providing reasonable assurance that the change was authorized?

    • A. The system will not process the change until the clerk’s manager confirms the change by entering an approval code.
    • B. The system generates a weekly report listing all rate exceptions and the report is reviewed by the clerk’s manager.
    • C. The system requires the clerk to enter an approval code.
    • D. The system displays a warning message to the clerk.

    Choice A would prevent or detect the use of an unauthorized interest rate. Choice B informs the manager after the fact that a change was made, thereby making it possible for transactions to use an unauthorized rate prior to management review. Choices C and D do not prevent the clerk from entering an unauthorized rate change.

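The preventive control in choice A is a maker/checker pattern: an out-of-range change is held and not processed until a different person, the manager, supplies an approval code, and every step is written to an audit log. The following is an added example, not part of the CISA material; the interest-rate range, user names, loan ids, the shared approval key and the way the approval code is bound to the specific change are all constructed assumptions for the illustration.

```python
"""Maker/checker control for master-file rate changes (constructed example).
In-range rates are applied directly; out-of-range rates wait for a manager's
approval code. The audit log is what a later reviewer would examine."""

from dataclasses import dataclass, field
import hashlib
import hmac

# Constructed policy: the normal interest-rate range for this loan type (percent).
NORMAL_RANGE = (2.0, 9.0)

# Constructed shared secret for the approval-code generator; a real system
# would keep this in a key store, not in source.
APPROVAL_KEY = b"demo-approval-key"


def approval_code(manager: str, loan_id: str, new_rate: float) -> str:
    """Approval code bound to manager, loan and exact rate, so a code issued
    for one change cannot be reused to approve a different one."""
    msg = f"{manager}|{loan_id}|{new_rate:.4f}".encode()
    return hmac.new(APPROVAL_KEY, msg, hashlib.sha256).hexdigest()[:12]


@dataclass
class LoanMaster:
    rates: dict = field(default_factory=dict)    # loan_id -> rate in force
    pending: dict = field(default_factory=dict)  # loan_id -> (clerk, proposed rate)
    audit_log: list = field(default_factory=list)

    def request_rate_change(self, clerk: str, loan_id: str, new_rate: float) -> str:
        lo, hi = NORMAL_RANGE
        if lo <= new_rate <= hi:
            self.rates[loan_id] = new_rate
            self.audit_log.append(("APPLIED", clerk, loan_id, new_rate, None))
            return "applied"
        # Out of range: the change is NOT processed until a manager approves it.
        self.pending[loan_id] = (clerk, new_rate)
        self.audit_log.append(("HELD", clerk, loan_id, new_rate, None))
        return "pending_approval"

    def approve(self, manager: str, loan_id: str, code: str) -> str:
        if loan_id not in self.pending:
            return "nothing_pending"
        clerk, new_rate = self.pending[loan_id]
        if manager == clerk:
            # Segregation of duties: the maker may not approve their own change.
            self.audit_log.append(("REJECTED_SELF_APPROVAL", manager, loan_id, new_rate, None))
            return "rejected"
        expected = approval_code(manager, loan_id, new_rate)
        if not hmac.compare_digest(expected, code):
            self.audit_log.append(("REJECTED_BAD_CODE", manager, loan_id, new_rate, None))
            return "rejected"
        self.rates[loan_id] = new_rate
        del self.pending[loan_id]
        self.audit_log.append(("APPROVED", clerk, loan_id, new_rate, manager))
        return "applied"


if __name__ == "__main__":
    m = LoanMaster()
    print(m.request_rate_change("clerk1", "L-100", 5.5))    # applied
    print(m.request_rate_change("clerk1", "L-200", 14.0))   # pending_approval
    print(m.rates.get("L-200"))                              # None: not yet in force
    print(m.approve("mgr1", "L-200", approval_code("mgr1", "L-200", 14.0)))  # applied
    for entry in m.audit_log:
        print(entry)
```

The contrast with choice B is visible in the log: with the weekly exception report the HELD state would not exist and the out-of-range rate would already be in `rates` when the manager first sees it.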
  3. The GREATEST advantage of using web services for the exchange of information between two systems is:

    • A. secure communications.
    • B. improved performance.
    • C. efficient interfacing.
    • D. enhanced documentation.

    Web services facilitate the exchange of information between two systems, regardless of the operating system or programming language used. Communication is not necessarily more secure or faster, and there is no documentation benefit in using web services.

  4. An IS auditor reviewing an accounts payable system discovers that audit logs are not being reviewed. When this issue is raised with management the response is that additional controls are not necessary because effective system access controls are in place. The BEST response the auditor can make is to:

    • A. review the integrity of system access controls.
    • B. accept management’s statement that effective access controls are in place.
    • C. stress the importance of having a system control framework in place.
    • D. review the background checks of the accounts payable staff.

    Experience has demonstrated that reliance purely on preventive controls is dangerous. Preventive controls may not prove to be as strong as anticipated, or their effectiveness can deteriorate over time. Evaluating the cost of controls versus the quantum of risk is a valid management concern. However, in a high-risk system a comprehensive control framework is needed; intelligent design should permit additional detective and corrective controls to be established that do not have high ongoing costs, e.g., automated interrogation of logs to highlight suspicious individual transactions or data patterns. Effective access controls are, in themselves, a positive but, for the reasons outlined above, may not sufficiently compensate for other control weaknesses. In this situation the IS auditor needs to be proactive. The IS auditor has a fundamental obligation to point out control weaknesses that give rise to unacceptable risks to the organization and to work with management to have these corrected. Reviewing background checks on accounts payable staff does not provide evidence that fraud will not occur.

  5. When evaluating the controls of an EDI application, an IS auditor should PRIMARILY be concerned with the risk of:

    • A. excessive transaction turnaround time.
    • B. application interface failure.
    • C. improper transaction authorization.
    • D. no validated batch totals.

    Foremost among the risks associated with electronic data interchange (EDI) is improper transaction authorization. Since the interaction with the parties is electronic, there is no inherent authentication. The other choices, although risks, are not as significant.

  6. When reviewing an organization’s approved software product list, which of the following is the MOST important thing to verify?

    • A. The risks associated with the use of the products are periodically assessed
    • B. The latest version of software is listed for each product
    • C. Due to licensing issues the list does not contain open source software
    • D. After-hours support is offered

    Since the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This might be best incorporated into the IT risk management process. Choices B, C and D are possible considerations but would not be the most important.

  7. An existing system is being extensively enhanced by extracting and reusing design and program components. This is an example of:

    • A. reverse engineering.
    • B. prototyping.
    • C. software reuse.
    • D. reengineering.

    Old (legacy) systems that have been corrected, adapted and enhanced extensively require reengineering to remain maintainable. Reengineering is a rebuilding activity to incorporate new technologies into existing systems. Reverse engineering involves reversing a program’s machine code back into the programming-language source code in which it was written, either to identify malicious content in a program, such as a virus, or to adapt a program written for one processor for use with a differently designed processor. Prototyping is the development of a system through controlled trial and error. Software reuse is the process of planning, analyzing and using previously developed software components. The reusable components are integrated into the current software product systematically.

  8. An IS auditor performing an application maintenance audit would review the log of program changes for the:

    • A. authorization of program changes.
    • B. creation date of a current object module.
    • C. number of program changes actually made.
    • D. creation date of a current source program.

    The manual log will most likely contain information on authorized changes to a program. Deliberate, unauthorized changes will not be documented by the responsible party. An automated log, usually found in library management products rather than in a change log, would most likely contain the date information for the source and executable modules.

  9. After discovering a security vulnerability in a third-party application that interfaces with several external systems, a patch is applied to a significant number of modules. Which of the following tests should an IS auditor recommend?

    • A. Stress
    • B. Black box
    • C. Interface
    • D. System

    Given the extensiveness of the patch and its interfaces to external systems, system testing is most appropriate. Interface testing is not enough, and stress or black box testing are inadequate in these circumstances.

  10. When performing an audit of a client relationship management (CRM) system migration project, which of the following should be of GREATEST concern to an IS auditor?

    • A. The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks.
    • B. Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system.
    • C. A single implementation is planned, immediately decommissioning the legacy system.
    • D. Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system’s software.

    Major system migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risks. Decommissioning or disposing of the old hardware would complicate any fallback strategy, should the new system not operate correctly. A weekend can be used as a time buffer so that the new system will have a better chance of being up and running after the weekend. A different data representation does not mean different data presentation at the front end. Even when this is the case, this issue can be solved by adequate training and user support. The printing functionality is commonly one of the last functions to be tested in a new system because it is usually the last step performed in any business event. Thus, meaningful testing and the respective error fixing are only possible after all other parts of the software have been successfully tested.

  11. Which of the following reports should an IS auditor use to check compliance with a service level agreement (SLA) requirement for uptime?

    • A. Utilization reports
    • B. Hardware error reports
    • C. System logs
    • D. Availability reports

    IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes. Utilization reports document the use of computer equipment, and can be used by management to predict how/where/when resources are required. Hardware error reports provide information to aid in detecting hardware failures and initiating corrective action. System logs are a recording of the system’s activities.

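The distinction the answer draws is that a raw system log records activity, whereas an availability report turns that record into the periods the service was usable and a percentage that can be set against the SLA. The following added example (not part of the CISA material) builds such a report from a constructed log excerpt: the host name, timestamps, outage reasons and the 99.5% target are all invented for the illustration, and the log format (one `SERVICE UP`/`SERVICE DOWN` event per line) is an assumption of the example.

```python
"""Availability report from system log events, checked against an SLA target
(constructed example). Lines that are not service state changes are ignored."""

from datetime import datetime, timedelta

# Constructed log excerpt (not real data): ISO timestamps in UTC.
SYSTEM_LOG = """\
2024-03-01T00:00:00Z host-a SERVICE UP
2024-03-03T10:15:00Z host-a SERVICE DOWN reason=disk_failure
2024-03-03T12:45:00Z host-a SERVICE UP
2024-03-20T02:00:00Z host-a SERVICE DOWN reason=patch_window
2024-03-20T03:00:00Z host-a SERVICE UP
2024-03-21T09:00:00Z host-a LOGIN user=alice
"""


def parse_events(log_text):
    """Return [(timestamp, 'UP'|'DOWN'), ...]; other log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] != "SERVICE" or parts[3] not in ("UP", "DOWN"):
            continue
        events.append((datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), parts[3]))
    return events


def availability_report(events, period_start, period_end):
    """Sum downtime inside [period_start, period_end] and express availability
    as a percentage. A service already DOWN when the period starts is counted
    as down from period_start; one still DOWN at the end is counted to period_end."""
    events = sorted(events)
    state = "UP"
    for ts, new_state in events:          # state in force before the period
        if ts >= period_start:
            break
        state = new_state
    down_since = period_start if state == "DOWN" else None
    downtime = timedelta()
    for ts, new_state in events:
        if ts < period_start or ts > period_end:
            continue
        if new_state == "DOWN" and down_since is None:
            down_since = ts
        elif new_state == "UP" and down_since is not None:
            downtime += ts - down_since
            down_since = None
    if down_since is not None:            # outage open at end of period
        downtime += period_end - down_since
    total = period_end - period_start
    return {
        "total_minutes": total.total_seconds() / 60,
        "downtime_minutes": downtime.total_seconds() / 60,
        "availability_pct": round(100 * (total - downtime) / total, 3),
    }


def report_for_month(log_text, year, month):
    """Availability report for one calendar month (the usual SLA measurement period)."""
    start = datetime(year, month, 1)
    end = datetime(year + 1, 1, 1) if month == 12 else datetime(year, month + 1, 1)
    return availability_report(parse_events(log_text), start, end)


def sla_compliant(report, target_pct):
    """True when the measured availability meets the SLA uptime target."""
    return report["availability_pct"] >= target_pct


if __name__ == "__main__":
    rep = report_for_month(SYSTEM_LOG, 2024, 3)
    print(rep)                          # 210 minutes down out of 44640
    print("SLA 99.5% met:", sla_compliant(rep, 99.5))
```

Whether planned maintenance windows count as downtime is a matter of what the SLA says; the example counts every DOWN period, and an auditor would compare that treatment with the agreement's wording.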
  12. A benefit of quality of service (QoS) is that the:

    • A. entire network’s availability and performance will be significantly improved.
    • B. telecom carrier will provide the company with accurate service-level compliance reports.
    • C. participating applications will have guaranteed service levels.
    • D. communications link will be supported by security controls to perform secure online transactions.

    The main function of QoS is to optimize network performance by assigning priority to business applications and end users, through the allocation of dedicated parts of the bandwidth to specific traffic. Choice A is not true because the communication itself will not be improved. While the speed of data exchange for specific applications could be faster, availability will not be improved. The QoS tools that many carriers are using do not provide reports of service levels; however, there are other tools that will generate service-level reports. Even when QoS is integrated with firewalls, VPNs, encryption tools and others, the tool itself is not intended to provide security controls.

  13. An organization has outsourced its help desk. Which of the following indicators would be the best to include in the SLA?

    • A. Overall number of users supported
    • B. Percentage of incidents solved in the first call
    • C. Number of incidents reported to the help desk
    • D. Number of agents answering the phones

    Since it is about service level (performance) indicators, the percentage of incidents solved on the first call is the only option that is relevant. Choices A, C and D are not quality measures of the help desk service.

  14. The PRIMARY objective of service-level management (SLM) is to:

    • A. define, agree, record and manage the required levels of service.
    • B. ensure that services are managed to deliver the highest achievable level of availability.
    • C. keep the costs associated with any service at a minimum.
    • D. monitor and report any legal noncompliance to business management.

    The objective of service-level management (SLM) is to negotiate, document and manage (i.e., provide and monitor) the services in the manner in which the customer requires those services. This does not necessarily ensure that services are delivered at the highest achievable level of availability (e.g., redundancy and clustering). Although maximizing availability might be necessary for some critical services, it cannot be applied as a general rule of thumb. SLM cannot ensure that costs for all services will be kept at a low or minimum level, since costs associated with a service will directly reflect the customer’s requirements. Monitoring and reporting legal noncompliance is not a part of SLM.

  15. Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?

    • A. Minimizing costs for the services provided
    • B. Prohibiting the provider from subcontracting services
    • C. Evaluating the process for transferring knowledge to the IT department
    • D. Determining if the services were provided as contracted

    From an IS auditor’s perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements. Minimizing costs, if applicable and achievable (depending on the customer’s need), is traditionally not part of an IS auditor’s job. This would normally be done by a line management function within the IT department.
    Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements. Subcontracting providers could be a concern, but it would not be the primary concern. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.

  16. IT best practices for the availability and continuity of IT services should:

    • A. minimize costs associated with disaster-resilient components.
    • B. provide for sufficient capacity to meet the agreed upon demands of the business.
    • C. provide reasonable assurance that agreed upon obligations to customers can be met.
    • D. produce timely performance metric reports.

    It is important that negotiated and agreed commitments (i.e., service level agreements [SLAs]) can be fulfilled all the time. If this were not achievable, IT should not have agreed to these requirements, as entering into such a commitment would be misleading to the business. ‘All the time’ in this context directly relates to the ‘agreed obligations’ and does not imply that a service has to be available 100 percent of the time. Costs are a result of availability and service continuity management and may only be partially controllable. These costs directly reflect the agreed upon obligations. Capacity management is a necessary, but not sufficient, condition of availability.
    Despite the possibility that a lack of capacity may result in an availability issue, providing the capacity necessary for seamless operations of services would be done within capacity management, and not within availability management. Generating reports might be a task of availability and service continuity management, but that is true for many other areas of interest as well (e.g., incident, problem, capacity and change management).

  17. During a human resources (HR) audit, an IS auditor is informed that there is a verbal agreement between the IT and HR departments as to the level of IT services expected. In this situation, what should the IS auditor do FIRST?

    • A. Postpone the audit until the agreement is documented
    • B. Report the existence of the undocumented agreement to senior management
    • C. Confirm the content of the agreement with both departments
    • D. Draft a service level agreement (SLA) for the two departments

    An IS auditor should first confirm and understand the current practice before making any recommendations. The agreement can be documented after it has been established that there is an agreement in place. The fact that there is not a written agreement does not justify postponing the audit, and reporting to senior management is not necessary at this stage of the audit. Drafting a service level agreement (SLA) is not the IS auditor’s responsibility.

  18. Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?

    • A. The use of diskless workstations
    • B. Periodic checking of hard drives
    • C. The use of current antivirus software
    • D. Policies that result in instant dismissal if violated

    The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded onto the network. Antivirus software will not necessarily identify illegal software, unless the software contains a virus. Diskless workstations act as a preventive control and are not effective, since users could still download software from machines other than diskless workstations. Policies lay out the rules about loading software, but will not detect the actual occurrence.

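The periodic check is a detective control: an inventory of what is actually installed on each workstation is compared with the approved software list, and anything not on the list (or an unapproved version of a listed product) becomes a finding. The following is an added example, not part of the CISA material; the inventory lines, host names, product names, versions and the approved list are constructed for the illustration, and the simple `host,package,version` inventory format is an assumption (a real check would take its inventory from the endpoints or the asset management system).

```python
"""Periodic software-inventory check against an approved product list
(constructed example). Produces findings an auditor or administrator can act on."""

# Constructed inventory: one installed package per line, "host,package,version".
INVENTORY = """\
ws-01,LibreOffice,7.6.4
ws-01,Firefox,124.0
ws-01,unlisted-tool,3.1
ws-02,Firefox,118.0
ws-02,torrent-client,2.0
ws-03,Firefox,124.0
ws-03,LibreOffice,7.6.3
"""

# Constructed approved software product list: package -> approved versions,
# or "*" when any version of the product is approved.
APPROVED = {
    "firefox": {"124.0", "123.0"},
    "libreoffice": "*",
}


def parse_inventory(text):
    """Return {host: [(package, version), ...]}; package names are lower-cased
    so that a differently capitalised entry cannot slip past the comparison."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, pkg, ver = (f.strip() for f in line.split(","))
        inventory.setdefault(host, []).append((pkg.lower(), ver))
    return inventory


def check_inventory(inventory, approved):
    """Return findings as (host, package, version, reason) tuples."""
    findings = []
    for host in sorted(inventory):
        for pkg, ver in inventory[host]:
            allowed = approved.get(pkg)
            if allowed is None:
                findings.append((host, pkg, ver, "not on approved list"))
            elif allowed != "*" and ver not in allowed:
                findings.append((host, pkg, ver, "version not approved"))
    return findings


def hosts_to_remediate(findings):
    """Distinct hosts with at least one finding, for the follow-up list."""
    return sorted({f[0] for f in findings})


if __name__ == "__main__":
    results = check_inventory(parse_inventory(INVENTORY), APPROVED)
    for host, pkg, ver, reason in results:
        print(f"{host}: {pkg} {ver} - {reason}")
    print("hosts to remediate:", hosts_to_remediate(results))
```

Run from a scheduler, the value of the control lies in the comparison being repeated: a package that appears between two runs is exactly the event the policy alone cannot detect.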
  19. To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review?

    • A. System access log files
    • B. Enabled access control software parameters
    • C. Logs of access control violations
    • D. System configuration files for control options used

    A review of system configuration files for control options used would show which users have access to the privileged supervisory state. Both system access log files and logs of access violations are detective in nature. Access control software is run under the operating system.

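On a Unix-like host the configuration files that grant the privileged state are the account database (UID 0 accounts), the group file (membership of the administrative groups) and the sudoers policy. The following added example (not part of the CISA material) reads constructed versions of those three files and lists every user who can reach root and why. The file contents, user and group names are invented for the illustration; the parser handles plain user and `%group` rules only and does not process sudoers aliases or include directives, which is an assumption of the example.

```python
"""List users who can reach the privileged (root) state from constructed
passwd, group and sudoers contents (example code, not an audit tool)."""

# Constructed /etc/passwd-style content.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
svc-backup:x:1010:1010::/var/lib/backup:/usr/sbin/nologin
"""

# Constructed /etc/group-style content.
GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:bob,carol
users:x:100:alice,bob,carol
"""

# Constructed sudoers excerpt.
SUDOERS = """\
# constructed example policy
Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
svc-backup ALL=(root) NOPASSWD: /usr/bin/rsync
carol ALL=(ALL) ALL
"""


def uid0_users(passwd_text):
    """Accounts with UID 0: each of them simply is the superuser."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            users.add(fields[0])
    return users


def group_members(group_text):
    """Map group name -> list of supplementary members."""
    groups = {}
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            groups[fields[0]] = [m for m in fields[3].split(",") if m]
    return groups


def sudoers_entries(sudoers_text):
    """Yield (principal, is_group, spec) for each user or %group rule."""
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        principal, spec = line.split(None, 1)
        yield principal.lstrip("%"), principal.startswith("%"), spec


def privileged_users(passwd_text, group_text, sudoers_text):
    """Return {user: [reason, ...]} for every user able to reach root."""
    reasons = {}
    for user in sorted(uid0_users(passwd_text)):
        reasons.setdefault(user, []).append("UID 0 in passwd")
    groups = group_members(group_text)
    for principal, is_group, spec in sudoers_entries(sudoers_text):
        # A rule ending in ALL grants any command; otherwise it is limited.
        scope = "full" if spec.rstrip().endswith(" ALL") else "limited"
        if is_group:
            for member in groups.get(principal, []):
                reasons.setdefault(member, []).append(f"{scope} sudo via %{principal}: {spec}")
        else:
            reasons.setdefault(principal, []).append(f"{scope} sudo: {spec}")
    return reasons


if __name__ == "__main__":
    for user, why in privileged_users(PASSWD, GROUP, SUDOERS).items():
        print(user, "->", "; ".join(why))
```

The second UID 0 account and the NOPASSWD rule are the kind of detail this review surfaces and an access log alone would not: the log shows who did use the privileged state, the configuration shows who could.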
  20. Which of the following would an IS auditor consider to be the MOST helpful when evaluating the effectiveness and adequacy of a computer preventive maintenance program?

    • A. A system downtime log
    • B. Vendors’ reliability figures
    • C. Regularly scheduled maintenance log
    • D. A written preventive maintenance schedule

    A system downtime log provides information regarding the effectiveness and adequacy of computer preventive maintenance programs.