Day 3

Total points: 9/9

(21) The audit charter should be approved by the highest level of management and should:
1/1
A. be updated often to upgrade with the changing nature of technology and the audit profession.
B. include audit calendar along with resource allocation.
C. include plan of action in case of disruption of business services.
D. outline the overall authority, scope and responsibilities of the audit function.

Feedback

The correct answer is: D. outline the overall authority, scope and responsibilities of the audit function.
Explanation:
(1) An audit charter should state management's objectives for and delegation of authority to IS audit.
(2) The charter should not change significantly over time. An audit charter outlines the overall authority, scope and responsibilities of the audit function. An audit charter would not be at a detailed level and therefore frequent updating is not required.
(3) An audit charter would not include a detailed audit calendar and resource allocation.
(4) An action plan in case of disruption of services is included in the BCP policy and not in the audit charter.

(22) In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced PRIMARILY by:
1/1
A. the audit charter.
B. management's representation.
C. organizational structure.
D. number of outsourcing contracts.
Feedback

Answer: A. the audit charter.

Explanation:
The auditor's role and responsibility are documented in the audit charter. The audit charter outlines the overall authority of the audit function. Hence his actions will primarily be influenced by the audit charter.

(23) The authority, scope and responsibility of the Information System Audit function is:
1/1
A. Defined by the audit charter approved by the senior management/Board
B. Defined by the I.T. Head of the organization, as the expert in the matter
C. Defined by the various functional divisions, depending upon criticality
D. Generated by the Audit division of the organization
Feedback

The correct answer is: A. Defined by the audit charter approved by the senior management/Board

Explanation:
The authority, scope and responsibility of the Information System Audit function are invariably defined by the audit charter, which is approved by the senior management and, most often, by the Board of Directors. It is not left to the Audit division, the IT Head or the functional heads to decide on this. Hence, only option A is correct.

(24) Which of the following is the MOST critical function of a firewall?
1/1
A. to act as a special router that connects different networks.
B. device for preventing authorized users from accessing the LAN.
C. device used to connect authorized users to trusted network resources.
D. proxy server to increase the speed of access to authorized users.


Feedback

Answer: C. device used to connect authorized users to trusted network resources.

Explanation:
The main and critical function of a firewall is to prevent unauthorised access to the server. A firewall is a set of related programs that protects the resources of a private network from users of other networks.

(25) An IS auditor is reviewing the firewall security of the organization. Which of the following is the BEST audit procedure to determine if a firewall is configured as per security policy?
1/1
A. Review incident logs.
B. Review Access Control List.
C. Review the actual procedures.
D. Review the parameter settings.

Feedback

Answer: D. Review the parameter settings.

Explanation:
A review of the parameter settings will provide a good basis for comparison of the actual configuration to the security policy and will provide audit evidence documentation. The other choices do not provide as strong audit evidence as choice A.

(26) Which of the following concerns would be addressed by a firewall?
1/1
A. Unauthorized access from external network
B. Unauthorized access from internal network
C. A delay in Internet connectivity
D. A delay in system processing
Feedback

Answer: A. Unauthorized access from outside the organization

Explanation:
Firewalls are meant to prevent outsiders from gaining access to an
organization's computer systems through the Internet gateway.

(27) An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. A major risk of using single sign-on (SSO) is that it:
1/1
A. acts as a single authentication point for multiple applications.
B. acts as a single point of failure.
C. acts as a bottleneck for smooth administration.
D. leads to a lockout of valid users in case of authentication failure.
Feedback

Answer: A. acts as a single authentication point for multiple applications.

Explanation:
SSO acts as a single authentication point for multiple applications, which constitutes a risk of a single point of failure. The primary risk associated with single sign-on is the single authentication point. A single point of failure provides a similar redundancy to the single authentication point. However, failure can also be due to other reasons. So the more specific answer to this question is option A.

(28) Which of the following is the MOST important benefit of single sign-on?
A. Easier administration of password management.
B. It can avoid a potential single point of failure issue.
C. Maintaining SSO is easy as it is not prone to human errors.
D. It protects network traffic.
Feedback

Answer: A. Easier administration of password management.

Explanation:
Easier administration of changing or deleting passwords is the major advantage
of implementing SSO. The advantages of SSO include having the ability to use
stronger passwords, easier administration of changing or deleting the
passwords, and requiring less time to access resources.

(29) Which of the following is the MOST important objective of data protection?
1/1
A. Current technology trend.
B. Ensuring the confidentiality & integrity of information.
C. Denying or authorizing access to the IS system.
D. Internal processing efficiency.
Feedback

The correct answer is: B. Ensuring the confidentiality of information

Explanation:
Maintaining data confidentiality and integrity is the most important objective of
data security. This is a basic requirement if an organization is to continue as a
viable and successful enterprise.

(30) An IS auditor reviewing system controls should be MOST concerned that:
1/1
A. security and performance requirements are considered.
B. changes are recorded in log.
C. process for change authorization is in place.
D. restricted access for system parameters is in place.
Feedback

The correct answer is: A. security and performance requirements are considered.

Explanation:
The primary concern is to ensure that security as well as performance aspects have been considered. This helps to ensure that control objectives are aligned with business objectives. Log maintenance and change authorization are also important, but in the absence of proper security and performance requirements these may not be effective.