Cisa Exam Cram 2

  1. A bottom-up approach to the development of organizational policies is often driven by risk assessment.

  2. An IS auditor's primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.

  3. Data and systems owners are accountable for maintaining appropriate security measures over information assets.

  4. Business unit management is responsible for implementing cost-effective controls in an automated system.

  5. Proper segregation of duties prohibits a system analyst from performing quality-assurance functions.

  6. The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.

  7. If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.

  8. Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.

  9. The board of directors is ultimately accountable for developing an IS security policy.

  10. When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.

  11. Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities.

  12. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should not focus on procedures in an audit of IS strategy.

  13. Above all else, an IS strategy must support the business objectives of the organization.

  14. IS assessment methods enable IS management to determine whether the activities of the organization differ from the planned or expected levels.

  15. Batch control reconciliations is a compensatory control for mitigating risk of inadequate segregation of duties.

  16. An audit client's business plan should be reviewed before an organization's IT strategic plan is reviewed.

  17. Key verification is one of the best controls for ensuring that data is entered correctly.

  18. Allowing application programmers to directly patch or change code in production programs increases risk of fraud.

Категории