Math

Explore questions in the Math category that you can ask Spark.E!

The initial step in establishing an information security program is the: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. C. adoption of a corporate information security policy statement. D. purchase of security access control software.
Which of the following is the initial step in creating a firewall policy? A. A cost-benefit analysis of methods for securing the applications B. Identification of network applications to be externally accessed C. Identification of vulnerabilities associated with network applications to be externally accessed D. Creation of an application traffic matrix showing protection methods
An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions? A. Attribute B. Variable C. Stop-or-go D. Judgment
An IS auditor is validating a control that involves a review of system-generated exception reports. Which of the following is the BEST evidence of the effectiveness of the control? A. Walk-through with the reviewer of the operation of the control B. System-generated exception reports for the review period with the reviewer's sign-off C. A sample system-generated exception report for the review period, with follow-up action items noted by the reviewer D. Management's confirmation of the effectiveness of the control for the review period
An IT steering committee should: A. include a mix of members from different departments and staff levels. B. ensure that IS security policies and procedures have been executed properly. C. maintain minutes of its meetings and keep the board of directors informed. D. be briefed about new trends and products at each meeting by a vendor.
Which of the following is MOST effective for monitoring transactions exceeding predetermined thresholds? A. Generalized audit software B. An integrated test facility C. Regression tests D. Transaction snapshots
An auditee disagrees with an audit finding. Which of the following is the BEST course of action for the IT auditor to take? A. Discuss the finding with the IT auditor's manager. B. Retest the control to confirm the finding. C. Elevate the risk associated with the control. D. Discuss the finding with the auditee's manager.
Which of the following will MOST successfully identify overlapping key controls in business application systems? A. Reviewing system functionalities that are attached to complex business processes B. Submitting test transactions through an integrated test facility C. Replacing manual monitoring with an automated auditing solution D. Testing controls to validate that they are effective
Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit? A. Managing audit staff B. Allocating resources C. Project management D. Attention to detail
During an IS audit, which is the BEST method for an IS auditor to evaluate the implementation of segregation of duties within an IT department? A. Discuss it with the IT managers. B. Review the IT job descriptions. C. Research past IT audit reports. D. Evaluate the organizational structure.
The PRIMARY advantage of a continuous audit approach is that it: A. does not require an IS auditor to collect evidence on system reliability while processing is taking place. B. allows the IS auditor to review and follow up on audit issues in a timely manner. C. places the responsibility for enforcement and monitoring of controls on the security department instead of audit. D. simplifies the extraction and correlation of data from multiple and complex systems.
Which of the following situations could impair the independence of an IS auditor? The IS auditor: A. implemented specific functionality during the development of an application. B. designed an embedded audit module for auditing an application. C. participated as a member of an application project team and did not have operational responsibilities. D. provided consulting advice concerning application good practices.
For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk? A. Use of computer-assisted audit techniques B. Quarterly risk assessments C. Sampling of transaction logs D. Continuous auditing
Which of the following represents the GREATEST potential risk in an electronic data interchange (EDI) environment? A. Lack of transaction authorizations B. Loss or duplication of EDI transmissions C. Transmission delay D. Deletion or manipulation of transactions prior to or after establishment of application controls
Which of the following would be expected to approve the audit charter? A. Chief financial officer B. Chief executive officer C. Audit steering committee D. Audit committee
Which of the following is the PRIMARY purpose of a risk-based audit? A. High-impact areas are addressed first. B. Audit resources are allocated efficiently. C. Material areas are addressed first. D. Management concerns are prioritized.
An organization uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations) are completed and delivered to the bank, which prepares checks and reports for distribution. To BEST ensure payroll data accuracy: A. payroll reports should be compared to input forms. B. gross payroll should be recalculated manually. C. checks should be compared to input forms. D. checks should be reconciled with output reports.
When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling would not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take? A. Develop an alternate testing procedure. B. Report the finding to management. C. Perform a walk-through of the change management process. D. Create additional sample data to test additional changes.
In the process of evaluating program change controls, an IS auditor would use source code comparison software to: A. examine source program changes without information from IS personnel. B. detect a source program change made between acquiring a copy of the source and the comparison run. C. identify and validate any differences between the control copy and the production program. D. ensure that all changes made in the current source copy are tested.
During a compliance audit of a small bank, the IS auditor notes that both the IT and accounting functions are being performed by the same user of the financial system. Which of the following reviews conducted by the user's supervisor would represent the BEST compensating control? A. Audit trails that show the date and time of the transaction B. A daily report with the total numbers and dollar amounts of each transaction C. User account administration D. Computer log files that show individual transactions