Which of the following risks should be assessed by an IS auditor reviewing an organization that uses cross training practices?

E. To assess IT risks, threats and vulnerabilities need to be evaluated using qualitative or quantitative risk assessment approaches.

C2.59Q. When segregation of duties concerns exist between IT support staff and end users, what would be a suitable compensating control?

C2.60Q. A top down approach to the development of operational policies will help ensure:

C2.61Q. An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:

C2.62Q. Which of the following controls would an IS auditor look for in an environment where duties cannotbe appropriately segregated?

(Questions 2.63 through 2.66 skipped.)

C2.67Q. Which of the following provides the BEST evidence of the adequacy of a security awareness program?

C2.68Q. Which of the following is the MOST important element for the successful implementation of IT governance?

© 2022 - Free Practice Exam Collection - www.freecram.net | DMCA

Which of the following controls would an IS auditor look for in an environment where duties cannot be appropriately segregated?

A. Overlapping controls

B. Boundary controls

C. Access controls

D. Compensating controls

ANSWER: D. Compensating controls

Compensating controls are internal controls that are intended to reduce the risk of an existing or potential control weakness that may arise when duties cannot be appropriately segregated.

Overlapping controls are two controls addressing the same control objective or exposure. Since primary controls cannot be achieved when duties cannot or are not appropriately segregated, it is difficult to install overlapping controls.

Boundary controls establish the interface between the would-be user of a computer system and the computer system itself, and are individual-based, not role-based, controls.

Access controls for resources are based on individuals and not on roles. Where duties are not segregated, the IS auditor would expect to find that a person has higher levels of access than would be ideal, which is precisely why the auditor looks for compensating controls to address that risk.

IT control objectives are useful to IS auditors, as they provide the basis for understanding the:

A. desired result or purpose of implementing specific control procedures.

B. best IT security control practices relevant to a specific entity.

C. techniques for securing information.

D. security policy.

ANSWER: A. desired result or purpose of implementing specific control procedures.

An IT control objective is defined as the statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

They provide the actual objectives for implementing controls and may or may not be the best practices.

Techniques are the means of achieving an objective, and a security policy is a subset of IT control objectives.

An IS auditor reviewing an organization that uses cross-training practices should assess the risk of:

A. dependency on a single person.
B. inadequate succession planning.
C. one person knowing all parts of a system.
D. a disruption of operations.

C is the correct answer.

Justification:
A. Cross-training helps decrease dependence on a single person.

B. Cross-training assists in succession planning.

C. Cross-training is a process of training more than one individual to perform a specific job or procedure. However, in using this approach, it is prudent to have first assessed the risk of any person knowing all parts of a system and the related potential exposures related to abuse of privilege.

D. Cross-training provides for the backup of personnel in the event of an absence and, thereby, provides for the continuity of operations.
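The compensating-controls answer and the cross-training answer above turn on the same finding: one identity holding privileges that should be split across people, and, where that cannot be avoided, a compensating control such as independent review of what that identity does. The Python script below is an added example, not part of the original question bank, showing how an auditor or engineer can operationalize that check: it flags users whose role set contains a conflicting ("toxic") pair, then scans an action log for actions taken under a conflicting role that lack an independent reviewer. The role names, toxic pairs, user assignments and log entries are all constructed for this example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Role pairs that must not sit with one person. Constructed for this example;
# a real matrix comes from the organization's own SoD policy.
TOXIC_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"developer", "prod_deployer"}),        # write code and push it to prod
    frozenset({"vendor_setup", "payment_approver"}),  # create a payee and approve payment
    frozenset({"dba", "security_admin"}),             # change data and change who audits it
}

# Constructed user -> role assignments, as an access-review export might look.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"developer", "prod_deployer"},
    "bob":   {"payment_approver"},
    "carol": {"vendor_setup", "payment_approver", "dba"},
    "dave":  {"dba", "security_admin", "developer"},
}


def sod_conflicts(assignments: Dict[str, Set[str]],
                  toxic_pairs: Set[FrozenSet[str]] = TOXIC_PAIRS
                  ) -> Dict[str, List[Tuple[str, str]]]:
    """Map each user holding at least one toxic role pair to the pairs they hold.

    Every 2-combination of a user's roles is tested against the toxic set, so a
    user with three roles is checked for all three possible pairs.
    """
    found: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in combinations(sorted(roles), 2)
                if frozenset(pair) in toxic_pairs]
        if hits:
            found[user] = sorted(hits)
    return found


@dataclass(frozen=True)
class Action:
    """One entry from a (constructed) privileged-action log."""
    user: str
    role: str                        # role the action was performed under
    description: str
    reviewer: Optional[str] = None   # independent reviewer who signed off, if any


def unreviewed_conflicting_actions(actions: List[Action],
                                   assignments: Dict[str, Set[str]],
                                   toxic_pairs: Set[FrozenSet[str]] = TOXIC_PAIRS
                                   ) -> List[Action]:
    """Return actions the compensating control (independent review) did not cover.

    An action is flagged when its user is in SoD conflict, it was taken under a
    role belonging to one of that user's conflicting pairs, and there is no
    reviewer or the reviewer is the actor (self-review is not independent).
    Actions by users with no conflict, or under a role outside any conflicting
    pair, are not flagged.
    """
    conflicted = sod_conflicts(assignments, toxic_pairs)
    flagged: List[Action] = []
    for action in actions:
        pairs = conflicted.get(action.user)
        if not pairs:
            continue
        conflicting_roles = {role for pair in pairs for role in pair}
        if action.role not in conflicting_roles:
            continue
        if action.reviewer is None or action.reviewer == action.user:
            flagged.append(action)
    return flagged


# Constructed log entries for the demonstration.
ACTIONS: List[Action] = [
    Action("alice", "prod_deployer", "deployed build 1.4.2 to production", reviewer="erin"),
    Action("alice", "prod_deployer", "emergency hotfix deploy"),                  # no review
    Action("alice", "prod_deployer", "config change on prod", reviewer="alice"),  # self-review
    Action("bob",   "payment_approver", "approved invoice 1043"),                 # bob has no conflict
    Action("carol", "dba", "rotated database credentials"),                       # dba is outside carol's toxic pair
    Action("carol", "payment_approver", "approved payment to new vendor"),        # conflict, no review
]


if __name__ == "__main__":
    for user, pairs in sod_conflicts(ASSIGNMENTS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for action in unreviewed_conflicting_actions(ACTIONS, ASSIGNMENTS):
        print(f"UNREVIEWED: {action.user} as {action.role}: {action.description}")
```

Run as-is it reports alice, carol and dave as holding a toxic pair, and lists three unreviewed actions (two of alice's deployments and carol's vendor payment). Bob's unreviewed approval is not flagged because he holds no conflicting role, and carol's credential rotation is not flagged because dba is not part of her conflicting pair; the compensating control only has to cover the exposure that the missing segregation creates.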

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?

A. Review the strategic alignment of IT with the business.

B. Implement accountability rules within the organization.

C. Ensure that independent IS audits are conducted periodically.

D. Create a chief risk officer (CRO) role in the organization.

B is the correct answer.

Justification:
A. While the strategic alignment of IT with the business is important, it is not directly related to the gap identified in this scenario; it is a higher-level solution that does not address roles and responsibilities.

B. IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation, not about the finding itself.

C. Performing more frequent IS audits is not helpful if the accountability rules are not clearly defined and implemented.

D. Recommending the creation of a new role (CRO) is not helpful if the accountability rules are not clearly defined and implemented.

Which of the following choices is the PRIMARY benefit of requiring a steering committee to oversee IT investment?

A. To conduct a feasibility study to demonstrate IT value

B. To ensure that investments are made according to business requirements

C. To ensure that proper security controls are enforced

D. To ensure that a standard development methodology is implemented

B is the correct answer.

Justification:
A. A steering committee may use a feasibility study in its reviews; however, it is not responsible for performing/conducting the study.

B. A steering committee consists of representatives from the business and IT and ensures that IT investment is based on business objectives rather than on IT priorities.

C. The steering committee is not responsible for enforcing security controls.

D. The steering committee is not responsible for implementing development methodologies.

The MAJOR consideration for an IS auditor reviewing an organization's IT project portfolio is the:

A. IT budget.
B. existing IT environment.
C. business plan.
D. investment plan.

Correct Answer: C

Explanation/Reference:
One of the most important reasons for which projects get funded is how well a project meets an organization's strategic objectives. Portfolio management takes a holistic view of a company's overall IT strategy. IT strategy should be aligned with the business strategy and, hence, reviewing the business plan should be the major consideration. Choices A, B and D are important but secondary to the importance of reviewing the business plan.

Which of the following is a function of an IS steering committee?

A. Monitoring vendor-controlled change control and testing

B. Ensuring a separation of duties within the information processing environment

C. Approving and monitoring major projects, the status of IS plans and budgets

D. Responsible for liaison between the IS department and the end users

Answer: C

Explanation/Reference:
The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects and the status of IS plans and budgets. Vendor change control is an outsourcing issue and should be monitored by IS management.

Ensuring a separation of duties within the information processing environment is an IS management responsibility.

Liaison between the IS department and the end users is a function of the individual parties and not a committee.

Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?

A. Define a balanced scorecard (BSC) for measuring performance

B. Consider user satisfaction in the key performance indicators (KPIs)

C. Select projects according to business benefits and risks

D. Modify the yearly process of defining the project portfolio

Answer: C

Explanation:

Prioritization of projects on the basis of their expected benefit(s) to the business, and the related risks, is the best measure for achieving alignment of the project portfolio to an organization's strategic priorities. Modifying the yearly process of the project portfolio definition might improve the situation, but only if the portfolio definition process is currently not tied to the definition of corporate strategies; however, this is unlikely, since the difficulties are in maintaining the alignment and not in setting it up initially. Measures such as a balanced scorecard (BSC) and key performance indicators (KPIs) are helpful, but they do not guarantee that the projects are aligned with business strategy.

In reviewing the IS short-range (tactical) plan, the IS auditor should determine whether:

A. there is an integration of IS and business staffs within projects.

B. there is a clear definition of the IS mission and vision.

C. there is a strategic information technology planning methodology in place.

D. the plan correlates business objectives to IS goals and objectives.

Answer: A

The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan.

Choices B, C, and D are areas covered by a strategic plan.

Many companies use categories like Transformational, Informational, Strategic, and Infrastructure as:

IT investment portfolio categories.

The rate of change of technology increases the importance of:

A. outsourcing the IS function.

B. implementing and enforcing good processes.

C. hiring personnel willing to make a career within the organization.

D. meeting user requirements.

Answer: B

Change requires that good change management processes be implemented and enforced. Outsourcing the IS function is not directly related to the rate of technological change. Personnel in a typical IS department are highly qualified and educated; usually they do not feel their jobs are at risk and are prepared to switch jobs frequently. Although meeting user requirements is important, it is not directly related to the rate of technological change in the IS environment.

An IS auditor identifies that reports on product profitability by an organization's finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?

A. User acceptance testing (UAT) occur for all reports before release into production.

B. Organizational data governance be put into place.

C. Standard software tools be used for report development.

D. Management sign-off on requirements for new reports.

Answer: B. Organizational data governance be put into place.

Six Sigma, Total Quality Management and Plan-Do-Check-Act (PDCA) are available methods of ________________.

A. evaluating the alignment of IT investments to enterprise goals.

B. managing continuous quality improvement in IT processes.

C. assessing enterprise IT capability needs.

D. developing business cases for IT investments.

Answer: B. managing continuous quality improvement in IT processes.

Which of the following does an IS auditor consider to be MOST important when evaluating an organization's IT strategy? That it:

Answer: supports the business objectives of the organization.

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?

Explanation: The IS department should specifically consider the manner in which resources are allocated in the short term.

Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?

Explanation: A sound IS security policy will most likely outline a response program to handle suspected intrusions.