When auditing the requirements phase of a system development
project, an IS auditor would:
A. assess the adequacy of audit trails.
B. identify and determine the criticality of the need.
C. verify cost justifications and anticipated benefits.
D. ensure that control specifications have been defined.
Answer / guest
Answer: D
During the requirements phase the IS auditor should verify
the detailed requirements definition document. The IS
auditor would identify and determine the criticality of the
need and verify all cost justifications/benefits during the
feasibility phase. The assessment of the adequacy of audit
trails would take place during the detailed design and
programming phase.
Is This Answer Correct ? | 5 Yes | 0 No |
A company has recently upgraded its purchase system to incorporate EDI transmissions. Which of the following controls should be implemented in the EDI interface in order to provide for efficient data mapping? A. Key verification B. One-for-one checking C. Manual recalculations D. Functional acknowledgements
An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. Under the SSO system, unauthorized access: A. is less likely. B. is more likely. C. will have a greater impact. D. will have a smaller impact.
To determine which users can gain access to the privileged supervisory state, which of the following should an IS auditor review? A. System access log files B. Enabled access control software parameters C. Logs of access control violations D. System configuration files for control options used
Business continuity/disaster recovery is PRIMARILY the responsibility of: A. IS management. B. business unit managers. C. the security administrator. D. the board of directors.
Which of the following is the FIRST thing an IS auditor should do after the discovery of a trojan horse program in a computer system? A. Investigate the author. B. Remove any underlying threats. C. Establish compensating controls. D. Have the offending code removed.
The initial step in establishing an information security program is the: A. development and implementation of an information security standards manual. B. performance of a comprehensive security control review by the IS auditor. C. adoption of a corporate information security policy statement. D. purchase of security access control software.
When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others? A. Origination B. Authorization C. Recording D. Correction
The window of time recovery of information processing capabilities is based on the: A. criticality of the processes affected. B. quality of the data to be processed. C. nature of the disaster. D. applications that are mainframe based.
During an implementation review of a multiuser distributed application, the IS auditor finds minor weaknesses in three areas-the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should: A. record the observations separately with the impact of each of them marked against each respective finding. B. advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones. C. record the observations and the risk arising from the collective weaknesses. D. apprise the departmental heads concerned with each observation and properly document it in the report.
Which of the following database administrator (DBA) activities is unlikely to be recorded on detective control logs? A. Deletion of a record B. Change of a password C. Disclosure of a password D. Changes to access rights
To make an electronic funds transfer (EFT), one employee enters the amount field and another employee reenters the same data again, before the money is transferred. The control adopted by the organization in this case is: A. sequence check. B. key verification. C. check digit. D. completeness check.
Which of the following are data file controls? A. Internal and external labeling B. Limit check and logical relationship checks C. Total items and hash totals D. Report distribution procedures