The difference between a vulnerability assessment and a penetration test is that a vulnerability assessment: A. searches and checks the infrastructure to detect vulnerabilities, whereas penetration testing intends to exploit the vulnerabilities to probe the damage that could result from the vulnerabilities. B. and penetration tests are different names for the same activity. C. is executed by automated tools, whereas penetration testing is a totally manual process. D. is executed by commercial tools, whereas penetration testing is executed by public processes.

The objective of IT governance is to ensure that the IT strategy is aligned with the objectives of (the): A. enterprise. B. IT. C. audit. D. finance.

Which of the following is an objective of a control self-assessment (CSA) program? A. Concentration on areas of high risk B. Replacement of audit responsibilities C. Completion of control questionnaires D. Collaborative facilitative workshops

Which of the following offsite information processing facility conditions would cause an IS auditor the GREATEST concern? The facility A. is identified clearly on the outside with the company name. B. is located more than an hour driving distance from the originating site. C. does not have any windows to let in natural sunlight. D. entrance is located in the back of the building rather than the front.

An organization has been an Internet user for several years and the business plan now calls for initiating e-commerce via web-based transactions. Which of the following will LEAST impact transactions in e-commerce? A. Encryption is required B. Timed authentication is required C. Firewall architecture hides the internal network D. Traffic is exchanged through the firewall at the application layer only

An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The manager had written the password, allocated by the system administrator, inside his/her desk drawer. The IS auditor should conclude that the: A. manager's assistant perpetrated the fraud. B. perpetrator cannot be established beyond doubt. C. fraud must have been perpetrated by the manager. D. system administrator perpetrated the fraud.

The PRIMARY reason for replacing checks (cheques) with EFT systems in the accounts payable area is to: A. make the payment process more efficient. B. comply with international EFT banking standards. C. decrease the number of paper-based payment forms. D. reduce the risk of unauthorized changes to payment transactions.

At the end of a simulation of an operational contingency test, the IS auditor performed a review of the recovery process. The IS auditor concluded that the recovery took more than the critical time frame allows. Which of the following actions should the auditor recommend? A. Widen the physical capacity to accomplish better mobility in a shorter time. B. Shorten the distance to reach the hot site. C. Perform an integral review of the recovery tasks. D. Increase the number of human resources involved in the recovery process.

Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network? A. The use of diskless workstations B. Periodic checking of hard drives C. The use of current antivirus software D. Policies that result in instant dismissal if violated

An IS auditor reviewing an organization's IS disaster recovery plan should verify that it is: A. tested every 6 months. B. regularly reviewed and updated. C. approved by the chief executive officer (CEO). D. communicated to every departmental head in the organization.

In a system development project the purpose of the program and procedure development phase is to: A. prepare, test and document all programs and manual procedures. B. document a business or system problem to a level at which management can select a solution. C. prepare a high-level design of a proposed system solution and present reasons for adopting a solution. D. expand the general design of an approved solution so that program and procedure writing can begin.

As updates to an online order entry system are processed, the updates are recorded on a transaction tape and a hard-copy transaction log. At the end of the day, the order entry files are backed up on tape. During the backup procedure, a drive malfunctions and the order entry files are lost. Which of the following are necessary to restore these files? A. The previous day's backup file and the current transaction tape B. The previous day's transaction file and the current transaction tape C. The current transaction tape and the current hard-copy transaction log D. The current hard-copy transaction log and the previous day's transaction file

An IS auditor conducting a review of disaster recovery planning at a financial processing organization has discovered the following: * The existing disaster recovery plan was compiled two years ago by a systems analyst in the organization's IT department using transaction flow projections from the operations department. * The plan was presented to the deputy CEO for approval and formal issue, but it is still awaiting his attention. * The plan has never been updated, tested or circulated to key management and staff, though interviews show that each would know what action to take for their area in the event of a disruptive incident. The IS auditor's report should recommend that: A. the deputy CEO be censured for his failure to approve the plan. B. a board of senior managers be set up to review the existing plan. C. the existing plan be approved and circulated to all key management and staff. D. a manager coordinate the creation of a new or revised plan within a defined time limit.

The PRIMARY objective of an IS audit function is to: A. determine whether everyone uses IS resources according to their job description. B. determine whether information systems safeguard assets, and maintain data integrity. C. examine books of accounts and relative documentary evidence for the computerized system. D. determine the ability of the organization to detect fraud.

Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan? A. Yes, because the IS auditor will evaluate the adequacy of the service bureau's plan and assist his/her company in implementing a complementary plan. B. Yes, because, based on the plan, the IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract. C. No, because the backup to be provided should be specified adequately in the contract. D. No, because the service bureau's business continuity plan is proprietary information.