Interested to Buy Any Domain ? << Click Here >> for more details...
An IS auditor conducting a review of disaster recovery
planning at a financial processing organization has
discovered the following:
* The existing disaster recovery plan was compiled two years
ago by a systems analyst in the organization's IT department
using transaction flow projections from the operations
department.
* The plan was presented to the deputy CEO for approval and
formal issue, but it is still awaiting his attention.
* The plan has never been updated, tested or circulated to
key management and staff, though interviews show that each
would know what action to take for their area in the event
of a disruptive incident.
The basis of an organization's disaster recovery plan is to
reestablish live processing at an alternative site where a
similar, but not identical hardware configuration is already
established. The IS auditor should:
A. take no action as the lack of a current plan is the only
significant finding.
B. recommend that the hardware configuration at each site
should be identical.
C. perform a review to verify that the second configuration
can support live processing.
D. report that the financial expenditure on the alternative
site is wasted without an effective plan.
- 1 Answers
- 5038 Views
- I also Faced
- E-Mail Answers
Answer / guest
Answer: C
The IS auditor does not have a finding unless it can be
shown that the alternative hardware cannot support the live
processing system. Even though the primary finding is the
lack of a proven and communicated disaster recovery plan, it
is essential that this aspect of recovery is included in the
audit. Since, if it is found to be inadequate the finding
will materially support the overall audit opinion. It is
certainly not appropriate to take no action at all, leaving
this important factor untested, and unless it is shown that
the alternative site is inadequate, there can be no comment
on the expenditure (even if this is considered a proper
comment for the IS auditor to make). Similarly, there is no
need for the configurations to be identical. The alternative
site could actually exceed the recovery requirements if it
is also used for other work, such as other processing or
systems development and testing. The only proper course of
action at this point would be to find out if the recovery
site can actually cope with a recovery.
| Is This Answer Correct ? | 2 Yes | 0 No |
The risk of an IS auditor using an inadequate test procedure and concluding that material errors do not exist when, in fact, they exist is:
In a risk-based audit approach, an IS auditor, in addition to risk, would be influenced by: A. the availability of CAATs. B. management's representation. C. organizational structure and job responsibilities. D. the existence of internal and operational controls
When conducting a review of business process re-engineering, an IS auditor found that a key preventive control had been removed. In this case, the IS auditor should: A. inform management of the finding and determine if management is willing to accept the potential material risk of not having that preventing control. B. determine if a detective control has replaced the preventive control during the process and if so, not report the removal of the preventive control. C. recommend that this and all control procedures that existed before the process was reengineered be included in the new process. D. develop a continuous audit approach to monitor the effects of the removal of the preventive control.
Applying a retention date on a file will ensure that: A. data cannot be read until the date is set. B. data will not be deleted before that date. C. backup copies are not retained after that date. D. datasets having the same name are differentiated.
An organization is experiencing a growing backlog of undeveloped applications. As part of a plan to eliminate this backlog, end-user computing with prototyping, supported by the acquisition of an interactive application generator system is being introduced. Which of the following areas is MOST critical to the ultimate success of this venture? A. Data control B. Systems analysis C. Systems programming D. Application programming
Which tests is an IS auditor performing when certain program is selected to determine if the source and object versions are the same?
Which of the following would contribute MOST to an effective business continuity plan (BCP)? The BCP: A. document was circulated to all interested parties. B. planning involved all user departments. C. was approved by senior management. D. was audited by an external IS auditor.
Which of the following steps would an IS auditor normally perform FIRST in a data center security review? A. Evaluate physical access test results. B. Determine the risks/threats to the data center site. C. Review business continuity procedures. D. Test for evidence of physical access at suspect locations.
A database administrator is responsible for: A. defining data ownership. B. establishing operational standards for the data dictionary. C. creating the logical and physical database. D. establishing ground rules for ensuring data integrity and security.
Assumptions while planning an IS project involve a high degree of risk because they are: A. based on known constraints. B. based on objective past data. C. a result of lack of information. D. often made by unqualified people.
The role of IT auditor in complying with the Management Assessment of Internal Controls (Section 404 of the Sarbanes-Oxley Act) is: A. planning internal controls B. documenting internal controls C. designing internal controls D. implementing internal controls
The Primary purpose of audit trails is to
Cisco Certifications 
