IS项目管理与审计模拟题

信息系统审计考题

A卷答案

信息系统审计考题

同济大学经济与管理学院试卷 (B卷) 2010 -2011 学年第1 学期

课号： 课程名：信息系统审计 考试形式：开卷（ ）闭卷（√）

此卷选为：期中考试( )、期终考试( )、补考(√ )试卷

专业和年级 学号 姓名

答案请填写于下表

A. be dynamic and change often to coincide with the changing nature of technology and the audit profession.

B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.

C. document the audit procedures designed to achieve the planned audit objectives.

D. outline the overall authority, scope and responsibilities of the audit function.

2. The IT balanced scorecard (BSC) is a business governance tool intended to monitor IT performance evaluation indicators other than: A. financial results.

B. customer satisfaction.

信息系统审计考题

C. internal process efficiency. D. innovation capacity.

3. The reason for establishing a stop or freezing point on the design of a new system is to:

A. prevent further changes to a project in process.

B. indicate the point at which the design is to be completed.

C. require that changes after that point be evaluated for cost-effectiveness. D. provide the project management team with more control over the project design.

4. An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:

A. the setup is geographically dispersed.

B. the network servers are clustered in a site. C. a hot site is ready for activation.

D. diverse routing is implemented for the network.

5. Which of the following is the PRIMARY safeguard for securing software and data within an information processing facility? A. Security awareness

B. Reading the security policy C. Security committee D. Logical access controls

6. Which of the following is the MOST important criterion when selecting a location for an offsite storage facility for IS backup files? The offsite facility must be: A. physically separated from the data center and not subject to the same risks.

B. given the same level of protection as that of the computer data center. C. outsourced to a reliable third party. D. equipped with surveillance capabilities.

7. Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling B. Variable sampling

C. Stratified mean per unit D. Difference estimation

8. Which of the following is the MOST important function to be performed by IS management when a service has been outsourced? A. Ensuring that invoices are paid to the provider B. Participating in systems design with the provider C. Renegotiating the provider’s fees

D. Monitoring the outsourcing provider’s performance

9. Which of the following system and data conversion strategies provides the GREATEST redundancy? A. Direct cutover B. Pilot study

C. Phased approach D. Parallel run

10.An IS auditor reviewing database controls discovered that changes to the

信息系统审计考题

database during normal working hours were handled through a standard set of procedures. However, changes made after normal hours required only an abbreviated number of steps. In this situation, which of the following would be considered an adequate set of compensating controls?

A. Allow changes to be made only with the DBA user account

B. Make changes to the database after granting access to a normal user account

C. Use the DBA user account to make changes, log the changes and review the change log the following day

D. Use the normal user account to make changes, log the changes and review the change log the following day

11.Which of the following is a feature of an intrusion detection system (IDS)? A. Gathering evidence on attack attempts

B. Identifying weaknesses in the policy definition C. Blocking access to particular sites on the Internet

D. Preventing certain users from accessing specific servers

12.During a business continuity audit, an IS auditor found that the business continuity plan covered only critical processes. The IS auditor should: A. recommend that the business continuity plan cover all business processes.

B. assess the impact of the processes not covered. C. report the findings to the IT manager. D. redefine critical processes.

13.While planning an audit, an assessment of risk should be made to provide: A. reasonable assurance that the audit will cover material items.

B. definite assurance that material items will be covered during the audit work.

C. reasonable assurance that all items will be covered by the audit.

D. sufficient assurance that all items will be covered during the audit work. 14.The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

A. Utilization of an intrusion detection system to report incidents B. Mandating the use of passwords to access all software

C. Installing an efficient user log system to track the actions of each user D. Training provided on a regular basis to all current and new employees

15.An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system

handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort? A. Program evaluation review technique (PERT) B. Counting source lines of code (SLOC) C. Function point analysis D. White box testing

16.An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:

信息系统审计考题

A. apply the patch according to the patch’s release notes.

B. ensure that a good change management process is in place. C. thoroughly test the patch before sending it to production. D. approve the patch after doing a risk assessment.

17.Which of the following is the BEST way to handle obsolete magnetic tapes before disposing of them?

A. Overwriting the tapes B. Initializing the tape labels C. Degaussing the tapes D. Erasing the tapes

18.Which of the following findings should an IS auditor be MOST concerned about when performing an audit of backup and recovery and the offsite storage vault? A. There are three individuals with a key to enter the area B. Paper documents are also stored in the offsite vault C. Data files that are stored in the vault are synchronized D. The offsite vault is located in a separate facility

19.When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?

A. The point at which controls are exercised as data flow through the system B. Only preventive and detective controls are relevant

C. Corrective controls can only be regarded as compensating

D. Classification allows an IS auditor to determine which controls are missing

20.Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update? A. Test data run B. Code review

C. Automated code comparison

D. Review of code migration procedures

21.IT control objectives are useful to IS auditors since they provide the basis for understanding the:

A. desired result or purpose of implementing specific control procedures. B. best IT security control practices relevant to a specific entity. C. techniques for securing information. D. security policy.

22.Which of the following is the PRIMARY purpose for conducting parallel testing? A. To determine if the system is cost-effective

B. To enable comprehensive unit and system testing C. To highlight errors in the program interfaces with files D. To ensure the new system meets user requirements

23.A review of wide area network (WAN) usage discovers that traffic on one

communication line between sites, synchronously linking the master and standby database, peaks at 96 percent of the line capacity. An IS auditor should conclude that:

A. analysis is required to determine if a pattern emerges that results in a service loss for a short period of time.