Test Online - Solved



  • 8/13/2019 Test Online - Solved


    IT Audit: Test paper - online

    1. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:

    d) disclose the threats and impacts to management;

    Organizations use risk analysis to determine the extent of the potential threat and the risk associated with an IT system. The output of this process helps to identify appropriate controls for reducing or eliminating risk during the risk mitigation process. Upon completion of an audit, an IS auditor should describe and discuss with management the threats and potential impacts on the assets.

    2. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:

    b) vulnerabilities and threats are identified;

    In order to develop a risk-based audit strategy, it is a must to identify the risks and vulnerabilities and to understand them. As I said in the answer to the first question, this will determine the areas to be audited and the extent of coverage. Understanding whether appropriate controls required to mitigate risks are in place is a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly related to the audit process and are not relevant to the risk analysis of the environment to be audited. A gap analysis would normally be done to compare the actual state to an expected or desirable state.

    3. While conducting an audit, the IS auditor detects the presence of a virus. What should be the IS auditor's next step?

    c) Inform appropriate personnel immediately;

    After detecting the presence of a virus, the IS auditor should alert the organization about its presence, then wait for their response. Choice a) observe the response mechanism, should be taken after choice c) Inform appropriate personnel immediately. In this way an IS auditor can examine the actual workability and effectiveness of the response system. An IS auditor cannot make changes to the system which is being audited; ensuring the deletion of the virus is a management responsibility.

    4. An e-mail message from an unknown sender was sent to various members of an organization asking them to contribute funds to a charity organization. This is an example of what type of attack?

    a) Event phishing;

    Event phishing is a targeted phishing attack based on an event that has recently occurred. Blended phishing typically involves cross-site scripting in conjunction with fake e-mail messages. Social engineering is the art of manipulating people into performing actions or divulging information. Spear phishing is the act of sending fake e-mail messages targeted to specific individuals of an organization, but not typically related to a specific event.

    5. Which of the following provides the framework for designing and developing logical access controls?

    a) Information systems security policy;

    The information systems security policy is developed and approved by the top management of an organization, and represents the basis on which logical access control is designed and developed. The other choices (access control lists, password management and systems configuration files) represent tools for implementing the access controls.