When conducting a review of business process re-engineering,
an IS auditor found that a key preventive control had been
removed. In this case, the IS auditor should:
A. inform management of the finding and determine if
management is willing to accept the potential material risk
of not having that preventing control.
B. determine if a detective control has replaced the
preventive control during the process and if so, not report
the removal of the preventive control.
C. recommend that this and all control procedures that
existed before the process was reengineered be included in
the new process.
D. develop a continuous audit approach to monitor the
effects of the removal of the preventive control.
Answers were Sorted based on User's Feedback
Answer / guest
Answer: A
Choice A is the best answer. Management should be informed
immediately to determine if they are willing to accept the
potential material risk of not having that preventive
control in place. The existence of a detective control
instead of a preventive control usually increases the risks
that a material problem may occur. Often during a BPR many
non-value-added controls will be eliminated. This is good,
unless they increase the business and financial risks. The
IS auditor may wish to monitor or recommend that management
monitor the new process, but this should be done only after
management has been informed and accepts the risk of not
having the preventive control in place.
Is This Answer Correct ? | 12 Yes | 0 No |
Answer / antoine
A. inform management of the finding and determine if
management is willing to accept the potential material risk
of not having that preventing control.
Is This Answer Correct ? | 4 Yes | 0 No |
The phases and deliverables of a systems development life cycle (SDLC) project should be determined: A. during the initial planning stages of the project. B. after early planning has been completed, but before work has begun. C. through out the work stages based on risks and exposures. D. only after all risks and exposures have been identified and the IS auditor has recommended appropriate controls.
Information for detecting unauthorized input from a terminal would be BEST provided by the: A. console log printout. B. transaction journal. C. automated suspense file listing. D. user error report.
Which of the following is the operating system mode in which all instructions can be executed? A. Problem B. Interrupt C. Supervisor D. Standard processing
Which of the following types of transmission media provide the BEST security against unauthorized access? A. Copper wire B. Twisted pair C. Fiber-optic cables D. Coaxial cables
A probable advantage to an organization that has outsourced its data processing services is that: A. needed IS expertise can be obtained from the outside. B. greater control can be exercised over processing. C. processing priorities can be established and enforced internally. D. greater user involvement is required to communicate user needs.
Which of the following is the MOST effective control over visitor access to a data center? A. Visitors are escorted. B. Visitor badges are required. C. Visitors sign in. D. Visitors are spot-checked by operators.
An IS auditor who is participating in a systems development project should: A. recommend appropriate control mechanisms regardless of cost. B. obtain and read project team meeting minutes to determine the status of the project. C. ensure that adequate and complete documentation exists for all project phases. D. not worry about his/her own ability to meet target dates since work will progress regardless.
An IS auditor has just completed a review of an organization that has a mainframe and a client-server environment where all production data reside. Which of the following weaknesses would be considered the MOST serious? A. The security officer also serves as the database administrator (DBA.) B. Password controls are not administered over the client/server environment. C. There is no business continuity plan for the mainframe system?s non-critical applications. D. Most LANs do not back up file server fixed disks regularly.
When a complete segregation of duties cannot be achieved in an online system environment, which of the following functions should be separated from the others? A. Origination B. Authorization C. Recording D. Correction
In a web server, a common gateway interface (CGI) is MOST often used as a(n): A. consistent way for transferring data to the application program and back to the user. B. computer graphics imaging method for movies and TV. C. graphic user interface for web design. D. interface to access the private gateway domain.
An IS auditor auditing hardware monitoring procedures should review A. system availability reports. B. cost-benefit reports. C. response time reports. D. database utilization reports.
Which of the following is a practice that should be incorporated into the plan for testing disaster recovery procedures? A. Invite client participation. B. Involve all technical staff. C. Rotate recovery managers. D. Install locally stored backup.