Incorporating the results of a maturity model assessment is MOST useful in the development of:
Correct Answer: A
Question 142
Which of the following do digital signatures provide?
Correct Answer: A
Explanation: The primary purpose of digital signatures is to provide authentication and integrity of data.
Question 143
What is wrong with a Black Box type of intrusion detection system?
Correct Answer: C
Section: Protection of Information Assets
Explanation: "An intrusion detection system should be able to run continually without human supervision. The system must be reliable enough to allow it to run in the background of the system being observed. However, it should not be a 'black box', because you want to ensure its internal workings are examinable from outside."
Question 144
An IS auditor discovers that, due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?
Correct Answer: C
A database administrator (DBA) is responsible for maintaining the integrity, security and performance of the database systems. A DBA who is also responsible for developing and executing changes into the production environment may have a conflict of interest and pose a risk to data quality and availability. Therefore, the IS auditor should first identify whether any compensating controls exist to mitigate this risk, such as independent reviews, approvals, audits or monitoring of the changes. Determining whether another DBA could make the changes, reporting a potential segregation of duties violation and ensuring a change management process is followed prior to implementation are possible actions that the auditor could take after identifying the compensating controls or the lack thereof.
References: Database Administrator (DBA) Definition; Segregation of Duties | ISACA; Compensating Control Definition
Question 145
A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting. What would be MOST important to consider before including this audit in the program?
Correct Answer: B
The most important thing to consider before including an audit of IT capacity management in the program is whether the system's performance poses a significant risk to the organization. IT capacity management is a process that ensures that IT resources are sufficient to meet current and future business needs, and that they are optimized for cost and performance. Poor IT capacity management can result in system slowdowns, outages, failures, or breaches, which can affect the availability, reliability, security, and efficiency of IT services and business processes. Therefore, before conducting an audit of IT capacity management, the auditor should assess the potential impact and likelihood of these risks on the organization's objectives, reputation, compliance, and customer satisfaction.
Whether system delays result in more frequent use of manual processing (option A) is not the most important consideration, as it is only one possible consequence of poor IT capacity management. Manual processing can introduce errors, delays, inefficiencies, and inconsistencies in the data and reports, which can affect the quality and accuracy of financial information. However, manual processing is not the only or the worst outcome of poor IT capacity management; there may be other more severe or frequent risks that need to be considered.
Whether stakeholders are committed to assisting with the audit (option C) is also not the most important consideration, as it is a factor that affects the feasibility and effectiveness of the audit, not the necessity or priority of it. Stakeholder commitment is important for ensuring that the auditor has access to relevant information, documents, data, and personnel, as well as for facilitating communication, collaboration, and feedback during the audit process. However, stakeholder commitment is not a sufficient reason to conduct an audit of IT capacity management; there must be a clear risk-based rationale for selecting this area for audit.
Whether internal auditors have the required skills to perform the audit (option D) is also not the most important consideration, as it is a factor that affects the quality and credibility of the audit, not the urgency or importance of it. Internal auditors should have the appropriate knowledge, skills, and experience to perform an audit of IT capacity management, which may include technical, business, analytical, and communication skills. However, internal auditors can also acquire or supplement these skills through training, coaching, consulting, or outsourcing. Therefore, internal auditors' skills are not a decisive factor for choosing this area for audit.
Therefore, option B is the correct answer.
References: Guide to IT Capacity Management | Smartsheet; ISO 27001 capacity management: How to implement control A.12.1.3 - Advisera; ISO 27002:2022 - Control 8.6 - Capacity Management