CISA Exam Questions (401 - 500) with Verified Answers

An IS auditor is reviewing the software development process for an organization. Which of the following functions would be appropriate for the end users to perform?
Select an answer:
A. Program output testing
B. System configuration
C. Program logic specification
D. Performance tuning
CORRECT ANSWER: You are correct, the answer is A.
A. A user can test program output by checking the program input and comparing it with the system output. This task, although usually done by the programmer, can also be done effectively by the user.
B. System configuration is usually too technical to be accomplished by a user and this situation could create security issues. This could introduce a segregation of duties issue.
C. Program logic specification is a very technical task that is normally performed by a programmer. This could introduce a segregation of duties issue.
D. Performance tuning also requires high levels of technical skill and will not be effectively accomplished by a user. This could introduce a segregation of duties issue.

An IS auditor is reviewing system development for a health care organization with two application environments—production and test. During an interview, the auditor notes that production data are used in the test environment to test program changes. What is the MOST significant potential risk from this situation?
Select an answer:
A. The test environment may not have adequate controls to ensure data accuracy.
B. The test environment may produce inaccurate results due to use of production data.
C. Hardware in the test environment may not be identical to the production environment.
D. The test environment may not have adequate access controls implemented to ensure data confidentiality.
CORRECT ANSWER: You are correct, the answer is D.
A. The accuracy of data used in the test environment is not of significant concern as long as these data are representative of the production environment.
B. Using production data in the test environment would not cause test results to be inaccurate. If anything, using production data would improve the accuracy of testing processes because the data would most closely mirror the production environment. In spite of that fact, the risk of data disclosure or unauthorized access in the test environment is still significant and, as a result, production data should not be used in the test environment. This is especially important in a health care organization where patient data confidentiality is critical and privacy laws in many countries impose strict penalties on misuse of these data.
C. Hardware in the test environment should mirror the production environment to ensure that testing is reliable. However, this does not relate to the risk from using live data in a test environment. This is not the correct answer because it does not relate to the risk presented in the scenario.

A. Alpha testing is the testing stage just before beta testing. Alpha testing is typically performed by programmers and business analysts, instead of users. Alpha testing is used to identify bugs or glitches that can be fixed before beta testing begins with external users.
B. White box testing is performed much earlier in the software development life cycle than alpha or beta testing. White box testing is used to assess the effectiveness of software program logic, where test data are used to determine procedural accuracy of the programs being tested. In other words, does the program operate the way it is supposed to at a functional level? White box testing does not typically involve external users.
C. Regression testing is the process of re-running a portion of a test scenario to ensure that changes or corrections have not introduced more errors.
In other words, the same tests are run after multiple successive program changes to ensure that the "fix" for one problem did not "break" another part of the program. Regression testing is not the last stage of testing and does not typically involve external users.
D. Beta testing is the final stage of testing and typically includes users outside the development area. Beta testing is a form of user acceptance testing (UAT) and generally involves a limited number of users who are external to the development effort.

During which phase of software application testing should an organization perform the testing of architectural design?
Select an answer:
A. Acceptance testing
B. System testing
C. Integration testing
D. Unit testing
CORRECT ANSWER: You answered B. The correct answer is C.
A. Acceptance testing determines whether the solution meets the requirements of the business and is performed after system staff has completed the initial system test. This testing includes both quality assurance testing (QAT) and user acceptance testing (UAT), although not combined.
B. System testing relates a series of tests by the test team or system maintenance staff to ensure that the modified program interacts correctly with other components. System testing references the functional requirements of the system.
C. Integration testing evaluates the connection of two or more components that pass information from one area to another. The objective is to utilize unit-tested modules, thus building an integrated structure according to the design.
D. Unit testing references the detailed design of the system and uses a set of cases that focus on the control structure of the procedural design to ensure that the internal operation of the program performs according to specification.

An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all programming and testing environments. The production architecture is a three-tier physical architecture. What is the MOST important IT control to test to ensure availability and confidentiality of the web application in production?
Select an answer:
A. Server configuration has been hardened appropriately.
B. Allocated physical resources are available.
C. System administrators are trained to use the virtual machine (VM) architecture.
D. The VM server is included in the disaster recovery plan (DRP).
CORRECT ANSWER: You are correct, the answer is A.
A. The most important control to test in this configuration is the server configuration hardening. It is important to patch known vulnerabilities and to disable all non-required functions before production, especially when production architecture is different from development and testing architecture.
B. The greatest risk is associated with the difference between the testing and production environments. Ensuring that physical resources are available is a relatively low risk and easily addressed.
C. Virtual machines (VMs) are often used for optimizing programming and testing infrastructure. In this scenario, the development environment (VM architecture) is different from the production infrastructure (physical three-tier). Because the VMs are not related to the web application in production, there is no real requirement for the system administrators to be familiar with a virtual environment.
D. Because the VMs are only used in a development environment and not in production, it may not be necessary to include VMs in the disaster recovery plan (DRP).

Which of the following situations would increase the likelihood of fraud?
Select an answer:
A. Application programmers are implementing changes to production programs.
B. Administrators are implementing vendor patches to vendor-supplied software without following change control procedures.
C. Operations support staff members are implementing changes to batch schedules.
D.

C.
Interface/integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective is to take unit-tested modules and build an integrated structure. This will not test in a true production environment.
D. The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, as well as changes to the desktop in a client-server or web development.

At the end of the testing phase of software development, an IS auditor observes that an intermittent software error has not been corrected. No action has been taken to resolve the error. The IS auditor should:
Select an answer:
A. report the error as a finding and leave further exploration to the auditee's discretion.
B. attempt to resolve the error.
C. recommend that problem resolution be escalated.
D. ignore the error because it is not possible to get objective evidence for the software error.
CORRECT ANSWER: You answered A. The correct answer is C.
A. Recording it as a minor error and leaving it to the auditee's discretion would be inappropriate. Action should be taken before the application goes into production.
B. The IS auditor is not authorized to resolve the error.
C. When an IS auditor observes such conditions, it is best to fully apprise the auditee and suggest that further problem resolutions be attempted including escalation if necessary.
D. Neglecting the error would indicate that the IS auditor has not taken steps to further probe the issue to its logical end.

Which of the following is an implementation risk within the process of decision support systems (DSSs)?
Select an answer:
A. Management control
B. Semistructured dimensions
C. Inability to specify purpose and usage patterns
D. Changes in decision processes
CORRECT ANSWER: You answered D. The correct answer is C.
A. Management control is not a type of risk, but a characteristic of a decision support system (DSS).
B. Semistructured dimensions is not a type of risk, but a characteristic of a DSS.
C. The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS.
D. Changes in decision processes are not a type of risk, but a characteristic of a DSS.

An organization is implementing a new system to replace a legacy system. Which of the following conversion practices creates the GREATEST risk?
Select an answer:
A. Pilot
B. Parallel
C. Direct cutover
D. Phased
CORRECT ANSWER: You are correct, the answer is C.
A. All other alternatives are done gradually and, thus, provide greater recoverability and are less risky. A pilot implementation is the implementation of the system at a single location or region and then a rollout of the system to the rest of the organization after the application and implementation plan have been proven to work correctly at the pilot location.
B. A parallel test requires running both the old and new system in parallel for a time period. This would highlight any problems or inconsistencies between the old and new systems.
C. Direct cutover implies switching to the new system immediately, usually without the ability to revert to the old system in the event of problems. This is the riskiest approach and may cause a significant impact on the organization.
D. A phased approach is used to implement the system in phases or sections—this minimizes the overall risk by only affecting one area at a time.

Which of the following system and data conversion strategies provides the GREATEST redundancy?
Select an answer:
A. Direct cutover

C. Testing is crucial in determining that user requirements have been validated.
The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors.
D. Program change requests would be reviewed normally as a part of the postimplementation phase.

An appropriate control for ensuring the authenticity of orders received in an electronic data interchange (EDI) system application is to:
Select an answer:
A. acknowledge receipt of electronic orders with a confirmation message.
B. perform reasonableness checks on quantities ordered before filling orders.
C. verify the identity of senders and determine if orders correspond to contract terms.
D. encrypt electronic orders.
CORRECT ANSWER: You are correct, the answer is C.
A. Acknowledging the receipt of electronic orders with a confirming message is good practice but will not authenticate orders from customers.
B. Performing reasonableness checks on quantities ordered before placing orders is a control for ensuring the correctness of the company's orders, not the authenticity of its customers' orders.
C. An electronic data interchange (EDI) system is subject not only to the usual risk exposures of computer systems but also to those arising from the potential ineffectiveness of controls on the part of the trading partner and the third-party service provider, making authentication of users and messages a major security concern.
D. Encrypting sensitive messages is an appropriate step but does not prove authenticity of messages received.

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
Select an answer:
A. IS auditor
B. Database administrator
C. Project manager
D. Data owner
CORRECT ANSWER: You answered C. The correct answer is D.
A. An IS auditor should ensure that there is a review and sign-off by the data owner during the data conversion stage of the project.
B. A database administrator's primary responsibility is to maintain the integrity of the database and make the database available to users. A database administrator is not responsible for reviewing migrated data.
C. A project manager provides day-to-day management and leadership of the project but is not responsible for the accuracy and integrity of the data.
D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing off that the data are migrated completely and accurately and are valid. An IS auditor is not responsible for reviewing and signing off on the accuracy of the converted data.

An organization is migrating from a legacy system to an enterprise resource planning (ERP) system. While reviewing the data migration activity, the MOST important concern for the IS auditor is to determine that there is a:
Select an answer:
A. correlation of semantic characteristics of the data migrated between the two systems.
B. correlation of arithmetic characteristics of the data migrated between the two systems.
C. correlation of functional characteristics of the processes between the two systems.
D. relative efficiency of the processes between the two systems.
CORRECT ANSWER: You answered C. The correct answer is A.
A. Due to the fact that the two systems could have a different data representation, including the database schema, the IS auditor's main concern should be to verify that the interpretation of the data (structure) is the same in the new as it was in the old system.
B. Arithmetic characteristics represent aspects of data structure and internal definition in the database and, therefore, are less important than the semantic characteristics.
C. A review of the correlation of the functional characteristics between the two systems is not relevant to a data migration review.
D.
A review of the relative efficiencies of the processes between the two systems is not relevant to a data migration review.

examines a program's functionality by executing it in a tightly controlled or virtual environment with restricted access to the host system.
CORRECT ANSWER: You are correct, the answer is C.
A. Verifying the program can operate successfully with other parts of the system is sociability testing.
B. Testing the program's functionality without knowledge of internal structures is black box testing.
C. White box testing assesses the effectiveness of software program logic. Specifically, test data are used in determining procedural accuracy or conditions of a program's logic paths.
D. Controlled testing of programs in a semi-debugged environment, either heavily controlled step-by-step or via monitoring in virtual machines, is sandbox testing.

Following good practices, formal plans for implementation of new information systems are developed during the:
Select an answer:
A. development phase.
B. design phase.
C. testing phase.
D. deployment phase.
CORRECT ANSWER: You are correct, the answer is B.
A. The implementation plans are updated during the development of the system, but the plans were already addressed during the design phase.
B. The method of implementation may affect the design of the system. Therefore, planning for implementation should begin well in advance of the actual implementation date. A formal implementation plan should be constructed in the design phase and revised as the development progresses.
C. The testing phase focuses on testing the system and is not concerned with implementation planning.
D. The deployment phase implements the system according to the plans set out earlier in the design phase.

The reason a certification and accreditation (C&A) process is performed on critical systems is to ensure that:
Select an answer:
A. security compliance has been technically evaluated.
B. data have been encrypted and are ready to be stored.
C. the systems have been tested to run on different platforms.
D. the systems have followed the phases of a waterfall model.
CORRECT ANSWER: You are correct, the answer is A.
A. Certified and accredited systems are systems that have had their security compliance technically evaluated for running in a specific environment and configuration.
B. Certification tests security functionality, including encryption where that is required, but that is not the primary objective of the certification and accreditation (C&A) process.
C. Certified systems are evaluated to run in a specific environment.
D. A waterfall model is a software development methodology and not a reason for performing a C&A process.

An IS auditor is reviewing a project that is using an agile software development approach. Which of the following should the IS auditor expect to find?
Select an answer:
A. Use of a capability maturity model (CMM)
B. Regular monitoring of task-level progress against schedule
C. Extensive use of software development tools to maximize team productivity
D. Postiteration reviews that identify lessons learned for future use in the project
CORRECT ANSWER: You answered C. The correct answer is D.
A. The capability maturity model (CMM) places heavy emphasis on predefined formal processes and formal project management and software development deliverables, while agile software development projects, by contrast, rely on refinement of process as dictated by the particular needs of the project and team dynamics.
B. Task-level tracking is not used because daily meetings identify challenges and impediments to the project.
C. Agile projects make use of suitable development tools; however, tools are not seen as the primary means of achieving productivity. Team harmony, effective communications and collective ability to solve challenges are of greater importance.
D.
A key tenet of the agile approach to software project management is ongoing team learning to refine project management and software development

B. Setting a boot password is a good practice but does not ensure that a user will not try to exploit logical vulnerabilities and compromise the OS.
C. Hardening a system means to configure it in the most secure manner (install latest security patches, properly define access authorization for users and administrators, disable insecure options and uninstall unused services) to prevent nonprivileged users from gaining the right to execute privileged instructions and, thus, take control of the entire machine, jeopardizing the integrity of the OS.
D. Activity logging has two weaknesses in this scenario—it is a detective control (not a preventive one), and the attacker who already gained privileged access can modify logs or disable them.

Which of the following network components is PRIMARILY set up to serve as a security measure by preventing unauthorized traffic between different segments of the network?
Select an answer:
A. Firewalls
B. Routers
C. Layer 2 switches
D. Virtual local area networks (VLANs)
CORRECT ANSWER: You answered B. The correct answer is A.
A. Firewall systems are the primary tool that enables an organization to prevent unauthorized access between networks. An organization may choose to deploy one or more systems that function as firewalls.
B. Routers can filter packets based on parameters, such as source address, but are not primarily a security tool.
C. Based on Media Access Control (MAC) addresses, layer 2 switches separate traffic without determining whether it is authorized or unauthorized traffic.
D. A virtual local area network (VLAN) is a functionality of some switches that allows them to control traffic between different ports even though they are in the same physical local area network (LAN). Nevertheless, they do not effectively deal with authorized versus unauthorized traffic.

A company is implementing a Dynamic Host Configuration Protocol (DHCP). Given that the following conditions exist, which represents the GREATEST concern?
Select an answer:
A. Most employees use laptops.
B. A packet filtering firewall is used.
C. The IP address space is smaller than the number of PCs.
D. Access to a network port is not restricted.
CORRECT ANSWER: You answered C. The correct answer is D.
A. Dynamic Host Configuration Protocol (DHCP) provides convenience (an advantage) to the laptop users.
B. The existence of a firewall can be a security measure.
C. A limited number of IP addresses can be addressed through network address translation (NAT).
D. Given physical access to a port, anyone can connect to the internal network. This would allow individuals to connect that were not authorized to be on the corporate network.

Which of the following line media would provide the BEST security for a telecommunication network?
Select an answer:
A. Broadband network digital transmission
B. Baseband network
C. Dial-up
D. Dedicated lines
CORRECT ANSWER: You are correct, the answer is D.
A. The secure use of broadband communications is subject to whether the network is shared with other users, the data are encrypted and the risk of network interruption.
B. A baseband network is one that is usually shared with many other users and requires encryption of traffic but still may allow some traffic analysis by an attacker.
C. A dial-up line is fairly secure because it is a private connection, but it is too slow to be considered for most commercial applications today.
D. Dedicated lines are set apart for a particular user or organization. Because there is no sharing of lines or intermediate entry points, the risk of interception or disruption of telecommunications messages is lower.

When reviewing the implementation of a local area network (LAN), an IS auditor should FIRST review the:
Select an answer:
A.
absence of a defined process owner, there may be issues in respect to monitoring or authorization controls.
B. The allocation method of application usage cost is of less importance.
C. The fact that multiple application owners exist is not a concern for an IS auditor as long as process owners have been identified.
D. The fact that a training program does not exist would only be a minor concern for the IS auditor.

Which of the following would be the BEST approach to ensure that sufficient test coverage will be achieved for a project with a strict end date and a fixed time to perform testing?
Select an answer:
A. Requirements should be tested in terms of importance and frequency of use.
B. Test coverage should be restricted to functional requirements.
C. Automated tests should be performed through the use of scripting.
D. The number of required test runs should be reduced by retesting only defect fixes.
CORRECT ANSWER: You are correct, the answer is A.
A. The idea is to maximize the usefulness of testing by concentrating on the most important aspects of the system and on the areas where defects represent the greatest risk to user acceptance. A further extension of this approach is to also consider the technical complexity of requirements because complexity tends to increase the likelihood of defects.
B. The problem with testing only functional requirements is that nonfunctional requirement areas, such as usability and security, which are important to the overall quality of the system, are ignored.
C. Increasing the efficiency of testing by automating test execution is a good idea. However, by itself, this approach does not ensure the appropriate targeting of test coverage and so is not as effective an alternative.
D. Retesting only defect fixes has a considerable risk that it will not detect instances in which defect fixes may have caused the system to regress (i.e., introduced errors in parts of the system that were previously working correctly). For this reason, it is a good practice to undertake formal regression testing after defect fixes have been implemented.

An IS auditor is reviewing a new web-based order entry system the week before it goes live. The IS auditor has identified that the application, as designed, may be missing several critical controls regarding how the system stores customer credit card information. The IS auditor should FIRST:
Select an answer:
A. determine whether system developers have proper training on adequate security measures.
B. determine whether system administrators have disabled security controls for any reason.
C. verify that security requirements have been properly specified in the project plan.
D. validate whether security controls are based on requirements which are no longer valid.
CORRECT ANSWER: You are correct, the answer is C.
A. While it is important for programmers to understand security, it is more important that the security requirements were properly stated in the project plan.
B. System administrators may have made changes to the controls, but it is assumed that the auditor is reviewing the system as designed a week prior to implementation so the administrators have not yet configured the system.
C. If there are significant security issues identified by an IS auditor, the first question is whether the security requirements were correct in the project plan. Depending on whether the requirements were included in the plan would affect the recommendations the auditor would make.
D. It is possible that security requirements will change over time based on new threats or vulnerabilities, but if critical controls are missing, this points toward a faulty design that was based on incomplete requirements.

Which of the following helps an IS auditor evaluate the quality of new software that is developed and implemented?
Select an answer:
A. The reporting of the mean time between failures over time
B. The overall mean time to repair failures
C.
The first report of the mean time between failures
D. The overall response time to correct failures
CORRECT ANSWER: You answered A. The correct answer is C.
A. The mean time between failures that are repetitive includes the inefficiency in fixing the first reported failures and is a reflection on the response team or help desk team in fixing the reported issues.

D. Setting up the new system, including access permissions and payroll data, always presents some level of risk; however, the greatest risk is related to the migration of data from the old system to the new system.

During a postimplementation review, which of the following activities should be performed?
Select an answer:
A. User acceptance testing (UAT)
B. Return on investment (ROI) analysis
C. Activation of audit trails
D. Updates of the state of enterprise architecture (EA) diagrams
CORRECT ANSWER: You answered C. The correct answer is B.
A. User acceptance testing (UAT) should be performed prior to the implementation (perhaps during the development phase), not after the implementation.
B. Following implementation, a cost-benefit analysis or return on investment (ROI) should be re-performed to verify that the original business case benefits are delivered.
C. The audit trail should be activated during the implementation of the application.
D. While updating the enterprise architecture (EA) diagrams is a good practice, it would not normally be part of a postimplementation review.

During a postimplementation review of an enterprise resource management system, an IS auditor would MOST likely:
Select an answer:
A. review access control configuration.
B. evaluate interface testing.
C. review detailed design documentation.
D. evaluate system testing.
CORRECT ANSWER: You are correct, the answer is A.
A. Reviewing access control configuration would be the first task performed to determine whether security has been appropriately mapped in the system.
B. Because a postimplementation review is done after user acceptance testing and actual implementation, one would not engage in interface testing or detailed design documentation. Evaluating interface testing would be part of the implementation process.
C. The issue of reviewing detailed design documentation is not generally relevant to an enterprise resource management system because these are usually vendor packages with user manuals. System testing should be performed before final user signoff. Further, because the system has been implemented, the IS auditor would only check the detailed design if there appeared to be a gap between design and functionality.
D. System testing should be performed before final user signoff. The IS auditor should not need to review the system tests postimplementation.

During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code reviews are rarely carried out. This will MOST likely increase the likelihood of a successful:
Select an answer:
A. buffer overflow.
B. brute force attack.
C. distributed denial-of-service attack (DDoS).
D. war dialing attack.
CORRECT ANSWER: You answered B. The correct answer is A.
A. Poorly written code, especially in web-based applications, is often exploited by hackers using buffer overflow techniques.
B. A brute force attack is used to crack passwords, but this is not related to coding standards.
C. A distributed denial-of-service (DDoS) attack floods its target with numerous packets, to prevent it from responding to legitimate requests. This is not related to coding standards.
D. War dialing uses modem-scanning tools to hack private branch exchanges (PBXs) or other telecommunications services.

An IS auditor is conducting a postimplementation review of an enterprise's network. Which of the following findings would be of MOST concern?
Select an answer:
A. Wireless mobile devices are not password-protected.
B.
Default passwords are not changed when installing network devices. review subsequent program change requests. - CORRECT ANSWER You are correct, the answer is C. A. The IS auditor should check whether user feedback has been provided, but this is not the most important area for audit. B. It is important to assess the effectiveness of the project; however, assuring that the production environment is adequately controlled after the implementation is of primary concern. C. Because management is assuming that the implementation went well, the primary focus of the IS auditor is to test the controls built into the application to assure that they are functioning as designed. D. Reviewing change requests may be a good idea, but this is more important if the application is perceived to have a problem. Management observed that the initial phase of a multiphase implementation was behind schedule and over budget. Prior to commencing with the next phase, an IS auditor's PRIMARY suggestion for a postimplementation focus should be to: Select an answer: A. assess whether the planned cost benefits are being measured, analyzed and reported. B. review control balances and verify that the system is processing data accurately. C. review the impact of program changes made during the first phase on the remainder of the project. D. determine whether the system's objectives were achieved. - CORRECT ANSWER You answered D. The correct answer is C. A. While all choices are valid, the postimplementation focus and primary objective should be understanding the impact of the problems in the first phase on the remainder of the project. B. The review should assess whether the control is working correctly, but should focus on the problems that led to project overruns in budget and time. C. Because management is aware that the project had problems, reviewing the subsequent impact will provide insight into the types and potential causes of the project issues. 
This will help to identify whether IT has adequately planned for those issues in subsequent projects.
D. Ensuring that the system works is a primary objective for the IS auditor, but in this case, because the project planning was a failure, the IS auditor should focus on the reasons for, and impact of, the failure.

The PRIMARY objective of conducting a postimplementation review for a business process automation project is to:
A. ensure that the project meets the intended business requirements.
B. evaluate the adequacy of controls.
C. confirm compliance with technological standards.
D. confirm compliance with regulatory requirements.
CORRECT ANSWER: A.
A. Ensuring that the project meets the intended business requirements is the primary objective of a postimplementation review.
B. Evaluating the adequacy of controls may be part of the review but is not the primary objective.
C. Confirming compliance with technological standards is normally not part of the postimplementation review because this should be addressed during the design and development phase.
D. Confirming compliance with regulatory requirements is normally not part of the postimplementation review because this should be addressed during the design and development phase.

Which of the following BEST helps an IS auditor assess and measure the value of a newly implemented system?
A. Review of business requirements
B. System certification
C. Postimplementation review
D. System accreditation
CORRECT ANSWER: C.
A. While reviewing the business requirements is important, only a postimplementation review provides evidence that the project met the business requirements.
B. System certification involves performing a comprehensive assessment against a standard of management, operational and technical controls in an information system to examine the level of compliance in meeting certain requirements such as standards, policies, processes, procedures, work instructions and guidelines.

A. diversified control makes ownership irrelevant.
B. staff traditionally changes jobs with greater frequency.
C. ownership is difficult to establish where resources are shared.
D. duties change frequently in the rapid development of technology.
CORRECT ANSWER: C.
A. Ownership is required to ensure that someone has responsibility for the secure and proper operation of a system and the protection of data.
B. The movement of staff is not a serious issue because the responsibility should be linked to a job description, not an individual.
C. The actual data and/or application owner may be hard to establish because of the complex nature of both data and application systems, and many systems support more than one business department.
D. Duties may change frequently, but that does not absolve the organization of having a declared owner for systems and data.

Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A. pre-BPR process flowcharts.
B. post-BPR process flowcharts.
C. BPR project plans.
D. continuous improvement and monitoring plans.
CORRECT ANSWER: B.
A. An IS auditor must review the process as it is today, not as it was in the past.
B. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process.
C. Business process reengineering (BPR) project plans are a step within a BPR project.
D. Continuous improvement and monitoring plans are steps within a BPR project.
When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify?
A. The risk associated with the use of the products is periodically assessed.
B. The latest version of software is listed for each product.
C. Due to licensing issues, the list does not contain open source software.
D. After-hours support is offered.
CORRECT ANSWER: A.
A. Because the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may be best incorporated into the IT risk management process.
B. The organization may not be using the latest version of a product.
C. The list may contain open source software, depending on the business requirements and associated risk.
D. Support may be provided internally or externally, and technical support should be arranged depending on the criticality of the software.

Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?
A. Utilization reports
B. Hardware error reports
C. System logs
D. Availability reports
CORRECT ANSWER: D.
A. Utilization reports document the use of computer equipment and can be used by management to predict how, where and/or when resources are required.
B. Hardware error reports provide information to aid in detecting hardware failures and initiating corrective action. These error reports may not indicate actual system uptime.
C. System logs are used for recording the system's activities. They may not indicate availability.
D. IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes.

B. Switches are at a low level of network security and transmit a packet to the device to which it is addressed. This reduces the ability of one device to capture the packets that are meant for another device.
C. Routers allow packets to be given or denied access based on the addresses of the sender and receiver and the type of packet.
D. Firewalls are a collection of computer and network equipment used to allow communications to flow out of the organization and restrict communications flowing into the organization.

When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A. the good practices for the type of network devices deployed.
B. whether components of the network are missing.
C. the importance of the network devices in the topology.
D. whether subcomponents of the network are being used appropriately.
CORRECT ANSWER: C.
A. After understanding the devices in the network, a good practice for using the device should be reviewed to ensure that there are no anomalies within the configuration.
B. Identification of which component is missing can only be known upon reviewing and understanding the topology and a good practice for deployment of the device in the network.
C. The first step is to understand the importance and role of the network device within the organization's network topology.
D. Identification of which subcomponent is being used inappropriately can only be known upon reviewing and understanding the topology and a good practice for deployment of the device in the network.

There are several methods of providing telecommunication continuity. The method of routing traffic through split cable or duplicate cable facilities is called:
A. alternative routing.
B. diverse routing.
C. long-haul network diversity.
D. last-mile circuit protection.
CORRECT ANSWER: B.
A. Alternative routing is a method of routing information via an alternate medium such as copper cable or fiber optics. This involves the use of different networks, circuits or end points should the normal network be unavailable.
B. Diverse routing routes traffic through split-cable facilities or duplicate-cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual-entrance facilities. This type of access is time consuming and costly.
C. Long-haul network diversity is a diverse, long-distance network utilizing different packet switching circuits among the major long-distance carriers. It ensures long-distance access should any carrier experience a network failure.
D. Last-mile circuit protection is a redundant combination of local carrier T-1s (E-1s in Europe), microwave and/or coaxial cable access to the local communications loop. This enables the facility to have access during a local carrier communication disaster. Alternate local-carrier routing is also utilized.

A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines (ATMs). Which of the following would be the BEST contingency plan for the communications processor?
A. Reciprocal agreement with another organization
B. Alternate processor in the same location
C. Alternate processor at another network node
D. Installation of duplex communication links
CORRECT ANSWER: C.
A. Reciprocal agreements make an organization dependent on the other organization and raise privacy, competition and regulatory issues.
B. Having an alternate processor in the same location resolves the equipment problem, but would not be effective if the failure was caused by environmental conditions (i.e., power disruption).
C. The unavailability of the central communications processor would disrupt all access to the banking network. This could be caused by an equipment, power or

B. The physical security of the service provider site
C. The draft service level agreement (SLA) with the service provider
D. Background checks of the service provider's employees
CORRECT ANSWER: C.
A. A due diligence activity such as reviewing references from other clients is a good practice, but the service level agreement (SLA) would be most critical because it would define what specific levels of performance would be required and make the provider contractually obligated to deliver what was promised.
B. A due diligence activity such as reviewing physical security controls is a good practice, but the SLA would be most critical because it would define what specific levels of security would be required and make the provider contractually obligated to deliver what was promised.
C. When contracting with a service provider, it is a good practice to enter into an SLA with the provider. An SLA is a guarantee that the provider will deliver the services according to the contract. The IS auditor will want to ensure that performance and security requirements are clearly stated in the SLA.
D. A due diligence activity such as the use of background checks for the service provider's employees is a good practice, but the SLA would be most critical because it would define what specific levels of security and labor practices would be required and make the provider contractually obligated to deliver what was promised.
An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a:
A. transition clause from the old supplier to a new supplier in the case of expiration or termination.
B. late payment clause between the customer and the supplier.
C. contractual commitment for service improvement.
D. dispute resolution procedure between the contracting parties.
CORRECT ANSWER: A.
A. The delivery of IT services for a specific customer always implies a close linkage between the client and the supplier of the service. If there are no contract terms to specify how the transition to a new supplier may be performed, there is the risk that the old supplier may simply "pull the plug" if the contract expires or is terminated, or may not make data available to the outsourcing organization or new supplier. This would be the greatest risk to the organization.
B. Contractual issues regarding payment, service improvement and dispute resolution are important but not as critical as protecting against service disruption, data loss, data retention problems or other significant events if the organization switches to a new firm providing outsourced services.
C. The service level agreement (SLA) should address performance requirements and metrics to report on the status of services provided, but it does not necessarily address commitment for performance improvement.
D. The SLA should address a dispute resolution procedure and specify the jurisdiction in case of a legal dispute, but this is not the most critical part of an SLA.

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
A. A clause providing a "right to audit" the service provider
B. A clause defining penalty payments for poor performance
C. Predefined service level report templates
D. A clause regarding supplier limitation of liability
CORRECT ANSWER: A.
A. The absence of a "right to audit" clause or other form of attestation that the supplier was compliant with a certain standard would potentially prevent the IS auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance and adherence to legal requirements. This would be a major concern for the IS auditor because it would be difficult for the organization to assess whether the appropriate controls had been put in place.
B. While a clear definition of penalty payment terms is desirable, not all contracts require the payment of penalties for poor performance, and when performance penalties are required, these penalties are often subject to negotiation on a case-by-case basis. As such, the absence of this information would not be as significant as a lack of right to audit.
C. While the inclusion of service level report templates would be desirable, as long as the requirement for service level reporting is included in the contract, the absence of predefined templates for reporting is not a significant concern.
D. The absence of a limitation of liability clause for the service provider would, theoretically, expose the provider to unlimited liability. This would be to the advantage of the outsourcing company so, while the IS auditor might highlight the absence of such a clause, it would not constitute a major concern.

B. Report the existence of the undocumented agreement to senior management.
C. Confirm the content of the agreement with both departments.
D. Draft a service level agreement (SLA) for the two departments.
CORRECT ANSWER: C.
A. There is no reason to postpone an audit because a service agreement is not documented, unless that is all that is being audited. The agreement can be documented after it has been established that there is an agreement in place.
B. Reporting to senior management is not necessary at this stage of the audit because this is not a serious immediate vulnerability.
C. An IS auditor should first confirm and understand the current practice before making any recommendations. Part of this will be to ensure that both parties are in agreement with the terms of the agreement.
D. Drafting a service level agreement (SLA) is not the IS auditor's responsibility.

Which of the following reports is the MOST appropriate source of information for an IS auditor to validate that an Internet service provider (ISP) has been complying with an enterprise service level agreement (SLA) for the availability of outsourced telecommunication services?
A. Downtime reports on the telecommunication services generated by the ISP
B. A utilization report of automatic failover services generated by the enterprise
C. A bandwidth utilization report provided by the ISP
D. Downtime reports on the telecommunication services generated by the enterprise
CORRECT ANSWER: D.
A. The Internet service provider (ISP)-generated downtime reports are produced by the same entity that is being monitored. As a result, it will be necessary to review these reports for possible bias and/or errors against other data.
B. The information provided by these reports is indirect evidence of the extent to which the backup telecommunication services were used. These reports may not indicate compliance with the service level agreement (SLA), just that the failover systems had been used.
C. Utilization reports are used to measure the usage of bandwidth, not uptime.
D. The enterprise should use internally generated downtime reports to monitor the service provided by the ISP and, as available, to compare with the reports provided by the ISP.

An IS auditor reviewing a cloud computing environment managed by a third party should be MOST concerned when:
A. the organization is not permitted to assess the controls in the participating vendor's site.
B. the service level agreement (SLA) does not address the responsibility of the vendor in the case of a security breach.
C. laws and regulations are different in the countries of the organization and the vendor.
D. the organization is using an older version of a browser and is vulnerable to certain types of security risk.
CORRECT ANSWER: B.
A. The IS auditor has no role to play if the contract between the parties does not provide for assessment of controls in the other vendor's site.
B. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.
C. The IS auditor should ensure that the contract addresses the differing laws and regulations in the countries of the organization and the vendor, but having different laws and regulations is not a problem in itself.
D. The IS auditor can make suggestions to the audited entity to use appropriate patches or to switch over to safer browsers, and the IS auditor can follow up on the action taken.
An IS auditor is assessing services provided by an Internet service provider (ISP) during an IS compliance audit of a nationwide corporation that operates a governmental program. Which of the following is MOST important?
A. Review the request for proposal (RFP).
B. Review monthly performance reports generated by the ISP.
C. Review the service level agreement (SLA).

B. Implementing an online polling tool to monitor and record application outages is the best option for an organization to monitor application availability. Comparing internal reports with the vendor's service level agreement (SLA) reports would ensure that the vendor's monitoring of the SLA is accurate and that all conflicts are appropriately resolved.
C. Logging the outage times reported by users is helpful, but does not give a true picture of all outages of the online application. Some outages may go unreported, especially if the outages are intermittent.
D. Contracting a third party to implement availability monitoring is not a cost-effective option. Additionally, this results in a shift from monitoring the SaaS vendor to monitoring the third party.

The PRIMARY benefit of an IT manager monitoring technical capacity is to:
A. identify the need for new hardware and storage procurement.
B. determine the future capacity need based on usage.
C. ensure that the service level agreement (SLA) requirements are met.
D. ensure that systems operate at optimal capacity.
CORRECT ANSWER: C.
A. This is one benefit of monitoring technical capacity because it can help forecast future demands, not just react to system failures. However, the primary responsibility of the IT manager is to meet the overall requirement to ensure that IT is meeting the service level expectations of the business.
B. Determining future capacity is one definite benefit of technical capacity monitoring.
C. Capacity monitoring has multiple objectives; however, the primary objective is to ensure compliance with the internal service level agreement (SLA) between the business and IT.
D. IT management is interested in ensuring that systems are operating at optimal capacity, but their primary obligation is to ensure that IT is meeting the service level requirements of the business.

Determining the service delivery objective (SDO) should be based PRIMARILY on:
A. the minimum acceptable operational capability.
B. the cost-effectiveness of the restoration process.
C. meeting the recovery time objectives (RTOs).
D. the allowable interruption window (AIW).
CORRECT ANSWER: A.
A. The service delivery objective (SDO) is the level of service to be reached during the alternate process mode until the normal situation is restored. This is directly related to the business needs.
B. The cost-effectiveness of the restoration process is not the main consideration in determining the SDO.
C. Meeting the recovery time objectives (RTOs) may be one of the considerations in determining the SDO, but it is a secondary factor.
D. The allowable interruption window (AIW) may be one of the factors secondary to determining the SDO.

Which of the following should be of PRIMARY concern to an IS auditor reviewing the management of external IT service providers?
A. Minimizing costs for the services provided
B. Prohibiting the provider from subcontracting services
C. Evaluating the process for transferring knowledge to the IT department
D. Determining if the services were provided as contracted
CORRECT ANSWER: D.
A. Minimizing costs, if applicable and achievable (depending on the customer's need), is traditionally not part of an IS auditor's job. This would normally be done by a line management function within the IT department.
Furthermore, during an audit, it is too late to minimize the costs for existing provider arrangements.
B. Subcontracting providers could be a concern but would not be the primary concern. This should be addressed in the contract.
C. Transferring knowledge to the internal IT department might be desirable under certain circumstances, but should not be the primary concern of an IS auditor when auditing IT service providers and the management thereof.
D. From an IS auditor's perspective, the primary objective of auditing the management of service providers should be to determine if the services that were requested were provided in a way that is acceptable, seamless and in line with contractual agreements.

In a contract with a hot, warm or cold site, contractual provisions should PRIMARILY cover which of the following considerations?

A. If one organization updates its hardware and software configuration, it may mean that it is no longer compatible with the systems of the other party in the agreement. This may mean that each company is unable to use the facilities at the other company to recover its processing following a disaster.
B. Resources being unavailable when needed is an intrinsic risk in any reciprocal agreement, but this is a contractual matter and is not the greatest risk.
C. The plan can be tested by paper-based walk-throughs and possibly by agreement between the companies.
D. The difference in security infrastructures, while a risk, is not insurmountable.

An organization is planning to deploy an outsourced cloud-based application that is used to track job applicant data for the human resources (HR) department. Which of the following should be the GREATEST concern to an IS auditor?
A. The service level agreement (SLA) ensures strict limits for uptime and performance.
B. The cloud provider will not agree to an unlimited right-to-audit as part of the SLA.
C. The SLA is not explicit regarding the disaster recovery plan (DRP) capabilities of the cloud provider.
D. The cloud provider's data centers are in multiple cities and countries.
CORRECT ANSWER: D.
A. While this application may have strict requirements for availability, it is assumed that the service level agreement (SLA) would contain these same elements; therefore, this is not a concern.
B. The right-to-audit clause is good to have, but there are limits on how a cloud service provider may interpret this requirement. The task of reviewing and assessing all the controls in place at a multinational cloud provider would likely be a costly and time-consuming exercise; therefore, such a requirement may be of limited value.
C. Because the SLA would normally specify uptime requirements, the means used to achieve those goals (which would include the specific disaster recovery plan (DRP) capabilities of the provider) are typically not reviewed in depth by the customer, nor are they typically specified in an SLA.
D. Having data in multiple countries is the greatest concern because human resources (HR) applicant data could contain personally identifiable information (PII). There may be legal compliance issues if these data are stored in a country with different laws regarding data privacy. While the organization would be bound by the privacy laws where it is based, it may not have legal recourse if a data breach happens in a jurisdiction where the same laws do not apply.

While performing a review of a critical third-party application, an IS auditor would be MOST concerned with discovering:
A. inadequate procedures for ensuring adequate system portability.
B. inadequate operational documentation for the system.
C. an inadequate alternate service provider listing.
D. an inadequate software escrow agreement.
CORRECT ANSWER: D.
A. Procedures to ensure that systems are developed so that they can be ported to other system platforms will help ensure that the system can continue functioning without affecting the business process if changes to the infrastructure occur. This is less important than availability of the software.
B. Inadequate operational documentation is a risk but would be less significant than the risk of unavailability of the software.
C. While alternate service providers could be used if a vendor goes out of business, having access to the source code via a software escrow agreement is more important.
D. The inclusion of a clause in the agreement that requires software code to be placed in escrow helps to ensure that the customer can continue to use the software and/or obtain technical support if a vendor were to go out of business.

Which of the following assures an enterprise of the existence and effectiveness of internal controls relative to the service provided by a third party?
A. The current service level agreement (SLA)
B. A recent external audit report
C. The current business continuity plan (BCP) procedures
D. A recent disaster recovery plan (DRP) test report
CORRECT ANSWER: B.
A. A service level agreement (SLA) defines the contracted level of service; however, it would not provide assurance related to internal controls.

To verify that the correct version of a data file was used for a production run, an IS auditor should review:
A. operator problem reports.
B. operator work schedules.
C. system logs.
D. output distribution reports.
CORRECT ANSWER: C.
A. Operator problem reports are used by operators to log computer operation problems.
B. Operator work schedules are maintained to assist in human resource planning.
C. System logs are automated reports that identify most of the activities performed on the computer. Programs that analyze the system log have been developed to report on specifically defined items. The IS auditor can then carry out tests to ensure that the correct file version was used for a production run.
D. Output distribution reports identify all application reports generated and their distribution.

The MAIN reason for requiring that all computer clocks across an organization be synchronized is to:
A. prevent omission or duplication of transactions.
B. ensure smooth data transition from client machines to servers.
C. ensure that email messages have accurate time stamps.
D. support the incident investigation process.
CORRECT ANSWER: D.
A. Omission or duplication of transactions will not result from a lack of clock synchronization.
B. Data transfer has nothing to do with the time stamp.
C. While the time stamp on an email may not be accurate, this is not a significant issue.
D. During an investigation of incidents, audit logs are used as evidence, and the time stamp information in them is useful. If the clocks are not synchronized, investigations will be more difficult because a time line of events occurring on different systems might not be easily established.

An IS auditor discovers that some hard drives disposed of by an enterprise were not sanitized in a manner that would reasonably ensure the data could not be recovered. In addition, the enterprise does not have a written policy on data disposal. The IS auditor should FIRST:
A. draft an audit finding and discuss it with the auditor in charge.
B. determine the sensitivity of the information on the hard drives.
C. discuss with the IT manager the good practices in data disposal.
D. develop an appropriate data disposal policy for the enterprise.
CORRECT ANSWER: B.
A. Drafting a finding without a quantified risk would be premature.
B. Even though a policy is not available, the IS auditor should make a determination as to the nature of the information on the hard drives to quantify, as much as possible, the risk.
C. It would be premature to discuss good practices with the IT manager until the extent of the incident has been quantified.
D. An IS auditor should not develop policies.

Which one of the following could be used to provide automated assurance that proper data files are being used during processing?
A. File header record
B. Version usage
C. Parity checking
D. File security controls
CORRECT ANSWER: A.
A. A file header record provides assurance that proper data files are being used, and it allows for automatic checking.
B. Although version usage provides assurance that the correct file and version are being used, it does not allow for automatic checking.

C. Because the system was developed outside the organization, the IT department may not have the necessary skills and resources to develop patches.
D. Suitable patches from the existing developers should be selected and tested before applying them.

An IS auditor notes that patches for the operating system used by an organization are deployed by the IT department as advised by the vendor. The MOST significant concern an IS auditor should have with this practice is that IT has NOT considered:
A. the training needs for users after applying the patch.
B. any beneficial impact of the patch on the operational systems.
C. delaying deployment until testing the impact of the patch.
D. the necessity of advising end users of new patches.
CORRECT ANSWER: C.
A. Normally, there is no need for training users when a new operating system patch has been installed.
B. Any beneficial impact is less important than the risk of unavailability, which could be avoided with proper testing.
C. Deploying patches without testing exposes an organization to the risk of system disruption or failure.
D. Normally, there is no need for advising users when a new operating system patch has been installed, except to ensure that the patch is applied at a time that will have minimal impact on operations.

Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?
A. Built-in alternative routing
B. Complete full system backup daily
C. A repair contract with a service provider
D. A duplicate machine alongside each server
CORRECT ANSWER: A.
A. Alternative routing would ensure that the network would continue if a communication device fails or if a link is severed, because message rerouting could be automatic.
B. System backup will not afford protection for a networking failure.
C. The repair contract will almost always result in some lost time and is not as effective as permanent alternative routing.
D. Standby servers will not provide continuity if a link is severed.

An enterprise uses privileged accounts to process configuration changes for mission-critical applications. Which of the following would be the BEST and appropriate control to limit the risk in such a situation?
A. Ensure that audit trails are accurate and specific.
B. Ensure that personnel have adequate training.
C. Ensure that personnel background checks are performed for critical personnel.
D. Ensure that supervisory approval and review are performed for critical changes.
CORRECT ANSWER: D.
A. Audit trails are a detective control and, in many cases, can be altered by those with privileged access.
B. Staff proficiency is important and good training may be somewhat of a deterrent, but supervisory approval and review is the best choice.
C. Performing background checks is a very basic control and will not effectively prevent or detect errors or malfeasance.
D. Supervisory approval and review of critical changes by the accountable managers in the enterprise are required to avoid and detect any unauthorized change. In addition to authorization, supervision enforces a separation of duties and prevents an unauthorized attempt by any single employee.

During an IS audit of a bank, the IS auditor is assessing whether the enterprise properly manages staff member access to the operating system. The IS auditor should determine whether the enterprise performs:
A. periodic review of user activity logs.
B. verification of user authorization at the field level.
C. review of data communication access activity logs.

B. Transactional business data loss is determined by data backup frequency and, consequently, the backup schedule.
C. The vendor must abide by the terms of the contract, and those should include compliance with the privacy policies of the organization, but the lack of application owner involvement is the most important concern.
D. The greatest risk of making a change to the maintenance of critical systems is that the change could have an adverse impact on a critical business process. While there is a benefit in selecting a less expensive maintenance vendor, the resolution time must be aligned with the needs of the business.

During the review of an enterprise's preventive maintenance process for systems at a data center, the IS auditor has determined that adequate maintenance is being performed on all critical computing, power and cooling systems. Additionally, it is MOST important for the IS auditor to ensure that the organization:
A. has performed background checks on all service personnel.
B. escorts service personnel at all times when performing their work.
C. performs maintenance during noncritical processing times.
D. independently verifies that maintenance is being performed.
CORRECT ANSWER: C.
A.
While the trustworthiness of the service personnel is important, it is normal practice for these individuals to be escorted and supervised by the data center personnel. It is also expected that the service provider would perform this background check, not the customer. B. Escorting service personnel is common and a good practice, but the greater risk in this case would be if work were performed during critical processing times. C. The biggest risk to normal operations in a data center would be if an incident or mishap were to happen during critical peak processing times; therefore, it would be prudent to ensure that no type of system maintenance be performed at these critical times. D. It is possible that the service provider is performing inadequate maintenance; therefore, this issue may need to be investigated; however, the bigger risk is maintenance being performed at critical processing times. Which of the following is an object-oriented technology characteristic that permits an enhanced degree of security over data? Select an answer: A. Inheritance B. Dynamic warehousing C. Encapsulation D. Polymorphism - CORRECT ANSWER You answered A. The correct answer is C. A. In object-oriented systems an object is called by another module and inherits its data from the calling module. This does not affect security. B. Dynamic warehousing is not related to the security of object-oriented technology. C. Encapsulation is a property of objects, and it prevents accessing either properties or methods that have not been previously defined as public. This means that any implementation of the behavior of an object is not accessible. An object defines a communication interface with the exterior and only that which belongs to that interface can be accessed. D. Polymorphism is the principle of creating different objects that will behave differently depending on the input. This is not a security feature. An IS auditor finds out-of-range data in some tables of a database. 
Which of the following controls should the IS auditor recommend to avoid this situation? Select an answer: A. Log all table update transactions. B. Implement before-and-after image reporting. C. Use tracing and tagging. D. Implement integrity constraints in the database. - CORRECT ANSWER You are correct, the answer is D. A. Logging all table update transactions is a detective control that would not help avoid invalid data entry. B. Implementing before-and-after image reporting is a detective control that would not help avoid the situation. C. Tracing and tagging are used to test application systems and controls and could not prevent out-of-range data. D. Implementing integrity constraints in the database is a preventive control because data are checked against predefined tables or rules, preventing any undefined data from being entered.