CA Foundation Business Economics Questions 2023 - Part 32
Fri, 03 Mar 2023
1. While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the:
A) requirement for protecting confidentiality of information could be compromised.
B) contract may be terminated because prior permission from the outsourcer was not obtained.
C) other service provider to whom work has been outsourced is not subject to audit.
D) outsourcer will approach the other service provider directly for further work.
2. Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?
A) Security incident summaries
B) Vendor best practices
C) CERT coordination center
D) Significant contracts
3. An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement(SLA) between the organization and vendor should be the provisions for:
A) documentation of staff background checks.
B) independent audit reports or full audit access.
C) reporting the year-to-year incremental cost reductions.
D) reporting staff turnover, development or training.
4. Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
A) meets or exceeds industry security standards.
B) agrees to be subject to external security reviews.
C) has a good market reputation for service and experience.
D) complies with security policies of the organization.
5. The risks associated with electronic evidence gathering would MOST likely be reduced by an e- mail:
A) destruction policy.
B) security policy.
C) archive policy.
D) audit policy.
A) requirement for protecting confidentiality of information could be compromised.
B) contract may be terminated because prior permission from the outsourcer was not obtained.
C) other service provider to whom work has been outsourced is not subject to audit.
D) outsourcer will approach the other service provider directly for further work.
2. Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?
A) Security incident summaries
B) Vendor best practices
C) CERT coordination center
D) Significant contracts
3. An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement(SLA) between the organization and vendor should be the provisions for:
A) documentation of staff background checks.
B) independent audit reports or full audit access.
C) reporting the year-to-year incremental cost reductions.
D) reporting staff turnover, development or training.
4. Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:
A) meets or exceeds industry security standards.
B) agrees to be subject to external security reviews.
C) has a good market reputation for service and experience.
D) complies with security policies of the organization.
5. The risks associated with electronic evidence gathering would MOST likely be reduced by an e- mail:
A) destruction policy.
B) security policy.
C) archive policy.
D) audit policy.
1. Right Answer: A
Explanation: Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. Where a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised.Choices B and C could be concerns but are no related to ensuring the confidentiality of information. There is no reason why an IS auditor should be concerned with choice D.
2. Right Answer: D
Explanation: Contractual requirements are one of the sources that should be consulted to identify the requirements for the management of information assets. Vendor best practices provides a basis for evaluating how competitive an enterprise is, while security incident summaries are a source for assessing the vulnerabilities associated with the IT infrastructure. CERT {www.cert.org) is an information source for assessing vulnerabilities within the IT infrastructure.
3. Right Answer: B
Explanation: When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.
4. Right Answer: B
Explanation: It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that that is the case without an independent review. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak.
5. Right Answer: C
Explanation: With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records.Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.
Explanation: Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. Where a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised.Choices B and C could be concerns but are no related to ensuring the confidentiality of information. There is no reason why an IS auditor should be concerned with choice D.
2. Right Answer: D
Explanation: Contractual requirements are one of the sources that should be consulted to identify the requirements for the management of information assets. Vendor best practices provides a basis for evaluating how competitive an enterprise is, while security incident summaries are a source for assessing the vulnerabilities associated with the IT infrastructure. CERT {www.cert.org) is an information source for assessing vulnerabilities within the IT infrastructure.
3. Right Answer: B
Explanation: When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.
4. Right Answer: B
Explanation: It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that that is the case without an independent review. Though long experience in business and good reputation is an important factor to assess service quality, the business cannot outsource to a provider whose security control is weak.
5. Right Answer: C
Explanation: With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records.Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.
0 Comments
Leave a comment
Categories
Recent posts
CA Foundation Business Economics Questions 2023 - Part 31
Fri, 03 Mar 2023
CA Foundation Business Economics Questions 2023 - Part 30
Fri, 03 Mar 2023
