Common Technical Interview Questions and Answers, updated on February 23, 2020

Question 141: An auditor has delivered a Sarbanes-Oxley audit report containing 12 exceptions to the audit client, who disagrees with the findings. The audit client is upset and is asking the auditor to remove any six findings from the report in exchange for a payment of $25,000. A review of the audit findings resulted in the confirmation that all 12 findings are valid. How should the auditor proceed?
A. The auditor should report the matter to his or her manager.
B. The auditor should reject the payment and meet the auditee halfway by removing three of the findings.
C. The auditor should reject the payment and remove six of the findings.
D. The auditor should report the incident to the audit client’s audit committee.
Correct Answer: A. The auditor should report the matter to his or her manager.
Explanation: The auditor should first report the matter to his or her manager, who will in turn decide how to handle it. More than likely, the audit manager will notify the audit client’s audit committee, who can decide to refer the matter to regulatory authorities.

“The auditor should reject the payment and meet the auditee halfway by removing three of the findings” and “The auditor should reject the payment and remove six of the findings” are incorrect because the auditor should stand by the report and not make any changes to it. “The auditor should report the incident to the audit client’s audit committee” is incorrect because a better course of action is to first notify his or her manager, who will decide how to handle the matter further.

Question 142: An auditor is auditing a change control process. During a walkthrough, the control owner described the process as follows: “Engineers plan their changes and send an e-mail about their changes to the IT manager before 5 p.m. on Wednesday. The engineers then proceed with their changes during the change window on Friday evening.” What, if any, findings should the auditor identify?
A. The change control process is fine as is, but could be improved by creating a ledger of changes.
B. The change control process is fine as is.
C. The change control process lacks a review step.
D. The change control process lacks review and approval steps.
Correct Answer: D. The change control process lacks review and approval steps.
Explanation: The change control process lacks a step where requested changes are reviewed, discussed, and approved. As it stands, it appears that engineers unilaterally decide what changes to make.

“The change control process is fine as is, but could be improved by creating a ledger of changes” is incorrect because the process lacks an approval step. “The change control process is fine as is” is incorrect because the process should include an approval step. “The change control process lacks a review step” is incorrect because the more important finding is the lack of an approval step.

Question 143: An auditor is selecting samples from records in the user access request process. While privileged access requests account for approximately 5 percent of all access requests, the auditor wants 20 percent of the samples to be requests for administrative access. What sampling technique has the auditor selected?
A. Judgmental sampling
B. Stratified sampling
C. Statistical sampling
D. Variable sampling
Correct Answer: B. Stratified sampling
Explanation: This is stratified sampling, where an auditor is selecting samples from various classes or values — in this case, higher-risk privileged accounts.

“Judgmental sampling” is incorrect because the auditor is not examining samples to be selected. “Statistical sampling” is incorrect because statistical sampling would result in about 5 percent of the selected samples being related to privileged access requests. “Variable sampling” is incorrect because variable sampling is used to estimate conclusions about the evidence population.

Question 144: According to the cover story on the role of AI in analytics, in recent studies and surveys on cybersecurity:
A. Capgemini found that the majority of senior IT and cybersecurity professionals trust AI’s ability to accurately detect breaches.
B. Meticulous Research forecasted an annual growth rate of 23.6% over the next seven years in the AI cybersecurity market.
C. Deloitte found that nearly three-quarters of respondents consider AI “critically” or “very” important to their business.
D. all of the above.
Correct Answer: D. all of the above.

Question 145: A June 2020 report by VMware Carbon Black identified the three fastest-rising COVID-19 cyber threats as:
A. COVID-19-related malware, phishing emails and cellphone tower impersonation.
B. COVID-19-related malware, brute-force attacks and reverse engineering.
C. COVID-19-related malware, phishing emails and masquerading.
D. COVID-19-related ransomware, computer camera hacking and phishing emails.
Correct Answer: C. COVID-19-related malware, phishing emails and masquerading.

Question 146: In the cover story on the role of AI in analytics, experts and users say AI’s most valuable capabilities include:
A. the ability to learn from real-time feeds to flag novel threats.
B. the ability to identify threat intelligence patterns that fall outside the parameters of “acceptable” or “safe” activities.
C. the ability to fine-tune and learn the security nuances of a particular organization.
D. all of the above.
Correct Answer: D. all of the above.

Question 147: In our feature on IoT security risks, experts say organizations should verify IoT devices’ security and identify their potential vulnerabilities. This is essential because:
A. many IoT systems have default configurations that are insecure; moreover, rebooting or reinitialization processes can often return a system to those default configurations.
B. backdoors and other vulnerabilities are often inserted into IoT components for data-gathering and other purposes.
C. both.
D. neither.
Correct Answer: C. both.

Question 148: Rich Mogull of DisruptOps recommended that CISOs take these three strategic steps to respond to the 2020 shift to a WFH model:
A. take stock of the new cybersecurity reality for your business; respond rapidly to quickly close the main security gaps; start rebuilding by accepting the new reality and working out long-term initiatives.
B. set up more VPN servers than you expect to need; avoid cloud for now, due to rising cyber attacks on that tech; start planning now even though it will be more like 2022 before business as usual returns.
C. launch a cybersecurity training program for all employees; require MFA on every device that connects to the enterprise network; accelerate any digital transformation programs.
D. none of the above.
Correct Answer: A. take stock of the new cybersecurity reality for your business; respond rapidly to quickly close the main security gaps; start rebuilding by accepting the new reality and working out long-term initiatives.

Question 149: When it comes to third parties and IoT security, the author of the November feature story advised an organization to:
A. use only vendors who can be trusted to vet the third parties they outsource to.
B. be sure that the network hosting IoT devices possesses strong authentication and network controls that limit access to the IoT environment.
C. both.
D. neither.
Correct Answer: B. be sure that the network hosting IoT devices possesses strong authentication and network controls that limit access to the IoT environment.

Question 150: According to ISACA’s 2020 “Covid-19 Study,” nearly 90% of IT professionals blame the pandemic-induced shift to the WFH model for a rise in data privacy and protection problems.
A. True
B. False
Correct Answer: A. True