140. c. Scavenging is obtaining information that may be left in or around a computer system after the execution of a job. Data diddling involves changing data before or during input to computers or during output from a computer system. The salami technique is theft of small amounts of assets (primarily money) from a number of sources. Piggybacking can be done physically or electronically. Both methods involve gaining access to a controlled area without authorization.
141. An exception-based security report is an example of which of the following?
a. Preventive control
b. Detective control
c. Corrective control
d. Directive control
141. c. Detecting an exception in a transaction or process is detective in nature, but reporting it is an example of a corrective control. Neither preventive nor directive controls detect or correct an error; they simply stop it from occurring, if possible.
142. There is a possibility that incompatible functions may be performed by the same individual either in the IT department or in the user department. One compensating control for this situation is the use of:
a. Log
b. Hash totals
c. Batch totals
d. Check-digit control
142. a. A log, preferably a computer log, records the actions or inactions of an individual during his access to a computer system or a data file. If any abnormal activities occur, the log can be used to trace them. The purpose of a compensating control is to balance weak controls with strong ones. The other three choices are examples of application system-based specific controls that are not tied to an individual's actions, as a log is.
143. When an IT auditor becomes reasonably certain about a case of fraud, what should the auditor do next?
a. Say nothing now because it should be kept secret.
b. Discuss it with the employee suspected of fraud.
c. Report it to law enforcement officials.
d. Report it to company management.
143. d. In fraud situations, the auditor should proceed with caution. When certain about a fraud, he should report it to company management, not to external organizations. The auditor should not talk to the employee suspected of fraud. When the auditor is not certain about a fraud, he should talk to audit management.
144. An effective relationship between risk level and internal control level is which of the following?
a. Low risk and strong controls
b. High risk and weak controls
c. Medium risk and weak controls
d. High risk and strong controls
144. d. There is a direct relationship between the risk level and the control level. That is, high-risk situations require stronger controls, low-risk situations require weaker controls, and medium-risk situations require medium controls. A control is defined as the policies, practices, and organizational structure designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented, or detected and corrected. Controls should facilitate the accomplishment of an organization's objectives.
145. Incident handling is not closely related to which of the following?
a. Contingency planning
b. System support
c. System operations
d. Strategic planning
145. d. Strategic planning involves long-term and major issues, such as management of the computer security program and management of risks within the organization. It is not closely related to incident handling, which is a minor issue by comparison.
Incident handling is closely related to contingency planning, system support, and system operations. An incident handling capability may be viewed as a component of contingency planning because it provides the ability to react quickly and efficiently to disruptions in normal processing. Broadly speaking, contingency planning addresses events with the potential to interrupt system operations. Incident handling can be considered that portion of contingency planning that responds to malicious technical threats.
146. In which of the following areas do the objectives of systems auditors and information systems security officers overlap the most?
a. Determining the effectiveness of security-related controls
b. Evaluating the effectiveness of communicating security policies
c. Determining the usefulness of raising security awareness levels