Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 123

  1. Calculation of the recovery time objective (RTO) is necessary to determine the:

    • time required to restore files.
    • annual loss expectancy (ALE).
    • point of synchronization.
    • priority of restoration.
  2. Which of the following metrics BEST evaluates the completeness of disaster-recovery preparations?

    • Number of published application-recovery plans
    • Ratio of successful to unsuccessful tests
    • Ratio of recovery-plan documents to total applications
    • Ratio of tested applications to total applications
  3. An organization establishes an internal document collaboration site. To ensure data confidentiality of each project group, it is MOST important to:

    • conduct a vulnerability assessment.
    • enforce document life cycle management.
    • prohibit remote access to the site.
  4. Which of the following is MOST relevant for an information security manager to communicate to IT operations?

    • The level of inherent risk
    • Vulnerability assessments
    • Threat assessments
    • The level of exposure
  5. The PRIMARY purpose of a periodic threat and risk assessment report to senior management is to communicate the:

    • cost-benefit of security controls.
    • status of the security posture.
    • probability of future incidents.
    • risk acceptance criteria.
  6. Which of the following is the MOST important part of an incident response plan?

    • Recovery point objective (RPO)
    • Recovery time objective (RTO)
    • Mean time to report (MTR)
    • Business impact analysis (BIA)
  7. If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, what should the auditor do?

    • Lack of IT documentation is not usually material to the controls tested in an IT audit.
    • The auditor should at least document the informal standards and policies. Furthermore, the IS auditor should create formal documented policies to be implemented.
    • The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.
    • The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should create formal documented policies to be implemented.
    Explanation:
    If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, the auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.
  8. What often results in project scope creep when functional requirements are not defined as well as they could be?

    • Inadequate software baselining
    • Insufficient strategic planning
    • Inaccurate resource allocation
    • Project delays
    Explanation:
    Inadequate software baselining often results in project scope creep because functional requirements are not defined as well as they could be.
  9. Fourth-generation languages (4GLs) are most appropriate for designing the application’s graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures. True or false?

    • True
    • False
    Explanation:
    Fourth-generation languages (4GLs) are most appropriate for designing the application’s graphical user interface (GUI). They are inappropriate for designing any intensive data-calculation procedures.
  10. Run-to-run totals can verify data through which stage(s) of application processing?

    • Initial
    • Various
    • Final
    • Output
    Explanation:
    Run-to-run totals can verify data through various stages of application processing.
  11. ________ (fill in the blank) is/are ultimately accountable for the functionality, reliability, and security within IT governance.

    • Data custodians
    • The board of directors and executive officers
    • IT security administration
    • Business unit managers
    Explanation:
    The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security within IT governance.
  12. What can be used to help identify and investigate unauthorized transactions?

    • Postmortem review
    • Reasonableness checks
    • Data-mining techniques
    • Expert systems
    Explanation:
    Data-mining techniques can be used to help identify and investigate unauthorized transactions.
  13. Network environments often add to the complexity of program-to-program communication, making the implementation and maintenance of application systems more difficult. True or false?

    • True
    • False
    Explanation:
    Network environments often add to the complexity of program-to-program communication, making application systems implementation and maintenance more difficult.
  14. ________ risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a _________________ risk assessment is more appropriate. Fill in the blanks.

    • Quantitative; qualitative
    • Qualitative; quantitative
    • Residual; subjective
    • Quantitative; subjective
    Explanation:
    Quantitative risk analysis is not always possible because the IS auditor is attempting to calculate risk using nonquantifiable threats and potential losses. In this event, a qualitative risk assessment is more appropriate.
  15. What must an IS auditor understand before performing an application audit?

    • The potential business impact of application risks.
    • Application risks must first be identified.
    • Relative business processes.
    • Relevant application risks.
    Explanation:
    An IS auditor must first understand relative business processes before performing an application audit.
  16. What is the first step in a business process re-engineering project?

    • Identifying current business processes
    • Forming a BPR steering committee
    • Defining the scope of areas to be reviewed
    • Reviewing the organizational strategic plan
    Explanation:
    Defining the scope of areas to be reviewed is the first step in a business process re-engineering project.
  17. When storing data archives off-site, what must be done with the data to ensure data completeness?

    • The data must be normalized.
    • The data must be validated.
    • The data must be parallel-tested.
    • The data must be synchronized.
    Explanation:
    When storing data archives off-site, data must be synchronized to ensure data completeness.
  18. Which of the following can help detect transmission errors by appending specially calculated bits onto the end of each segment of data?

    • Redundancy check
    • Completeness check
    • Accuracy check
    • Parity check
    Explanation:
    A redundancy check can help detect transmission errors by appending specially calculated bits onto the end of each segment of data.
  19. What is an edit check to determine whether a field contains valid data?

    • Completeness check
    • Accuracy check
    • Redundancy check
    • Reasonableness check
    Explanation:
    A completeness check is an edit check to determine whether a field contains valid data.
  20. A transaction journal provides the information necessary for detecting unauthorized ___________ (fill in the blank) from a terminal.

    • Deletion
    • Input
    • Access
    • Duplication
    Explanation:
    A transaction journal provides the information necessary for detecting unauthorized input from a terminal.