Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 133

  1. Which of the following is an attribute of the control self-assessment (CSA) approach?

    • Broad stakeholder involvement
    • Auditors are the primary control analysts
    • Limited employee participation
    • Policy driven

    Explanation: 
The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization’s business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement. Choices B, C and D are attributes of a traditional audit approach.

  2. Which of the following is the key benefit of control self-assessment (CSA)?

    • Management ownership of the internal controls supporting business objectives is reinforced.
    • Audit expenses are reduced when the assessment results are an input to external audit work.
    • Improved fraud detection since internal business staff are engaged in testing controls
    • Internal auditors can shift to a consultative approach by using the results of the assessment.
    Explanation: 
    The objective of control self-assessment is to have business management become more aware of the importance of internal control and their responsibility in terms of corporate governance.
Reducing audit expenses is not a key benefit of control self-assessment (CSA). Improved fraud detection is important, but not as important as ownership, and is not a principal objective of CSA. CSA may give more insights to internal auditors, allowing them to take a more consultative role; however, this is an additional benefit, not the key benefit.
  3. An IT steering committee should review information systems PRIMARILY to assess:

    • whether IT processes support business requirements.
    • if proposed system functionality is adequate.
    • the stability of existing software.
    • the complexity of installed technology.
    Explanation: 
    The role of an IT steering committee is to ensure that the IS department is in harmony with the organization’s mission and objectives. To ensure this, the committee must determine whether IS processes support the business requirements. Assessing proposed additional functionality and evaluating software stability and the complexity of technology are too narrow in scope to ensure that IT processes are, in fact, supporting the organization’s goals.
  4. The MOST likely effect of the lack of senior management commitment to IT strategic planning is:

    • a lack of investment in technology.
    • a lack of a methodology for systems development.
    • technology not aligning with the organization’s objectives.
    • an absence of control over technology contracts.
    Explanation: 
    A steering committee should exist to ensure that the IT strategies support the organization’s goals. The absence of an information technology committee or a committee not composed of senior managers would be an indication of a lack of top-level management commitment. This condition would increase the risk that IT would not be aligned with the organization’s strategy.
  5. Which of the following is a function of an IS steering committee?

    • Monitoring vendor-controlled change control and testing
    • Ensuring a separation of duties within the information processing environment
    • Approving and monitoring major projects, the status of IS plans and budgets
    • Liaising between the IS department and the end users
    Explanation: 
    The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, the status of IS plans and budgets. Vendor change control is an outsourcing issue and should be monitored by IS management. Ensuring a separation of duties within the information processing environment is an IS management responsibility. Liaising between the IS department and the end users is a function of the individual parties and not a committee.
  6. An IS steering committee should:

    • include a mix of members from different departments and staff levels.
    • ensure that IS security policies and procedures have been executed properly.
    • have formal terms of reference and maintain minutes of its meetings.
    • be briefed about new trends and products at each meeting by a vendor.
    Explanation: 
    It is important to keep detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed about those decisions on a timely basis. Choice A is incorrect because only senior management or high-level staff members should be on this committee because of its strategic mission. Choice B is not a responsibility of this committee, but the responsibility of the security administrator. Choice D is incorrect because a vendor should be invited to meetings only when appropriate.
  7. Involvement of senior management is MOST important in the development of:

    • strategic plans.
    • IS policies.
    • IS procedures.
    • standards and guidelines.
    Explanation: 
    Strategic plans provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives. IS policies, procedures, standards and guidelines are all structured to support the overall strategic plan.
  8. Effective IT governance will ensure that the IT plan is consistent with the organization’s:

    • business plan.
    • audit plan.
    • security plan.
    • investment plan.
    Explanation: 
    To govern IT effectively, IT and business should be moving in the same direction, requiring that the IT plans are aligned with an organization’s business plans. The audit and investment plans are not part of the IT plan, while the security plan should be at a corporate level.
  9. Establishing the level of acceptable risk is the responsibility of:

    • quality assurance management.
    • senior business management.
    • the chief information officer.
    • the chief security officer.
  10. IT governance is PRIMARILY the responsibility of the:

    • chief executive officer.
    • board of directors.
    • IT steering committee.
    • audit committee.
    Explanation: 
    IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors). The chief executive officer is instrumental in implementing IT governance per the directions of the board of directors. The IT steering committee monitors and facilitates deployment of IT resources for specific projects in support of business plans. The audit committee reports to the board of directors and should monitor the implementation of audit recommendations.
  11. As an outcome of information security governance, strategic alignment provides:

    • security requirements driven by enterprise requirements.
    • baseline security following best practices.
    • institutionalized and commoditized solutions.
    • an understanding of risk exposure.
    Explanation: 
    Information security governance, when properly implemented, should provide four basic outcomes: strategic alignment, value delivery, risk management and performance measurement. Strategic alignment provides input for security requirements driven by enterprise requirements. Value delivery provides a standard set of security practices, i.e., baseline security following best practices or institutionalized and commoditized solutions. Risk management provides an understanding of risk exposure.
  12. Which of the following IT governance best practices improves strategic alignment?

    • Supplier and partner risks are managed.
    • A knowledge base on customers, products, markets and processes is in place.
    • A structure is provided that facilitates the creation and sharing of business information.
    • Top management mediates between the imperatives of business and technology.
    Explanation: 
    Top management mediating between the imperatives of business and technology is an IT strategic alignment best practice. Supplier and partner risks being managed is a risk management best practice. A knowledge base on customers, products, markets and processes being in place is an IT value delivery best practice. An infrastructure being provided to facilitate the creation and sharing of business information is an IT value delivery and risk management best practice.
  13. Which of the following is BEST addressed when using a timestamp within a digital signature to deliver sensitive financial information?

    • Replay protection
    • Authentication
    • Nonrepudiation
    • Data integrity
  14. An organization has software that is not compliant with data protection requirements. To help ensure that appropriate and relevant data protection controls are implemented in the future, the auditor’s BEST course of action would be to:

    • conduct a privacy impact assessment to identify gaps in the organization’s privacy.
    • recommend that privacy checks are included within the solution development life cycle.
    • recommend an executive be appointed to oversee privacy program improvements.
    • map the organization’s business processes to identify personally identifiable information (PII).
  15. Which of the following would be of MOST concern during an audit of an end user computing system containing sensitive information?

    • Audit logging is not available.
    • System data is not protected.
    • Secure authorization is not available.
    • The system is not included in inventory.
  16. Following a recent internal data breach, an IS auditor was asked to evaluate information security practices within the organization. Which of the following findings would be MOST important to report to senior management?

    • Employees are not required to sign a non-compete agreement.
    • Security education and awareness workshops have not been completed.
    • Users lack technical knowledge related to security and data protection.
    • Desktop passwords do not require special characters.
  17. Which of the following is the BEST way to protect the confidentiality of data on a corporate smartphone?

    • Disabling public wireless connections
    • Using remote data wipe capabilities
    • Using encryption
    • Changing the default PIN for Bluetooth connections
  18. To help ensure the organization’s information assets are adequately protected, which of the following considerations is MOST important when developing an information classification and handling policy?

    • The policy has been mapped against industry frameworks for classifying information assets.
    • The policy is owned by the head of information security, who has the authority to enforce the policy.
    • The policy specifies requirements to safeguard information assets based on their importance to the organization.
    • The policy is subject to periodic reviews to ensure its provisions are up to date.
  19. An IS auditor has been asked to perform a post-implementation assessment of a new corporate human resources (HR) system. Which of the following control areas would be MOST important to review for the protection of employee information?

    • Logging capabilities
    • Authentication mechanisms
    • Data retention practices
    • System architecture
  20. A multinational company wants to establish a mandatory global standard for information security including data protection and privacy. Which of the following should be the GREATEST concern to an IS auditor?

    • Inconsistent roll-out of the standard across all countries
    • Increased organizational effort without any tangible benefit
    • Noncompliance with local laws in the affected countries
    • Lack of adoption by organized labor groups in all affected countries