Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 142

  1. An IS auditor reviewing an outsourcing contract of IT facilities would expect it to define the:

    • hardware configuration.
    • access control software.
    • ownership of intellectual property.
    • application development methodology.

    Of the choices, the hardware and access control software are generally irrelevant as long as the functionality, availability and security can be affected, which are specific contractual obligations. Similarly, the development methodology should be of no real concern. The contract must, however, specify who owns the intellectual property (i.e., information being processed, application programs). Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract.

  2. When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?

    • There could be a question regarding the legal jurisdiction.
    • Having a provider abroad will cause excessive costs in future audits.
    • The auditing process will be difficult because of the distance.
    • There could be different auditing norms.

    In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction.

  3. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?

    • References from other customers
    • Service level agreement (SLA) template
    • Maintenance agreement
    • Conversion plan

    An IS auditor should look for an independent verification that the ISP can perform the tasks being contracted for. References from other customers would provide an independent, external review and verification of procedures and processes the ISP follows, issues which would be of concern to an IS auditor. Checking references is a means of obtaining an independent verification that the vendor can perform the services it says it can. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, is less important than verification that the ISP can provide the services they propose.

  4. To minimize costs and improve service levels an outsourcer should seek which of the following contract clauses?

    • O/S and hardware refresh frequencies
    • Gain-sharing performance bonuses
    • Penalties for noncompliance
    • Charges tied to variable cost metrics

    Because the outsourcer will share a percentage of the achieved savings, gain-sharing performance bonuses provide a financial incentive to go above and beyond the stated terms of the contract and can lead to cost savings for the client. Refresh frequencies and penalties for noncompliance would only encourage the outsourcer to meet minimum requirements. Similarly, tying charges to variable cost metrics would not encourage the outsourcer to seek additional efficiencies that might benefit the client.

  5. When an organization is outsourcing their information security function, which of the following should be kept in the organization?

    • Accountability for the corporate security policy
    • Defining the corporate security policy
    • Implementing the corporate security policy
    • Defining security procedures and guidelines

    Accountability cannot be transferred to external parties. Choices B, C and D can be performed by outside entities as long as accountability remains within the organization.

  6. An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?

    • That an audit clause is present in all contracts
    • That the SLA of each contract is substantiated by appropriate KPIs
    • That the contractual warranties of the providers support the business needs of the organization
    • That at contract termination, support is guaranteed by each outsourcer for new outsourcers

    The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business needs will be met. All other choices are important, but not as potentially dangerous as the interplay of the diverse and critical areas of the contractual responsibilities of the outsourcers.

  7. With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?

    • Outsourced activities are core and provide a differentiated advantage to the organization.
    • Periodic renegotiation is specified in the outsourcing contract.
    • The outsourcing contract fails to cover every action required by the arrangement.
    • Similar activities are outsourced to more than one vendor.

    An organization’s core activities generally should not be outsourced, because they are what the organization does best; an IS auditor observing that should be concerned. An IS auditor should not be concerned about the other conditions because specification of periodic renegotiation in the outsourcing contract is a best practice. Outsourcing contracts cannot be expected to cover every action and detail expected of the parties involved, while multi-sourcing is an acceptable way to reduce risk.

  8. While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor’s PRIMARY concern should be that the:

    • requirement for protecting confidentiality of information could be compromised.
    • contract may be terminated because prior permission from the outsourcer was not obtained.
    • other service provider to whom work has been outsourced is not subject to audit.
    • outsourcer will approach the other service provider directly for further work.

    Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. Where a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. Choices B and C could be concerns but are not related to ensuring the confidentiality of information. There is no reason why an IS auditor should be concerned with choice D.

  9. Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?

    • Security incident summaries
    • Vendor best practices
    • CERT coordination center
    • Significant contracts

    Contractual requirements are one of the sources that should be consulted to identify the requirements for the management of information assets. Vendor best practices provide a basis for evaluating how competitive an enterprise is, while security incident summaries are a source for assessing the vulnerabilities associated with the IT infrastructure. CERT is an information source for assessing vulnerabilities within the IT infrastructure.

  10. An organization has outsourced its help desk activities. An IS auditor’s GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for:

    • documentation of staff background checks.
    • independent audit reports or full audit access.
    • reporting the year-to-year incremental cost reductions.
    • reporting staff turnover, development or training.

    When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but this is not as important as the requirements for independent reports or full audit access by the outsourcing organization.

  11. Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:

    • meets or exceeds industry security standards.
    • agrees to be subject to external security reviews.
    • has a good market reputation for service and experience.
    • complies with security policies of the organization.

    It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that that is the case without an independent review. Though long experience in business and a good reputation are important factors to assess service quality, the business cannot outsource to a provider whose security control is weak.

  12. The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:

    • destruction policy.
    • security policy.
    • archive policy.
    • audit policy.

    With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records. Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.

  13. The output of the risk management process is an input for making:

    • business plans.
    • audit charters.
    • security policy decisions.
    • software design decisions.

    The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process.

  14. An IS auditor was hired to review e-business security. The IS auditor’s first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?

    • Report the risks to the CIO and CEO immediately
    • Examine e-business application in development
    • Identify threats and likelihood of occurrence
    • Check the budget available for risk management

    An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.

  15. Which of the following is a mechanism for mitigating risks?

    • Security and control practices
    • Property and liability insurance
    • Audit and certification
    • Contracts and service level agreements (SLAs)

    Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.

  16. When developing a risk management program, what is the FIRST activity to be performed?

    • Threat assessment
    • Classification of data
    • Inventory of assets
    • Criticality analysis

    Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.

  17. A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:

    • compute the amortization of the related assets.
    • calculate a return on investment (ROI).
    • apply a qualitative approach.
    • spend the time needed to define exactly the loss amount.

    The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An ROI is computed when there are predictable savings or revenues that can be compared to the investment needed to realize the revenues. Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and at the end of the day, the result will be a poorly supported evaluation.

  18. Which of the following provides the MOST helpful information to determine how much data an organization can afford to lose when a critical system failure occurs?

    • Industry data loss statistics
    • Risk assessment results
    • Recovery point objective (RPO)
    • Recovery time objective (RTO)

  19. In an online application, which of the following would provide the MOST information about the transaction audit trail?

    • File layouts
    • System/process flowchart
    • Source code documentation
    • Data architecture

  20. Which of the following firewall technologies involves examining the header of every packet of data traveling between the Internet and the corporate network without examining the previous packets?

    • Proxy servers
    • Bastion host
    • Stateful filtering
    • Stateless filtering