Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 27

  1. Which of the following presents the GREATEST concern when implementing data flow across borders?

    • Software piracy laws
    • National privacy laws
    • Political unrest
    • Equipment incompatibilities
  2. When an organization is having new software implemented under contract, which of the following is key to controlling escalating costs due to scope creep?

    • Problem management
    • Quality management
    • Change management
    • Risk management
  3. Which of the following is the MOST important reason to use statistical sampling?

    • The results are more defensible
    • It ensures that all relevant cases are covered
    • It reduces time required for testing
    • The results can reduce error rates
  4. Which of the following is MOST critical to the success of an information security program?

    • Integration of business and information security
    • Alignment of information security with IT objectives
    • Management’s commitment to information security
    • User accountability for information security
  5. Which of the following is the MAIN purpose of data classification?

    • Applying the appropriate protective measures
    • Ensuring the segregation of duties
    • Defining parameter requirements for security labels
    • Ensuring integrity of sensitive information
  6. The decision to accept an IT control risk related to data quality should be the responsibility of the:

    • information security team
    • chief information officer (CIO)
    • business owner
    • IS audit manager
  7. Which of the following would be MOST time and cost efficient when performing a control self-assessment (CSA) for an organization with a large number of widely dispersed employees?

    • Top-down and bottom-up analysis
    • Face-to-face interviews
    • Survey questionnaire
    • Facilitated workshops
  8. In attribute sampling, what is the relationship between expected error rate and sample size?

    • The expected error rate does not affect the sample size
    • The greater the expected error rate, the smaller the sample size
    • The greater the expected error rate, the greater the sample size
    • The greater the sample size, the lower the expected error rate
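Question 8 is the one quantitative item in this set, so an added worked example follows (it is not part of the original question bank). It computes the required attribute-sample size from the binomial model that underlies the standard audit sampling tables: for a chosen tolerable deviation rate and risk of overreliance, the sample must be large enough that, if the true rate were at the tolerable limit, seeing no more than the expected number of deviations would be unlikely. The function names, the 5% tolerable rate, the 5% risk and the expected rates tried are my own choices for illustration.

```python
import math


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p), summed from exact combinations."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k + 1))


def attribute_sample_size(tolerable_rate: float, expected_rate: float,
                          risk_of_overreliance: float = 0.05, max_n: int = 5000) -> int:
    """Smallest sample size n such that, if the population deviation rate equalled
    the tolerable rate, observing at most the expected number of deviations
    (ceil(n * expected_rate)) would occur with probability <= risk_of_overreliance.
    This is the rule behind the published attribute-sampling tables (assumption:
    deviations are independent draws, i.e. the binomial model).
    """
    if not 0 <= expected_rate < tolerable_rate <= 1:
        raise ValueError("need 0 <= expected_rate < tolerable_rate <= 1")
    if not 0 < risk_of_overreliance < 1:
        raise ValueError("risk_of_overreliance must be strictly between 0 and 1")
    for n in range(1, max_n + 1):
        expected_deviations = math.ceil(n * expected_rate)
        if binomial_cdf(expected_deviations, n, tolerable_rate) <= risk_of_overreliance:
            return n
    raise ValueError(f"no sample size up to {max_n} satisfies the constraint")


def sample_size_table(tolerable_rate: float, expected_rates, risk: float = 0.05) -> dict:
    """Map each expected deviation rate to the sample size it requires."""
    return {e: attribute_sample_size(tolerable_rate, e, risk) for e in expected_rates}


if __name__ == "__main__":
    # Illustrative parameters: 5% tolerable rate, 5% risk of overreliance.
    table = sample_size_table(0.05, (0.0, 0.01, 0.02, 0.03))
    for expected, n in table.items():
        print(f"expected deviation rate {expected:>5.1%} -> sample size {n}")
```

With a 5% tolerable rate and 5% risk the function returns 59, 93 and 181 samples for expected rates of 0%, 1% and 2%, the same values the standard tables give, and the sample size keeps rising for larger expected rates. The reason is visible in the loop: a higher expected rate raises the number of deviations the auditor plans to tolerate in the sample, so more items are needed before that count becomes strong evidence that the population is within the tolerable limit.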
  9. The MOST important reason why an IT risk assessment should be updated on a regular basis is to:

    • utilize IT resources in a cost-effective manner
    • comply with data classification changes
    • comply with risk management policies
    • react to changes in the IT environment
  10. An IT governance framework provides an organization with:

    • a basis for directing and controlling IT.
    • assurance that there will be IT cost reductions.
    • organizational structures to enlarge the market share through IT.
    • assurance that there are surplus IT investments.
  11. Which of the following is a key success factor for implementing IT governance?

    • Embedding quality assurance processes
    • Establishing an IT governance committee
    • Aligning IT and business strategies
    • Delivering IT projects within budget
  12. Which of the following groups is MOST likely responsible for the implementation of IT projects?

    • IT steering committee
    • IT compliance committee
    • IT strategy committee
    • IT governance committee
  13. The chief information officer (CIO) of an organization is concerned that the information security policies may not be comprehensive. Which of the following should an IS auditor recommend be performed FIRST?

    • Obtain a copy of their competitor’s policies.
    • Determine if there is a process to handle exceptions to the policies.
    • Establish a governance board to track compliance with the policies.
    • Compare the policies against an industry framework.
  14. An IS auditor can BEST help management fulfill risk management responsibilities by:

    • highlighting specific risks not being addressed.
    • ensuring the roles for managing IT risk are defined.
    • developing an IT risk management framework.
    • adopting a mechanism for reporting issues.
  15. Which of the following is the BEST source for describing the objectives of an organization’s information systems?

    • Business process owners
    • End users
    • IT management
    • Information security management
  16. Which of the following is the BEST way for management to ensure the effectiveness of the cybersecurity incident response process?

    • Periodic update of incident response process documentation
    • Periodic reporting of cybersecurity incidents to key stakeholders
    • Periodic tabletop exercises involving key stakeholders
    • Periodic cybersecurity training for staff involved in incident response
  17. An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization’s data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

    • Data impacting business objectives
    • Data supporting financial statements
    • Data reported to the regulatory body
    • Data with customer personal information
  18. An IS auditor has been asked to advise on the design and implementation of IT management best practices. Which of the following actions would impair the auditor’s independence?

    • Providing consulting advice for managing applications
    • Designing an embedded audit module
    • Implementing risk response on management’s behalf
    • Evaluating the risk management process
  19. Which of the following is the MOST effective means of helping management and the IT strategy committee to monitor IT performance?

    • End-user satisfaction surveys
    • Gap analysis
    • Measurement of service levels against metrics
    • Infrastructure monitoring reports
  20. Management decided to accept the residual risk of an audit finding and not take the recommended actions. The internal audit team believes the acceptance is inappropriate and has discussed the situation with executive management. After this discussion, there is still disagreement regarding the decision. Which of the following is the BEST course of action by internal audit?

    • Report this matter to the audit committee without notifying executive management.
    • Document in the audit report that management has accepted the residual risk and take no further actions.
    • Report the issue to the audit committee in a joint meeting with executive management for resolution.
    • Schedule another meeting with executive management to convince them of taking action as recommended.