Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 31

  1. When developing metrics to measure the contribution of IT to the achievement of business goals, the MOST important consideration is that the metrics:

    • measure the effectiveness of IT controls in the achievement of IT strategy.
    • provide quantitative measurement of IT initiatives in relation to business targets.
    • are expressed in terms of how IT risk impacts the achievement of business goals.
    • are used by similar industries to measure the effect of IT on business strategy.
  2. The performance, risks, and capabilities of an IT infrastructure are BEST measured using a:

    • balanced scorecard.
    • risk management review.
    • service level agreement (SLA).
    • control self-assessment (CSA).
  3. Which of the following is the PRIMARY risk when business units procure IT assets without IT involvement?

    • Corporate procurement standards are not followed.
    • The business units want IT to be responsible for maintenance costs.
    • Data security requirements are not considered.
    • System inventory becomes inaccurate.
  4. Which of the following would be MOST important to update once a decision has been made to outsource a critical application to a cloud service provider?

    • Project portfolio
    • IT resource plan
    • IT budget
    • Business impact analysis (BIA)
  5. Communicating which of the following would BEST encourage management to initiate appropriate actions following the receipt of report findings?

    • Risk implications of the observations
    • Strict deadlines to close all observations
    • Statistical sampling used to derive observations
    • Recommendations that align with the business strategy
  6. Which of the following is the BEST key performance indicator (KPI) for determining how well the IT policy is aligned to the business requirements?

    • Number of approved exceptions to the policy
    • Total cost of policy breaches
    • Total cost to support the policy
    • Number of inquiries regarding the policy
  7. What is the BEST method to determine if IT resource spending is aligned with planned project spending?

    • Earned value analysis (EVA)
    • Gantt chart
    • Return on investment (ROI) analysis
    • Critical path analysis
  8. An external audit team is deciding whether to rely on internal audit’s work for an annual compliance audit. Which of the following is the GREATEST consideration when making this decision?

    • Independence of the internal audit department from management’s influence
    • Professional certifications held by the internal audit team members
    • Years of experience each of the internal auditors have in performing compliance audits
    • The level of documentation maintained by internal audit and the methods used to collect evidence
  9. Which of the following methods would BEST ensure that IT strategy is in line with business strategy?

    • Break-even analysis
    • Value analysis
    • Critical path analysis
    • Business impact analysis (BIA)
  10. An information systems security officer’s PRIMARY responsibility for business process applications is to:

    • create role-based rules for each business process.
    • ensure access rules agree with policies.
    • authorize secured emergency access.
    • approve the organization’s security policy.
  11. An objective of capacity management is to ensure that:

    • organizational resources are used efficiently.
    • available resources are fully utilized.
    • new resources are allocated for new applications.
    • resource utilization does not drop below 85%.
  12. An information security team has discovered that users are sharing a login account to an application with sensitive information, in violation of the access policy. Business management indicates that the practice creates operational efficiencies. The information security manager’s BEST course of action should be to:

    • modify the policy
    • present the risk to senior management
    • enforce the policy
    • create an exception for the deviation
  13. A policy has been established requiring users to install mobile device management (MDM) software on their personal devices. Which of the following would BEST mitigate the risk created by noncompliance with this policy?

    • Issuing warnings and documenting noncompliance
    • Disabling remote access from the mobile device
    • Issuing company-configured mobile devices
    • Requiring users to sign off on terms and conditions
  14. To address the issue that performance pressures on IT may conflict with information security controls, it is MOST important that:

    • the security policy is changed to accommodate IT performance pressure
    • noncompliance issues are reported to senior management
    • senior management provides guidance and dispute resolution
    • information security management understands business performance issues
  15. The objectives of business process improvement should PRIMARILY include:

    • minimal impact on staff
    • incremental changes in productivity
    • changes of organizational boundaries
    • performance optimization
  16. During a review of the IT strategic plan, an IS auditor finds several IT initiatives focused on delivering new systems and technology are not aligned with the organization’s strategy. Which of the following would be the IS auditor’s BEST recommendation?

    • Reassess the return on investment for the IT initiatives
    • Modify IT initiatives that do not map to business strategies
    • Utilize a balanced scorecard to align IT initiatives to business strategies
    • Reassess IT initiatives that do not map to business strategies
  17. An organization has outsourced some of its subprocesses to a service provider. When scoping the audit of the provider, the organization’s internal auditor should FIRST:

    • evaluate operational controls of the provider
    • discuss audit objectives with the provider
    • review internal audit reports of the provider
    • review the contract with the provider
  18. An organization was severely impacted after an advanced persistent threat (APT) attack. Afterwards, it was found that the initial breach happened a month prior to the attack. Management’s GREATEST concern should be:

    • results of the past internal penetration test
    • the effectiveness of monitoring processes
    • the installation of critical security patches
    • external firewall policies
  19. Software quality assurance (QA) reviews are planned as part of system development. At which stage in the development process should the first review be initiated?

    • At pre-implementation planning
    • As a part of the user requirements definition
    • Immediately prior to user acceptance testing
    • During the feasibility study
  20. An organization has made a strategic decision to split into separate operating entities to improve profitability. However, the IT infrastructure remains shared between the entities. Which of the following would BEST help to ensure that IS audit still covers key risk areas within the IT environment as part of its annual plan?

    • Increasing the frequency of risk-based IS audits for each business entity
    • Revising IS audit plans to focus on IT changes introduced after the split
    • Conducting an audit of newly introduced IT policies and procedures
    • Developing a risk-based plan considering each entity’s business processes