Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 36

  1. An organization recently implemented an industry-recognized IT framework to improve the overall effectiveness of IT governance. Which of the following would BEST enable an IS auditor to assess the implementation against the framework?

    • Capability maturity model
    • Key risk indicators (KRIs)
    • Industry benchmarking
    • Balanced scorecard
  2. An organization plans to allow third parties to collect customer personal data from a retail loyalty platform via an application programming interface (API). Which of the following should be the PRIMARY consideration when designing this API?

    • Data governance policies
    • System resilience
    • Regulatory compliance
    • Data availability
  3. Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the organization?

    • Appointing data stewards to provide effective data governance
    • Classifying data quality issues by the severity of their impact to the organization
    • Integrating data requirements into the system development life cycle (SDLC)
    • Facilitating effective communication between management and developers
  4. Which of the following has the GREATEST influence on the success of IT governance?

    • IT strategy is embedded in all risk management processes
    • Alignment of IT strategies with the entity’s vision 
    • The CIO is a member of the audit committee
    • Clear, concise, and enforced IS policies
  5. Which of the following is the MOST important step in the development of an effective IT governance action plan?

    • Conducting a business impact analysis (BIA)
    • Preparing a statement of sensitivity
    • Setting up an IT governance framework for the process
    • Measuring IT governance key performance indicators (KPIs)
  6. Which of the following governance functions is responsible for ensuring IT projects have sufficient resources and are prioritized appropriately?

    • Board of directors
    • IT management
    • IT steering committee 
    • Executive management
  7. Which of the following is a benefit of requiring management to issue a report to stakeholders regarding the internal controls over IT?

    • Transparency of IT costs
    • Improved portfolio management
    • Improved cost management
    • Focus on IT governance
  8. An IS auditor’s role in privacy and security is to:

    • assist in developing an IS security strategy.
    • verify compliance with applicable laws.
    • implement risk management methodologies.
    • assist the governance steering committee with implementing a security policy.
  9. Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s initiative to adopt an enterprise governance framework?

    • The organization has not identified the business drivers for adopting the framework.
    • The organization’s security department has not been involved with the initiative.
    • The organization has tried to adopt the entire framework at once.
    • The organization has not provided employees with formal training on the framework.
  10. Which of the following IT processes is likely to have the GREATEST inherent regulatory risk?

    • IT project management
    • Data management
    • Capacity management
    • IT resource management
  11. Which of the following is the BEST indication that an organization has achieved legal and regulatory compliance?

    • The board of directors and senior management accept responsibility for compliance.
    • An independent consultant has been appointed to ensure legal and regulatory compliance.
    • Periodic external and internal audits have not identified instances of noncompliance. 
    • The risk management process incorporates noncompliance as a risk.
  12. Which of the following is the MOST significant obstacle to establishing a new privacy program?

    • Unresolved overlap of security and privacy roles and responsibilities
    • An insufficient privacy awareness training program
    • A complex legal and regulatory landscape 
    • Failure to perform a business impact analysis (BIA)
  13. Which of the following is the BEST evidence that an organization is aware of applicable laws and regulations?

    • The organization’s compliance matrix 
    • History of legal actions and regulatory correspondence
    • The existence of an employee awareness training program
    • Industry benchmark results
  14. Which of the following is MOST important to consider when reviewing a third-party service agreement for disaster recovery services?

    • Recovery point objectives (RPOs) and recovery time objectives (RTOs) are included in the agreement.
    • The lowest price possible is obtained for the service rendered.
    • Security and regulatory requirements are addressed in the agreement. 
    • Provisions exist to retain ownership of intellectual property in the event of termination.
  15. A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization’s level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?

    • Identifying data security threats in the affected jurisdiction
    • Reviewing data classification procedures associated with the affected jurisdiction
    • Identifying business processes associated with personal data exchange with the affected jurisdiction 
    • Developing an inventory of all business entities that exchange personal data with the affected jurisdiction
  16. A new regulatory standard for data privacy requires an organization to protect personally identifiable information (PII). Which of the following is MOST important to include in the audit engagement plan to assess compliance with the new standard?

    • Identification of IT systems that host PII
    • Review of data loss risk scenarios
    • Identification of unencrypted PII
    • Review of data protection procedures
  17. Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

    • Compliance with local laws and regulations
    • Compliance with the organization’s policies and procedures
    • Compliance with action plans resulting from recent audits
    • Compliance with industry standards and best practice
  18. Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization’s privacy policy?

    • Benchmark studies of similar organizations
    • Local privacy standards and regulations 
    • Historical privacy breaches and related root causes
    • Globally accepted privacy best practices
  19. An IS auditor is reviewing standards and compliance requirements related to an upcoming systems audit. The auditor notes that the industry standards are less stringent than local regulatory standards. How should the auditor proceed?

    • Audit to the standards with the highest requirements.
    • Audit exclusively to the industry standards.
    • Coordinate with regulatory officers to determine necessary requirements. 
    • Audit to the policies and procedures of the organization.
  20. A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor’s BEST recommendation to facilitate compliance with the regulation?

    • Include the requirement in the incident management response plan. 
    • Establish key performance indicators (KPIs) for timely identification of security incidents.
    • Enhance the alert functionality of the intrusion detection system (IDS).
    • Engage an external security incident response expert for incident handling.