CISA EXAM 1 questions with correct answers
Practice CISA Exam (Latihan CISA Exam), Chapter 2

1. An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?
A References from other customers
B Service level agreement (SLA) template
C Maintenance agreement
D Conversion plan
Correct Answer: A
An IS auditor should look for an independent verification that the ISP can perform the tasks being contracted for. References from other customers would provide an independent, external review and verification of procedures and processes the ISP follows, issues which would be of concern to an IS auditor. Checking references is a means of obtaining an independent verification that the vendor can perform the services it says it can. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, is less important than verification that the ISP can provide the services they propose.

2. To aid management in achieving IT and business alignment, an IS auditor should recommend the use of:
A control self-assessments.
B a business impact analysis.
C an IT balanced scorecard.
D business process reengineering.
Correct Answer: C
An IT balanced scorecard (BSC) provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction,

if hardware or software is needed to achieve the organizational goals.

5. A local area network (LAN) administrator normally would be restricted from:
A having end-user responsibilities.
B reporting to the end-user manager.
C having programming responsibilities.
D being responsible for LAN security administration.
Correct Answer: C
A LAN administrator should not have programming responsibilities but may have end-user responsibilities. The LAN administrator may report to the director of the IPF or, in a decentralized operation, to the end-user manager. In small organizations, the LAN administrator may also be responsible for security administration over the LAN.

6. To minimize costs and improve service levels, an outsourcer should seek which of the following contract clauses?
A O/S and hardware refresh frequencies
B Gain-sharing performance bonuses
C Penalties for noncompliance
D Charges tied to variable cost metrics
Correct Answer: B
Because the outsourcer will share a percentage of the achieved savings, gain-sharing performance bonuses provide a financial incentive to go above and beyond the stated terms of the contract and can lead to cost savings for the client. Refresh frequencies and penalties for noncompliance would only encourage the outsourcer to meet minimum requirements. Similarly, tying charges to variable cost metrics would not encourage the outsourcer to seek additional efficiencies that might benefit the client.

7. Which of the following is a mechanism for mitigating risks?
A Security and control practices
B Property and liability insurance
C Audit and certification
D Contracts and service level agreements (SLAs)
Correct Answer: A
Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.

8. Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?
A Security incident summaries

D reuse.
Correct Answer: B
Besides being a good practice, laws and regulations may require that an organization keep information that has an impact on the financial statements. The prevalence of lawsuits in which e-mail communication is held in the same regard as the official form of classic "paper" makes the retention of corporate e-mail a necessity. All e-mail generated on an organization's hardware is the property of the organization, and an e-mail policy should address the retention of messages, considering both known and unforeseen litigation. The policy should also address the destruction of e-mails after a specified time to protect the nature and confidentiality of the messages themselves. Addressing the retention issue in the e-mail policy would facilitate recovery, rebuilding and reuse.

11. When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?
A There could be a question regarding the legal jurisdiction.
B Having a provider abroad will cause excessive costs in future audits.
C The auditing process will be difficult because of the distance.
D There could be different auditing norms.
Correct Answer: A
In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction.

12. The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:
A destruction policy.
B security policy.
C archive policy.
D audit policy.
Correct Answer: C
With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records. Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.

13. Effective IT governance requires organizational structures and processes to ensure that:
A the organization's strategies and objectives extend the IT strategy.
B the business strategy is derived from an IT strategy.
C IT governance is separate and distinct from the overall governance.

D Software development may require more detailed specifications.
Correct Answer: C
Privacy laws prohibiting the cross-border flow of personally identifiable information would make it impossible to locate a data warehouse containing customer information in another country. Time zone differences and higher telecommunications costs are more manageable. Software development typically requires more detailed specifications when dealing with offshore operations.

16. When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the organization's business objectives by determining if IS:
A has all the personnel and equipment it needs.
B plans are consistent with management strategy.
C uses its equipment and personnel efficiently and effectively.
D has sufficient excess capacity to respond to changing directions.
Correct Answer: B
Determining if the IS plan is consistent with management strategy relates IS/IT planning to business plans. Choices A, C and D are effective methods for determining the alignment of IS plans with business objectives and the organization's strategies.

17. An IS auditor should be concerned when a telecommunication analyst:
A monitors systems performance and tracks problems resulting from program changes.
B reviews network load requirements in terms of current and future transaction volumes.
C assesses the impact of the network load on terminal response times and network data transfer rates.
D recommends network balancing procedures and improvements.
Correct Answer: A
The responsibilities of a telecommunications analyst include reviewing network load requirements in terms of current and future transaction volumes (choice B), assessing the impact of network load on terminal response times and network data transfer rates (choice C), and recommending network balancing procedures and improvements (choice D). Monitoring systems performance and tracking problems as a result of program changes (choice A) would put the analyst in a self-monitoring role.

18. In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:
A there is an integration of IS and business staffs within projects.
B there is a clear definition of the IS mission and vision.
C a strategic information technology planning methodology is in place.
D the plan correlates business objectives to IS goals and objectives.
Correct Answer: A
The integration of IS and business staff in projects is an operational issue and should be considered

not be in conflict with overall corporate policy and ensure consistency across the organization.

21.
Is it appropriate for an IS auditor from a company that is considering outsourcing its IS processing to request and review a copy of each vendor's business continuity plan?
A Yes, because an IS auditor will evaluate the adequacy of the service bureau's plan and assist their company in implementing a complementary plan.
B Yes, because based on the plan, an IS auditor will evaluate the financial stability of the service bureau and its ability to fulfill the contract.
C No, because the backup to be provided should be specified adequately in the contract.
D No, because the service bureau's business continuity plan is proprietary information.
Correct Answer: A
The primary responsibility of an IS auditor is to assure that the company assets are being safeguarded. This is true even if the assets do not reside on the immediate premises. Reputable service bureaus will have a well-designed and tested business continuity plan.

22. A benefit of open system architecture is that it:
A facilitates interoperability.
B facilitates the integration of proprietary components.
C will be a basis for volume discounts from equipment vendors.
D allows for the achievement of more economies of scale for equipment.
Correct Answer: A
Open systems are those for which suppliers provide components whose interfaces are defined by public standards, thus facilitating interoperability between systems made by different vendors. In contrast, closed system components are built to proprietary standards so that other suppliers' systems cannot or will not interface with existing systems.

23. The ultimate purpose of IT governance is to:
A encourage optimal use of IT.
B reduce IT costs.
C decentralize IT resources across the organization.
D centralize control of IT.
Correct Answer: A
IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise.
It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of

initiative?
A Issues of privacy
B Wavelength can be absorbed by the human body
C RFID tags may not be removable
D RFID eliminates line-of-sight reading
Correct Answer: A
The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy violations are a significant concern because RFID can carry unique identifier numbers. If desired, it would be possible for a firm to track individuals who purchase an item containing an RFID. Choices B and C are concerns of less importance. Choice D is not a concern.

27. Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?
A Allocating resources
B Keeping current with technology advances
C Conducting control self-assessment
D Evaluating hardware needs
Correct Answer: A
The IS department should specifically consider the manner in which resources are allocated in the short term. Investments in IT need to be aligned with top management strategies, rather than focusing on technology for technology's sake. Conducting control self-assessments and evaluating hardware needs are not as critical as allocating resources during short-term planning for the IS department.

28. When developing a risk management program, what is the FIRST activity to be performed?
A Threat assessment
B Classification of data
C Inventory of assets
D Criticality analysis
Correct Answer: C
Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.

29. A long-term IS employee with a strong technical background and broad managerial experience has applied for a vacant position in the IS audit department. Determining whether to hire this individual for this position should be based on the individual's experience and:
A length of service, since this will help ensure technical competence.

organization's security awareness training?
A Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
B Job descriptions contain clear statements of accountability for information security.
C In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
D No actual incidents have occurred that have caused a loss or a public embarrassment.
Correct Answer: B
Inclusion in job descriptions of security responsibilities is a form of security training and helps ensure that staff and management are aware of their roles with respect to information security. The other three choices are not criteria for evaluating security awareness training. Awareness is a criterion for evaluating the importance that senior management attaches to information assets and their protection. Funding is a criterion that aids in evaluating whether security vulnerabilities are being addressed, while the number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program.

32.
Which of the following is a risk of cross-training?
A Increases the dependence on one employee
B Does not assist in succession planning
C One employee may know all parts of a system
D Does not help in achieving a continuity of operations
Correct Answer: C
When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.

33. To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:
A enterprise data model.
B IT balanced scorecard (BSC).
C IT organizational structure.
D historical financial statements.
Correct Answer: B
The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business

B enhanced staff morale.
C the use of new technology.
D increased market penetration.
Correct Answer: D
A comprehensive business case for any proposed IT-related business investment should have clearly defined business benefits to enable the expected return to be calculated. These benefits usually fall into two categories: direct and indirect, or soft. Direct benefits usually comprise the quantifiable financial benefits that the new system is expected to generate. The potential benefits of enhanced reputation and enhanced staff morale are difficult to quantify, but should be quantified to the extent possible. IT investments should not be made just for the sake of new technology but should be based on a quantifiable business need.

36. Which of the following should be considered FIRST when implementing a risk management program?
A An understanding of the organization's threat, vulnerability and risk profile
B An understanding of the risk exposures and the potential consequences of compromise
C A determination of risk management priorities based on potential consequences
D A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
Correct Answer: A
Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed. This would provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.

37. Which of the following is a function of an IS steering committee?
A Monitoring vendor-controlled change control and testing
B Ensuring a separation of duties within the information processing environment
C Approving and monitoring major projects, the status of IS plans and budgets
D Liaising between the IS department and the end users
Correct Answer: C
The IS steering committee typically serves as a general review board for major IS projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, the status of IS plans and budgets. Vendor change control is an outsourcing issue and should be monitored by IS management. Ensuring a separation of duties within the information

management. It includes a definition of those authorized to grant access and the basis for granting the access. Choices A, B and C are more detailed than that which should be included in a policy.

40.
When an employee is terminated from service, the MOST important action is to:
A hand over all of the employee's files to another designated employee.
B complete a backup of the employee's work.
C notify other employees of the termination.
D disable the employee's logical access.
Correct Answer: D
There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee's logical access is the most important action to take. All the work of the terminated employee needs to be handed over to a designated employee; however, this should be performed after implementing choice D. All the work of the terminated employee needs to be backed up and the employees need to be notified of the termination of the employee, but this should not precede the action in choice D.

41. The PRIMARY objective of an audit of IT security policies is to ensure that:
A they are distributed and available to all staff.
B security and control policies support business and IT objectives.
C there is a published organizational chart with functional descriptions.
D duties are appropriately segregated.
Correct Answer: B
Business orientation should be the main theme in implementing security. Hence, an IS audit of IT security policies should primarily focus on whether the IT and related security and control policies support business and IT objectives. Reviewing whether policies are available to all is an objective, but distribution does not ensure compliance. Availability of organizational charts with functional descriptions and segregation of duties might be included in the review, but are not the primary objective of an audit of security policies.

42. A top-down approach to the development of operational policies will help ensure:
A that they are consistent across the organization.
B that they are implemented as a part of risk assessment.
C compliance with all policies.
D that they are reviewed periodically.
Correct Answer: A
Deriving lower level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies. The bottom-up approach to the development of operational policies is derived as a result of risk assessment.

A top-down approach would be an indication of a lack of top-level management commitment. This condition would increase the risk that IT would not be aligned with the organization's strategy.

45. An IS steering committee should:
A include a mix of members from different departments and staff levels.
B ensure that IS security policies and procedures have been executed properly.
C have formal terms of reference and maintain minutes of its meetings.
D be briefed about new trends and products at each meeting by a vendor.
Correct Answer: C
It is important to keep detailed steering committee minutes to document the decisions and activities of the IS steering committee, and the board of directors should be informed about those decisions on a timely basis. Choice A is incorrect because only senior management or high-level staff members should be on this committee because of its strategic mission. Choice B is not a responsibility of this committee, but the responsibility of the security administrator. Choice D is incorrect because a vendor should be invited to meetings only when appropriate.