Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

CISA > 2 - Governance and Management of IT > Flashcards

2 - Governance and Management of IT Flashcards

PASS THE CISA (107 cards)

Start Studying
1
Q

During a risk analysis, an IS auditor identifies threats and potential impacts. Next, the IS auditor should:

A.ensure the risk assessment is aligned to management’s risk assessment process.
B.identify information assets and the underlying systems.
C.disclose the threats and impacts to management.
D.identify and evaluate the existing controls.

A

D. identify and evaluate the existing controls.

It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

After an organization completed a threat and vulnerability analysis as part of a risk assessment, the final report suggested that an intrusion prevention system (IPS) should be installed at the main Internet gateways and that all business units should be separated via a proxy firewall. Which of the following is the BEST method to determine whether the controls should be implemented?

A. A cost-benefit analysis
B. An annual loss expectancy calculation
C. A comparison of the cost of the IPS and firewall and the cost of the business systems
D. A business impact analysis

A

A. A cost-benefit analysis

In a cost-benefit analysis, the total expected purchase and operational/support costs, and a qualitative value for all actions are weighted against the total expected benefits to choose the best technical, most profitable, least expensive or acceptable risk option.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

The PRIMARY benefit of implementing a security program as part of a security governance framework is the:

A. alignment of the IT activities with IS audit recommendations.
B. enforcement of the management of security risk.
C. implementation of the chief information security officer’s recommendations.
D. reduction of the cost for IT security.

A

B. enforcement of the management of security risk.

The major benefit of implementing a security program is management’s assessment of risk and its mitigation to an appropriate level, and monitoring of the residual risk.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

An IS auditor reviewing the IT organization is MOST concerned if the IT steering committee:

A. is responsible for project approval and prioritization.
B. is responsible for developing the long-term IT plan.
C. reports the status of IT projects to the board of directors.
D. is responsible for determining business goals.

A

D. is responsible for determining business goals.

Determining the business goals is the responsibility of senior management and not of the IT steering committee. IT should support business goals and be driven by the business—not the other way around.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which of the following insurance types provide for a loss arising from fraudulent acts by employees?

A. Business interruption
B. Fidelity coverage
C. Errors and omissions
D. Extra expense

A

B. Fidelity coverage

This type of insurance covers the loss arising from dishonest or fraudulent acts by employees.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Which of the following goals do you expect to find in an organization’s strategic plan?

A. Results of new software testing
B. An evaluation of information technology needs
C. Short-term project plans for a new planning system
D. Approved suppliers for products offered by the company

A

D. Approved suppliers for products offered by the company

Approved suppliers of choice for the product is a strategic business objective that is intended to focus the overall direction of the business and, thus, is a part of the organization’s strategic plan.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A business unit has selected a new accounting application and did not consult with IT early in the selection process. The PRIMARY risk is that:

A. the security controls of the application may not meet requirements.
B. the application may not meet the requirements of the business users.
C. the application technology may be inconsistent with the enterprise architecture.
D. the application may create unanticipated support issues for IT.

A

C. the application technology may be inconsistent with the enterprise architecture.

The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization. The EA defines both a current and future state in areas such as the use of standard platforms, databases or programming languages. If a business unit selected an application using a database or operating system that is not part of the EA for the business, this increases the cost and complexity of the solution and ultimately delivers less value to the business.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

When auditing the IT governance framework and IT risk management practices that exist within an organization, the IS auditor identified some undefined responsibilities regarding IT management and governance roles. Which of the following recommendations is the MOST appropriate?

A. Review the strategic alignment of IT with the business.
B. Implement accountability rules within the organization.
C. Ensure that independent IS audits are conducted periodically.
D. Create a chief risk officer role in the organization.

A

B. Implement accountability rules within the organization.

IT risk is managed by embedding accountability into the enterprise. The IS auditor should recommend the implementation of accountability rules to ensure that all responsibilities are defined within the organization. Note that this question asks for the best recommendation—not about the finding itself.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following is an advantage of prototyping?

A. The finished system normally has strong internal controls.
B. Prototype systems can provide significant time and cost savings.
C. Change control is often less complicated with prototype systems.
D. It ensures that functions or extras are not added to the intended system.

A

B. Prototype systems can provide significant time and cost savings.

Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements; however, they also have several disadvantages, including loss of overall security focus, project oversight and implementation of a prototype that is not yet ready for production.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Which of the following inputs adds the MOST value to the strategic IT initiative decision-making process?

A. The maturity of the project management process
B. The regulatory environment
C. Past audit findings
D. The IT project portfolio analysis

A

D. The IT project portfolio analysis

Portfolio analysis provides the best input into the decision-making process relating to planning strategic IT initiatives. An analysis of the IT portfolio provides comparable information of planned initiatives, projects and ongoing IT services, which allows the IT strategy to be aligned with the business strategy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

An IS auditor is assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?

A. An audit clause is present in all contracts.
B. The service level agreement of each contract is substantiated by appropriate key performance indicators.
C. The contractual warranties of the providers support the business needs of the organization.
D. At contract termination, support is guaranteed by each outsourcer for new outsourcers.

A

C. The contractual warranties of the providers support the business needs of the organization.

Aligns with business objectives: Ensuring that the outsourced services meet the organization’s specific needs is paramount.

Risk mitigation: By verifying that contractual warranties align with business needs, the auditor can identify potential gaps in service delivery.

Performance evaluation: Assessing the adequacy of service warranties provides a baseline for evaluating the vendor’s performance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

An IS auditor is performing a review of an organization’s governance model. Which of the following should be of MOST concern to the auditor?

A.The information security policy is not periodically reviewed by senior management.
B.A policy ensuring systems are patched in a timely manner does not exist.
C.The audit committee did not review the organization’s global mission statement.
D.An organizational policy related to information asset protection does not exist.

A

A.The information security policy is not periodically reviewed by senior management.

Data security policies should be reviewed/refreshed once every year to reflect changes in the organization’s environment. Policies are fundamental to the organization’s governance structure, and, therefore, this is the greatest concern.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Question
The MOST important point of consideration for an IS auditor while reviewing an enterprise’s project portfolio is that it:

A.does not exceed the existing IT budget.
B.is aligned with the investment strategy.
C.has been approved by the IT steering committee.
D.is aligned with the business plan.

A

D.is aligned with the business plan.

Portfolio management takes a holistic view of an enterprise’s overall IT strategy, which, in turn, should be aligned with the business strategy. A business plan provides the justification for each of the projects in the project portfolio, and that is the major consideration for an IS auditor.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

A local area network (LAN) administrator normally is restricted from:

A.having end-user responsibilities.
B.reporting to the end-user manager.
C.having programming responsibilities.
D.being responsible for LAN security administration.

A

C.having programming responsibilities.

A Local area network (LAN) Administrator is a person who manages and maintains the local network infrastructure—the interconnected computers, servers, switches, and other devices that form the backbone of communication within a specific physical area, such as an office building or campus.

A local area network (LAN) administrator should not have programming responsibilities because that could allow modification of production programs without proper separation of duties, but the LAN administrator may have end-user responsibilities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

An IS auditor identifies that reports on product profitability produced by an organization’s finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?

A.User acceptance testing occurs for all reports before release into production
B.Organizational data governance practices are put in place
C.Standard software tools are used for report development
D.Management signs-off on requirements for new reports

A

B.Organizational data governance practices are put in place

This choice directly addresses the problem. An organization-wide approach is needed to achieve effective management of data assets and reporting standards. This includes enforcing standard definitions of data elements, which is part of a data governance initiative.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

When implementing an IT governance framework in an organization the MOST important objective is:

A.IT alignment with the business.
B.accountability.
C.value realization with IT.
D.enhancing the return on IT investments.

A

A.IT alignment with the business.

The goals of IT governance are to improve IT performance, deliver optimum business value and ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business. To achieve alignment, all other choices need to be tied to business practices and strategies.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Question
In a review of the human resources policies and procedures within an organization, an IS auditor is MOST concerned with the absence of a:

A.requirement for periodic job rotations.
B.process for formalized exit interviews.
C.termination checklist.
D.requirement for new employees to sign a nondisclosure agreement.

A

C.termination checklist.

A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of enterprise property that was issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

When reviewing the IT strategic planning process, an IS auditor should ensure that the plan:

A.incorporates state of the art technology.
B.addresses the required operational controls.
C.articulates the IT mission and vision.
D.specifies project management practices.

A

C.articulates the IT mission and vision.

The IT strategic plan must include a clear articulation of the IT mission and vision.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

The PRIMARY control purpose of required vacations or job rotations is to:

A.allow cross-training for development.
B.help preserve employee morale.
C.detect improper or illegal employee acts.
D.provide a competitive employee benefit.

A

C.detect improper or illegal employee acts.

The practice of having another individual perform a job function is a control used to detect possible irregularities or fraud.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

The PRIMARY benefit of an enterprise architecture initiative is to:

A.enable the organization to invest in the most appropriate technology.
B.ensure security controls are implemented on critical platforms.
C.allow development teams to be more responsive to business requirements.
D.provide business units with greater autonomy to select IT solutions that fit their needs.

A

A.enable the organization to invest in the most appropriate technology.

The primary focus of the enterprise architecture (EA) is to ensure that technology investments are consistent with the platform, data and development standards of the IT organization; therefore, the goal of the EA is to help the organization to implement the technology that is most effective.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

To gain an understanding of the effectiveness of an organization’s planning and management of investments in IT assets, an IS auditor should review the:

A.enterprise data model.
B.IT balanced scorecard.
C.IT organizational structure.
D.historical financial statements.

A

B.IT balanced scorecard.

IT balanced Scorecard measures customer satisfaction, internal processes and the ability to innovate. In this way, the auditor can measure the success of the IT investment and strategy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

The risk associated with electronic evidence gathering is MOST likely reduced by an email:

A.destruction policy.
B.security policy.
C.archive policy.
D.audit policy.

A

C. Archive Policy

With a policy of well-archived email records, access to or retrieval of specific email records to comply with legal requirements is possible.

Can’t be destruction because there are rules on email retention

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Effective IT governance requires organizational structures and processes to ensure that:

A.risk is maintained at a level acceptable for IT management.
B.the business strategy is derived from an IT strategy.
C.IT governance is separate and distinct from the overall governance.
D.the IT strategy extends the organization’s strategies and objectives.

A

D.the IT strategy extends the organization’s strategies and objectives.

Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives, and that the strategy is aligned with business strategy.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Question
Which of the following BEST supports the prioritization of new IT projects?

A.Internal control self-assessment
B.Information systems audit
C.Investment portfolio analysis
D.Business risk assessment

A

C.Investment portfolio analysis

An investment portfolio analysis, which will present not only a clear focus on investment strategy but also provide the rationale for terminating nonperforming IT projects.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
The MOST important element for the effective design of an information security policy is the: A.threat landscape. B.prior security incidents. C.emerging technologies. D.enterprise risk appetite.
D.enterprise risk appetite. The risk appetite is the amount of risk that an entity is willing to accept in pursuit of its mission to meet its strategic objectives. The purpose of the information security policy is to manage information risk to an acceptable level, so that the policy is principally aligned with the risk appetite. Not threat landscape because this can change over time
26
From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy: A.is cost-effective. B.is future thinking and innovative. C.is aligned with the business strategy. D.has the appropriate priority level assigned.
C.is aligned with the business strategy. The board of directors is responsible for ensuring that the IT strategy is aligned with the business strategy.
27
An IS auditor of a large organization is reviewing the roles and responsibilities of the IT function and finds some individuals serving multiple roles. Which one of the following combinations of roles should be of GREATEST concern for the IS auditor? A.Network administrators are responsible for quality assurance. B.System administrators are application programmers. C.End users are security administrators for critical applications. D.Systems analysts are database administrators.
B.System administrators are application programmers. This represents a separation-of-duties problem. System administrators should not be application programmers, due to the associated rights of both functions. A person with both system and programming rights can do almost anything on a system, including creating a back door.
28
An IS auditor has been assigned to review an organization's information security policy. Which of the following issues represents the HIGHEST potential risk? A.The policy has not been updated in more than one year. B.The policy includes no revision history. C.The policy is approved by the security administrator. D.The company does not have an information security policy committee.
C.The policy is approved by the security administrator. The position of security administrator is typically a staff-level position (not management), and therefore does not have the authority to approve the policy. In addition, an individual in a more independent position should also review the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues.
29
A financial enterprise has had difficulties establishing clear responsibilities between its IT strategy committee and its IT steering committee. Which of the following responsibilities would MOST likely be assigned to its IT steering committee? A.Approving IT project plans and budgets B.Aligning IT to business objectives C.Advising on IT compliance risk D.Promoting IT governance practices
A.Approving IT project plans and budgets An IT steering committee typically has a variety of responsibilities, including approving IT project plans and budgets. Issues related to business objectives, risk and governance are responsibilities that are generally assigned to an IT strategy committee, because it provides insight and advice to the board.
30
When reviewing the development of information security policies, the PRIMARY focus of an IS auditor should be on assuring that these policies: A.are aligned with globally accepted industry good practices. B.are approved by the board of directors and senior management. C.strike a balance between business and security requirements. D.provide direction for implementing security procedures.
C.strike a balance between business and security requirements. Because information security policies must be aligned with an organization’s business and security objectives, this is the primary focus of the IS auditor when reviewing the development of information security policies.
31
Question Which of the following is of MOST interest to an IS auditor reviewing an organization's risk strategy? A.All risk is mitigated effectively. B.Residual risk is zero after control implementation. C.All likely risk is identified and ranked. D.The organization uses an established risk framework.
C.All likely risk is identified and ranked. Risk that is likely to impact the organization should be identified and documented as part of the risk strategy. Without knowing the risk, there is no risk strategy.
32
While reviewing a quality management system, the IS auditor should PRIMARILY focus on collecting evidence to show that: A.quality management systems comply with good practices. B.continuous improvement targets are being monitored. C.standard operating procedures of IT are updated annually. D.key performance indicators are defined.
B.continuous improvement targets are being monitored. Continuous and measurable improvement of quality is the primary requirement to achieve the business objective for the quality management system (QMS).
33
What is the primary focus of an IT steering committee?
Overseeing the day-to-day operations of the IT department and ensuring alignment with business strategy.
34
What is the primary focus of an IT strategy committee?
Developing and maintaining the long-term IT strategy for the organization.
35
Which committee is responsible for prioritizing IT projects based on business needs
IT Steering Committee
36
Which committee is typically composed of senior executives and board members?
IT Strategy Committee
37
A top-down approach to the development of operational policies helps to ensure: A.that they are consistent across the organization. B.that they are implemented as a part of risk assessment. C.compliance with all policies. D.that they are reviewed periodically.
Deriving lower-level policies from corporate policies (a top-down approach) aids in ensuring consistency across the organization and consistency with other policies.
38
What are the pros and cons of a top down approach?
Pros: - Clear direction and focus - Faster decision-making - Effective in crisis situations Cons: - Limited employee input: Can stifle creativity and innovation. - Potential for decreased morale: Employees may feel disengaged if not involved in decision-making. - Risk of overlooking valuable insights from frontline employees.
39
What are the pros and cons of a bottom-up approach?
Pros: - Increased employee engagement and morale: Employees feel valued and empowered. - Generates innovative ideas and solutions - Improves decision quality: Incorporates diverse perspectives and insights. Cons: - Slower decision-making process - Potential for conflicting ideas and priorities - Requires strong leadership to guide the process and make final decisions.
40
Which of the following should be of GREATEST concern to an IS auditor when reviewing an information security policy? The policy: A.is driven by an IT department's objectives. B.is published, but users are not required to read the policy. C.does not include information security procedures. D.has not been updated in over a year.
A.is driven by an IT department's objectives. Business objectives drive the information security policy, and the information security policy drives the selection of IT department objectives. A policy driven by IT objectives is at risk of not being aligned with business goals.
41
During an audit, the IS auditor discovers that the human resources (HR) department uses a cloud-based application to manage employee records. The HR department engaged in a contract outside of the normal vendor management process and manages the application on its own. Which of the following is of GREATEST concern? A.Maximum acceptable downtime metrics have not been defined in the contract. B.The IT department does not manage the relationship with the cloud vendor. C.The help desk call center is in a different country, with different privacy requirements. D.Organization-defined security policies are not applied to the cloud application.
D.Organization-defined security policies are not applied to the cloud application. Cloud applications should adhere to the organization-defined security policies to ensure that the data in the cloud are protected in a manner consistent with internal applications. These include, but are not limited to, the password policy, user access management policy and data classification policy.
42
Which of the following is MOST critical for the successful implementation and maintenance of a security policy? A.Assimilation of the framework and intent of a written security policy by all appropriate parties B.Management support and approval for the implementation and maintenance of a security policy C.Enforcement of security rules by providing punitive actions for any violation of security rules D.Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
A.Assimilation of the framework and intent of a written security policy by all appropriate parties While management support is crucial, it's the understanding and acceptance of the policy by those who must implement and adhere to it that truly drives success. Without this assimilation, even with strong management backing, the policy's effectiveness can be compromised.
43
In reviewing the IT short-range (tactical) plan, an IS auditor should determine whether: A.there is an integration of IT and business personnel within projects. B.there is a clear definition of the IT mission and vision. C.a strategic information technology planning scorecard is in place. D.the plan correlates business objectives to IT goals and objectives.
A.there is an integration of IT and business personnel within projects. - Tactical plans - focus on immediate actions needed to achieve strategic goals. - By working together, IT and business teams can identify and address potential issues, optimize resource allocation, and improve overall project success.
44
Which of the following is the BEST way to ensure that organizational policies comply with legal requirements? A. Inclusion of a blanket legal statement in each policy B.Periodic review by subject matter experts C.Annual sign-off by senior management on organizational policies D.Policy alignment to the most restrictive regulations
B.Periodic review by subject matter experts Periodic review of policies by personnel with specific knowledge of regulatory and legal requirements best ensures that organizational policies are aligned with legal requirements.
45
What is an IT balanced scorecard?
Like the dashboard on a car. It's a tool that helps you measure how well your IT team is performing. Instead of just focusing on numbers (like how much money you're spending), it also considers how customers feel about your IT services, how efficient your IT processes are, and how well your IT team is learning and growing.  
46
Involvement of senior management is MOST important in the development of: A.strategic plans. B.IT policies. C.IT procedures. D.standards and guidelines.
A.strategic plans. These provide the basis for ensuring that the enterprise meets its goals and objectives. Involvement of senior management is critical to ensuring that the plan adequately addresses the established goals and objectives.
47
What is the role of BoD, Senior Management, and the IT steering committee in an organization?
- Board of Directors (CAPTAIN): Sets the overall course. Oversees the policies and procedures. - Senior Management (FIRST OFFICER): Executes the course. Executes the strategic plan. They also report to the board. - Steering Committee (NAVIGATOR): Navigates specific journeys within that course. They oversee specific projects.
48
Errors in audit procedures PRIMARILY impact which of the following risk types? A.Detection risk B.Inherent risk C.Control risk D.Business risk
A.Detection risk This is the probability that the audit procedures may fail to detect existence of a material error or fraud.
49
What is detection risk?
Simple terms: The risk that auditors or other reviewers won't find mistakes or problems. Example: The risk of auditors missing errors in financial statements during an audit.
50
What is Control Risk?
Simple terms: The risk that internal controls (rules and procedures) won't catch or prevent problems. Example: The risk of employees not following proper security protocols, leading to a data breach.
51
What is inherent Risk?
Simple terms: The risk that naturally exists without any safeguards in place. Example: The risk of a natural disaster damaging a company's physical location.
52
What is Business Risk?
Simple terms: The overall risk to an organization's ability to achieve its goals. Example: The risk of losing market share to competitors or economic downturns.
53
Question Which of the following user profiles should be of MOST concern to an IS auditor when performing an audit of an electronic funds transfer (EFT) system? A.Three users with the ability to capture and verify their own messages B.Five users with the ability to capture and send their own messages C.Five users with the ability to verify other users and to send their own messages D.Three users with the ability to capture and verify the messages of other users and to send their own messages
A.Three users with the ability to capture and verify their own messages The ability of one individual to capture and verify their own messages represents an inadequate segregation because messages can be taken as correct and as if they had already been verified. The verification of messages should not be allowed by the person who sent the message
54
An IS auditor found that the enterprise architecture (EA) recently adopted by an organization has an adequate current-state representation. However, the organization has started a separate project to develop a future-state representation. The IS auditor should: A.recommend that this separate project be completed as soon as possible. B.report this issue as a finding in the audit report. C.recommend the adoption of the Zachmann framework. D.re-scope the audit to include the separate project as part of the current audit.
B.report this issue as a finding in the audit report. It is critical for the EA to include the future state because the gap between the current state and the future state will determine IT strategic and tactical plans. If the EA does not include a future-state representation, it is not complete, and this issue should be reported as a finding.
55
When reviewing an organization's strategic IT plan, an IS auditor should expect to find: A.an assessment of the fit of the organization's application portfolio with business objectives. B.actions to reduce hardware procurement cost. C.a listing of approved suppliers of IT contract resources. D.a description of the technical architecture for the organization's network perimeter security.
A.an assessment of the fit of the organization's application portfolio with business objectives. This assessment drives the demand side of IT planning and should convert into a set of strategic IT intentions. Further assessment can then be made of how well the overall IT organization, encompassing applications, infrastructure, services, management processes, etc. can support the business objectives. The purpose of an IT strategic plan is to set out how IT will be used to achieve or support an organization’s business objectives.
56
Question A benefit of open system architecture is that it: A.facilitates interoperability within different systems. B.facilitates the integration of proprietary components. C.will be a basis for volume discounts from equipment vendors. D.allows for the achievement of more economies of scale for equipment.
A.facilitates interoperability within different systems. Open-faced system architecture is like building a computer with interchangeable parts. It means a system is designed using open standards, allowing different components from various manufacturers to work together seamlessly. It is also more cost-effective
57
An enterprise is looking to obtain cloud hosting services from a cloud vendor with a high level of maturity. Which of the following is MOST important for the auditor to ensure continued alignment with the enterprise's security requirements? A.The vendor provides the latest third-party audit report for verification. B.The vendor provides the latest internal audit report for verification. C.The vendor agrees to implement controls in alignment with the enterprise. D.The vendor agrees to provide annual external audit reports in the contract.
D.The vendor agrees to provide annual external audit reports in the contract. The question said 'CONTINUE' Independent verification: External audit reports provide an unbiased assessment of the vendor's security controls and practices. Ongoing monitoring: Annual audits ensure that the vendor maintains security standards over time. Risk mitigation: By requiring these reports, the organization can identify and address potential risks associated with the vendor.
58
On which of the following factors should an IS auditor PRIMARILY focus when determining the appropriate level of protection for an information asset? A.Results of a risk assessment B.Relative value to the business C.Results of a vulnerability assessment D.Cost of security controls
A.Results of a risk assessment The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the IS auditor should review.
59
Question An organization has contracted with a vendor for a turnkey solution for their electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that: A.a backup server is available to run ETCS operations with up-to-date data. B.a backup server is loaded with all relevant software and data. C.the systems staff of the organization is trained to handle any event. D.source code of the ETCS application is placed in escrow.
D.source code of the ETCS application is placed in escrow. Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This agreement ensures that the purchasing organization has the opportunity to modify the software should the vendor cease to be in business.
60
An IS auditor is evaluating a newly developed IT policy for an organization. Which of the following factors does the IS auditor consider MOST important to facilitate compliance with the policy upon its implementation? A.Existing IT mechanisms enabling compliance B.Alignment of the policy to the business strategy C.Current and future technology initiatives D.Regulatory compliance objectives defined in the policy
A.Existing IT mechanisms enabling compliance Question says 'to facilitate compliance with the policy'. The organization should be able to comply with a policy when it is implemented. The most important consideration when evaluating the new policy should be the existing mechanisms in place that enable the organization and its employees to comply with the policy.
61
Which of the following does an IS auditor consider the MOST relevant to short-term planning for an IT department? A.Allocating resources B.Adapting to changing technologies C.Conducting control self-assessments D.Evaluating hardware needs
A.Allocating resources The IT department should specifically consider the manner in which resources are allocated in the short term. The IS auditor ensures that the resources are being managed adequately.
62
An enterprise hosts its data center onsite and has outsourced the management of its key financial applications to a service provider. Which of the following controls BEST ensures that the service provider’s employees adhere to the security policies? A.Sign-off is required on the enterprise's security policies for all users. B.An indemnity clause is included in the contract with the service provider. C.Mandatory security awareness training is implemented for all users. D.Security policies should be modified to address compliance by third-party users.
B.An indemnity clause is included in the contract with the service provider. Having the service provider sign an indemnity clause will ensure compliance to the enterprise’s security policies, because any violations discovered will lead to a financial liability for the service provider. This will also prompt the enterprise to monitor security violations closely.
63
Question The ultimate purpose of IT governance is to: A.encourage optimal use of IT. B.reduce IT costs. C.decentralize IT resources across the organization. D.centralize control of IT.
A.encourage optimal use of IT. IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise.
64
Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider: A.claims to meet or exceed industry security standards. B.agrees to be subject to external security reviews. C.has a good market reputation for service and experience. D.complies with security policies of the organization.
B.agrees to be subject to external security reviews. It is critical that an independent security review of an outsourcing vendor be obtained, because customer credit information will be kept with the vendor.
65
Which of the following does an IS auditor FIRST reference when performing an IS audit? A.Implemented procedures B.Approved policies C.Internal standards D.Documented practices
B.Approved policies Policies are high-level documents that represent the corporate philosophy of an organization. Internal standards, procedures and practices are subordinate to policy.
66
What is the definition of each? - Implemented procedures - Approved policies - Internal standards - Documented practices
- Policies set the overall direction. - Standards provide specific technical guidelines. - Procedures outline the exact steps to be taken. - Practices are the actual actions performed, whether documented or not.
67
Which of the following should be included in an organization's information security policy? A.A list of key IT resources to be secured B.The basis for access control authorization C.Identity of sensitive security assets D.Relevant software security features
B.The basis for access control authorization An information security policy should outline the fundamental principles for granting and managing access to systems and data, ensuring that only authorized individuals can access sensitive information.   While options A, C, and D are important elements of a security program, they are more specific details that should be included within the broader framework established by the access control policy.
68
Question Which of the following is the BEST reference for an IS auditor to determine a vendor's ability to meet service level agreement (SLA) requirements for a critical IT security service? A.Compliance with the master agreement B.Agreed-on key performance metrics C.Results of business continuity tests D.Results of independent audit reports
B.Agreed-on key performance metrics By measuring performance against specific, agreed-upon metrics, an IS auditor can effectively assess whether the vendor is delivering the contracted level of service.
69
As a driver of IT governance, transparency of IT's cost, value and risk is primarily achieved through: A.performance measurement. B.strategic alignment. C.value delivery. D.resource management.
A.performance measurement. Performance measurement involves setting key performance indicators (KPIs) to track IT costs, benefits, and risks. By measuring these metrics, organizations can gain insights into IT's contribution to the business, identify areas for improvement, and make data-driven decisions.
70
While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Because the work involves confidential information, the IS auditor's PRIMARY concern should be that the: A.requirement for protecting confidentiality of information can be compromised. B.contract may be terminated because prior permission from the outsourcer was not obtained. C.other service provider to whom work has been outsourced is not subject to audit. D.outsourcer will approach the other service provider directly for further work.
A.requirement for protecting confidentiality of information can be compromised. Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. When a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised.
71
When performing a review of a business process reengineering (BPR) effort, which of the following is of PRIMARY concern? A.Controls are eliminated as part of the streamlining BPR effort. B.Resources are not adequate to support the BPR process. C.The audit department does not have a consulting role in the BPR effort. D.The BPR effort includes employees with limited knowledge of the process area.
A.Controls are eliminated as part of the streamlining BPR effort. BPR is like completely rethinking how you make something. It's about looking at your business processes from scratch and finding radically different ways to do things. The goal is to dramatically improve efficiency, reduce costs, and increase customer satisfaction. This is the primary concern because eliminating controls can lead to significant risks, such as increased fraud, errors, or inefficiencies. The auditor must ensure that any process improvements do not compromise the organization's control environment.
72
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described types of IT risk. What is the MOST appropriate recommendation in this situation? A.Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts. B.Use common industry standard aids to divide the existing risk documentation into several individual types of risk which will be easier to handle. C.No recommendation is necessary because the current approach is appropriate for a medium-sized organization. D.Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management.
D.Establish regular IT risk management meetings to identify and assess risk and create a mitigation plan as input to the organization's risk management. Establishing regular IT risk management meetings is the best way to identify and assess IT-related risk in a medium-sized organization, to address responsibilities to the respective management and to keep the risk register and mitigation plans up to date.
73
Question Regarding the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor? A.Core activities that provide a differentiated advantage to the organization have been outsourced. B.Periodic renegotiation is not specified in the outsourcing contract. C.The outsourcing contract fails to cover every action required by the business. D.Similar activities are outsourced to more than one vendor.
A.Core activities that provide a differentiated advantage to the organization have been outsourced. An organization’s core activities generally should not be outsourced because they are what the organization does best; an IS auditor observing that condition should be concerned.
74
Question An IS auditor is evaluating the IT governance framework of an organization. Which of the following is the GREATEST concern? A.Senior management has limited involvement. B.Return on investment is not measured. C.Chargeback of IT cost is not consistent. D.Risk appetite is not quantified.
A.Senior management has limited involvement. To ensure that the IT governance framework is effectively in place, senior management must be involved and aware of roles and responsibilities. Therefore, it is most essential to ensure the involvement of senior management when evaluating the soundness of IT governance.
75
Which of the following should an IS auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities? A. Define a balanced scorecard for measuring performance. B. Consider user satisfaction in the key performance indicators. C. Select projects according to business benefits and risk. D. Modify the yearly process of defining the project portfolio.
C. Select projects according to business benefits and risk. Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the best measure for achieving alignment of the project portfolio to an organization’s strategic priorities.
76
Question Before implementing an IT balanced scorecard, an organization must: A.deliver effective and efficient services. B.define key performance indicators. C.provide business value to IT projects. D.control IT expenses.
B.define key performance indicators. Because a balanced scorecard (BSC) is a way to measure performance, a definition of key performance indicators is required before implementing an IT BSC.
77
An IS auditor is reviewing the risk management process. Which of the following is the MOST important consideration during this review? A.Controls are implemented based on cost-benefit analysis. B.The risk management framework is based on global standards. C.The approval process for risk response is in place. D.IT risk is presented in business terms.
D.IT risk is presented in business terms. For risk management to be effective, it is necessary to align IT risk with business objectives. This can be done by adopting acceptable terminology that is understood by all, and the best way to achieve this is to present IT risk in business terms.
78
Question An enterprise's risk appetite is BEST established by: A.the chief legal officer. B.security management. C.the audit committee. D.the steering committee.
D.the steering committee. The steering committee, being responsible for strategic direction and resource allocation, is best positioned to establish the overall risk appetite for the organization. It represents a balance between business objectives and risk tolerance.
79
An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the: A.hardware configuration. B.access control software. C.ownership of intellectual property. D.application development methodology.
C.ownership of intellectual property. The contract must specify who owns the intellectual property (i.e., information being processed and application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.
80
Question Which of the following is an implementation risk within the process of decision support systems? A.Management control B.Semistructured dimensions C.Inability to specify purpose and usage patterns D.Changes in decision processes
C.Inability to specify purpose and usage patterns By clearly defining the purpose and expected usage patterns of the DSS upfront, developers can design a system that effectively meets the needs of decision-makers. If these aspects are not clear, the system might be misaligned with user needs and expectations, leading to implementation failure.
81
What is decision support system?
a DSS helps you make better decisions by giving you the right information at the right time.
82
IT governance is PRIMARILY the responsibility of the: A.chief executive officer. B.board of directors. C.IT steering committee. D.audit committee.
B.board of directors. IT governance is primarily the responsibility of the executives and shareholders (as represented by the board of directors).
83
When developing a formal enterprise security program, the MOST critical success factor is the: A.establishment of a review board. B.creation of a security unit. C.effective support of an executive sponsor. D.selection of a security process owner.
C.effective support of an executive sponsor. The executive sponsor is in charge of supporting the organization’s strategic security program and aids in directing the organization’s overall security management activities. Therefore, support by the executive level of management is the most critical success factor.
84
An organization is considering making a major investment in upgrading technology. Which of the following choices is the MOST important to consider? A.A cost analysis B.The security risk of the current technology C.Compatibility with existing systems D.A risk analysis
D.A risk analysis By conducting a thorough risk analysis, an organization can identify potential threats, vulnerabilities, and impacts associated with the new technology. This information is crucial for making informed decisions, developing mitigation strategies, and ensuring business continuity. The other options (cost analysis, security risk, and compatibility) are important considerations, but they are components of a broader risk analysis.
85
An IS auditor finds that not all employees are aware of the enterprise's information security policy. The IS auditor should conclude that: A.this lack of knowledge may lead to unintentional disclosure of sensitive information. B.information security is not critical to all functions. C.IS audit should provide security training to the employees. D.the audit finding will cause management to provide continuous training to staff.
A.this lack of knowledge may lead to unintentional disclosure of sensitive information. All employees should be aware of the enterprise’s information security policy to prevent unintentional disclosure of sensitive information. Training is a preventive control. Security awareness programs for employees can prevent unintentional disclosure of sensitive information to outsiders.
86
The PRIMARY objective of implementing corporate governance is to: A.provide strategic direction. B.control business operations. C.align IT with business. D.implement good practices.
A.provide strategic direction. Corporate governance is fundamentally about ensuring that an organization is directed and controlled in a way that adds value to shareholders and other stakeholders. Providing strategic direction is the core function of this process. The other options are important aspects of corporate governance but are not the primary objective.
87
As result of profitability pressure, senior management of an enterprise decided to keep investments in information security at an inadequate level, which of the following is the BEST recommendation of an IS auditor? A.Use cloud providers for low-risk operations. B.Revise compliance enforcement processes. C.Request that senior management accept the risk. D.Postpone low-priority security procedures.
C.Request that senior management accept the risk. By formally requesting that senior management acknowledge and accept the increased risk associated with the reduced security investment, the IS auditor is: Highlighting the potential consequences: This action brings the risk into sharp focus for management. Shifting responsibility: The auditor is clearly placing the decision to accept the risk squarely on management's shoulders. Documenting the issue: This creates a formal record of the situation, which can be important for future reference and potential legal implications. The other options might be considered as part of a broader risk mitigation strategy, but they do not directly address the core issue of inadequate security investment.
88
Question An organization has a well-established risk management process. Which of the following risk management practices would MOST likely expose the organization to the greatest amount of compliance risk? A.Risk reduction B.Risk transfer C.Risk avoidance D.Risk mitigation
B.Risk transfer This typically addresses financial risk. For instance, an insurance policy is commonly used to transfer financial risk, while compliance risk continues to exist.
89
Which of the following is a function of an IT steering committee? A.Monitoring vendor-controlled change control and testing B.Ensuring a separation of duties within the information's processing environment C.Approving and monitoring the status of IT plans and budgets D.Liaising between the IT department and end users
C.Approving and monitoring the status of IT plans and budgets The IT steering committee typically serves as a general review board for major IT projects and should not become involved in routine operations; therefore, one of its functions is to approve and monitor major projects, such as the status of IT plans and budgets.
90
A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential impact, the team should: A. compute the amortization of the related assets. B.calculate a return on investment. C.apply a qualitative approach. D.spend the time needed to define the loss amount exactly.
C.apply a qualitative approach. The common practice when it is difficult to calculate the financial losses is to take a qualitative approach, in which the manager affected by the risk defines the impact in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact).
91
Question To support an organization's goals, an IT department should have: A.a low-cost philosophy. B.long- and short-term plans. C.leading-edge technology. D.plans to acquire new hardware and software.
B.long- and short-term plans. To ensure its contribution to the realization of an organization’s overall goals, the IT department should have long- and short-range plans that are consistent with the organization’s broader and strategic plans for attaining its goals.
92
Which of the following is the GREATEST risk of an inadequate policy definition for ownership of data and systems? A.User management coordination does not exist. B.Specific user accountability cannot be established. C.Unauthorized users may have access to modify data. D.Audit recommendations may not be implemented.
C.Unauthorized users may have access to modify data. An inadequate policy definition for ownership of data and systems means there is a lack of clarity about who is responsible for what data. This ambiguity can lead to situations where unauthorized individuals have access to modify data, potentially resulting in data breaches, loss, or corruption. The other options are important considerations, but they are more related to the consequences of inadequate ownership rather than the core risk itself.
93
An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. An IS auditor should determine whether the vendor being considered: A.can deliver on the immediate contract. B.is of similar financial standing as the organization. C.has significant financial obligations that can impose liability to the organization. D.can support the organization in the long term.
D.can support the organization in the long term. The long-term financial viability of a vendor is essential for deriving maximum value for the organization—it is more likely that a financially sound vendor would be in business for a long period of time and thereby more likely to be capable of providing long-term support for the purchased product.
94
An IS auditor reviews an organizational chart PRIMARILY for: A.an understanding of the complexity of the organizational structure. B.investigating various communication channels. C.understanding the responsibilities and authority of individuals. D.investigating the network connected to different employees.
C.understanding the responsibilities and authority of individuals. An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions.
95
What is a quality management system?
QMS is a roadmap for consistent quality. It's a structured approach to doing things right the first time and consistently.   Imagine you're baking a cake. A QMS is the recipe, the equipment, and the process you follow to ensure every cake tastes delicious.
96
What is a risk assessment?
It's a process of identifying possible dangers or threats, understanding their impact, and figuring out how to handle them. Think of it as a safety check for your plans.  
97
Which of the following is the BEST enabler for strategic alignment between business and IT? A.A maturity model B.Goals and metrics C.Control objectives D.A responsible, accountable, consulted and informed (RACI) chart
B.Goals and metrics These ensure that IT goals are set based on business goals, and they are the best enablers of strategic alignment.
98
Which of the following IT governance good practices improves strategic alignment? A.Supplier and partner risk is managed. B.A knowledge base on customers, products, markets and processes is in place. C.A structure is provided that facilitates the creation and sharing of business information. D.Top management mediates between the imperatives of business and technology.
D.Top management mediates between the imperatives of business and technology. This is an IT strategic alignment good practice.
99
Question The output of the risk management process is an input for making: A.business plans. B.audit charters. C.security policy decisions. D.software design decisions.
C.security policy decisions. The risk management process is about making specific, security-related decisions, such as the level of acceptable risk.
100
Question Which of the following is the MOST important element for the successful implementation of IT governance? A.Implementing an IT scorecard B.Identifying organizational strategies C.Performing a risk assessment D.Creating a formal security policy
B.Identifying organizational strategies The key objective of an IT governance program is to support the business; therefore, the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices—even if implemented—would be ineffective.
101
During an audit, which of the following situations are MOST concerning for an organization that significantly outsources IS processing to a private network? A.The contract does not contain a right-to-audit clause for the third party. B.The contract was not reviewed by an information security subject matter expert prior to signing. C.The IS outsourcing guidelines are not approved by the board of directors. D.There is a lack of well-defined IS performance evaluation procedures.
A.The contract does not contain a right-to-audit clause for the third party. Lack of a right-to-audit clause in the contract impacts the IS auditor’s ability to perform the IS audit. Hence, the IS auditor is most concerned with such a situation. In the case of outsourcing to a private network, the organization should ensure that the third party has a minimum set of IT security controls in place and that they are operating effectively.
102
Which of the following is MOST important to consider when reviewing the classification levels of information assets? A.Potential loss B.Financial cost C.Potential threats D.Cost of insurance
A.Potential loss The best basis for asset classification is an understanding of the total losses a business may incur if the asset is compromised. Typically, estimating these losses requires a review of criticality and sensitivity beyond financial cost, such as operational and strategic.
103
Question When developing a security architecture, which of the following steps should be executed FIRST? A.Developing security procedures B.Defining a security policy C.Specifying an access control methodology D.Defining roles and responsibilities
B.Defining a security policy Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies often set the stage in terms of the tools and procedures that are needed for an organization.
104
Why are goals and metrics the best enablers for strategic allignment between business and IT?
Shared goals and metrics unify the separate business and IT functions under 1 strategy.
105
What is the difference between IT value delivery and IT strategic alignment?
Strategic alignment is about making sure IT is heading in the right direction. Value delivery is about how do we achieve the strategy?
106
When conducting an audit of an outsourced IT function, what is the primary concern regarding the protection of sensitive information?
The potential for data breaches and unauthorized access due to the involvement of an external service provider.
107
Why is protecting confidential information generally considered more critical than ensuring the auditability of a secondary service provider?
Because a breach of confidential information can lead to significant financial loss, reputational damage, and legal consequences, while the inability to audit a service provider might impact internal process efficiency but not necessarily result in direct financial or reputational harm.

CISA (2 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions