Flashcards in CISA Refresher 4 Deck (181)
Who is responsible for imposing an IT governance model encompassing IT strategy, information security, and formal enterprise architectural mandates?
IT executives and the Board of Directors
The party that performs strategic planning, addresses near-term and long-term requirements aligning business objectives, and technology strategies.
The Steering Committee
What three elements allow validation of business practices against acceptable measures of regulatory compliance, performance, and standard operational guidelines.
(1.) Polices (2.) Procedures (3.) Standards
What activity involves the identification of potential risk and the appropriate response for each threat based on impact assessment using qualitative and/or quantitative measures for an enterprise-wide risk management strategy?
IT Governance is most concerned with....
Describe the advantages of outsourcing.
Outsourcing is an opportunity for the organization to focus on core competencies. When an organization oursources a business function, it no longer needs to be concerned about training employees in that function. Outsources does not always reduce costs, because cost reduction is not always the primary goal of oursourcing.
An external IS auditor has discovered a segregation of duties issue in a high value process. What is the best action for the auditor to take?
The external auditor can only document the finding in the audit report. An external auditor is not in a position to implement controls.
An organization has chosen to open a business office in another country where labor costs are lower and has hired workers to perform business functions there. This organization has done what?
The organization is insourcing - while they may have opened the office in a foreign country, they have hired locals to do the work as opposed to contracting with a third party.
An organization has discovered that some of its employees have criminal records. What is the best course of action for the organization to take?
The organization should have background checks performed on all of its existing employees and also begin instituting background checks of all new-hires. It is not necessarily required to terminate the employees - their offenses may not warrant termination.
The options for Risk Treatment are:
Risk Mitigation Risk Avoidance Risk Transfer Risk Acceptance
Annualized Loss Expectance (ALE) is defined as:
ALE is the annual expected loss to an asset. It is calculated as the single loss expectancy (SLE) X the annualized rate of occurrence (ARO.)
A quantitative risk analysis is more difficult to perform because:
It is difficult to get accurate figures on the frequency of specific threats. It is difficult to determine the probability that a threat will be realized. It is relatively easy to determine the value of an asset and the impact of a threat event.
An IS auditor is examining the IT standards document for an organization that was last reviewed two years earlier. The best course of action for the IS auditor is:
Report that the IT standards are not being reviewed often enough. Two years is far too long between reviews of IT standards.
The purpose of a Balanced Scorecard is:
To measure organizational performance and effectiveness against strategic goals.
The 4-item focus of a Balanced Scorecard is:
(1.) Financial (2.) Customer (3.) Internal processes (4.) Innovation / Learning
The audit program is an audit strategy and plans that include:
(1.) Scope (2.) Objectives (3.) Resources (4.) Procedures used to evaluation controls and processes
IS auditors can stay current with technology through the following means:
(1.) training courses (2.) webinars (3.) ISACA chapter training events (4.) Industry conferences
Name the three Types of Controls
(1.) Physical (2.) Technical (4.) Administrative
Name the two Categories of Controls
(1.) Automatic (2.) Manual
Name the Eight Types of Audits
(1.) Operational (2.) Financial (3.) Integrated (4.) IS (5.) Administrative (6.) Compliance (7.) Forensic (8.) Service Provider
What type of testing is performed to determine if control procedures have proper design and are operating properly?
What type of testing is performed to verify the accuracy and integrity of transactions as they flow through a system?
Audit Methodologies define what 10 elements of an Audit?
(1.) Subject of audit (2.) Audit Objective (3.) Type of audit (4.) Audit scope (5.) Pre-audit planning (6.) Audit procedures (7.) Communication plan (8.) Report Preparation (9.) Wrap-up (10.) Post-audit follow-up
Name the 5 types of Evidence that the auditor will collect during an audit.
(1.) Observations (2.) Written Notes (3.) Correspondence (4.) Process and Procedure documentation (5.) Business records
During an audit, the auditor should obtain what 6 types of documents?
(1.) Org charts (2.) Department Charters (3.) third-party contracts (4.) policies and procedures (5.) standards (6.) system documentation
What is the purpose of an auditor doing interviews?
To observe personnel to better understand their discipline, as well as organizational culture and maturity
Name the seven types of sampling an auditor can perform.
(1.) Statistical (2.) Judgmental (3.) Attribute (4.) Variable (5.) Stop-or-Go (6.) Discovery (7.) Stratified
Confidence coefficient means what?
The probability that a sample selected actually represents the entire population. This is usually expressed as a percentage.
Sampling Risk means what?
The probability that a sample selected does not represent the entire population. This is usually expressed as a percentage, as the numeric inverse of the confidence coefficient.