Exam (elaborations)

CISA Study Notes Questions With Correct Answers!!

Rating: -
Sold: -
Pages: 15
Grade: A+
Uploaded on: 19-11-2024
Written in: 2024/2025

Institution: CISA
Course: CISA

Preview of the content

Who is responsible for imposing an IT governance model encompassing IT strategy,
information security, and formal enterprise architectural mandates? - ANSWER: IT
executives and the Board of Directors

The party that performs strategic planning, addresses near-term and long-term
requirements aligning business objectives, and technology strategies. -
ANSWER: The Steering Committee

What three elements allow validation of business practices against acceptable
measures of regulatory compliance, performance, and standard operational
guidelines? - ANSWER: (1.) Policies (2.) Procedures (3.) Standards

What activity involves the identification of potential risk and the appropriate response
for each threat based on impact assessment using qualitative and/or quantitative
measures for an enterprise-wide risk management strategy? - ANSWER: Risk
Management

IT Governance is most concerned with... - ANSWER: IT Strategy

Describe the advantages of outsourcing. - ANSWER: Outsourcing is an opportunity
for the organization to focus on core competencies. When an organization
outsources a business function, it no longer needs to be concerned about training
employees in that function. Outsourcing does not always reduce costs, because cost
reduction is not always the primary goal of outsourcing.

An external IS auditor has discovered a segregation of duties issue in a high value
process. What is the best action for the auditor to take? - ANSWER: The external
auditor can only document the finding in the audit report. An external auditor is not in
a position to implement controls.

An organization has chosen to open a business office in another country where labor
costs are lower and has hired workers to perform business functions there. This
organization has done what? - ANSWER: The organization is insourcing - while they
may have opened the office in a foreign country, they have hired locals to do the
work as opposed to contracting with a third party.

An organization has discovered that some of its employees have criminal records.
What is the best course of action for the organization to take? - ANSWER: The
organization should have background checks performed on all of its existing
employees and also begin instituting background checks of all new-hires. It is not
necessarily required to terminate the employees - their offenses may not warrant
termination.

The options for Risk Treatment are: - ANSWER: Risk Mitigation, Risk Avoidance, Risk
Transfer, Risk Acceptance

Annualized Loss Expectancy (ALE) is defined as: - ANSWER: ALE is the annual
expected loss to an asset. It is calculated as the single loss expectancy (SLE) × the
annualized rate of occurrence (ARO).

A quantitative risk analysis is more difficult to perform because: - ANSWER: It is
difficult to get accurate figures on the frequency of specific threats. It is difficult to
determine the probability that a threat will be realized. It is relatively easy to
determine the value of an asset and the impact of a threat event.

An IS auditor is examining the IT standards document for an organization that was
last reviewed two years earlier. The best course of action for the IS auditor is: -
ANSWER: Report that the IT standards are not being reviewed often enough. Two
years is far too long between reviews of IT standards.

The purpose of a Balanced Scorecard is: - ANSWER: To measure organizational
performance and effectiveness against strategic goals.

The 4-item focus of a Balanced Scorecard is: - ANSWER: (1.) Financial (2.) Customer
(3.) Internal processes (4.) Innovation / Learning

The audit program is an audit strategy and plans that include: - ANSWER: (1.) Scope
(2.) Objectives (3.) Resources (4.) Procedures used to evaluate controls and
processes

IS auditors can stay current with technology through the following means: -
ANSWER: (1.) Training courses (2.) Webinars (3.) ISACA chapter training events (4.)
Industry conferences

Name the three Types of Controls - ANSWER: (1.) Physical (2.) Technical (3.)
Administrative

Name the two Categories of Controls - ANSWER: (1.) Automatic (2.) Manual

Name the Eight Types of Audits - ANSWER: (1.) Operational (2.) Financial (3.)
Integrated (4.) IS (5.) Administrative (6.) Compliance (7.) Forensic (8.) Service
Provider

What type of testing is performed to determine if control procedures have proper
design and are operating properly? - ANSWER: Compliance Testing

What type of testing is performed to verify the accuracy and integrity of transactions
as they flow through a system? - ANSWER: Substantive Testing

Audit Methodologies define what 10 elements of an Audit? - ANSWER: (1.) Subject of
audit (2.) Audit Objective (3.) Type of audit (4.) Audit scope (5.) Pre-audit planning
(6.) Audit procedures (7.) Communication plan (8.) Report Preparation (9.) Wrap-up
(10.) Post-audit follow-up

Seller: papersbyjol, West Virginia