Exam (elaborations)

CISA EXAM 75 COMPLETE QUESTIONS WITH CORRECT ANSWERS (100% VERIFIED)

Pages
20
Grade
A+
Uploaded on
10-12-2025
Written in
2025/2026

Institution
CISA - Certified Information Systems Auditor
Course
CISA - Certified Information Systems Auditor











Document information

Uploaded on
December 10, 2025
Number of pages
20
Written in
2025/2026
Type
Exam (elaborations)
Contains
Questions & answers


CISA EXAM 75 COMPLETE QUESTIONS WITH CORRECT ANSWERS
(100% VERIFIED)

An IS auditor is examining a wireless (Wi-Fi) network and has determined that the
network uses WEP encryption. What action should the auditor take?
A. Recommend that encryption be changed to WPA.
B. Recommend that encryption be changed to EAP.
C. Request documentation for the key management process.
D. Request documentation for the authentication process.

A. The WEP protocol has been seriously compromised and should be replaced
with WPA or WPA2 encryption.

An external IS auditor has discovered a segregation of duties issue in a high-value
process. What is the best action for the auditor to take?
A. Implement a preventive control.
B. Implement a detective control.
C. Implement a compensating control.
D. Document the matter in the audit report.

D. The external auditor can only document the finding in the audit report. An
external auditor is not in a position to implement controls.

An organization has chosen to open a business office in another country where
labor costs are lower and has hired workers to perform business functions there.
This organization has
A. Outsourced the function
B. Outsourced the function offshore
C. Insourced the function on-site
D. Insourced the function at a remote location

D. An organization that opens a business office in another country and staffs the
office with its own employees is insourcing, not outsourcing. Outsourcing is the
practice of using contract labor, which is clearly not the case in this example. In
this case, the insourcing is taking place at a remote location.

An IS auditor is examining the IT standards document for an organization that was
last reviewed two years earlier. What is the best course of action for the IS auditor?
A. Locate the IT policy document and see how frequently IT standards should be
reviewed.
B. Compare the standards with current practices and make a determination of
adequacy.
C. Report that IT standards are not being reviewed often enough.
D. Report that IT standards are adequate.

C. IT standards that have not been reviewed for two years are out of date. If the IS
auditor finds an IT policy that says that IT standards can be reviewed every two
years, then there is a problem with IT policy as well; two years is far too long
between reviews of IT standards.

What is the purpose of a criticality analysis?
A. Determine feasible recovery targets.
B. Determine which staff members are the most critical.
C. Determine which business processes are the most critical.
D. Determine maximum tolerable downtime.

C. A criticality analysis is used to determine which business processes are the most
critical by ranking them in order of criticality.

An organization needs to better understand whether one of its key business
processes is effective. What action should the organization consider?
A. Audit the process.
B. Benchmark the process.
C. Outsource the process.
D. Offshore the process.

B. An organization that needs to understand whether a key process is effective
should consider benchmarking the process. This will help the organization better
understand whether its approach is similar to that of other organizations.

Annualized loss expectancy (ALE) is defined as
A. Single loss expectancy (SLE) × annualized rate of occurrence (ARO)
B. Exposure factor (EF) × the annualized rate of occurrence (ARO)
C. Single loss expectancy (SLE) × the exposure factor (EF)
D. Asset value (AV) × the single loss expectancy (SLE)

A. Annualized loss expectancy (ALE) is the annual expected loss to an asset. It is
calculated by multiplying the single loss expectancy (SLE—the financial loss
experienced when the loss is realized one time) by the annualized rate of
occurrence (ARO—the number of times that the organization expects the loss to
occur).

A quantitative risk analysis is more difficult to perform because
A. It is difficult to get accurate figures on the impact of a realized threat.
B. It is difficult to get accurate figures on the probability of specific threats.
C. It is difficult to get accurate figures on the value of assets.
D. It is difficult to calculate the annualized loss expectancy of a specific threat.

B. The most difficult part of a quantitative risk analysis is determining the
probability that a threat will actually be realized. It is relatively easy to determine
the value of an asset and the impact of a threat event.

During audit planning, an auditor has discovered that a key business process in the
auditee organization has been outsourced to an external service provider. Which
option should the auditor consider?
A. Audit the external service provider or rely on an SSAE 16 audit report if one is
available.
B. Audit the external service provider.
C. Determine that the business process is not effective.
D. Request that the external service provider submit its internal audit work papers.

A. An auditor who has determined that a key business process has been outsourced
needs to determine the effectiveness of that process by auditing that process or by
relying on a separate audit report of that process.

Why should an auditor prefer bank statements over a department's own business
records that list bank transactions?
A. Bank statements can be provided in electronic format.
B. Bank statements contain data not found in internal records.
C. Bank statements are usually easier to obtain.
D. Bank statements are independent and objective.

D. An auditor would prefer bank statements over internal records because bank
statements are produced by a bank, which is independent and objective. A bank is
unlikely to alter its records to improve the audit outcome of one of its customers.

Which of the following statements is true about ISACA audit standards and
guidelines?
A. ISACA audit standards are mandatory, while ISACA audit guidelines are
optional.
B. ISACA audit standards are optional, while ISACA audit guidelines are
mandatory.
C. ISACA audit standards and guidelines are mandatory.
D. ISACA audit standards and guidelines are optional.

Seller: NurseQueen1 (rating 4.7, 3 reviews)
