An IS auditor should expect which of the following items to be included in the
request for proposal (RFP) when IS is procuring services from an independent
service provider (ISP)?
A References from other customers
B Service level agreement (SLA) template
C Maintenance agreement
D Conversion plan
The correct answer is A
An IS auditor should look for independent verification that the ISP can perform
the tasks being contracted for. References from other customers provide an
independent, external review of the procedures and processes the ISP follows,
which are matters of concern to an IS auditor; checking references is a means of
verifying that the vendor can actually deliver the services it claims it can. A
maintenance agreement relates more to equipment than to services, and a
conversion plan, while important, is less important than verification that the
ISP can provide the services it proposes.
To aid management in achieving IT and business alignment, an IS auditor should
recommend the use of:
A control self-assessments.
B a business impact analysis.
C an IT balanced scorecard.
D business process reengineering.
The correct answer is C
An IT balanced scorecard (BSC) provides the bridge between IT objectives and
business objectives by supplementing the traditional financial evaluation with
measures of customer satisfaction, internal processes and the ability to
innovate. Control self-assessment (CSA), business impact analysis (BIA) and
business process reengineering (BPR) are insufficient on their own to align IT
with organizational objectives.
A poor choice of passwords and transmission over unprotected communications
lines are examples of:
A vulnerabilities.
B threats.
C probabilities.
D impacts.
The correct answer is A
Vulnerabilities represent characteristics of information resources that may be
exploited by a threat. Threats are circumstances or events with the potential to
cause harm to information resources. Probabilities represent the likelihood of the
occurrence of a threat, while impacts represent the outcome or result of a threat
exploiting a vulnerability.
To support an organization's goals, an IS department should have:
A low-cost philosophy.
B long- and short-range plans.
C leading-edge technology.
D plans to acquire new hardware and software.
The correct answer is B
To ensure its contribution to the realization of an organization's overall goals, the
IS department should have long- and short-range plans that are consistent with the
organization's broader plans for attaining its goals. Choices A and C are objectives,
and plans would be needed to delineate how each of those objectives would be
achieved. Choice D could be part of the overall plan but would be required only
if hardware or software is needed to achieve the organizational goals.
When performing a review of the structure of an electronic funds transfer (EFT)
system, an IS auditor observes that the technological infrastructure is based on a
centralized processing scheme that has been outsourced to a provider in another
country. Based on this information, which of the following conclusions should be
the main concern of the IS auditor?
A There could be a question regarding the legal jurisdiction.
B Having a provider abroad will cause excessive costs in future audits.
C The auditing process will be difficult because of the distance.
D There could be different auditing norms.
The correct answer is A
In the funds transfer process, when the processing scheme is centralized in a
different country, there could be legal issues of jurisdiction that might affect the
auditor's right to perform a review in that country. The other choices, though
possible, are not as relevant as the issue of legal jurisdiction.
The risks associated with electronic evidence gathering would MOST likely be
reduced by an e-mail:
A destruction policy.
B security policy.
C archive policy.
D audit policy.
The correct answer is C
With a policy of well-archived e-mail records, access to or retrieval of specific
e-mail records is possible without disclosing other confidential e-mail records.
Security and/or audit policies would not address the efficiency of record retrieval,
and destroying e-mails may be an illegal act.
Effective IT governance requires organizational structures and processes to ensure
that: