Exam (elaborations)

CISA Review Questions & Answers 100% Correct!!

Pages
17
Grade
A+
Uploaded on
18-11-2024
Written in
2024/2025

Institution
CISA
Module
CISA










CISA Review Questions & Answers
100% Correct!!
IT governance is most concerned with
A. Security policy
B. IT policy
C. IT strategy
D. IT executive compensation - ANSWER: IT Strategy
IT governance is the mechanism through which IT strategy is established, controlled,
and monitored through the balanced scorecard. Long-term and other strategic
decisions are made in the context of IT governance.

One of the advantages of outsourcing is
A. It permits the organization to focus on core competencies.
B. It results in reduced costs.
C. It provides greater control over work performed by the outsourcing agency.
D. It eliminates segregation of duties issues. - ANSWER: It permits the organization to
focus on core competencies.
Outsourcing is an opportunity for the organization to focus on its core competencies.
When an organization outsources a business function, it no longer needs to be
concerned about training employees in that function. Outsourcing does not always
reduce costs, because cost reduction is not always the primary purpose for
outsourcing in the first place.

An organization has chosen to open a business office in another country where labor
costs are lower and has hired workers to perform business functions there. This
organization has
A. Outsourced the function
B. Outsourced the function offshore
C. Insourced the function on-site
D. Insourced the function at a remote location - ANSWER: Insourced the function at a
remote location
An organization that opens a business office in another country and staffs the office
with its own employees is insourcing, not outsourcing. Outsourcing is the practice of
using contract labor, which is clearly not the case in this example. In this case, the
insourcing is taking place at a remote location.


An external IS auditor has discovered a segregation of duties issue in a high-value
process. What is the best action for the auditor to take?
A. Implement a preventive control.
B. Implement a detective control.
C. Implement a compensating control.
D. Document the matter in the audit report. - ANSWER: Document the matter in the
audit report.
The external auditor can only document the finding in the audit report. An external
auditor is not in a position to implement controls.

What is the purpose of a criticality analysis?
A. Determine feasible recovery targets.
B. Determine which staff members are the most critical.
C. Determine which business processes are the most critical.
D. Determine maximum tolerable downtime. - ANSWER: Determine which business
processes are the most critical.
A criticality analysis is used to determine which business processes are the most
critical by ranking them in order of criticality.

An organization needs to better understand whether one of its key business
processes is effective. What action should the organization consider?
A. Audit the process.
B. Benchmark the process.
C. Outsource the process.
D. Offshore the process. - ANSWER: Benchmark the process.
An organization that needs to understand whether a key process is effective should
consider benchmarking the process. This will help the organization better understand
whether its approach is similar to that of other organizations.

Annualized loss expectancy (ALE) is defined as
A. Single loss expectancy (SLE) × annualized rate of occurrence (ARO)
B. Exposure factor (EF) × the annualized rate of occurrence (ARO)
C. Single loss expectancy (SLE) × the exposure factor (EF)
D. Asset value (AV) × the single loss expectancy (SLE) - ANSWER: Single loss
expectancy (SLE) × annualized rate of occurrence (ARO)
Annualized loss expectancy (ALE) is the annual expected loss to an asset. It is
calculated by multiplying the single loss expectancy (SLE—the financial loss
experienced when the loss is realized one time) by the annualized rate of occurrence
(ARO—the number of times that the organization expects the loss to occur).

A quantitative risk analysis is more difficult to perform because
A. It is difficult to get accurate figures on the impact of a realized threat.
B. It is difficult to get accurate figures on the probability of specific threats.
C. It is difficult to get accurate figures on the value of assets.
D. It is difficult to calculate the annualized loss expectancy of a specific threat. -
ANSWER: It is difficult to get accurate figures on the probability of specific threats.
The most difficult part of a quantitative risk analysis is determining the probability that
a threat will actually be realized. It is relatively easy to determine the value of an
asset and the impact of a threat event.

A collection of servers that is designed to operate as a single logical server is known
as what?
A. Cluster
B. Grid
C. Cloud
D. Replicant - ANSWER: Cluster
A server cluster is a collection of two or more servers that is designed to appear as a
single server.

What is the purpose of a balanced scorecard?
A. Measures the efficiency of an IT organization
B. Evaluates the performance of individual employees
C. Benchmarks a process in the organization against peer organizations
D. Measures organizational performance and effectiveness against strategic goals -
ANSWER: Measures organizational performance and effectiveness against strategic
goals
The balanced scorecard is a tool that is used to quantify the performance of an
organization against strategic objectives. The focuses of a balanced scorecard are
financial, customer, internal processes, and innovation/learning.

An organization has discovered that some of its employees have criminal records.
What is the best course of action for the organization to take?
A. Terminate the employees with criminal records.
B. Immediately perform background checks, including criminal history, on all existing
employees.
C. Immediately perform background checks, including criminal history, on all new
employees.
D. Immediately perform background checks on those employees with criminal
records. - ANSWER: Immediately perform background checks, including criminal
history, on all existing employees.
An organization that has discovered that some employees have criminal records
should have background checks performed on all existing employees, and it should
also begin instituting background checks (which should include criminal history) for
all new employees. It is not necessarily required to terminate these employees; the
specific criminal offenses may not warrant termination.

The options for risk treatment are
A. Risk mitigation, risk reduction, and risk acceptance
B. Risk mitigation, risk reduction, risk transfer, and risk acceptance
C. Risk mitigation, risk avoidance, risk transfer, and risk acceptance
D. Risk mitigation, risk avoidance, risk transfer, and risk conveyance - ANSWER: Risk
mitigation, risk avoidance, risk transfer, and risk acceptance
The options for risk treatment are the actions that management will take when a risk
has been identified. The options are risk mitigation (where the risk is reduced), risk
avoidance (where the activity is discontinued), risk transfer (where the risk is
transferred to an insurance company), and risk acceptance (where management
agrees to accept the risk as is).

An IS auditor is examining the IT standards document for an organization that was
last reviewed two years earlier. What is the best course of action for the IS auditor?
A. Locate the IT policy document and see how frequently IT standards should be
reviewed.
B. Compare the standards with current practices and make a determination of
adequacy.
C. Report that IT standards are not being reviewed often enough.
D. Report that IT standards are adequate. - ANSWER: Report that IT standards are
not being reviewed often enough.
IT standards that have not been reviewed for two years are out of date. If the IS
auditor finds an IT policy that says that IT standards can be reviewed every two