Terms in this set (181)
Q: Who is responsible for imposing an IT governance model encompassing IT strategy, information security, and formal enterprise architectural mandates?
A: IT executives and the Board of Directors

Q: The party that performs strategic planning, addresses near-term and long-term requirements aligning business objectives, and technology strategies.
A: The Steering Committee

Q: What three elements allow validation of business practices against acceptable measures of regulatory compliance, performance, and standard operational guidelines?
A: (1.) Policies (2.) Procedures (3.) Standards

Q: What activity involves the identification of potential risk and the appropriate response for each threat based on impact assessment using qualitative and/or quantitative measures for an enterprise-wide risk management strategy?
A: Risk Management

Q: IT Governance is most concerned with....
A: IT Strategy

Q: Describe the advantages of outsourcing.
A: Outsourcing is an opportunity for the organization to focus on core competencies. When an organization outsources a business function, it no longer needs to be concerned about training employees in that function. Outsourcing does not always reduce costs, because cost reduction is not always the primary goal of outsourcing.

Q: An external IS auditor has discovered a segregation of duties issue in a high value process. What is the best action for the auditor to take?
A: The external auditor can only document the finding in the audit report. An external auditor is not in a position to implement controls.

Q: An organization has chosen to open a business office in another country where labor costs are lower and has hired workers to perform business functions there. This organization has done what?
A: The organization is insourcing - while they may have opened the office in a foreign country, they have hired locals to do the work as opposed to contracting with a third party.

Q: An organization has discovered that some of its employees have criminal records. What is the best course of action for the organization to take?
A: The organization should have background checks performed on all of its existing employees and also begin instituting background checks of all new-hires. It is not necessarily required to terminate the employees - their offenses may not warrant termination.

Q: The options for Risk Treatment are:
A: Risk Mitigation, Risk Avoidance, Risk Transfer, Risk Acceptance

Q: Annualized Loss Expectancy (ALE) is defined as:
A: ALE is the annual expected loss to an asset. It is calculated as the single loss expectancy (SLE) X the annualized rate of occurrence (ARO).

Q: A quantitative risk analysis is more difficult to perform because:
A: It is difficult to get accurate figures on the frequency of specific threats. It is difficult to determine the probability that a threat will be realized. It is relatively easy to determine the value of an asset and the impact of a threat event.

Q: An IS auditor is examining the IT standards document for an organization that was last reviewed two years earlier. The best course of action for the IS auditor is:
A: Report that the IT standards are not being reviewed often enough. Two years is far too long between reviews of IT standards.

Q: The purpose of a Balanced Scorecard is:
A: To measure organizational performance and effectiveness against strategic goals.

Q: The 4-item focus of a Balanced Scorecard is:
A: (1.) Financial (2.) Customer (3.) Internal processes (4.) Innovation / Learning

Q: The audit program is an audit strategy and plans that include:
A: (1.) Scope (2.) Objectives (3.) Resources (4.) Procedures used to evaluate controls and processes

Q: IS auditors can stay current with technology through the following means:
A: (1.) training courses (2.) webinars (3.) ISACA chapter training events (4.) Industry conferences

Q: Name the three Types of Controls
A: (1.) Physical (2.) Technical (3.) Administrative

Q: Name the two Categories of Controls
A: (1.) Automatic (2.) Manual

Q: Name the Eight Types of Audits
A: (1.) Operational (2.) Financial (3.) Integrated (4.) IS (5.) Administrative (6.) Compliance (7.) Forensic (8.) Service Provider

Q: What type of testing is performed to determine if control procedures have proper design and are operating properly?
A: Compliance Testing

Q: What type of testing is performed to verify the accuracy and integrity of transactions as they flow through a system?
A: Substantive Testing