
CISA Study Guide Correct Questions & Answers (GRADED A+)

Pages: 68
Grade: A+
Uploaded on: 18-11-2024
Written in: 2024/2025

Type: Exam
Contains: Questions and answers

Most important step in risk analysis is to identify:

a. Competitors
b. controls
c. vulnerabilities
d. liabilities
ANSWER: c. vulnerabilities

In risk-based audit planning, an IS auditor's first step is to identify:

a. responsibilities of stakeholders
b. high-risk areas within the organization
c. cost centre
d. profit centre
ANSWER: b. high-risk areas within the organization

When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:

a. segregation of duties to mitigate risks is in place
b. all the relevant vulnerabilities and threats are identified
c. regulatory compliance is adhered to
d. business is profitable
ANSWER: b. all the relevant vulnerabilities and threats are identified

While determining the appropriate level of protection for an information asset, an IS
auditor should primarily focus on:

a. Criticality of information assets
b. cost of information assets
c. Owner of information asset
d. result of vulnerability assessment
ANSWER: a. Criticality of information assets

The decisions and actions of an IS auditor are MOST likely to affect which of the
following risks?

a. Inherent
b. Detection
c. Control
d. Business
ANSWER: b. Detection

The risk of an IS auditor certifying the existence of proper systems and procedures
without using an adequate test procedure is an example of:

a. internet risk
b. control risk
c. detection risk
d. audit risk
ANSWER: c. Detection risk

Overall business risk for a particular threat can be expressed as:

a. a product of the probability and impact
b. probability of occurrence
c. magnitude of impact
d. assumption of the risk assessment team
ANSWER: a. a product of the probability and impact

An IS auditor is evaluating management's risk assessment of information systems.
The IS auditor should FIRST review:

a. the controls already in place
b. the effectiveness of the controls in place
c. mechanism for monitoring the risks related to the assets
d. the threats/vulnerabilities affecting the assets
ANSWER: d. the threats/vulnerabilities affecting the assets

An IS auditor identified certain threats and vulnerabilities in a business process. Next,
an IS auditor should:

a. identify stakeholder for that business process
b. identifies information assets and the underlying systems
c. discloses the threats and impacts to management
d. identifies and evaluates the existing controls
ANSWER: d. identifies and evaluates the existing controls

Major advantage of a risk-based approach for audit planning is:

a. Audit planning can be communicated to client in advance
b. Audit activity can be completed within allotted budget
c. use of latest technology for audit activities
d. Appropriate utilisation of resources for high risk areas
ANSWER: d. Appropriate utilisation of resources for high risk areas


An IS auditor is performing a data centre security review. Which of the following steps
would an IS auditor normally perform FIRST:

a. evaluate physical access controls
b. determine the risks/threats to the data centre site
c. review screening process for hiring security staff
d. evaluate logical access control
ANSWER: b. determine the risks/threats to the data centre site

Risk Assessment approach is more suitable when determining the appropriate level
of protection for an information asset because it ensures:

a. all information assets are protected
b. a basic level of protection is applied regardless of assets value
c. appropriate levels of protection are applied to information assets
d. only most sensitive information assets are protected
ANSWER: c. appropriate levels of protection are applied to information assets

In a risk-based audit approach, an IS auditor should FIRST complete a(n):

a. inherent risk assessment
b. control risk assessment
c. test of control assessment
d. substantive test assessment
ANSWER: a. inherent risk assessment

In planning an audit, the MOST critical step is the identification of the:

a. areas of high risk
b. skill sets of the audit staff
c. test steps in the audit
d. time allotted for the audit
ANSWER: a. areas of high risk

Risk assessment process is:

a. subjective
b. objective
c. mathematical
d. statistical
ANSWER: a. subjective

The result of risk management process is used for:

a. forecasting profit
b. post implementation review
c. designing controls
d. user acceptance testing
ANSWER: c. designing controls

Managing the risk up to an acceptable level is the responsibility of:

a. risk management team
b. senior business management
c. the chief information officer
d. the chief security officer
ANSWER: b. senior business management

Evaluation of IT risks can be done by:

a. finding threats/vulnerabilities associated with current IT assets
b. trend analysis on the basis of past year losses
c. industry benchmark
d. reviewing IT control weaknesses identified in audit reports
ANSWER: a. finding threats/vulnerabilities associated with current IT assets

An IS auditor is reviewing a payroll application. He identified some vulnerability in the
system. What would be the next task?

a. Report the vulnerabilities to the management immediately
b. examine application development process
c. identify threats and likelihood of occurrence
d. recommend for new application
ANSWER: c. identify threats and likelihood of occurrence

Absence of proper security measures represents a(n):

a. threat
b. asset
c. impact
d. vulnerability
ANSWER: d. vulnerability

When an IS auditor is developing a risk management program, the FIRST activity to be
performed is a(n):

a. vulnerability assessment
b. evaluation of control
c. identification of assets
d. gap analysis
ANSWER: c. identification of assets

Benefit of development of organizational policies by a bottom-up approach is that
they:

a. covers whole organization
b. is derived as a result of risk assessment
c. will be in line with overall corporate policy
d. ensures consistency across the organization
ANSWER: b. is derived as a result of risk assessment

Risk can be mitigated by:

a. implementing controls
b. insurance
c. audit and certification
d. contracts and service level agreements (SLAs)
ANSWER: a. implementing controls (security and control practices)

Most important factor while evaluating controls is to ensure that the controls:

a. addresses the risk
b. does not reduce productivity
c. is less costly than risk
d. is automotive
ANSWER: a. addresses the risk

The susceptibility of a business or process to make an error that is material in
nature, assuming there were no internal controls:
Seller: papersbyjol, West Virginia