Answers & Explanations Manual, 12th Edition | Print | English
A4-1 An organization is considering using a new IT service provider. From an audit perspective,
which of the following would be the MOST important item to review?
A. References from other clients for the service provider
B. The physical security of the service provider site
C. The proposed service level agreement with the service provider
D. Background checks of the service provider's employees - correct answer ✔✔ C is the correct answer.
Justification:
A. A due diligence activity such as reviewing references from other clients is a good practice, but the
service level agreement (SLA) would be most critical because it would define what specific levels of
performance would be required and make the provider contractually obligated to deliver what was
promised.
B. A due diligence activity such as reviewing physical security controls is a good practice, but the
SLA would be most critical because it would define what specific levels of security would be
required and make the provider contractually obligated to deliver what was promised.
C. When contracting with a service provider, it is a good practice to enter into an SLA with the
provider. An SLA is a guarantee that the provider will deliver the services according to the
contract. The IS auditor will want to ensure that performance and security requirements are
clearly stated in the SLA.
D. A due diligence activity such as the use of background checks for the service provider's
employees is a good practice, but the SLA would be most critical because it would define what
specific levels of security and labor practices would be required and make the provider
contractually obligated to deliver what was promised.
A4-2 An IS auditor is to assess the suitability of a service level agreement (SLA) between the
organization and the supplier of outsourced services. To which of the following observations
should the IS auditor pay the MOST attention? The SLA does not contain a:
A. transition clauses from the old supplier to a new supplier or back to internal in the case of
expiration or termination.
B. late payment clause between the customer and the supplier.
C. contractual commitment for service improvement.
D. dispute resolution procedure between the contracting parties. - correct answer ✔✔ A is the correct answer.
Justification:
A. The delivery of IT services for a specific customer always implies a close linkage between the
client and the supplier of the service. If there are no contract terms to specify how the
transition to a new supplier may be performed, there is the risk that the old supplier may simply
"pull the plug" if the contract expires or is terminated or may not make data available to the
outsourcing organization or new supplier. This would be the greatest risk to the organization.
B. Contractual issues regarding payment, service improvement and dispute resolution are
important but not as critical as ensuring that service disruption, data loss, data retention problems or
other significant events do not occur in the event that the organization switches to a new firm
providing outsourced services.
C. The service level agreement (SLA) should address performance requirements and metrics to
report on the status of services provided; a commitment to performance improvement is nice to
have, although it is not mandated.
D. The SLA should address a dispute resolution procedure and specify the jurisdiction in case of
a legal dispute, but this is not the most critical part of an SLA.
A4-3 An IS auditor reviewing a new outsourcing contract with a service provider would be MOST
concerned if which of the following was missing?
A. A clause providing a "right to audit" the service provider
B. A clause defining penalty payments for poor performance
C. Predefined service level report templates
D. A clause regarding supplier limitation of liability - correct answer ✔✔ A is the correct answer.
Justification:
A. The absence of a "right to audit" clause or other form of attestation that the supplier was
compliant with a certain standard would potentially prevent the IS auditor from investigating
any aspect of supplier performance moving forward, including control deficiencies, poor
performance and adherence to legal requirements. This would be a major concern for the IS
auditor because it would be difficult for the organization to assess whether the appropriate
controls had been put in place.
B. While a clear definition of penalty payment terms is desirable, not all contracts require the
payment of penalties for poor performance, and when performance penalties are required, these
penalties are often subject to negotiation on a case-by-case basis. As such, the absence of this
information would not be as significant as a lack of right to audit.
C. While the inclusion of service level report templates would be desirable, as long as the
requirement for service level reporting is included in the contract, the absence of predefined
templates for reporting is not a significant concern.
D. The absence of a limitation of liability clause for the service provider would, theoretically,
expose the provider to unlimited liability. This would be to the advantage of the outsourcing
company so, while the IS auditor might highlight the absence of such a clause, it would not
constitute a major concern.
A4-4 When reviewing the desktop software compliance of an organization, the IS auditor should
be MOST concerned if the installed software:
A. was installed, but not documented in the IT department records.
B. was being used by users not properly trained in its use.
C. is not listed in the approved software standards document.
D. license will expire in the next 15 days. - correct answer ✔✔ C is the correct answer.
Justification:
A. All software, including licenses, should be documented in IT department records, but this is
not as serious as the violation of policy in installing unapproved software.
B. Discovering that users have not been formally trained in the use of a software product is
common, and while not ideal, most software includes help files and other tips that can assist in
learning how to use the software effectively.
C. The installation of software that is not allowed by policy is a serious violation and could put
the organization at security, legal and financial risk. Any software that is allowed should be
part of a standard software list. This is the first thing to review because this would also indicate
compliance with policies.
D. A software license that is about to expire is not a risk if there is a process in place to renew it.
A4-5 An IS auditor of a health care organization is reviewing contractual terms and conditions of
a third-party cloud provider being considered to host patient health information. Which of the
following contractual terms would be the GREATEST risk to the customer organization?
A. Data ownership is retained by the customer organization.
B. The third-party provider reserves the right to access data to perform certain operations.
C. Bulk data withdrawal mechanisms are undefined.
D. The customer organization is responsible for backup, archive and restore. - correct answer ✔✔ B is the correct answer.
Justification:
A. The customer organization would want to retain data ownership and, therefore, this would
not be a risk.
B. Some service providers reserve the right to access customer information (third-party access)
to perform certain transactions and provide certain services. In the case of protected health
information, regulations may restrict certain access. Organizations must review the regulatory
environment in which the cloud provider operates because it may have requirements or