Answers & Explanations Manual, 12th Edition | Print | English)
AZ-148 An enterprise's risk appetite is BEST established by:
A. The chief legal officer
B. Security management
C. The audit committee
D. The steering committee - correct answer ✔✔ D is the correct answer.
Justification:
A. Although chief legal officers can give guidance regarding legal issues on the policy, they cannot determine the risk appetite.
B. The security management team is concerned with managing the security posture but not with determining the posture.
C. The audit committee is not responsible for setting the risk tolerance or appetite of the enterprise.
D. The steering committee is best suited to determine the enterprise's risk appetite because the committee draws its representation from senior management.
Organizations requiring employees to take a mandatory vacation each year PRIMARILY want to ensure:
A. adequate cross-training exists between functions.
B. an effective internal control environment is in place by increasing morale.
C. potential irregularities in processing are identified by a temporary replacement.
D. the risk of processing errors is reduced. - correct answer ✔✔ C is the correct answer.
Justification:
A. Cross-training is a good practice to follow but can be achieved without the requirement for mandatory vacation.
B. Good employee morale and high levels of employee satisfaction are worthwhile objectives, but they should not be considered a means to achieve an effective internal control system.
C. Employees who perform critical and sensitive functions within an organization should be required to take some time off to help ensure that irregularities and fraud are detected.
D. Although rotating employees could contribute to fewer processing errors, this is not typically a reason to require a mandatory vacation policy.
A2-2 An IS auditor is verifying IT policies and finds that some of the policies have not been approved by management (as required by policy), but the employees strictly follow the policies. What should the IS auditor do FIRST?
A. Ignore the absence of management approval because employees follow the policies.
B. Recommend immediate management approval of the policies.
C. Emphasize the importance of approval to management.
D. Report the absence of documented approval. - correct answer ✔✔ D is the correct answer.
Justification:
A. Absence of management approval is an important (material) finding and, although it is not currently an issue with relation to compliance because the employees are following the policy without approval, it may be a problem at a later time and should be resolved.
B. Although the IS auditor would likely recommend that the policies should be approved as soon as possible and may also remind management of the critical nature of this issue, the first step is to report this issue to the relevant stakeholders.
C. The first step is to report the finding and provide recommendations later.
D. The IS auditor must report the finding. Unapproved policies may present a potential risk to the organization, even if they are being followed, because this technicality may prevent management from enforcing the policies in some cases and may present legal issues. For example, if an employee was terminated as a result of violating an organization policy, and it was discovered that the policies had not been approved, the organization may face an expensive lawsuit.
A2-3 What is the PRIMARY consideration for an IS auditor reviewing the prioritization and coordination of IT projects and program management?
A. Projects are aligned with the organization's strategy.
B. Identified project risk is monitored and mitigated.
C. Controls related to project planning and budgeting are appropriate.
D. IT project metrics are reported accurately. - correct answer ✔✔ A is the correct answer.
Justification:
A. The primary goal of IT projects is to add value to the business, so they must be aligned with the business strategy to achieve the intended results. Therefore, the IS auditor should first focus on ensuring this alignment.
B. An adequate process for monitoring and mitigating identified project risk is important; however, strategic alignment helps in assessing identified risk in business terms.
C. Completion of projects within a predefined time and budget is important; however, the focus of project management should be on achieving the desired outcome of the project, which is aligned with the business strategy.
D. Adequate reporting of project status is important but may or may not help in providing the strategic perspective of project deliverables.
A2-4 In a review of the human resources policies and procedures within an organization, an IS auditor is MOST concerned with the absence of a:
A. requirement for periodic job rotations.
B. process for formalized exit interviews.
C. termination checklist.
D. requirement for new employees to sign a nondisclosure agreement. - correct answer ✔✔ C is the correct answer.
Justification:
A. Job rotation is a valuable control to ensure continuity of operations, but not the most serious human resources policy risk.
B. Holding an exit interview is desirable when possible to gain feedback but is not a serious risk.
C. A termination checklist is critical to ensure the logical and physical security of an enterprise. In addition to preventing the loss of enterprise property that was issued to the employee, there is the risk of unauthorized access, intellectual property theft and even sabotage by a disgruntled former employee.
D. Signing a nondisclosure agreement (NDA) is a recommended human resources practice, but a lack of an NDA is not the most serious risk listed.
A2-5 Which of the following factors is MOST critical when evaluating the effectiveness of an IT governance implementation?
A. Ensure that assurance objectives are defined.
B. Determine stakeholder requirements and involvement.
C. Identify relevant risk and related opportunities.
D. Determine relevant enablers and their applicability. - correct answer ✔✔ B is the correct answer.
Justification: