CISA : Certified Information Systems Auditor : Part 138

  1. An organization globally distributes a free phone application that includes a module to gather and report user information. The application includes a privacy notice alerting users to the data gathering. Which of the following presents the GREATEST risk?

    • The data gathering notice is available in only one language.
    • There is no framework to delete personal data.
    • There may be a backlash among users when the data gathering is revealed.
    • The data is not properly encrypted on the application server.
  2. Which of the following metrics would BEST measure the agility of an organization’s IT function?

    • Average time to turn strategic IT objectives into an agreed upon and approved initiative
    • Average number of learning and training hours per IT staff member
    • Frequency of security assessments against the most recent standards and guidelines
    • Percentage of staff with sufficient IT-related skills for the competency required of their roles
  3. Which of the following should be performed FIRST when preparing to deploy a major upgrade to a critical online application?

    • Update the disaster recovery process.
    • Update the business impact analysis (BIA).
    • Test the rollback process.
    • Review data backup procedures.
  4. Which of the following is the BEST detective control for a job scheduling process involving data transmission?

    • Metrics denoting the volume of monthly job failures are reported and reviewed by senior management.
    • Job failure alerts are automatically generated and routed to support personnel.
    • Jobs are scheduled and a log of this activity is retained for subsequent review.
    • Jobs are scheduled to be completed daily and data is transmitted using a secure File Transfer Protocol (FTP).
  5. Which of the following is the MOST important consideration when deploying closed-circuit television (CCTV) systems that use wireless communication links to transmit images between cameras and a receiver?

    • Encryption of transmissions
    • Monitoring by security guards
    • Retention period of recordings
    • Strategic placement of cameras
  6. An organization is running servers with critical business applications that are in an area subject to frequent but brief power outages. Knowledge of which of the following would allow the organization’s management to monitor the ongoing adequacy of the uninterruptible power supply (UPS)?

    • Duration and interval of the power outages
    • Business impact of server downtime
    • Number of servers supported by the UPS
    • Mean time to recover servers after failure
  7. Which of the following is an example of audit risk?

    • Audit work may be lost due to a malware attack.
    • Management may disagree with audit conclusions.
    • Sampling methods may not detect a material error.
    • Newer auditors may require additional supervision and training.
  8. The GREATEST risk of database denormalization is:

    • decreased performance.
    • loss of data confidentiality.
    • loss of database integrity.
    • incorrect metadata.
  9. Which of the following provides the MOST comprehensive description of IT’s role in an organization?

    • IT organizational chart
    • IT project portfolio
    • IT charter
    • IT job descriptions
  10. Which of the following would MOST effectively aid executive management in achieving IT and business alignment?

    • Risk assessment
    • Value delivery assessment
    • Balanced scorecard
    • Performance measurement
  11. Which of the following is BEST enabled by following a configuration management process for new applications?

    • Deploying approved emergency changes to production
    • Ensuring proper testing of code before deployment
    • Managing successful implementation of acquired software
    • Maintaining adequate control over changes to production
  12. Loading of illegal software packages onto a network by an employee is MOST effectively detected by:

    • diskless workstations.
    • regular scanning of hard drives.
    • maintaining current antivirus software.
    • logging of activity on network drives.
  13. Effective IT governance requires organizational structures and processes to ensure that:

    • the organization’s strategies and objectives extend the IT strategy.
    • the business strategy is derived from an IT strategy.
    • IT governance is separate and distinct from the overall governance.
    • the IT strategy extends the organization’s strategies and objectives.

    Explanation: 
    Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization’s IT sustains and extends the organization’s strategies and objectives, and that the strategy is aligned with business strategy. Choice A is incorrect because it is the IT strategy that extends the organizational objectives, not the opposite. IT governance is not an isolated discipline; it must become an integral part of the overall enterprise governance.

  14. Which of the following is the MOST important element for the successful implementation of IT governance?

    • Implementing an IT scorecard
    • Identifying organizational strategies
    • Performing a risk assessment
    • Creating a formal security policy
    Explanation: 
    The key objective of an IT governance program is to support the business, thus the identification of organizational strategies is necessary to ensure alignment between IT and corporate governance. Without identification of organizational strategies, the remaining choices, even if implemented, would be ineffective.
  15. The MAJOR consideration for an IS auditor reviewing an organization’s IT project portfolio is the:

    • IT budget.
    • existing IT environment.
    • business plan.
    • investment plan.
    Explanation: 
    One of the most important reasons for which projects get funded is how well a project meets an organization’s strategic objectives. Portfolio management takes a holistic view of a company’s overall IT strategy. IT strategy should be aligned with the business strategy and, hence, reviewing the business plan should be the major consideration. Choices A, B and D are important but secondary to the importance of reviewing the business plan.
  16. When implementing an IT governance framework in an organization the MOST important objective is:

    • IT alignment with the business.
    • accountability.
    • value realization with IT.
    • enhancing the return on IT investments.
    Explanation: 
    The goals of IT governance are to improve IT performance, to deliver optimum business value and to ensure regulatory compliance. The key practice in support of these goals is the strategic alignment of IT with the business (choice A). To achieve alignment, all other choices need to be tied to business practices and strategies.
  17. The ultimate purpose of IT governance is to:

    • encourage optimal use of IT.
    • reduce IT costs.
    • decentralize IT resources across the organization.
    • centralize control of IT.
    Explanation: 
    IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control of IT is not always desired. An example of where it might be desired is an enterprise desiring a single point of customer contact.
  18. What is the lowest level of the IT governance maturity model where an IT balanced scorecard exists?

    • Repeatable but Intuitive
    • Defined
    • Managed and Measurable
    • Optimized
    Explanation: 
    Defined (level 3) is the lowest level at which an IT balanced scorecard is defined.
  19. Responsibility for the governance of IT should rest with the:

    • IT strategy committee.
    • chief information officer (CIO).
    • audit committee.
    • board of directors.
    Explanation: 
    Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly. The audit committee, the chief information officer (CIO) and the IT strategy committee all play a significant role in the successful implementation of IT governance within an organization, but the ultimate accountability resides with the board of directors.
  20. An IS auditor identifies that reports on product profitability produced by an organization’s finance and marketing departments give different results. Further investigation reveals that the product definition being used by the two departments is different. What should the IS auditor recommend?

    • User acceptance testing (UAT) occur for all reports before release into production
    • Organizational data governance practices be put in place
    • Standard software tools be used for report development
    • Management sign-off on requirements for new reports