CISA benefits both individuals and corporations. Because CISAs all speak the same language, having CISA-certified employees allows a company to fully comprehend its external audit requirements. This also helps the organization handle and organize external auditing more effectively.
01. An audit charter should:
A. be dynamic and change to coincide with the changing nature of technology and the audit profession.
B. clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
C. document the audit procedures designed to achieve the planned audit objectives.
D. outline the overall authority, scope and responsibilities of the audit function.
CORRECT ANSWER: D. outline the overall authority, scope and responsibilities of the audit function.
EXPLANATION: An audit charter will state the authority and reporting requirements for the audit but not the details of maintenance of internal controls.
02. An IS auditor finds a small number of user access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:
A. perform an additional analysis.
B. report the problem to the audit committee.
C. conduct a security risk assessment.
D. recommend that the owner of the identity management (IDM) system fix the workflow issues.
CORRECT ANSWER: A. perform an additional analysis.
EXPLANATION: The IS auditor must first determine the root cause and impact of the findings and does not have enough information to recommend fixing the workflow issues.
03. An IS auditor observes that an enterprise has outsourced software development to a third party that is a startup company. To ensure that the enterprise’s investment in software is protected, which of the following should be recommended by the IS auditor?
A. Due diligence should be performed on the software vendor.
B. A quarterly audit of the vendor facilities should be performed.
C. There should be a source code escrow agreement in place.
D. A high penalty clause should be included in the contract.
CORRECT ANSWER: C. There should be a source code escrow agreement in place.
EXPLANATION: While a quarterly audit of vendor facilities is a good practice, it does not ensure availability of the source code in the event of failure of the start-up vendor.
04. An enterprise’s risk appetite is BEST established by:
A. the chief legal officer.
B. security management.
C. the audit committee.
D. the steering committee.
CORRECT ANSWER: D. the steering committee.
EXPLANATION: The steering committee is best suited to determine the enterprise’s risk appetite because the committee draws its representation from senior management.
05. When identifying an earlier project completion time, which is to be obtained by paying a premium for early completion, the activities that should be selected are those:
A. whose sum of activity time is the shortest.
B. that have zero slack time.
C. that give the longest possible completion time.
D. whose sum of slack time is the shortest.
CORRECT ANSWER: B. that have zero slack time.
EXPLANATION: A critical path’s activity time is longer than that for any other path through the network. This path is important because if everything goes as scheduled, its length gives the shortest possible completion time for the overall project. Activities on the critical path become candidates for crashing (i.e., for reduction in their time by payment of a premium for early completion). Activities on the critical path have zero slack time and conversely, activities with zero slack time are on a critical path. By successively relaxing activities on a critical path, a curve showing total project costs versus time can be obtained.
06. An IS auditor is assigned to audit a software development project, which is more than 80 percent complete, but has already overrun time by 10 percent and costs by 25 percent. Which of the following actions should the IS auditor take?
A. Report that the organization does not have effective project management.
B. Recommend the project manager be changed.
C. Review the IT governance structure.
D. Review the conduct of the project and the business case.
CORRECT ANSWER: D. Review the conduct of the project and the business case.
EXPLANATION: The organization may have sound IT governance and still be behind schedule or over budget.
07. A programmer maliciously modified a production program to change data and then restored the original code. Which of the following would MOST effectively detect the malicious activity?
A. Comparing source code
B. Reviewing system log files
C. Comparing object code
D. Reviewing executable and source code integrity
CORRECT ANSWER: B. Reviewing system log files
EXPLANATION: Reviewing executable and source code integrity is an ineffective control, because the source code was changed back to the original and will agree with the current executable.
08. Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization?
A. Built-in alternative routing
B. Complete full system backup daily
C. A repair contract with a service provider
D. A duplicate machine alongside each server
CORRECT ANSWER: A. Built-in alternative routing
EXPLANATION: Alternative routing would ensure that the network would continue if a communication device fails or if a link is severed because message rerouting could be automatic.
09. An IS auditor is reviewing the physical security controls of a data center and notices several areas for concern. Which of the following areas is the MOST important?
A. The emergency power off button cover is missing.
B. Scheduled maintenance of the fire suppression system was not performed.
C. There are no security cameras inside the data center.
D. The emergency exit door is blocked.
CORRECT ANSWER: D. The emergency exit door is blocked.
EXPLANATION: Life safety is always the highest priority; therefore, the blocking of the emergency exit is the most serious problem.
10. Which of the following choices BEST helps information owners to properly classify data?
A. Understanding of technical controls that protect data
B. Training on organizational policies and standards
C. Use of an automated data leak prevention (DLP) tool
D. Understanding which people need to access the data
CORRECT ANSWER: B. Training on organizational policies and standards
EXPLANATION: While an automated data leak prevention (DLP) tool may enhance productivity, the users of the application would still need to understand what classification schema was in place.
Conclusion
SPOTO dumps will be the most beneficial option for people who need aid with their preparation. When you take the SPOTO Dumps Exam using our Verified Exam Questions, you’ll notice that every question on the test matches to the SPOTO Dumps.
Comments