An IT balanced scorecard is the MOST effective means of monitoring:
A
Explanation:
An IT balanced scorecard is a strategic management tool that aligns IT objectives with business goals
and measures the performance of IT processes using key performance indicators (KPIs). It is the most
effective means of monitoring governance of enterprise IT, which is the process of ensuring that IT
supports the organization’s strategy and objectives. Governance of enterprise IT covers aspects such
as IT value delivery, IT risk management, IT resource management, and IT performance
measurement. An IT balanced scorecard can help monitor these aspects and provide feedback to
improve IT governance. Reference: ISACA Frameworks: Blueprints for Success, CISA Review Manual
(Digital Version)
When reviewing an organization's information security policies, an IS auditor should verify that the
policies have been defined PRIMARILY on the basis of:
A
Explanation:
Information security policies are high-level statements that define the organization’s approach to
protecting its information assets from threats and risks. They should be based primarily on a risk
management process, which is a systematic method of identifying, analyzing, evaluating, treating,
and monitoring information security risks. A risk management process can help ensure that the
policies are aligned with the organization’s risk appetite, business objectives, legal and regulatory
requirements, and stakeholder expectations. An information security framework is a set of
standards, guidelines, and best practices that provide a structure for implementing information
security policies. It can support the risk management process, but it is not the primary basis for
defining the policies. Past information security incidents and industry best practices can also provide
valuable inputs for defining the policies, but they are not sufficient to address the organization’s
specific context and needs. Reference: Insights and Expertise, CISA Review Manual (Digital Version)
Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages
of a software development project?
C
Explanation:
User requirements are statements that describe what the users expect from the software system in
terms of functionality, quality, and usability. They are essential inputs for the software development
process, as they guide the design, implementation, testing, and deployment of the system.
Therefore, an IS auditor’s greatest concern when reviewing the early stages of a software
development project would be the lack of acceptance criteria behind user requirements. Acceptance
criteria are measurable conditions that define when a user requirement is met or satisfied. They help
ensure that the user requirements are clear, complete, consistent, testable, and verifiable. Without
acceptance criteria, it would be difficult to evaluate whether the system meets the user expectations
and delivers value to the organization. Technical documentation, such as program code, is usually
produced in later stages of the software development process. Completion of all requirements at the
end of each sprint is not mandatory in agile software development methods, as long as there is a
prioritized backlog of requirements that can be delivered incrementally. A detailed unit and system
test plan is also important for ensuring software quality, but it depends on well-defined user
requirements and acceptance criteria. Reference: Information Systems Acquisition, Development &
Implementation, CISA Review Manual (Digital Version)
Which of the following is the BEST data integrity check?
C
Explanation:
Data integrity is the property that ensures that data is accurate, complete, consistent, and reliable
throughout its lifecycle. The best data integrity check is tracing data back to the point of origin, which
is the source where the data was originally created or captured. This check can verify that data has
not been altered or corrupted during transmission, processing, or storage. It can also identify any
errors or discrepancies in data entry or conversion. Counting the transactions processed per day is a
performance measure that does not directly assess data integrity. Performing a sequence check is a
validity check that ensures that data follows a predefined order or pattern. It can detect missing or
out-of-order data elements, but it cannot verify their accuracy or completeness. Preparing and
running test data is a testing technique that simulates real data to evaluate how a system handles
different scenarios. It can help identify errors or bugs in the system logic or functionality, but it
cannot ensure data integrity in production environments. Reference: Information Systems
Operations and Business Resilience, CISA Review Manual (Digital Version)
Spreadsheets are used to calculate project cost estimates. Totals for each cost category are then
keyed into the job-costing system. What is the BEST control to ensure that data is accurately entered
into the system?
A
Explanation:
Reconciliation of total amounts by project is the best control to ensure that data is accurately entered
into the job-costing system from spreadsheets. Reconciliation is a process of comparing two sets of
data to identify any differences or discrepancies between them. By reconciling the total amounts by
project from spreadsheets with those from the job-costing system, any errors or omissions in data
entry can be detected and corrected. Validity checks are controls that verify that data conforms to
predefined formats or ranges. They can prevent entry of character data into numeric fields, but they
cannot ensure that the numeric data is correct or complete. Reasonableness checks are controls that
verify that data is within expected or acceptable limits. They can detect outliers or anomalies in data,
but they cannot ensure that the data matches the source. Display back of project detail after entry is
a control that allows the user to review and confirm the data entered into the system. It can help
reduce human errors, but it cannot guarantee that the data is accurate or consistent with the
source. Reference: Information Systems Operations and Business Resilience, CISA Review Manual
(Digital Version)
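The two explanations above (the data integrity check and the spreadsheet-to-job-costing control) contrast sequence checks, validity checks, reasonableness checks and reconciliation to the source of origin. The following added example (not code from the original page or from ISACA) implements each of these input controls over a constructed batch of keyed cost totals that contains two realistic keying errors: a digit transposition in one amount and an entry that was never keyed at all. The project ids, categories, amounts, range limits and function names are all assumptions made for the illustration. Running it shows why the field-level checks and the sequence check each miss at least one of the errors while the per-project reconciliation catches both.

```python
"""Input controls over totals keyed from a spreadsheet into a job-costing system.

Added example with constructed data; the project ids, categories and amounts
are illustrative only and do not come from the original page.
"""
import re
from decimal import Decimal

ALLOWED_CATEGORIES = {"labour", "materials", "equipment", "subcontract"}
PROJECT_ID = re.compile(r"^P-\d{3}$")

# Source of origin: per (project, category) totals from the cost spreadsheet.
SPREADSHEET_TOTALS = {
    ("P-100", "labour"): Decimal("12450.00"),
    ("P-100", "materials"): Decimal("8320.50"),
    ("P-200", "labour"): Decimal("9870.00"),
    ("P-200", "materials"): Decimal("15600.00"),
}

# What the operator actually keyed: (batch sequence no., project, category, amount).
KEYED_ENTRIES = [
    (1, "P-100", "labour", Decimal("12450.00")),
    (2, "P-100", "materials", Decimal("8230.50")),   # transposed digits: 8320.50 -> 8230.50
    (4, "P-200", "materials", Decimal("15600.00")),  # sequence 3 (P-200 labour) never keyed
]


def validity_check(entries):
    """Field-level validity: project id format, known category, numeric amount."""
    errors = []
    for seq, project, category, amount in entries:
        if not PROJECT_ID.match(project):
            errors.append((seq, "bad project id"))
        if category not in ALLOWED_CATEGORIES:
            errors.append((seq, "unknown category"))
        if not isinstance(amount, Decimal):
            errors.append((seq, "non-numeric amount"))
    return errors


def reasonableness_check(entries, low=Decimal("0"), high=Decimal("100000")):
    """Range check: flags amounts outside the band expected for a category total."""
    return [(seq, "amount out of range")
            for seq, _, _, amount in entries if not low <= amount <= high]


def sequence_check(entries):
    """Batch sequence check: returns (missing sequence numbers, duplicated ones)."""
    seqs = [seq for seq, *_ in entries]
    expected = set(range(1, max(seqs) + 1))
    missing = sorted(expected - set(seqs))
    duplicates = sorted({s for s in seqs if seqs.count(s) > 1})
    return missing, duplicates


def reconcile_by_project(source_totals, entries):
    """Compare keyed totals with the source-of-origin totals, project by project.

    Returns {project: (source_total, keyed_total, keyed_total - source_total)}.
    """
    per_project = {}
    for (project, _), amount in source_totals.items():
        per_project.setdefault(project, [Decimal(0), Decimal(0)])[0] += amount
    for _, project, _, amount in entries:
        per_project.setdefault(project, [Decimal(0), Decimal(0)])[1] += amount
    return {p: (src, keyed, keyed - src) for p, (src, keyed) in per_project.items()}


def reconciliation_exceptions(source_totals, entries):
    """Projects whose keyed total disagrees with the spreadsheet total, with the difference."""
    return {p: diff for p, (_, _, diff) in reconcile_by_project(source_totals, entries).items()
            if diff != 0}


if __name__ == "__main__":
    print("validity      :", validity_check(KEYED_ENTRIES))
    print("reasonableness:", reasonableness_check(KEYED_ENTRIES))
    print("sequence      :", sequence_check(KEYED_ENTRIES))
    print("reconciliation:", reconciliation_exceptions(SPREADSHEET_TOTALS, KEYED_ENTRIES))
```

On this batch the validity and reasonableness checks both return no exceptions: 8230.50 is a well-formed, plausible number, so neither control can know it should have been 8320.50. The sequence check reports sequence number 3 as missing but says nothing about the transposed amount. Only the reconciliation to the source totals surfaces both errors, as a 90.00 shortfall on P-100 and a 9870.00 shortfall on P-200, which is the point the explanation above makes: the other controls are useful filters, but agreement with the point of origin is what establishes that the keyed data is complete and accurate.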
An incorrect version of the source code was amended by a development team. This MOST likely
indicates a weakness in:
C
Explanation:
A weakness in change management is the most likely cause of an incorrect version of source code
being amended by a development team. Change management is the process of controlling and
documenting changes to IT systems and software. It ensures that changes are authorized, tested, and
implemented in a controlled manner. If change management is weak, there is a risk of using
outdated or incorrect versions of source code, which can lead to errors, defects, or security
vulnerabilities in the software.
An organization's audit charter PRIMARILY:
A
Explanation:
An organization’s audit charter primarily describes the auditors’ authority to conduct audits. The
audit charter is a formal document that defines the purpose, scope, responsibilities, and reporting
relationships of the internal audit function. It also establishes the auditors’ right of access to
information, records, personnel, and physical properties relevant to their work. The audit charter
provides the basis for the auditors’ independence and accountability to the governing body and
senior management.
The decision to accept an IT control risk related to data quality should be the responsibility of the:
D
Explanation:
The decision to accept an IT control risk related to data quality should be the responsibility of the
business owner. The business owner is the person who has the authority and accountability for the
business process that relies on the data quality. The business owner should understand the impact of
data quality issues on the business objectives, performance, and compliance. The business owner
should also be involved in defining the data quality requirements, assessing the data quality risks,
and implementing the data quality controls or mitigation strategies.
Which of the following data would be used when performing a business impact analysis (BIA)?
D
Explanation:
The expected costs for recovering the business would be used when performing a business impact
analysis (BIA). A BIA is a process of identifying and evaluating the potential effects of disruptions to
critical business functions or processes. A BIA helps to determine the recovery priorities, strategies,
and resources needed to resume normal operations after a disruption. One of the key outputs of a
BIA is an estimate of the financial losses or costs associated with different types of disruptions, such
as lost revenue, increased expenses, contractual penalties, or regulatory fines.
During the evaluation of controls over a major application development project, the MOST effective
use of an IS auditor's time would be to review and evaluate:
A
Explanation:
Reviewing and evaluating application test cases is the most effective use of an IS auditor’s time
during the evaluation of controls over a major application development project. Application test
cases are designed to verify that the application meets the functional and non-functional
requirements and specifications. They also help to identify and correct any errors, defects, or
vulnerabilities in the application before it is deployed. By reviewing and evaluating the test cases, the
IS auditor can assess the quality, reliability, security, and performance of the application and provide
recommendations for improvement.
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following
should be the auditor's NEXT course of action?
D
Explanation:
The IS auditor’s next course of action after finding that firewalls are outdated and not supported by
vendors should be to determine the risk of not replacing the firewall. Outdated firewalls may have
known vulnerabilities that can be exploited by attackers to bypass security controls and access the
network. They may also lack compatibility with newer technologies or standards that are required for
optimal network performance and protection. Not replacing the firewall could expose the
organization to various threats, such as data breaches, denial-of-service attacks, malware infections,
or regulatory non-compliance. The IS auditor should assess the likelihood and impact of these
threats and quantify the risk level for management to make informed decisions.
Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP)
was successful?
A
Explanation:
The best way to determine whether a test of a disaster recovery plan (DRP) was successful is to
analyze whether predetermined test objectives were met. Test objectives are specific, measurable,
achievable, relevant, and time-bound (SMART) goals that define what the test aims to accomplish
and how it will be evaluated. Test objectives should be aligned with the DRP objectives and scope,
and should cover aspects such as recovery time objectives (RTOs), recovery point objectives (RPOs),
critical business functions, roles and responsibilities, communication channels, backup systems, and
contingency procedures. By comparing the actual test results with the expected test objectives, the
IS auditor can measure the effectiveness and efficiency of the DRP and identify any gaps or
weaknesses that need to be addressed.
An IS auditor found that a company executive is encouraging employee use of social networking sites
for business purposes. Which of the following recommendations would BEST help to reduce the risk
of data leakage?
C
Explanation:
The best recommendation to reduce the risk of data leakage from employee use of social
networking sites for business purposes is to provide education and guidelines to employees on use
of social networking sites. Education and guidelines can help employees understand the benefits and
risks of using social media for business purposes, such as enhancing brand awareness, engaging with
customers, or sharing industry insights. They can also inform employees about the dos and don’ts of
social media etiquette, such as respecting privacy, protecting intellectual property, avoiding conflicts
of interest, or complying with legal obligations. Education and guidelines can also raise awareness of
potential data leakage scenarios, such as phishing attacks, malicious links, fake profiles, or
oversharing sensitive information, and provide tips on how to prevent or respond to them.
An IS auditor notes that several employees are spending an excessive amount of time using social
media sites for personal reasons. Which of the following should the auditor recommend be
performed FIRST?
D
Explanation:
The first course of action that the auditor should recommend after finding that several employees
are spending an excessive amount of time using social media sites for personal reasons is to
implement policies addressing acceptable usage of social media during working hours. Policies can
help define the scope, purpose, rules, and expectations of using social media in the workplace, both
for personal and professional reasons. Policies can also specify the consequences of violating the
policies, such as disciplinary actions or termination. Policies can help deter employees from misusing
social media at work, which could affect their productivity, performance, or security. Policies can also
help protect the organization from legal liabilities or reputational damages that could arise from
inappropriate or unlawful employee behavior on social media.
Which of the following fire suppression systems needs to be combined with an automatic switch to
shut down the electricity supply in the event of activation?
A
Explanation:
Carbon dioxide fire suppression systems need to be combined with an automatic switch to shut
down the electricity supply in the event of activation. Carbon dioxide extinguishes a fire by
displacing the oxygen in the protected area, which also makes it a suffocation hazard for anyone
present, so the space must be evacuated before discharge. Because the gas dissipates once the
discharge ends, any energized equipment that started the fire could re-ignite it; cutting the power
on activation removes that ignition source and also reduces the risk of electric shock and sparks
when responders re-enter. For these reasons carbon dioxide systems are typically used for total
flooding of normally unoccupied spaces, such as server rooms or data center equipment areas, with
the power shutdown interlocked to the discharge.