Isaca- CISA
Posted by Superadmin on July 24 2020 07:31:07

 

Question ID 22440

When performing a review of the structure of an electronic funds transfer (EFT) system, an IS auditor observes that the technological infrastructure is based on a centralized processing scheme that has been outsourced to a provider in another country. Based on this information, which of the following conclusions should be the main concern of the IS auditor?

Option A

There could be a question regarding the legal jurisdiction.

Option B

Having a provider abroad will cause excessive costs in future audits.

Option C

The auditing process will be difficult because of the distance.

Option D

There could be different auditing norms.

Correct Answer A
Description In the funds transfer process, when the processing scheme is centralized in a different country, there could be legal issues of jurisdiction that might affect the right to perform a review in the other country. The other choices, though possible, are not as relevant as the issue of legal jurisdiction.
Update Date and Time 2018-03-26 05:02:55

 

Question ID 22441

An IS auditor should expect which of the following items to be included in the request for proposal (RFP) when IS is procuring services from an independent service provider (ISP)?

Option A

References from other customers

Option B

Service level agreement (SLA) template

Option C

Maintenance agreement

Option D

Conversion plan

Correct Answer A
Description An IS auditor should look for an independent verification that the ISP can perform the tasks being contracted for. References from other customers would provide an independent, external review and verification of the procedures and processes the ISP follows, issues which would be of concern to an IS auditor. Checking references is a means of obtaining an independent verification that the vendor can perform the services it says it can. A maintenance agreement relates more to equipment than to services, and a conversion plan, while important, is less important than verification that the ISP can provide the services it proposes.
Update Date and Time 2018-03-26 05:03:51

 

 

Question ID 22442

To minimize costs and improve service levels, an outsourcer should seek which of the following contract clauses?

Option A

O/S and hardware refresh frequencies

Option B

Gain-sharing performance bonuses

Option C

Penalties for noncompliance

Option D

Charges tied to variable cost metrics

Correct Answer B
Description Because the outsourcer will share a percentage of the achieved savings, gain-sharing performance bonuses provide a financial incentive to go above and beyond the stated terms of the contract and can lead to cost savings for the client. Refresh frequencies and penalties for noncompliance would only encourage the outsourcer to meet minimum requirements. Similarly, tying charges to variable cost metrics would not encourage the outsourcer to seek additional efficiencies that might benefit the client.
Update Date and Time 2018-03-26 05:04:36

 

Question ID 22443

When an organization is outsourcing its information security function, which of the following should be kept in the organization?

Option A

Accountability for the corporate security policy

Option B

Defining the corporate security policy

Option C

Implementing the corporate security policy

Option D

Defining security procedures and guidelines

Correct Answer A
Description Accountability cannot be transferred to external parties. Choices B, C and D can be performed by outside entities as long as accountability remains within the organization.
Update Date and Time 2018-03-26 05:05:33

 

 

 

 

Question ID 22444

An IS auditor has been assigned to review IT structures and activities recently outsourced to various providers. Which of the following should the IS auditor determine FIRST?

Option A

That an audit clause is present in all contracts

Option B

That the SLA of each contract is substantiated by appropriate KPIs

Option C

That the contractual warranties of the providers support the business needs of the organization

Option D

That at contract termination, support is guaranteed by each outsourcer for new outsourcers

Correct Answer C
Description The complexity of IT structures matched by the complexity and interplay of responsibilities and warranties may affect or void the effectiveness of those warranties and the reasonable certainty that the business needs will be met. All other choices are important, but not as potentially dangerous as the interplay of the diverse and critical areas of the contractual responsibilities of the outsourcers.
Update Date and Time 2018-03-26 06:11:05

 

Question ID 22448

While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the:

Option A

requirement for protecting confidentiality of information could be compromised.

Option B

contract may be terminated because prior permission from the outsourcer was not obtained.

Option C

other service provider to whom work has been outsourced is not subject to audit.

Option D

outsourcer will approach the other service provider directly for further work.

Correct Answer A

Description Many countries have enacted regulations to protect the confidentiality of information maintained in their countries and/or exchanged with other countries. Where a service provider outsources part of its services to another service provider, there is a potential risk that the confidentiality of the information will be compromised. Choices B and C could be concerns but are not related to ensuring the confidentiality of information. There is no reason why an IS auditor should be concerned with choice D.
Update Date and Time 2018-03-29 06:52:51

 

 

 

 

Question ID 22449

Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?

Option A

Security incident summaries

Option B

Vendor best practices

Option C

CERT coordination center

Option D

Significant contracts

Correct Answer D
Description Contractual requirements are one of the sources that should be consulted to identify the requirements for the management of information assets. Vendor best practices provide a basis for evaluating how competitive an enterprise is, while security incident summaries are a source for assessing the vulnerabilities associated with the IT infrastructure. CERT (www.cert.org) is an information source for assessing vulnerabilities within the IT infrastructure.
Update Date and Time 2018-03-30 05:05:40

 

Question ID 22450

An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and vendor should be the provisions for:

Option A

documentation of staff background checks.

Option B

independent audit reports or full audit access.

Option C

reporting the year-to-year incremental cost reductions.

Option D

reporting staff turnover, development or training.

Correct Answer B

Description When the functions of an IS department are outsourced, an IS auditor should ensure that a provision is made for independent audit reports that cover all essential areas, or that the outsourcer has full audit access. Although it is necessary to document the fact that background checks are performed, this is not as important as provisions for audits. Financial measures such as year-to-year incremental cost reductions are desirable to have in a service level agreement (SLA); however, cost reductions are not as important as the availability of independent audit reports or full audit access. An SLA might include human relationship measures such as resource planning, staff turnover, development or training, but these are not as important as the requirements for independent reports or full audit access by the outsourcing organization.
Update Date and Time 2018-03-30 05:07:19

 

 

 

 

 

Question ID 22451

Which of the following is the MOST important IS audit consideration when an organization outsources a customer credit review system to a third-party service provider? The provider:

Option A

meets or exceeds industry security standards.

Option B

agrees to be subject to external security reviews.

Option C

has a good market reputation for service and experience.

Option D

complies with security policies of the organization.

Correct Answer B
Description It is critical that an independent security review of an outsourcing vendor be obtained because customer credit information will be kept there. Compliance with security standards or organization policies is important, but there is no way to verify or prove that this is the case without an independent review. Though long experience in business and a good reputation are important factors in assessing service quality, the business cannot outsource to a provider whose security controls are weak.
Update Date and Time 2018-03-30 05:08:22

 

Question ID 22452

The risks associated with electronic evidence gathering would MOST likely be reduced by an e-mail:

Option A

destruction policy.

Option B

security policy.

Option C

archive policy.

Option D

audit policy.

Correct Answer C
Description With a policy of well-archived e-mail records, access to or retrieval of specific e-mail records is possible without disclosing other confidential e-mail records. Security and/or audit policies would not address the efficiency of record retrieval, and destroying e-mails may be an illegal act.
Update Date and Time 2018-03-30 05:09:04

 

 

 

 

 

Question ID 22453

The output of the risk management process is an input for making:

Option A

business plans.

Option B

audit charters.

Option C

security policy decisions.

Option D

software design decisions.

Correct Answer C
Description The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process.
Update Date and Time 2018-03-30 05:11:14

 

Question ID 22454

An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?

Option A

Report the risks to the CIO and CEO immediately

Option B

Examine e-business application in development

Option C

Identify threats and likelihood of occurrence

Option D

Check the budget available for risk management

Correct Answer C

Description An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of occurrence. Choices A, B and D should be discussed with the CIO, and a report should be delivered to the CEO. The report should include the findings along with priorities and costs.
Update Date and Time 2018-03-30 05:12:20

 

 

 

 

 

Question ID 22455

Which of the following is a mechanism for mitigating risks?

Option A

Security and control practices

Option B

Property and liability insurance

Option C

Audit and certification

Option D

Contracts and service level agreements (SLAs)

Correct Answer A
Description Risks are mitigated by implementing appropriate security and control practices. Insurance is a mechanism for transferring risk. Audit and certification are mechanisms of risk assurance, while contracts and SLAs are mechanisms of risk allocation.
Update Date and Time 2018-03-30 05:13:34

 

Question ID 22456

When developing a risk management program, what is the FIRST activity to be performed?

Option A

Threat assessment

Option B

Classification of data

Option C

Inventory of assets

Option D

Criticality analysis

Correct Answer C

Description Identification of the assets to be protected is the first step in the development of a risk management program. A listing of the threats that can affect the performance of these assets and criticality analysis are later steps in the process. Data classification is required for defining access controls and in criticality analysis.
Update Date and Time 2018-03-30 05:14:21

 

 

 

 

 

 

Question ID 22457

A team conducting a risk analysis is having difficulty projecting the financial losses that could result from a risk. To evaluate the potential losses, the team should:

Option A

compute the amortization of the related assets.

Option B

calculate a return on investment (ROI).

Option C

apply a qualitative approach.

Option D

spend the time needed to define exactly the loss amount.

Correct Answer C
Description The common practice, when it is difficult to calculate the financial losses, is to take a qualitative approach, in which the manager affected by the risk defines the financial loss in terms of a weighted factor (e.g., one is a very low impact to the business and five is a very high impact). An ROI is computed when there are predictable savings or revenues that can be compared to the investment needed to realize them. Amortization is used in a profit and loss statement, not in computing potential losses. Spending the time needed to define exactly the total amount is normally a wrong approach. If it has been difficult to estimate potential losses (e.g., losses derived from erosion of public image due to a hack attack), that situation is not likely to change, and at the end of the day the result will be a poorly supported evaluation.
Update Date and Time 2018-03-30 05:19:28

 

Question ID 22490

Before implementing an IT balanced scorecard, an organization must:

Option A

deliver effective and efficient services.

Option B

define key performance indicators.

Option C

provide business value to IT projects.

Option D

control IT expenses.

Correct Answer B

Description A definition of key performance indicators is required before implementing an IT balanced scorecard. Choices A, C and D are objectives.
Update Date and Time 2018-04-03 06:30:53

 

 

 

 

 

Question ID 22491

Which of the following is the PRIMARY objective of an IT performance measurement process?

Option A

Minimize errors

Option B

Gather performance data

Option C

Establish performance baselines

Option D

Optimize performance

Correct Answer D
Description An IT performance measurement process can be used to optimize performance, measure and manage products/services, assure accountability and make budget decisions. Minimizing errors is an aspect of performance, but not the primary objective of performance management. Gathering performance data is a phase of the IT measurement process and would be used to evaluate the performance against previously established performance baselines.
Update Date and Time 2018-04-03 06:32:05

 

Question ID 22492

The IT balanced scorecard is a business governance tool intended to monitor IT performance evaluation indicators other than:

Option A

financial results.

Option B

customer satisfaction.

Option C

internal process efficiency.

Option D

innovation capacity.

Correct Answer A

Description Financial results have traditionally been the sole overall performance metric. The IT balanced scorecard (BSC) is an IT business governance tool aimed at monitoring IT performance evaluation indicators other than financial results. The IT BSC considers other key success factors, such as customer satisfaction, innovation capacity and internal process efficiency.
Update Date and Time 2018-04-03 06:34:07

 

 

 

 

Question ID 22493

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?

Option A

Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.

Option B

Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.

Option C

No recommendation is necessary since the current approach is appropriate for a medium-sized organization.

Option D

Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization's risk management.

Correct Answer D
Description Establishing regular meetings is the best way to identify and assess risks in a medium-sized organization, to assign responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough that external help would not be needed. While common risks may be covered by common industry standards, they cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization. Splitting the one risk position into several is not sufficient.
Update Date and Time 2018-04-03 06:35:18

 

Question ID 22529

Which of the following risks could result from inadequate software baselining?

Option A

Scope creep

Option B

Sign-off delays

Option C

Software integrity violations

Option D

inadequate controls

Correct Answer A
Description A software baseline is the cut-off point in the design and development of a system beyond which additional requirements or modifications to the design do not or cannot occur without undergoing formal, strict procedures for approval based on a business cost-benefit analysis. Failure to adequately manage the requirements of a system through baselining can result in a number of risks. Foremost among these risks is scope creep, the process through which requirements change during development. Choices B, C and D may not always result, but choice A is inevitable.
Update Date and Time 2018-04-04 05:54:48

 

 

 

 

Question ID 22530

Many IT projects experience problems because the development time and/or resource requirements are underestimated. Which of the following techniques would provide the GREATEST assistance in developing an estimate of project duration?

Option A

Function point analysis

Option B

PERT chart

Option C

Rapid application development

Option D

Object-oriented system development

Correct Answer B
Description A PERT chart will help determine project duration once all the activities and the work involved with those activities are known. Function point analysis is a technique for determining the size of a development task based on the number of function points. Function points are factors such as inputs, outputs, inquiries, logical internal files, etc. While this will help determine the size of individual activities, it will not assist in determining project duration since there are many overlapping tasks. Rapid application development is a methodology that enables organizations to develop strategically important systems faster while reducing development costs and maintaining quality, while object-oriented system development is the process of solution specification and modeling.
Update Date and Time 2018-04-04 05:57:31

 

Question ID 22531

The reason for establishing a stop or freezing point on the design of a new system is to:

Option A

prevent further changes to a project in process.

Option B

indicate the point at which the design is to be completed.

Option C

require that changes after that point be evaluated for cost-effectiveness.

Option D

provide the project management team with more control over the project design.

Correct Answer C

Description Projects often have a tendency to expand, especially during the requirements definition phase. This expansion often grows to a point where the originally anticipated cost-benefits are diminished because the cost of the project has increased. When this occurs, it is recommended that the project be stopped or frozen to allow a review of all of the cost-benefits and the payback period.
Update Date and Time 2018-04-04 05:58:20

 

 

 

Question ID 22532

Change control for business application systems being developed using prototyping could be complicated by the:

Option A

iterative nature of prototyping.

Option B

rapid pace of modifications in requirements and design.

Option C

emphasis on reports and screens.

Option D

lack of integrated tools.

Correct Answer B
Description Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.
Update Date and Time 2018-04-04 05:59:06

 

Question ID 22533

An IS auditor finds that a system under development has 12 linked modules and each item of data can carry up to 10 definable attribute fields. The system handles several million transactions a year. Which of these techniques could an IS auditor use to estimate the size of the development effort?

Option A

Program evaluation review technique (PERT)

Option B

Counting source lines of code (SLOC)

Option C

Function point analysis

Option D

White box testing

Correct Answer C
Description Function point analysis is an indirect method of measuring the size of an application by considering the number and complexity of its inputs, outputs and files. It is useful for evaluating complex applications. PERT is a project management technique that helps with both planning and control. SLOC gives a direct measure of program size, but does not allow for the complexity that may be caused by having multiple, linked modules and a variety of inputs and outputs. White box testing involves a detailed review of the behavior of program code, and is a quality assurance technique suited to simpler applications during the design and build stage of development.
Update Date and Time 2018-04-04 06:00:05

 

 

 

Question ID 22534

When planning to add personnel to tasks imposing time constraints on the duration of a project, which of the following should be revalidated FIRST?

Option A

The project budget

Option B

The critical path for the project

Option C

The length of the remaining tasks

Option D

The personnel assigned to other tasks

Correct Answer B

Description Since adding resources may change the route of the critical path, the critical path must be reevaluated to ensure that additional resources will in fact shorten the project duration. Given that there may be slack time available on some of the other tasks not on the critical path, factors such as the project budget, the length of other tasks and the personnel assigned to them may or may not be affected.
Update Date and Time 2018-04-04 06:00:50
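The two project-duration questions above (22530, which picks the PERT chart as the duration estimator, and 22534, which says the critical path must be revalidated before adding personnel to a task) can be worked through with the same piece of code. The following is an added example written for this page; it is not from ISACA or the question bank. The six-task network, its three-point estimates, and the "crash" of task E by three days are all constructed assumptions used to show why shortening a critical task can move the critical path onto another route and shorten the project by less than expected.

```python
"""PERT three-point estimates feeding a critical path method (CPM) pass.

Added example: the six-task network below is constructed for illustration and
is not from ISACA or the original question bank.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Task:
    name: str
    optimistic: float
    most_likely: float
    pessimistic: float
    predecessors: tuple = ()

    @property
    def expected(self) -> float:
        # PERT expected duration: weighted mean (O + 4M + P) / 6
        return (self.optimistic + 4 * self.most_likely + self.pessimistic) / 6

    @property
    def variance(self) -> float:
        # PERT variance: ((P - O) / 6) ** 2
        return ((self.pessimistic - self.optimistic) / 6) ** 2


@dataclass
class Schedule:
    duration: float
    early_start: dict
    early_finish: dict
    late_start: dict
    late_finish: dict
    slack: dict
    critical_path: list  # zero-slack tasks in topological order


def topo_order(tasks):
    """Kahn's algorithm over the precedence graph; rejects cycles."""
    indeg = {n: len(t.predecessors) for n, t in tasks.items()}
    succ = {n: [] for n in tasks}
    for n, t in tasks.items():
        for p in t.predecessors:
            succ[p].append(n)
    ready = [n for n, d in indeg.items() if d == 0]
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for s in succ[n]:
            indeg[s] -= 1
            if indeg[s] == 0:
                ready.append(s)
    if len(order) != len(tasks):
        raise ValueError("cycle in task dependencies")
    return order, succ


def cpm(tasks, durations=None):
    """Forward pass (ES/EF), backward pass (LS/LF), slack and critical path."""
    if durations is None:
        durations = {n: t.expected for n, t in tasks.items()}
    order, succ = topo_order(tasks)
    es, ef, ls, lf = {}, {}, {}, {}
    for n in order:  # forward pass: earliest start is the latest predecessor finish
        es[n] = max((ef[p] for p in tasks[n].predecessors), default=0.0)
        ef[n] = es[n] + durations[n]
    project = max(ef.values())
    for n in reversed(order):  # backward pass: latest finish is the earliest successor late start
        lf[n] = min((ls[s] for s in succ[n]), default=project)
        ls[n] = lf[n] - durations[n]
    slack = {n: ls[n] - es[n] for n in order}
    critical = [n for n in order if math.isclose(slack[n], 0.0, abs_tol=1e-9)]
    return Schedule(project, es, ef, ls, lf, slack, critical)


def path_std_dev(tasks, path):
    """Standard deviation of a path's total duration under PERT assumptions."""
    return math.sqrt(sum(tasks[n].variance for n in path))


def crash(tasks, task_name, reduce_by):
    """Duration table with one task shortened, e.g. after adding personnel."""
    d = {n: t.expected for n, t in tasks.items()}
    d[task_name] = max(0.0, d[task_name] - reduce_by)
    return d


# Constructed sample network (hypothetical): two routes, A-B-D-F and A-C-E-F.
NETWORK = {
    "A": Task("A", 2, 3, 4),
    "B": Task("B", 4, 6, 8, ("A",)),
    "C": Task("C", 2, 4, 6, ("A",)),
    "D": Task("D", 1, 2, 3, ("B",)),
    "E": Task("E", 3, 5, 7, ("C",)),
    "F": Task("F", 1, 2, 3, ("D", "E")),
}


def baseline():
    return cpm(NETWORK)


def after_crashing_e():
    # Shorten E (on the critical path) by 3 days; the critical path moves to B-D.
    return cpm(NETWORK, crash(NETWORK, "E", 3))


if __name__ == "__main__":
    for label, s in (("baseline", baseline()), ("E crashed by 3", after_crashing_e())):
        slack = {n: round(v, 1) for n, v in s.slack.items()}
        print(label, "duration", s.duration, "critical", "-".join(s.critical_path), "slack", slack)
    print("std dev of baseline critical path", round(path_std_dev(NETWORK, baseline().critical_path), 2))
```

In the baseline the critical path is A-C-E-F at 14 days and tasks B and D each carry one day of slack. Crashing E by three days shortens the project only to 13 days, because A-B-D-F becomes critical; the remaining two days taken off E turn into slack on C and E. That is exactly why the critical path is the first thing to revalidate before paying for extra staff on a task.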