CISA Review Questions, Answers & Explanations Manual 2014 Supplement by ISACA. (c) 2013. Copying Prohibited.
Reprinted for Kiran Khan, ISACA. Reprinted with permission as a subscription benefit of Books24x7, http://www.books24x7.com/
All rights reserved. Reproduction and/or distribution in whole or in part in electronic,paper or other forms without written permission is prohibited.
CISA Review Questions, Answers & Explanations Manual 2014 Supplement
Questions, Answers & Explanations by Domain

Domain 1—The Process of Auditing Information Systems (14%)

AS1-1 When planning an IS audit, the auditor should FIRST:
A. identify the business process to be audited.
B. perform a risk assessment.
C. determine the objective of the audit.
D. identify needed audit resources.

C is the correct answer.

Justification:
A. The business process to be audited cannot be identified until the audit objective has been determined.
B. The risk-based approach requires the IS auditor to first understand the entity and its environment in order to identify risk. The risk assessment cannot be performed until the audit objective is determined.
C. The IS auditor should develop an audit plan that takes into consideration the objectives of the auditee relevant to the audit area and its technology infrastructure.
D. Audit resources needed for the audit can only be determined after the scope of the audit has been set.

AS1-2 What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
A. It detects risk sooner.
B. It replaces the audit function.
C. It reduces audit workload.
D. It reduces audit resources.

A is the correct answer.

Justification:
A. CSAs require employees to assess the control stature of their own function. CSAs help increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSAs help identify risk in a more timely manner.
B. CSAs do not replace the audit function; an audit must still be performed to ensure that controls are present.
C. CSAs may not reduce the audit function’s workload and are not a major difference between the two approaches.
D. CSAs do not affect the need for audit resources. While the results of the CSA may serve as a reference point for the audit process, they do not affect the scope or depth of audit work that needs to be performed.
AS1-3 An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business areas the project may affect?
A. Control risk
B. Compliance risk
C. Inherent risk
D. Residual risk

C is the correct answer.

Justification:
A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not be due to the number of users or business areas affected.
B. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and may not be impacted by the number of users and business areas affected.
C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent risk is the risk level or exposure without taking into account the actions that management has taken or might take.
D. Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number of users or business areas affected.

AS1-4 An IS auditor discovers a potential material finding. The BEST course of action is to:
A. report the potential finding to business management.
B. discuss the potential finding with the audit committee.
C. increase the scope of the audit.
D. perform additional testing.

D is the correct answer.

Justification:
A. The item should be confirmed through additional testing before it is reported to management.
B. The item should be confirmed through additional testing before it is discussed with the audit committee.
C. Additional testing to confirm the potential finding should be within the scope of the engagement.
D. The IS auditor should perform additional testing to ensure that it is a finding. An auditor can lose credibility if it is later discovered that the finding was not justified.

AS1-5 Which of the following is in the BEST position to approve changes to the audit charter?
A. Board of directors
B. Audit committee
C. Executive management
D. Director of internal audit

B is the correct answer.

Justification:
A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval.
B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit committee and the audit charter should be approved by the committee.
C. Executive management is not required to approve the audit charter. The audit committee is in the best position to approve the charter.
D. While the director of internal audit may draft the charter and make changes, the audit committee should have the final approval of the charter.

AS1-6 An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process. Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
A. Inspection
B. Inquiry
C. Walk-through
D. Reperformance

C is the correct answer.

Justification:
A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full understanding of the overall process and identify potential control weaknesses.
B. Inquiry provides only general information on how the control is executed. It does not necessarily enable the IS auditor to determine whether the control performer has an in-depth understanding of the control.
C. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant documentation and reperformance of controls. A walk-through of the manual log review process follows the manual log review process from start to finish to gain a thorough understanding of the overall process and identify potential control weaknesses.
D. Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the auditee.

AS1-7 An IS auditor is evaluating processes put in place by management at a storage location containing computer equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing procedure executed by the IS auditor is an example of:
A. substantive testing.
B. compliance testing.
C. analytical testing.
D. control testing.

A is the correct answer.

Justification:
A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or transactions during the audit period.
B. Compliance testing is evidence gathering for the purpose of testing an enterprise’s compliance with control procedures. This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data or other information.
C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship.
D. Control testing is the same as compliance testing.

AS1-8 Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat

B is the correct answer.

Justification:
A. Impact is the measure of the financial loss that a threat event may have.
B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive information, financial loss, legal penalties or other losses.
C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure, finances and reputation.
D. A threat is a potential cause of an unwanted incident.

AS1-9 An IS auditor is evaluating the controls around provisioning visitor access cards to the organization’s IT facility. The IS auditor notes that daily reconciliation of visitor card inventory is not carried out as mandated. However, an inventory count carried out by the IS auditor reveals no missing access cards. In this context, the IS auditor should:
A. disregard the lack of reconciliation because no discrepancies were discovered.
B. recommend regular physical inventory counts be performed in lieu of daily reconciliation.
C. report the lack of daily reconciliation as an exception.
D. recommend the implementation of a biometric access system.

C is the correct answer.

Justification:
A. Absence of discrepancy in the physical count only confirms absence of any impact, but cannot be a reason to overlook failure of operation of the control.
B. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report when the current process is deficient.
C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory count gives assurance only at a point in time and is not a management-mandated activity.
D. While the IS auditor may in some cases recommend a solution, the primary goal is to observe and report when the current process is deficient.

AS1-10 During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a particular application. Which of the following should the IS auditor do?
A. Recommend compensating controls.
B. Review the code created by the developer.
C. Analyze the quality assurance dashboards.
D. Report the identified condition.

D is the correct answer.

Justification:
A. While compensating controls may be a good idea, the primary response in this case should be to report the condition.
B. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response should be to report the condition.
C. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties, but does not address the underlying risk. The primary response should be to report the condition.
D. The software quality assurance role should be independent and separate from development and development activities. The same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor should report this condition when identified.

AS1-11 An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank’s financial risk is properly addressed, the IS auditor will most likely review which of the following?
A. Privileged access to the wire transfer system
B. Wire transfer procedures
C. Fraud monitoring controls
D. Employee background checks

B is the correct answer.

Justification:
A. Privileged access, such as administrator access, is necessary to manage user account privileges and should not be granted to end users. The wire transfer procedures are a better control to review to ensure that there is segregation of duties of the end users to help prevent fraud.
B. Wire transfer procedures include segregation of duties controls. This helps prevent internal fraud by not allowing one person to initiate, approve and send a wire. Therefore, the IS auditor should review the procedures as they relate to the wire system.
C. Fraud monitoring is a detective control and does not prevent financial loss. Segregation of duties is a preventive control.
D. While controls related to background checks are important, the controls related to segregation of duties as found in the wire transfer procedures are more critical.

AS1-12 An IS auditor is determining the appropriate sample size for testing the existence of program change approvals. Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for the review period. In this context, the IS auditor can adopt a:
A. lower confidence coefficient, resulting in a smaller sample size.
B. higher confidence coefficient, resulting in a smaller sample size.
C. higher confidence coefficient, resulting in a larger sample size.
D. lower confidence coefficient, resulting in a larger sample size.

A is the correct answer.

Justification:
A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use of a smaller sample size.
B. A higher confidence coefficient will result in the use of a larger sample size.
C. A higher confidence coefficient need not be adopted in this situation because internal controls are strong.
D. A lower confidence coefficient will result in the use of a smaller sample size.

AS1-13 Why does an audit manager review audit papers from an IS auditor, even when the auditor has more than 10 years of experience?
A. Supervision is required to comply with internal quality requirements.
B. Supervision is required to comply with the audit guidelines.
C. Supervision is required to comply with the audit methodology.
D. Supervision is required to comply with professional standards.

D is the correct answer.

Justification:
A. Internal quality requirements may exist, but are superseded by the requirement of supervision to comply with professional standards.
B. Audit guidelines exist to provide guidance on how to achieve compliance with professional standards. For example, they may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve compliance with professional standards.
C. An audit methodology is a well-configured process/procedure to achieve audit objectives. While an audit methodology is a meaningful tool, supervision is generally driven by compliance with professional standards.
D. Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of Accountants (IFAC) require supervision of audit staff to accomplish audit objectives and comply with competence, professional proficiency and documentation requirements, and more.

AS1-14 Which of the following is the PRIMARY reason IS auditors conduct risk assessments?
A. To focus effort on areas of highest business impact
B. To maintain the organization’s risk register
C. To enable management to choose the correct risk response
D. To provide assurance on the risk management process

A is the correct answer.

Justification:
A. Risk assessments form the basis of audit department management and are used to determine potential areas on which to focus audit efforts and resources. A risk assessment is the process used to identify and evaluate risk and its potential effects.
B. Updating the risk register is the responsibility of operations management, not the IT audit department.
C. Management chooses the correct risk response strategy based on the enterprisewide risk assessment, evaluation and analysis.
D. Assurance on risk management is not the main reason why risk assessments are performed by the audit department. The IT department performs risk assessments for two purposes: to create a risk-based audit schedule and to manage the risk related to each audit engagement from a delivery and project management perspective.

Domain 2—Governance and Management of IT (14%)

AS2-1 An IS auditor is reviewing the disaster recovery plan (DRP) for a large organization with multiple locations requiring high systems availability. Which of the following causes the GREATEST concern?
A. There is no agreement for a third-party alternate processing center.
B. Backup media are not tested.
C. The entire DRP is not periodically tested.
D. A physical copy of the plan is not available at the alternate processing site.

B is the correct answer.

Justification:
A. While an agreement for an alternate processing site is important, a large organization with multiple locations will most likely have other alternate processing sites within the organization without needing a third-party processing center. Data could be sent to another site within the organization, but if the backup data are not reliable, the risk to availability is not managed.
B. Testing backups provides assurance that the backup data are reliable and will be available when needed. Without backup data, the organization is not addressing the risk of availability.
C. While it is important to periodically test the DRP, it is also effective to periodically test the plan using certain scenarios instead of testing the entire plan. In many cases the restoration of backup media will not change for different disasters. For organizations with high availability requirements, data must be reliable and available when needed. If the primary processing center is not available, recovery of backup media is typically the same for each location as long as it is reliable and available.
D. The DRP must be available to all personnel involved with recovery efforts. With the availability of the Internet, there are alternative methods of delivery/retrieval of the plan. Reliability and availability of backup data are priorities for organizations that require high availability.

AS2-2 An IS auditor reviewing a project’s risk and related risk responses would be MOST concerned with a lack of management sign-off for a risk that was:
A. avoided.
B. transferred.
C. mitigated.
D. accepted.

D is the correct answer.

Justification:
A. The avoidance strategy involves not implementing certain activities or processes that incur risk, thus eliminating the risk. The IS auditor would not expect a formal sign-off for an avoided risk.
B. Risk that is transferred is shared among partners such as through insurance or contractual agreement. Lack of a documented management sign-off would be of concern, but not as high a concern as with an accepted risk because the overall risk to the organization is reduced.
C. Because the risk has been mitigated, management has signed off and approved the approach used to mitigate the risk. The IS auditor would be more concerned if management did not approve a risk that was accepted.
D. In order to accept the risk, management must first be made aware of the risk and its consequences. This includes a formal acceptance of the risk, which is usually evidenced by a sign-off.

AS2-3 For key performance indicators (KPIs) to be an effective and useful metric, it is MOST important that:
A. KPIs are measured at consistent intervals.
B. specific goals are defined.
C. critical success factors (CSFs) are considered.
D. KPIs are purely quantitative measures.

B is the correct answer.

Justification:
A. Measurement at consistent intervals is not likely to be important because trends and the extent to which goals are achieved can be determined.
B. The most important metric is the extent to which the key goal indicators (KGIs) are achieved.
C. CSFs are important considerations for determining that a goal is being achieved, but are not a metric.
D. Quantitative measures are usually preferable, but not always possible and not essential.

AS2-4 Which of the following documents is the BEST source for an IS auditor to understand the requirements for employee awareness training?
A. Information security policy
B. Acceptable usage policy
C. Human resources (HR) policy
D. End-user computing policy

A is the correct answer.

Justification:
A. The information security policy states the organization’s approach to managing information security. The policy contains the company’s security objectives and explains the security policies, principles and standards. In addition, the policy outlines requirements such as compliance with regulations and employee education, training and awareness.
B. The acceptable usage policy outlines guidelines and rules for employee use of the company’s information resources. It is focused and does not include requirements for security awareness training.
C. The HR policy refers to the information security policy, but does not specifically list the requirements for security awareness training. Instead, this document contains broader information such as hiring practices, commitments to diversity and ethics, and compliance with regulations.
D. The end-user computing policy describes the parameters and usage of desktop tools by users. It does not contain requirements for security awareness training.

AS2-5 To be effective, risk management should be applied to:
A. those elements identified by a risk assessment.
B. any area that exceeds acceptable risk levels.
C. all organizational activities.
D. only areas that have potential impact.

C is the correct answer.

Justification:
A. Elements of unacceptable risk will require treatment, but all activities are subject to risk management oversight. Assessing risk and determining which risk is acceptable and which risk has the potential for impact are functions of risk management.
B. Risk management must be holistic and should not be limited to areas that exceed acceptable risk levels. Areas within acceptable risk levels may be optimized by reducing control measures or assuming more risk.
C. While not all organizational activities will pose an unacceptable risk, the practice of risk management is still applied to determine which risk requires treatment.
D. When assessing risk, determining which risk is acceptable, which risk exceeds acceptable levels and which risk has the potential for impact are functions of risk management.

AS2-6 The goal of IT risk analysis is to:
A. enable the alignment of IT risk management with enterprise risk management (ERM).
B. enable the prioritization of risk responses.
C. satisfy legal and regulatory compliance requirements.
D. identify known threats and vulnerabilities to information assets.

B is the correct answer.

Justification:
A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management process. However, risk analysis does not enable such an alignment.
B. Risk analysis is a process by which the likelihood and magnitude of IT risk scenarios are estimated. Risk analysis is conducted to ensure that the information assets with the greatest risk likelihood and impact are managed before addressing risk with a lower likelihood and impact. Prioritization of IT risk helps maximize return on investment for risk responses.
C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and other risk. It looks at regulatory risk as one type of risk that the organization faces, but is not specifically designed to satisfy legal and regulatory compliance requirements.
D. Risk analysis occurs after risk identification and evaluation. Risk identification determines known threats and vulnerabilities. Risk evaluation assesses the risk and creates valid risk scenarios. Risk analysis quantifies risk along the vectors of likelihood and impact to facilitate the prioritization of risk responses.

AS2-7 Which of the following is a PRIMARY objective of an acceptable use policy?
A. Creating awareness about the secure use of proprietary resources
B. Ensuring compliance with information security policies
C. Defining sanctions for noncompliance
D. Controlling how proprietary information systems are used

D is the correct answer.

Justification:
A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the acceptable use of proprietary IT resources. The acceptable use policy is one of the topics covered during training and is often signed after employee orientation and during periodic user awareness training.
B. The acceptable use policy is a subset of the information security policies that focus on the end user and a specific topic. Information security policies are much broader in overall content and include a wider audience.
C. Although the policy may include a statement regarding the sanctions for noncompliance, sanctions are not the primary objective of the acceptable use policy; prevention is the primary objective.
D. Inappropriate use of proprietary IT resources by users exposes enterprises to a variety of risk scenarios, including malware attacks, compromise and unavailability of critical systems, and legal issues. To address such risk, a policy supported by guidelines is put into effect to define how information system resources will be used. An acceptable use policy ensures that users are made aware of acceptable usage and the need to acknowledge that they are aware.

AS2-8 What is the GREATEST risk of a bank outsourcing its data center?
A. Loss or leakage of information
B. Noncompliance with regulatory requirements
C. Vendor failure or bankruptcy
D. Loss of internal knowledge and experience

A is the correct answer.

Justification:
A. The risk of loss or leakage of information is the greatest risk because it can subject the company to regulatory fines, lawsuits and reputation risk.
B. Although noncompliance with regulations subjects a company to potential fines, it is not necessarily as great a risk as a security breach.
C. The risk of vendor failure or bankruptcy can be mitigated in the contract through such clauses as code escrow as well as a robust recovery process. Although this risk is inherent in any contractual relationship, if the correct controls are in place then it should not materially affect the bank as much as a loss or leakage of information.
D. The risk of a lack of internal IS staff knowledge through outsourcing, although valid, is not as great a risk as that resulting from a loss or leakage of information. Contractual controls, such as a turnover period in the event of contract termination, can also help mitigate the risk of loss of internal knowledge.

AS2-9 Which of the following should be of GREATEST concern to an IS auditor reviewing the business continuity plan (BCP) of an organization?
A. Daily full backups are not performed for critical production files.
B. A team of IT and information security staff conducted the business impact analysis (BIA).
C. Sensitive information processes are manually performed during a disruption.
D. An annual test of the BCP is not being performed.

B is the correct answer.

Justification:
A. Daily full backups may not be required if incremental or differential backups are in place.
B. To be effective, the BIA should be conducted with input from a wide array of stakeholders. The business requirements included within the BIA are integral in defining mean-time-to-repair and the data point recovery. Without business stakeholder input, these critical requirements may not be correctly defined, leading to critical assets being overlooked.
C. As long as the service delivery objective is met and data are handled in alignment with the data classification and handling policy, it is appropriate for “sensitive” functions to be performed manually in the case of a BCP event.
D. The frequency of testing is less important than business involvement in the creation of the BCP.

AS2-10 Which of the following compensating controls should management implement when a segregation of duties conflict exists because an organization has a small IT department?
A. More frequent review of audit logs
B. Tighter controls over user provisioning
C. More frequent reviews of administrative access
D. Independent review of exception reports

D is the correct answer.

Justification:
A. While frequent review of audit logs is a compensating control, if there is no clear segregation of duties, this is an ineffective control. An IT person with administrative access to a system could potentially delete audit logs or disable audit logging altogether. From a practical perspective, logs typically contain large volumes of data; an in-depth review of these data would be a time-consuming and impractical method for finding issues related to segregation of duties conflicts.
B. User provisioning is the process of granting access to an application or system. While a normal part of the provisioning process is to make sure that no segregation of duties conflicts exist, this cannot be done in the present case due to the small size of the IT department. Therefore, tighter controls over user provisioning would be of limited value.
C. While it is important to ensure that only authorized individuals have administrative access to critical systems to prevent segregation of duties conflicts, in this case those conflicts cannot be prevented. Therefore, a frequent review of administrative access would be of limited value as a control.
D. Assuming that the integrity of the exception reporting process can be validated through audit testing, an independent review of the exception reports is the best compensating control.

AS2-11 An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate the quality of alignment between IT and the business?
A. Security policies
B. Operational procedures
C. Project portfolio
D. IT balanced scorecard (IT BSC)

D is the correct answer.

Justification:
A. Security policies are important; however, they are not designed to align IT to the business.
B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business.
C. The project portfolio is the set of projects owned by the organization. The portfolio provides a status quo, but is not a good basis to assess alignment of IT with the business.
D. The IT BSC represents the translation of the business objectives into what IT needs to do to achieve these objectives.

AS2-12 Value delivery from IT to the business is MOST effectively achieved by:
A. aligning the IT strategy with the enterprise strategy.
B. embedding accountability in the enterprise.
C. providing a positive return on investment (ROI).
D. establishing an enterprisewide risk management process.

A is the correct answer.

Justification:
A. IT’s value delivery to the business is driven by aligning IT with the enterprise’s strategy.
B. Embedding accountability in the enterprise promotes risk management (another element of corporate governance).
C. While ROI is important, it is not the only criterion by which the value of IT is assessed.
D. Enterprisewide risk management is critical to IT governance; however, by itself it will not guarantee that IT delivers value to the business unless the IT strategy is aligned with the enterprise strategy.

AS2-13 Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event of a disaster?
A. Enforced procedures for regular plan updates
B. A tabletop exercise with disaster scenarios
C. A comprehensive reciprocal agreement
D. Long-haul diversity and last-mile redundancy

B is the correct answer.

Justification:
A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it involves people and processes.
B. A tabletop exercise is used to test the effectiveness of a BCP without the interruption of a full-scale drill. The test team walks through a simulated disaster to determine whether the plan will work as designed. Of the options given, a tabletop exercise is the best way to ensure that the BCP will function as intended without live testing to reveal plan deficiencies.
C. Reciprocal agreements will specify the conditions among counterparties for sharing facilities in case of disaster, but provide no assurance that the BCPs will work.
D. Long-haul diversity and last-mile redundancy are important considerations for business continuity planning, but by themselves are insufficient to ensure that the plans will work.

AS2-14 Which of the following is the BEST indicator of IT alignment with organizational strategies and objectives?
A. A well-defined enterprise architecture
B. Established policy compliance metrics
C. The results of a business process owner survey
D. The findings of an internal controls assessment

C is the correct answer.

Justification:
A. Enterprise architecture (EA) helps define standards and designs for IT systems; however, it does not measure how IT is aligned with the business.
B. Policy compliance metrics do not indicate IT’s alignment with the business.
C.
Business owners are in the best position to provide direct feedback on the extent to which IT provides support for business objectives and strategies. D. An internal controls assessment will not provide evidence of IT’s alignment with the business. Domain 3—Information Systems Acquisition, Development and Implementation (19%) AS3-1 An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose would the auditor be interested in using a check digit? A. To detect data transposition errors. B. To ensure that transactions do not exceed predetermined amounts.
Page 13 / 17 Reprinted for isaca\449222, ISACA
ISACA (c) 2013, Copying Prohibited.
CISA Review Questions, Answers & Explanations Manual 2014 Supplement
C. To ensure that data entered are within reasonable limits. D. To ensure that data entered are within a predetermined range of values. A is the correct answer. Justification: A. A check digit is a numeric value added to data to ensure that original data are correct and have not been altered. B. Ensuring that data have not exceeded a predetermined amount is a limit check. C. Ensuring that data entered are within predetermined reasonable limits is a reasonableness check. D. Ensuring that data entered are within a predetermined range of values is a range check. AS3-2 Which of the following is the BEST indicator that a newly developed system will be used after it is in production? A. Regression testing B. User acceptance testing (UAT) C. Sociability testing D. Parallel testing B is the correct answer. Justification: A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or processes and whether those changes altered or broke previous functionality. B. UAT is undertaken to provide confidence that a system or system component operates as intended, to provide a basis for evaluating the implementation of the requirements, or to demonstrate the effectiveness or efficiency of the system or component. If the results of the testing are poor, then the system is unlikely to be adopted by the users. C. Sociability test results indicate how the application works with other components within the environment and is not indicative of the user experience. D. Parallel testing is performed when the comparison of two applications is needed, but will not provide feedback on user satisfaction. AS3-3 The project steering committee is ultimately responsible for: A. day-to-day management and leadership of the project. B. allocating the funding for the project. C. project deliverables, costs and timetables. D. ensuring that system controls are in place. C is the correct answer. Justification: A. 
Day-to-day management and leadership of the project is the function of the project manager. B. Providing the funding for the project is the function of the project sponsor. C. The project steering committee provides overall direction; ensures appropriate representation of the major stakeholders in the project’s outcome; and takes ultimate responsibility for the deliverables, costs and Page 14 / 17 Reprinted for isaca\449222, ISACA
ISACA (c) 2013, Copying Prohibited.
CISA Review Questions, Answers & Explanations Manual 2014 Supplement
timetables. D. Ensuring that system controls are in place is the function of the project security officer. AS3-4 Which of the following BEST helps ensure that deviations from the project plan are identified? A. A project management framework B. A project management approach C. A project resource plan D. Project performance criteria D is the correct answer. Justification: A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the consistent method to be applied when initiating a project, but does not define the criteria used to measure project success. B. A project management approach defines guidelines for project management processes and deliverables, but does not define the criteria used to measure project success. C. A project resource plan defines the responsibilities, relationships, authorities and performance criteria of project team members, but does not wholly define the criteria used to measure project success. D. In order to identify deviations from the project plan, project performance criteria must be established as a baseline. Successful completion of the project plan is indicative of project success. AS3-5 An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the GREATEST concern? A. The implementation phase of the project has no backout plan. B. User acceptance testing (UAT) was not properly documented. C. Software functionality tests were completed, but stress testing was not performed. D. The go-live date is over a holiday weekend when key IT staff are on vacation. A is the correct answer. Justification: A. One of the benefits of deploying a new system in parallel with an existing system is that the original system can always be used as a backout plan. 
In an immediate cutover scenario, not having a backout plan can create significant issues because it can take considerable time and cost to restore operations to the prior state if there is no viable plan to do so. B. The documentation of UAT is a much less important concern than not having a viable backout plan; therefore, this is not the correct answer. C. The lack of stress testing is a much less important concern than not having a viable backout plan; therefore, this is not the correct answer. D. If there are support issues, having the go-live date happen over a holiday weekend may create some delays, but project managers should account for this to ensure that the required staff are available as needed. The greater risk is if there is no backout plan. AS3-6 Which of the following software testing methods provides the BEST feedback on how software will perform in the live environment?
A. Alpha testing
B. Regression testing
C. Beta testing
D. White box testing
C is the correct answer.
Justification:
A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally involves a software version that does not contain all the features of the final product and may be a simulated test.
B. Regression testing is used to determine whether system changes have introduced new errors to existing functionality.
C. Beta testing follows alpha testing and involves real-world exposure with external user involvement. Beta testing is the last stage of testing, and involves sending the beta version of the product to independent beta test sites or offering it free to interested users.
D. White box testing is used to assess the effectiveness of program logic.

AS3-7 Which of the following is the BEST method of controlling scope creep in a system development project?
A. Defining penalties for changes in requirements
B. Establishing a software baseline
C. Adopting a matrix project management structure
D. Identifying the critical path of the project
B is the correct answer.
Justification:
A. While defining penalties for changes in requirements may help to prevent scope creep, software baselining is a better way to accomplish this goal.
B. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user requirements. Any changes thereafter will undergo strict formal change control and approval procedures. Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements.
C. In a matrix project organization, management authority is shared between the project manager and the department heads. Adopting a matrix project management structure will not address the problem of scope creep.
D. Although the critical path is important, it will change over time and will not control scope creep.
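A worked illustration of the check digit asked about in AS3-1 above, added here as an example and not taken from the manual. It implements a weighted mod-11 check digit (the ISBN-10 scheme, used as an assumption about how an accounts payable identifier might be protected, not as a description of any specific system) beside a plain digit sum, and runs both over a constructed vendor number and a copy of it with two adjacent digits transposed. The function names, the sample number 7345601 and the nine-digit limit are all choices made for this example.

```python
"""Positional (weighted) check digit of the kind audit software recomputes to
catch keying and transposition errors in identifiers such as vendor or
account numbers. Added illustration, not code from the ISACA manual; the
mod-11 weighting is the ISBN-10 scheme and is an assumption for the example."""


def plain_sum_checksum(digits: str) -> int:
    """Unweighted sum of digits mod 10. Included only to show its weakness:
    swapping two digits leaves the sum unchanged, so a transposition passes."""
    return sum(int(d) for d in digits) % 10


def mod11_check_digit(body: str) -> str:
    """Compute the weighted mod-11 check digit for a string of decimal digits.

    The first digit gets weight n+1 and the last gets weight 2, so a wrong
    digit changes the weighted sum by (a-b)*w and a swap of two digits by
    (a-b)*(w1-w2). With bodies of at most nine digits no weight reaches 11
    and no two weights differ by 11, so neither difference is ever a multiple
    of the prime 11 and every single-digit error or transposition is caught.
    A result of 10 is written as 'X', as ISBN-10 does.
    """
    if not body.isdigit():
        raise ValueError("check digit input must consist of decimal digits only")
    if len(body) > 9:
        # Weight 11 for the leading digit would be 0 mod 11, hiding errors there.
        raise ValueError("this mod-11 scheme protects bodies of at most nine digits")
    n = len(body)
    weighted_sum = sum(int(d) * (n + 1 - i) for i, d in enumerate(body))
    check = (11 - weighted_sum % 11) % 11
    return "X" if check == 10 else str(check)


def mod11_verify(value: str) -> bool:
    """Verify an identifier whose last character is its mod-11 check digit."""
    if len(value) < 2:
        return False
    body, check = value[:-1], value[-1].upper()
    return body.isdigit() and len(body) <= 9 and mod11_check_digit(body) == check


def transpose_adjacent(value: str, i: int) -> str:
    """Return value with characters i and i+1 swapped (a typical keying error)."""
    chars = list(value)
    chars[i], chars[i + 1] = chars[i + 1], chars[i]
    return "".join(chars)


def demo(vendor_number: str = "7345601") -> dict:
    """Constructed example: a vendor number with its check digit appended,
    then a transposed copy, showing which scheme notices the error."""
    tagged = vendor_number + mod11_check_digit(vendor_number)
    garbled = transpose_adjacent(vendor_number, 2) + tagged[-1]
    return {
        "tagged": tagged,
        "garbled": garbled,
        "caught_by_mod11": not mod11_verify(garbled),
        "caught_by_plain_sum": plain_sum_checksum(garbled[:-1])
        != plain_sum_checksum(vendor_number),
    }


if __name__ == "__main__":
    print(demo())
```

The plain digit sum is the trap: 7345601 and 7354601 add up to the same total, so a transposition sails through, which is why real check-digit schemes weight each position differently. Note also what a check digit does not do: it says nothing about whether an amount is too large (limit check), plausible (reasonableness check) or inside an allowed range (range check), which is the distinction the question turns on.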
AS3-8 Which of the following is a PRIMARY objective of embedding an audit module while developing online application systems?
A. To collect evidence while transactions are processed
B. To reduce requirements for periodic internal audits
C. To identify and report fraudulent transactions
D. To increase efficiency of the audit function
A is the correct answer.
Justification:
A. Embedding a module for continuous auditing within an application processing a large number of transactions provides timely collection of audit evidence during processing and is the primary objective. The continuous auditing approach allows the IS auditor to monitor system reliability on a continuous basis and to gather selective audit evidence through the computer.
B. An embedded audit module enhances the effectiveness of internal audit by ensuring timely availability of required evidence. It may not reduce the requirements for periodic internal audits, but it will increase their efficiency. Also, the question pertains to the development process for new application systems, and not to subsequent internal audits.
C. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify fraudulent transactions inherently.
D. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.