CISA Review Questions, Answers & Explanations Manual 2014 Supplement
by ISACA
ISACA (c) 2013. Copying Prohibited.
AS1-6 An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process.
Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
A. Inspection
B. Inquiry
C. Walk-through
D. Reperformance
C is the correct answer.
Justification:
A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full
understanding of the overall process and identify potential control weaknesses.
B. Inquiry provides only general information on how the control is executed. It does not necessarily enable the IS auditor to
determine whether the control performer has an in-depth understanding of the control.
C. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant
documentation and reperformance of controls. A walk-through of the manual log review process follows the
manual log review process from start to finish to gain a thorough understanding of the overall process and
identify potential control weaknesses.
D. Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the
auditee.
AS1-7 An IS auditor is evaluating processes put in place by management at a storage location containing computer
equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing
procedure executed by the IS auditor is an example of:
A. substantive testing.
B. compliance testing.
C. analytical testing.
D. control testing.
A is the correct answer.
Justification:
A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or
transactions during the audit period.
B. Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures.
This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data
or other information.
C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship.
D. Control testing is the same as compliance testing.
AS1-8 Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat
B is the correct answer.
Justification:
A. Impact is the measure of the loss, financial or otherwise, that a threat event may cause.
B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk
of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive
information, financial loss, legal penalties or other losses.
C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure,
finances and reputation.
D. A threat is a potential cause of an unwanted incident.
AS1-9 An IS auditor is evaluating the controls around provisioning visitor access cards to the organization's IT facility. The
IS auditor notes that daily reconciliation of visitor card inventory is not carried out as mandated. However, an inventory
count carried out by the IS auditor reveals no missing access cards. In this context, the IS auditor should:
A. disregard the lack of reconciliation because no discrepancies were discovered.
B. recommend regular physical inventory counts be performed in lieu of daily reconciliation.
C. report the lack of daily reconciliation as an exception.
D. recommend the implementation of a biometric access system.
C is the correct answer.
Justification:
A. The absence of discrepancies in the physical count confirms only that the control failure has had no impact so far; it
is not a reason to overlook the failure of the control to operate.
B. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report
when the current process is deficient.
C. The IS auditor should report the lack of daily reconciliation as an exception: the auditor's physical inventory
count gives assurance only at a point in time and is not the control that management mandated.
D. While the IS auditor may in some cases recommend a solution, the primary goal is to observe and report when the
current process is deficient.
AS1-10 During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a
particular application. Which of the following should the IS auditor do?
A. Recommend compensating controls.
B. Review the code created by the developer.
C. Analyze the quality assurance dashboards.
D. Report the identified condition.
D is the correct answer.
Justification:
A. While compensating controls may be a good idea, the primary response in this case should be to report the condition.
B. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor
may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response
D. A physical copy of the plan is not available at the alternate processing site.
B is the correct answer.
Justification:
A. While an agreement for an alternate processing site is important, a large organization with multiple locations will most
likely have other alternate processing sites within the organization without needing a third-party processing center. Data
could be sent to another site within the organization, but if the backup data are not reliable, the risk to availability is not
managed.
B. Testing backups provides assurance that the backup data are reliable and will be available when needed.
Without backup data, the organization is not addressing the risk of availability.
C. While it is important to periodically test the DRP, it is also effective to periodically test the plan using certain scenarios
instead of testing the entire plan. In many cases the restoration of backup media will not change for different disasters. For
organizations with high availability requirements, data must be reliable and available when needed. If the primary
processing center is not available, recovery of backup media is typically the same for each location as long as it is reliable
and available.
D. The DRP must be available to all personnel involved with recovery efforts. With the availability of the Internet, there are
alternative methods of delivery/retrieval of the plan. Reliability and availability of backup data are priorities for organizations
that require high availability.
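A restore test of the kind AS2-1 relies on, as an added example rather than anything from the ISACA text: the backup is restored to scratch space and compared file by file with the source, and a backup that was cut off mid-write is shown to fail. The sample files, the tar.gz format and the SHA-256 comparison are this example's assumptions.

```python
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path

# Added example (not ISACA's material) for AS2-1: a backup is only evidence of
# availability once it has been restored and compared with the source. The
# files below are constructed sample data; the archive format (tar.gz) and the
# SHA-256 comparison are this example's choices, not a requirement of the text.
SAMPLE_FILES = {
    "db/customers.csv": b"id,name\n1,alice\n2,bob\n",
    "db/orders.csv": b"id,customer,total\n10,1,42.00\n",
    "etc/app.conf": b"[app]\nmode=prod\n",
}


def write_sample(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def digest_tree(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 of every regular file under root."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> None:
    with tarfile.open(archive, "w:gz") as tf:
        tf.add(src, arcname=".")


def _extract(tf: tarfile.TarFile, dest: str) -> None:
    try:
        tf.extractall(dest, filter="data")  # refuse absolute paths, '..' and links
    except TypeError:  # Python releases without the filter argument
        tf.extractall(dest)


def restore_test(src: Path, archive: Path) -> dict:
    """Restore the archive to scratch space and compare it with the source.

    ok is False if the archive cannot be read at all, or if any file is
    missing, differs, or appears that the source does not have.
    """
    expected = digest_tree(src)
    with tempfile.TemporaryDirectory() as tmp:
        try:
            with tarfile.open(archive, "r:gz") as tf:
                _extract(tf, tmp)
        except Exception as exc:  # truncated, corrupt or unreadable archive
            return {"ok": False, "reason": f"restore failed: {type(exc).__name__}"}
        restored = digest_tree(Path(tmp))
    mismatched = sorted(k for k, v in expected.items() if restored.get(k) != v)
    extra = sorted(set(restored) - set(expected))
    return {"ok": not mismatched and not extra, "mismatched": mismatched, "extra": extra}


def run_demo() -> dict[str, bool]:
    """Intact backup passes; a backup cut off before it finished writing fails."""
    with tempfile.TemporaryDirectory() as work:
        src, archive = Path(work) / "src", Path(work) / "backup.tgz"
        write_sample(src)
        make_backup(src, archive)
        intact = restore_test(src, archive)
        data = archive.read_bytes()
        archive.write_bytes(data[:-64])  # simulate a job that died mid-write
        truncated = restore_test(src, archive)
    return {"intact_ok": intact["ok"], "truncated_ok": truncated["ok"]}


if __name__ == "__main__":
    print(run_demo())
```

The point for the auditor is that the evidence is the result of restore_test(), not the existence of backup.tgz: the truncated archive still sits on disk with a plausible name and size, and only the restore and comparison show that it would not bring the data back.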
AS2-2 An IS auditor reviewing a project's risk and related risk responses would be MOST concerned with a lack of
management sign-off for a risk that was:
A. avoided.
B. transferred.
C. mitigated.
D. accepted.
D is the correct answer.
Justification:
A. The avoidance strategy involves not implementing certain activities or processes that incur risk, thus eliminating the risk.
The IS auditor would not expect a formal sign-off for an avoided risk.
B. Transferred risk is shared with another party, for example through insurance or a contractual agreement. A lack of
documented management sign-off would be of concern, but not as high a concern as with an accepted risk, because the
overall risk to the organization is reduced.
C. A mitigated risk already has a response that management has reviewed and approved, so the sign-off is implicit in the
approach used to mitigate the risk. The IS auditor would be more concerned if management had not approved a risk that was accepted.
D. In order to accept the risk, management must first be made aware of the risk and its consequences. This
includes a formal acceptance of the risk, which is usually evidenced by a sign-off.
AS2-3 For key performance indicators (KPIs) to be an effective and useful metric, it is MOST important that:
A. KPIs are measured at consistent intervals.
B. specific goals are defined.
C. critical success factors (CSFs) are considered.
D. KPIs are purely quantitative measures.
B is the correct answer.
Justification:
A. Measuring at consistent intervals is helpful but not the most important factor, because trends and the extent to which
goals are achieved can still be determined from measurements taken at irregular intervals.
B. KPIs measure progress toward goals, so specific goals must be defined first; the most important metric is then the
extent to which the key goal indicators (KGIs) are achieved.
C. CSFs are important considerations for determining that a goal is being achieved, but are not a metric.
D. Quantitative measures are usually preferable, but not always possible and not essential.
AS2-4 Which of the following documents is the BEST source for an IS auditor to understand the requirements for
employee awareness training?
A. Information security policy
B. Acceptable usage policy
C. Human resources (HR) policy
D. End-user computing policy
A is the correct answer.
Justification:
A. The information security policy states the organization's approach to managing information security. The
policy contains the company's security objectives and explains the security policies, principles and standards.
In addition, the policy outlines requirements such as compliance with regulations and employee education,
training and awareness.
B. The acceptable usage policy outlines guidelines and rules for employee use of the company's information resources. It
is focused and does not include requirements for security awareness training.
C. The HR policy refers to the information security policy, but does not specifically list the requirements for security
awareness training. Instead, this document contains broader information such as hiring practices, commitments to diversity
and ethics, and compliance with regulations.
D. The end-user computing policy describes the parameters and usage of desktop tools by users. It does not contain
requirements for security awareness training.
AS2-5 To be effective, risk management should be applied to:
A. those elements identified by a risk assessment.
B. any area that exceeds acceptable risk levels.
C. all organizational activities.
D. only areas that have potential impact.
C is the correct answer.
Justification:
A. Elements of unacceptable risk will require treatment, but all activities are subject to risk management oversight.
Assessing risk and determining which risk is acceptable and which risk has the potential for impact are functions of risk
management.
B. Risk management must be holistic and should not be limited to areas that exceed acceptable risk levels. Areas within
acceptable risk levels may be optimized by reducing control measures or assuming more risk.
C. While not all organizational activities will pose an unacceptable risk, the practice of risk management is still
applied to determine which risk requires treatment.
D. When assessing risk, determining which risk is acceptable, which risk exceeds acceptable levels and which risk has the
potential for impact are functions of risk management.
AS2-6 The goal of IT risk analysis is to:
A. enable the alignment of IT risk management with enterprise risk management (ERM).
B. enable the prioritization of risk responses.
C. satisfy legal and regulatory compliance requirements.
D. identify known threats and vulnerabilities to information assets.
B is the correct answer.
Justification:
A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management
process. However, risk analysis does not enable such an alignment.
B. Risk analysis is a process by which the likelihood and magnitude of IT risk scenarios are estimated. Risk
analysis is conducted to ensure that the information assets with the greatest risk likelihood and impact are
managed before addressing risk with a lower likelihood and impact. Prioritization of IT risk helps maximize
return on investment for risk responses.
C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and
other risk. It looks at regulatory risk as one type of risk that the organization faces, but is not specifically designed to satisfy
legal and regulatory compliance requirements.
D. Risk analysis occurs after risk identification and evaluation. Risk identification determines known threats and
vulnerabilities. Risk evaluation assesses the risk and creates valid risk scenarios. Risk analysis quantifies risk along the
vectors of likelihood and impact to facilitate the prioritization of risk responses.
AS2-7 Which of the following is a PRIMARY objective of an acceptable use policy?
A. Creating awareness about the secure use of proprietary resources
B. Ensuring compliance with information security policies
C. Defining sanctions for noncompliance
D. Controlling how proprietary information systems are used
D is the correct answer.
Justification:
A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the
acceptable use of proprietary IT resources. The acceptable use policy is one of the topics covered during training and is
often signed after employee orientation and during periodic user awareness training.
B. The acceptable use policy is a subset of the information security policies that focus on the end user and a specific topic.
Information security policies are much broader in overall content and include a wider audience.
C. Although the policy may include a statement regarding the sanctions for noncompliance, sanctions are not the primary
objective of the acceptable use policy; prevention is the primary objective.
D. Inappropriate use of proprietary IT resources by users exposes enterprises to a variety of risk scenarios,
including malware attacks, compromise and unavailability of critical systems, and legal issues. To address such
risk, a policy supported by guidelines is put into effect to define how information system resources will be
used. An acceptable use policy ensures that users are made aware of acceptable usage and the need to
acknowledge that they are aware.
AS2-8 What is the GREATEST risk of a bank outsourcing its data center?
D. Enterprisewide risk management is critical to IT governance; however, by itself it will not guarantee that IT delivers
value to the business unless the IT strategy is aligned with the enterprise strategy.
AS2-13 Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event
of a disaster?
A. Enforced procedures for regular plan updates
B. A tabletop exercise with disaster scenarios
C. A comprehensive reciprocal agreement
D. Long-haul diversity and last-mile redundancy
B is the correct answer.
Justification:
A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it
involves people and processes.
B. A tabletop exercise is used to test the effectiveness of a BCP without the interruption of a full-scale drill. The
test team walks through a simulated disaster to determine whether the plan will work as designed. Of the
options given, a tabletop exercise is the best way to ensure that the BCP will function as intended without live
testing to reveal plan deficiencies.
C. Reciprocal agreements specify the conditions among counterparties for sharing facilities in case of disaster, but
provide no assurance that the BCP will work.
D. Long-haul diversity and last-mile redundancy are important considerations for business continuity planning, but by
themselves are insufficient to ensure that the plans will work.
AS2-14 Which of the following is the BEST indicator of IT alignment with organizational strategies and objectives?
A. A well-defined enterprise architecture
B. Established policy compliance metrics
C. The results of a business process owner survey
D. The findings of an internal controls assessment
C is the correct answer.
Justification:
A. Enterprise architecture (EA) helps define standards and designs for IT systems; however, it does not measure how IT is
aligned with the business.
B. Policy compliance metrics do not indicate IT's alignment with the business.
C. Business owners are in the best position to provide direct feedback on the extent to which IT provides
support for business objectives and strategies.
D. An internal controls assessment will not provide evidence of IT's alignment with the business.
Domain 3: Information Systems Acquisition, Development and Implementation (19%)
AS3-1 An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose
would the auditor be interested in using a check digit?
A. To detect data transposition errors.
B. To ensure that transactions do not exceed predetermined amounts.
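As an added example for AS3-1 (not ISACA's material): two common check-digit schemes run over a constructed vendor-number register, with a check of which adjacent-digit transpositions each scheme fails to detect. The register contents and the choice of mod-10 (Luhn) and weighted mod-11 schemes are assumptions of this example.

```python
from __future__ import annotations

from collections.abc import Callable, Iterator

# Added example (not ISACA's material) for AS3-1: what a check digit buys an
# auditor running a register through audit software, and where one common
# scheme falls short. Vendor numbers and the register are constructed data.


def luhn_check_digit(body: str) -> str:
    """Mod-10 (Luhn) check digit for a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def mod11_check_digit(body: str) -> str:
    """Weighted mod-11 check digit: weights 2, 3, 4, ... from the right.

    Consecutive weights mean swapping two neighbouring digits always changes
    the weighted sum by a non-multiple of 11, so every adjacent transposition
    is caught. A remainder of 10 is written as 'X', as ISBN-10 does.
    """
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    r = (11 - total % 11) % 11
    return "X" if r == 10 else str(r)


def luhn_valid(number: str) -> bool:
    body, check = number[:-1], number[-1:]
    return body.isdigit() and luhn_check_digit(body) == check


def mod11_valid(number: str) -> bool:
    body, check = number[:-1], number[-1:]
    return body.isdigit() and mod11_check_digit(body) == check


def adjacent_transpositions(number: str) -> Iterator[str]:
    """Every distinct value produced by swapping two neighbouring characters."""
    for i in range(len(number) - 1):
        if number[i] != number[i + 1]:
            yield number[:i] + number[i + 1] + number[i] + number[i + 2:]


def undetected_transpositions(valid: Callable[[str], bool], number: str) -> list[str]:
    """Transposed variants of a valid number that still pass the check."""
    return [t for t in adjacent_transpositions(number) if valid(t)]


# Constructed monthly AP register: (vendor number with Luhn check digit, amount).
# 41095 is correct; 14095 and 41905 are keying transpositions of it.
AP_REGISTER = [("41095", 1200.00), ("14095", 310.00), ("41905", 980.50)]


def flag_invalid(register: list, valid: Callable[[str], bool]) -> list[str]:
    """What the audit software would list: entries whose check digit fails."""
    return [vendor for vendor, _ in register if not valid(vendor)]


if __name__ == "__main__":
    print("Luhn flags:", flag_invalid(AP_REGISTER, luhn_valid))
    print("Luhn misses:", undetected_transpositions(luhn_valid, "41095"))
    mod11_number = "4109" + mod11_check_digit("4109")
    print("mod-11 misses:", undetected_transpositions(mod11_valid, mod11_number))
```

The caveat an auditor should carry: the mod-10 (Luhn) scheme misses one family of adjacent transpositions, 09 swapped with 90, which is why the transposed vendor 41905 passes alongside the genuine 41095 in the register above. A weighted mod-11 scheme detects every adjacent transposition but needs an 'X' check character (or must reject the number) when the remainder is 10, so the scheme in use determines what a clean check-digit run actually proves.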
timetables.
D. Ensuring that system controls are in place is the function of the project security officer.
AS3-4 Which of the following BEST helps ensure that deviations from the project plan are identified?
A. A project management framework
B. A project management approach
C. A project resource plan
D. Project performance criteria
D is the correct answer.
Justification:
A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the
consistent method to be applied when initiating a project, but does not define the criteria used to measure project success.
B. A project management approach defines guidelines for project management processes and deliverables, but does not
define the criteria used to measure project success.
C. A project resource plan defines the responsibilities, relationships, authorities and performance criteria of project team
members, but does not wholly define the criteria used to measure project success.
D. In order to identify deviations from the project plan, project performance criteria must be established as a
baseline. Successful completion of the project plan is indicative of project success.
AS3-5 An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of
parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the
GREATEST concern?
A. The implementation phase of the project has no backout plan.
B. User acceptance testing (UAT) was not properly documented.
C. Software functionality tests were completed, but stress testing was not performed.
D. The go-live date is over a holiday weekend when key IT staff are on vacation.
A is the correct answer.
Justification:
A. One of the benefits of deploying a new system in parallel with an existing system is that the original system
can always be used as a backout plan. In an immediate cutover scenario, not having a backout plan can create
significant issues because it can take considerable time and cost to restore operations to the prior state if there
is no viable plan to do so.
B. The documentation of UAT is a much less important concern than not having a viable backout plan; therefore, this is not
the correct answer.
C. The lack of stress testing is a much less important concern than not having a viable backout plan; therefore, this is not
the correct answer.
D. If there are support issues, having the go-live date happen over a holiday weekend may create some delays, but project
managers should account for this to ensure that the required staff are available as needed. The greater risk is if there is no
backout plan.
AS3-6 Which of the following software testing methods provides the BEST feedback on how software will perform in the
live environment?
A. Alpha testing
B. Regression testing
C. Beta testing
D. White box testing
C is the correct answer.
Justification:
A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally
involves a software version that does not contain all the features of the final product and may be a simulated test.
B. Regression testing is used to determine whether system changes have introduced new errors to existing functionality.
C. Beta testing follows alpha testing and involves real-world exposure with external user involvement. Beta
testing is the last stage of testing, and involves sending the beta version of the product to independent beta
test sites or offering it free to interested users.
D. White box testing is used to assess the effectiveness of program logic.
AS3-7 Which of the following is the BEST method of controlling scope creep in a system development project?
A. Defining penalties for changes in requirements
B. Establishing a software baseline
C. Adopting a matrix project management structure
D. Identifying the critical path of the project
B is the correct answer.
Justification:
A. While defining penalties for changes in requirements may help to prevent scope creep, software baselining is a better
way to accomplish this goal.
B. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user
requirements. Any changes thereafter will undergo strict formal change control and approval procedures.
Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements.
C. In a matrix project organization, management authority is shared between the project manager and the department
heads. Adopting a matrix project management structure will not address the problem of scope creep.
D. Although the critical path is important, it will change over time and will not control scope creep.
AS3-8 Which of the following is a PRIMARY objective of embedding an audit module while developing online application
systems?
A. To collect evidence while transactions are processed
B. To reduce requirements for periodic internal audits
C. To identify and report fraudulent transactions
D. To increase efficiency of the audit function
A is the correct answer.
Justification:
A. Embedding a module for continuous auditing within an application processing a large number of transactions
provides timely collection of audit evidence during processing and is the primary objective. The continuous
auditing approach allows the IS auditor to monitor system reliability on a continuous basis and to gather
selective audit evidence through the computer.
B. An embedded audit module enhances the effectiveness of internal audit by ensuring timely availability of required
evidence. It may not reduce the requirements for periodic internal audits, but it will increase their efficiency. Also, the
question pertains to the development process for new application systems, and not to subsequent internal audits.
C. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify
fraudulent transactions inherently.
D. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.
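An embedded audit module of the kind AS3-8 describes, as an added example that is not ISACA's code: the module sits in the application's own processing path and writes evidence for transactions meeting the auditor's criteria at the moment they are posted, rather than from a later extract. The selection rules, the hash-chained evidence records and the transactions are constructed assumptions of this example.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime

# Added example (not ISACA's material) for AS3-8: an embedded audit module (EAM)
# in the transaction path of an online application. The selection criteria, the
# hash-chained evidence store and all transactions are constructed assumptions.


@dataclass(frozen=True)
class Txn:
    txn_id: str
    user: str       # who entered the payment
    approver: str   # who approved it
    amount: float
    ts: datetime


@dataclass
class AuditCriteria:
    """What the auditor asked to have captured while processing runs."""
    amount_threshold: float = 10_000.0
    business_hours: tuple[int, int] = (8, 18)  # [start, end) hour of day


def _digest(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


@dataclass
class EmbeddedAuditModule:
    criteria: AuditCriteria
    evidence: list[dict] = field(default_factory=list)
    _prev_hash: str = "0" * 64

    def reasons(self, txn: Txn) -> list[str]:
        """Auditor-defined selection rules evaluated on every transaction."""
        start, end = self.criteria.business_hours
        hits = []
        if txn.amount >= self.criteria.amount_threshold:
            hits.append("amount at or above threshold")
        if txn.user == txn.approver:
            hits.append("self-approved")
        if not start <= txn.ts.hour < end:
            hits.append("outside business hours")
        return hits

    def capture(self, txn: Txn, reasons: list[str]) -> None:
        """Write evidence at processing time; each record chains to the previous."""
        record = {
            "txn_id": txn.txn_id, "user": txn.user, "approver": txn.approver,
            "amount": txn.amount, "ts": txn.ts.isoformat(),
            "reasons": reasons, "prev": self._prev_hash,
        }
        record["hash"] = _digest(record)
        self._prev_hash = record["hash"]
        self.evidence.append(record)


class PaymentProcessor:
    """The business application; the audit hook runs inline, not in a later batch."""

    def __init__(self, eam: EmbeddedAuditModule) -> None:
        self.eam = eam
        self.ledger: list[str] = []

    def process(self, txn: Txn) -> str:
        self.ledger.append(txn.txn_id)   # normal posting of the transaction
        reasons = self.eam.reasons(txn)  # the EAM sees the same transaction
        if reasons:
            self.eam.capture(txn, reasons)
        return "posted"


def verify_chain(evidence: list[dict]) -> bool:
    """Recompute every hash and link; an edited or removed record breaks the chain."""
    prev = "0" * 64
    for rec in evidence:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != rec.get("hash"):
            return False
        prev = rec["hash"]
    return True


# Constructed transactions for one processing day.
SAMPLE_TXNS = [
    Txn("T1", "alice", "bob", 250.00, datetime(2013, 11, 4, 10, 15)),
    Txn("T2", "carol", "dave", 15_000.00, datetime(2013, 11, 4, 11, 0)),
    Txn("T3", "erin", "erin", 400.00, datetime(2013, 11, 4, 14, 30)),
    Txn("T4", "frank", "bob", 900.00, datetime(2013, 11, 4, 23, 5)),
    Txn("T5", "alice", "bob", 75.00, datetime(2013, 11, 5, 9, 0)),
]


def run_demo() -> EmbeddedAuditModule:
    eam = EmbeddedAuditModule(AuditCriteria())
    processor = PaymentProcessor(eam)
    for txn in SAMPLE_TXNS:
        processor.process(txn)
    return eam


if __name__ == "__main__":
    captured = run_demo()
    for rec in captured.evidence:
        print(rec["txn_id"], rec["reasons"])
    print("chain intact:", verify_chain(captured.evidence))
```

The hash chain is not something the text requires; it is a practitioner's addition so that evidence collected inside the application cannot later be edited or thinned out by the people who operate that application without the auditor noticing when verify_chain() is run.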