Certified Information Systems Auditor (CISA) - Practice Exams by Karamagi Robert


Author: Karamagi, Robert
Language: eng
Format: epub
Published: 2021-04-25T16:00:00+00:00


Practice Exam 2

1. A. The best first step in aligning an IT department to the organization’s strategic objectives is to better understand those objectives, including the resources and activities that will be employed to achieve them. B is incorrect because without a dialogue with business leaders, simply identifying supporting activities is more likely to miss important details. C is incorrect because proper alignment of an IT department does not generally begin with the selection or implementation of controls. In fact, the implementation of controls may play only a minor part (if any) in support of strategic objectives. D is incorrect because proper alignment of an IT department does not generally involve identifying relevant security policies. This may be a minor, supporting activity, but would not be a primary activity when aligning an IT department to the business.

2. C. A risk appetite statement (sometimes known as a risk tolerance statement or risk capacity statement) provides guidance on the types of risk and the amount of risk an organization may be willing to accept versus what risks an organization may instead prefer to mitigate, avoid, or transfer. Risk appetite statements are most often created in financial services organizations, although they are seen in other types of organizations as well. They help management seek a more consistent approach to risk treatment decisions. In part, this can help management avoid the appearance of being biased or preferential through the use of objective or measurable means for risk treatment decisions. A is incorrect because security policy is not a primary means for making risk treatment decisions. B is incorrect because an organization’s control framework is not typically used for making risk treatment decisions. D is incorrect because control testing procedures are not related to risk treatment decisions.

3. D. All of the audit types are valid except procedural, SAS-74, verification, and regulatory (which are all distracters). The valid audit types are financial, operational (SAS-70), integrated (SAS-94), compliance, administrative, forensic, and information systems. A forensic audit is used to discover information about a possible crime.

4. C. The recovery point objective (RPO) indicates the fallback position, that is, how much data (measured as a duration) will have been lost when the fallback point is used. A valid RPO example is to recover by using backup data from last night’s backup tape, meaning that the more recent transactions would be lost. The recovery time objective (RTO) indicates the point in time by which the restored data should be available for users to access.

5. B. The auditor must be independent of personal and organizational relationships with the auditee, since such relationships could imply a biased opinion. The auditor is not permitted to audit a system whose support, configuration, or design they participated in. An auditor may not audit any system that they helped to remediate.

6. A. Notice that analyzing the business impact is always the first step. Then criteria are selected to guide the strategy selection. A detailed plan is written by using the strategy. The written plan is then implemented. After implementation, the plan and staff are tested for effectiveness. The plan is revised, and then the testing and maintenance cycle begins.


