CISA Exam-Test 13

1. The success of control self-assessment (CSA) depends highly on:
   the implementation of supervision and the monitoring of controls of assigned duties.
   the implementation of a stringent control policy and rule-driven controls.
   having line managers assume a portion of the responsibility for control monitoring.
   assigning staff managers the responsibility for building, but not monitoring, controls.

   The primary objective of a control self-assessment (CSA) program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a CSA program depends on the degree to which line managers assume responsibility for controls. This enables line managers to detect and respond to control errors promptly.

2. During a review of a business continuity plan, an IS auditor noticed that the point at which a situation is declared to be a crisis has not been defined. The MAJOR risk associated with this is that:
   potential crisis recognition might be delayed.
   execution of the disaster recovery plan could be impacted.
   notification of the teams might not occur.
   assessment of the situation may be delayed.

   Execution of the business continuity and disaster recovery plans would be impacted if the organization does not know when to declare a crisis.

3. Which of the following testing procedures is used by an auditor to check whether a firm is following the rules and regulations applicable to an activity or practice?
   Substantive testing
   Compliance testing
   Sanity testing
   Recovery testing

4. To gain an understanding of the effectiveness of an organization's planning and management of investments in IT assets, an IS auditor should review the:
   IT organizational structure.
   enterprise data model.
   historical financial statements.
   IT balanced scorecard (BSC).

   The IT balanced scorecard (BSC) is a tool that provides the bridge between IT objectives and business objectives by supplementing the traditional financial evaluation with measures to evaluate customer satisfaction, internal processes and the ability to innovate. In this way the auditor can measure the success of the IT investment and strategy.

5. Which of the following should be the PRIMARY concern of an IS auditor during a review of an external IT service level agreement (SLA) for computer operations?
   Changes in services are not tracked
   Vendor has exclusive control of IT resources
   No employee succession plan
   Lack of software escrow provisions

6. Which of the following is the MOST important benefit of control self-assessment (CSA)?
   In CSA, resources are used in an effective manner
   CSA is policy/rule driven
   CSA requires limited employee participation
   - In the CSA approach, risk is identified sooner

7. During the design of a business continuity plan, the business impact analysis (BIA) identifies critical processes and supporting applications. This will PRIMARILY influence the:
   responsibilities of key personnel.
   criteria for selecting a recovery site provider.
   recovery strategy.
   responsibility for maintaining the business continuity plan.

   The most appropriate strategy is selected based on the relative risk level, time lines and criticality identified in the business impact analysis (BIA).

8. Which of the following would be MOST important for an IS auditor to verify while conducting a business continuity audit?
   A recovery site is contracted for and available as needed.
   Human safety procedures are in place.
   Insurance coverage is adequate and premiums are current.
   Data backups are performed on a timely basis.

   The most important element in any business continuity process is the protection of human life. This takes precedence over all other aspects of the plan.

9. For an auditor, it is very important to understand the different forms of project organization and their implications for the control of project management activities. In which of the following project organization forms is management authority shared?
   Forward project organization
   Influence project organization
   - Matrix project organization
   Pure project organization

10. Which of the following statements correctly describes the difference between QAT and UAT?
   QAT focuses on the technical aspects of the application and UAT focuses on the functional aspects of the application
   UAT focuses on the technical aspects of the application and QAT focuses on the functional aspects of the application
   UAT and QAT both focus on the functional aspects of the application
   UAT and QAT both focus on the technical aspects of the application

11. Which of the following is MOST likely to be included in computer operating procedures in a large data center?
   Procedures for utility configuration
   Guidance on setting security parameters
   Instructions for job scheduling
   Procedures for resequencing source code

12. In determining the acceptable time period for the resumption of critical business processes:
   both downtime costs and recovery costs need to be evaluated.
   only downtime costs need to be considered.
   recovery operations should be analyzed.
   indirect downtime costs should be ignored.

   Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance.

13. With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the:
   effectiveness of the business continuity plans.
   adequacy of the business continuity plans.
   ability of IS and end-user personnel to respond effectively in emergencies.
   clarity and simplicity of the business continuity plans.

   The IS auditor should interview key stakeholders to evaluate how well they understand their roles and responsibilities. When all stakeholders have a detailed understanding of their roles and responsibilities in the event of a disaster, an IS auditor can deem the business continuity plan to be clear and simple.

14. While observing a full simulation of the business continuity plan, an IS auditor notices that the notification systems within the organizational facilities could be severely impacted by infrastructure damage. The BEST recommendation the IS auditor can provide to the organization is to ensure:
   redundancies are built into the notification system.
   the notification system provides for the recovery of the backup.
   the notification systems are stored in a vault.
   the salvage team is trained to use the notification system.

   If the notification system has been severely impacted by the damage, redundancy would be the best control.

15. An IS auditor can verify that an organization's business continuity plan (BCP) is effective by reviewing the:
   alignment of the BCP with industry good practices.
   annual financial cost of the BCP activities versus the expected benefit of the implementation of the plan.
   offsite facility, its contents, security and environmental controls.
   results of business continuity tests performed by IS and end-user personnel.

   The effectiveness of the BCP can best be evaluated by reviewing the results from previous business continuity tests for thoroughness and accuracy in accomplishing their stated objectives.

16. Which of the following business continuity plan (BCP) tests involves participation of relevant members of the crisis management/response team to practice proper coordination?
   Tabletop
   Full-scale
   Deskcheck
   Functional

   The primary purpose of tabletop testing is to practice proper coordination because it involves all or some of the crisis team members and is focused more on coordination and communication issues than on technical process details.

17. A medium-sized organization, whose IT disaster recovery measures have been in place and regularly tested for years, has just developed a formal business continuity plan (BCP). A basic BCP tabletop exercise has been performed successfully. Which testing should an IS auditor recommend be performed NEXT to verify the adequacy of the new BCP?
   Full-scale test with relocation of all departments, including IT, to the contingency site
   Walk-through test of a series of predefined scenarios with all critical personnel involved
   IT disaster recovery test with business departments involved in testing the critical applications
   Functional test of a scenario with limited IT involvement

   After a tabletop exercise has been performed, the next step would be a functional test, which includes the mobilization of staff to exercise the administrative and organizational functions of a recovery. Because the IT part of the recovery has been tested for years, it would be more efficient to verify and optimize the BCP before actually involving IT in a full-scale test. The full-scale test would be the last step of the verification process before entering into a regular annual testing schedule.

18. The BEST method for assessing the effectiveness of a business continuity plan is to review the:
   results from previous tests.
   emergency procedures and employee training.
   plans and compare them to appropriate standards.
   offsite storage and environmental controls.

   Previous test results will provide evidence of the effectiveness of the business continuity plan.

19. An IS auditor is reviewing an organization's recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined?
   The recovery point objective (RPO)
   The interruption window
   The service delivery objective (SDO)
   The recovery time objective (RTO)

   The recovery point objective (RPO) is determined based on the acceptable data loss in the case of a disruption of operations. RPO defines the point in time from which it is necessary to recover the data and quantifies, in terms of time, the permissible amount of data loss in the case of interruption.

20. An organization has just completed its annual risk assessment. Regarding the business continuity plan, what should an IS auditor recommend as the next step for the organization?
   Perform a full simulation of the business continuity plan
   Review and evaluate the business continuity plan for adequacy
   Train and educate employees regarding the business continuity plan
   Notify critical contacts in the business continuity plan

   The business continuity plan should be reviewed every time a risk assessment is completed for the organization.

21. The activation of an enterprise's business continuity plan should be based on predetermined criteria that address the:
   probability of the outage.
   duration of the outage.
   type of outage.
   cause of the outage.

   The initiation of a business continuity plan (action) should primarily be based on the maximum period for which a business function can be disrupted before the disruption threatens the achievement of organizational objectives.

22. Which of the following is the MOST effective control for protecting the confidentiality and integrity of data stored unencrypted on virtual machines?
   Restrict access to images and snapshots of virtual machines
   Review logical access controls on virtual machines regularly
   Limit creation of virtual machine images and snapshots
   Monitor access to stored images and snapshots of virtual machines

23. To optimize an organization's business continuity plan (BCP), an IS auditor should recommend a business impact analysis (BIA) to determine:
   the business processes that must be recovered following a disaster to ensure the organization's survival.
   the priorities and order for recovery to ensure alignment with the organization's business strategy.
   the business processes that generate the most financial value for the organization and, therefore, must be recovered first.
   the priorities and order of recovery, which will recover the greatest number of systems in the shortest time frame.

   To ensure the organization's survival following a disaster, it is important to recover the most critical business processes first.

24. Why would a database be denormalized?
   To save storage space
   To ensure data integrity
   To prevent duplication of data
   To increase processing efficiency

25. The PRIMARY advantage of object-oriented technology is enhanced:
   management of a restricted variety of data types for a data object
   efficiency due to the re-use of elements of logic
   grouping of objects into methods for data access
   management of sequential program execution for data access

26. Which of the following is MOST important to ensure that effective application controls are maintained?
   Manager involvement
   Peer review
   Control self-assessment (CSA)
   Exception reporting

   CSA is the review of business objectives and internal controls in a formal and documented collaborative process. It includes testing the design of automated application controls.

27. An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff response to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario?
   Prepare to activate the fire suppression system.
   Remove all backup tapes from the data center.
   Notify the local fire department of the alarm condition.
   Ensure that all persons in the data center are evacuated.

   In an emergency, safety of life is always the first priority; therefore, the complete and orderly evacuation of the facility staff would be the most important activity.

28. Which of the following is an IS auditor's BEST course of action upon learning that preventive controls have been replaced with detective and corrective controls?
   Report the issue to management as the risk level has increased.
   Verify the revised controls enhance the efficiency of related business processes.
   Evaluate whether the new controls manage the risk at an acceptable level.
   Recommend the implementation of preventive controls in addition to the other controls.

29. Integrating the business continuity plan (BCP) into IT project management aids in:
   the development of a more comprehensive set of requirements.
   the testing of the business continuity requirements.
   ensuring the application meets the user's needs.
   the development of a transaction flowchart.

   Integrating the BCP into the development process ensures complete coverage of the requirements through each phase of the project.

30. The PRIMARY objective of testing a business continuity plan is to:
   exercise all possible disaster scenarios.
   familiarize employees with the business continuity plan.
   identify limitations of the business continuity plan.
   ensure that all residual risk is addressed.

   Testing the business continuity plan provides the best evidence of any limitations that may exist.