CISA Exam-Test 30

1. Which of the following is of GREATEST concern to an IS auditor when performing an audit of a client relationship management (CRM) system migration project?
A. Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system's software.
B. The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks.
C. Employees pilot-testing the system are concerned that the data representation in the new system is completely different from the old system.
D. A single implementation is planned, immediately decommissioning the legacy system.
Explanation: Major system migrations should include a phase of parallel operation or a phased cut-over to reduce implementation risk. Decommissioning or disposing of the old hardware would complicate any fallback strategy, should the new system not operate correctly.

2. Which of the following BEST mitigates the risk of backup media containing irreplaceable information being lost or stolen while in transit?
A. Maintain a duplicate copy.
B. Maintain chain of custody.
C. Ensure that personnel are bonded.
D. Ensure that media are encrypted.
Explanation: Sensitive data should always be fully backed up before being transmitted or moved. Backups of sensitive information should be treated with the same control considerations as the actual data.

3. Which of the following BEST ensures the quality and integrity of test procedures used in audit analytics?
A. Developing and communicating test procedure best practices to audit teams
B. Developing and implementing an audit data repository
C. Centralizing procedures and implementing change control
D. Decentralizing procedures and implementing periodic peer review

4. A new application will require multiple interfaces. Which of the following testing methods can be used to detect interface errors early in the development life cycle?
A. Bottom up
B. Sociability
C. Acceptance
D. Top down

5. With respect to the outsourcing of IT services, which of the following conditions should be of GREATEST concern to an IS auditor?
A. Outsourced activities are core and provide a differentiated advantage to the organization.
B. Similar activities are outsourced to more than one vendor.
C. Periodic renegotiation is specified in the outsourcing contract.
D. The outsourcing contract fails to cover every action required by the arrangement.

6. When developing a risk management program, what is the FIRST activity to be performed?
A. Inventory of assets
B. Criticality analysis
C. Classification of data
D. Threat assessment

7. When evaluating the recent implementation of an intrusion detection system (IDS), an IS auditor should be MOST concerned with inappropriate:
A. encryption.
B. tuning.
C. training.
D. patching.

8. Recovery procedures for an information processing facility are BEST based on:
A. information security policy.
B. recovery time objective (RTO).
C. recovery point objective (RPO).
D. maximum tolerable outage (MTO).
Explanation: The recovery time objective (RTO) is the amount of time allowed for the recovery of a business function or resource after a disaster occurs; the RTO is the desired recovery timeframe based on the maximum tolerable outage (MTO) and the available recovery alternatives.

9. Of the following alternatives, the FIRST approach to developing a disaster recovery strategy would be to assess whether:
A. the recovery time objective (RTO) can be optimized.
B. all threats can be completely removed.
C. a cost-effective, built-in resilience can be implemented.
D. the cost of recovery can be minimized.
Explanation: It is critical to initially identify information assets that can be made more resilient to disasters (e.g., diverse routing, alternate paths or multiple communication carriers). Preventing a problem is always better than planning to address a problem when it happens.

10. Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?
A. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned.
B. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year.
C. Every year, the same employees perform the test. The recovery plan documents are not used because every step is well known by all participants.
D. During the test, some of the backup systems were defective or not working, causing the test of these systems to fail.
Explanation: The purpose of the test is to test the backup plan. When the backup systems are not working, the plan cannot be counted on in a real disaster. This is the most serious problem.

11. During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?
A. A test has not been made to ensure that tape backups from the remote offices are usable.
B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices.
C. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.
D. Corporate security measures have not been incorporated into the test plan.
Explanation: Regardless of the capability of local IT resources, the most critical risk would be the lack of testing, which would identify quality issues in the recovery process.

12. An organization has a business process with a recovery time objective (RTO) equal to zero and a recovery point objective (RPO) close to one minute. This implies that the process can tolerate:
A. a processing interruption of one minute or more.
B. a one-minute processing interruption but cannot tolerate any data loss.
C. both a data loss and a processing interruption longer than one minute.
D. a data loss of up to one minute, but the processing must be continuous.
Explanation: Recovery time objective (RTO) measures an organization's tolerance for downtime, and recovery point objective (RPO) measures how much data loss can be accepted.

13. During a disaster recovery test, an IS auditor observes that the performance of the disaster recovery site's server is slow. To find the root cause of this, the IS auditor should FIRST review the:
A. event error log generated at the disaster recovery site.
B. disaster recovery test plan.
C. configurations and alignment of the primary and disaster recovery sites.
D. disaster recovery plan (DRP).
Explanation: Because the configuration of the system is the most probable cause, the IS auditor should review that first.

14. While conducting an audit of a service provider, an IS auditor observes that the service provider has outsourced a part of the work to another provider. Since the work involves confidential information, the IS auditor's PRIMARY concern should be that the:
A. other service provider to whom work has been outsourced is not subject to audit.
B. requirement for protecting the confidentiality of information could be compromised.
C. contract may be terminated because prior permission from the outsourcer was not obtained.
D. outsourcer will approach the other service provider directly for further work.

15. The MOST effective audit practice to determine whether the operational effectiveness of controls is properly applied to transaction processing is:
A. perform tests on risk prevention.
B. substantive testing.
C. inspection of relevant documentation.
D. control design testing.
Explanation: Among other methods, such as document review or walk-through, tests of controls are the most effective procedure to assess whether controls accurately support operational effectiveness.

16. In a disaster recovery situation, which of the following is the MOST important metric to ensure that data are synchronized between critical systems?
A. Recovery point objective (RPO)
B. Recovery service scalability
C. Recovery time objective (RTO)
D. Recovery service resilience
Explanation: Establishing a common recovery point objective (RPO) is most critical for ensuring that interdependencies between systems are properly synchronized. It ensures that systems do not contain data from different points in time, which could result in accounting transactions that cannot be reconciled and a loss of referential integrity.

17. It is MOST appropriate to implement an incremental backup scheme when:
A. online disk-based media are preferred.
B. there is limited media capacity.
C. a random selection of backup sets is required.
D. there is limited recovery time for critical data.
Explanation: In an incremental backup, after the full backup, only the files that have changed are backed up, thus minimizing media storage.

18. Which of the following is the BEST information source for management to use as an aid in the identification of assets that are subject to laws and regulations?
A. Vendor best practices
B. Significant contracts
C. CERT coordination center
D. Security incident summaries

19. The frequent updating of which of the following is key to the continued effectiveness of a disaster recovery plan (DRP)?
A. Procedures for declaring a disaster
B. Server inventory documentation
C. Contact information of key personnel
D. Individual roles and responsibilities
Explanation: In the event of a disaster, it is important to have a current, updated list of the personnel who are key to the operation of the plan.

20. If the recovery time objective (RTO) increases:
A. the disaster tolerance increases.
B. the cost of recovery increases.
C. the data backup frequency increases.
D. a cold site cannot be used.
Explanation: The longer the recovery time objective (RTO), the higher the disaster tolerance. The disaster tolerance is the amount of time the business can afford to be disrupted before resuming critical operations.

21. Which of the following is the MOST important difference between end-user computing (EUC) applications and traditional applications?
A. Traditional applications require roll-back procedures whereas EUC applications do not.
B. Traditional application documentation is typically less comprehensive than EUC application documentation.
C. Traditional applications require periodic patching whereas EUC applications do not.
D. Traditional application input controls are typically more robust than EUC application input controls.
Explanation: An end-user computing (EUC) application is any application that is not managed and developed in an environment that employs robust IT general controls.

22. A lower recovery time objective (RTO) results in:
A. wider interruption windows.
B. higher cost.
C. higher disaster tolerance.
D. more permissive data loss.
Explanation: Recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of the recovery strategies.

23. Due to changes in IT, the disaster recovery plan (DRP) of a large organization has been changed. What is the PRIMARY risk if the new plan is not tested?
A. Catastrophic service interruption
B. Users and recovery teams may face severe difficulties when activating the plan
C. High consumption of resources
D. Total cost of the recovery may not be minimized
Explanation: If a new disaster recovery plan (DRP) is not tested, the possibility of a catastrophic service interruption from which the organization cannot recover is the most critical of all the risks.

24. When developing a disaster recovery plan (DRP), the criteria for determining the acceptable downtime should be the:
A. service delivery objective.
B. maximum tolerable outage.
C. quantity of orphan data.
D. annual loss expectancy (ALE).
Explanation: Recovery time objective (RTO) is determined based on the acceptable downtime in case of a disruption of operations. It indicates the maximum tolerable outage that an organization considers acceptable before a system or process must resume following a disaster.

25. When preparing to evaluate the effectiveness of an organization's IT strategy, an IS auditor should FIRST review:
A. the IT processes and procedures.
B. the IT governance framework.
C. information security procedures.
D. the most recent audit results.

26. After a disaster declaration, the media creation date at a warm recovery site is based on the:
A. recovery point objective (RPO).
B. service delivery objective (SDO).
C. recovery time objective (RTO).
D. maximum tolerable outage (MTO).
Explanation: The recovery point objective (RPO) is determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time to which it is acceptable to recover the data. The RPO effectively quantifies the permissible amount of data loss in case of an interruption. The media creation date will reflect the point to which data are to be restored, i.e., the RPO.

27. Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)?
A. IT management
B. Business process owners
C. Senior business management
D. Industry experts
Explanation: Business process owners have the most relevant information to contribute because the business impact analysis (BIA) is designed to evaluate criticality and recovery timelines based on business needs.

28. An organization has outsourced its help desk activities. An IS auditor's GREATEST concern when reviewing the contract and associated service level agreement (SLA) between the organization and the vendor should be the provisions for:
A. reporting the year-to-year incremental cost reductions.
B. documentation of staff background checks.
C. independent audit reports or full audit access.
D. reporting staff turnover, development or training.

29. An IS auditor is reviewing an organization's disaster recovery plan (DRP) implementation. The project was completed on time and on budget. During the review, the auditor uncovers several areas of concern. Which of the following presents the GREATEST risk?
A. Testing of the DRP has not been performed.
B. The business impact analysis (BIA) was conducted, but the results were not used.
C. The disaster recovery strategy does not specify use of a hot site.
D. The disaster recovery project manager for the implementation has recently left the organization.
Explanation: Not using the results of the business impact analysis (BIA) for disaster recovery planning means that the DRP may not be designed to recover the most critical assets in the correct order. As a result, the plan may not be adequate to allow the organization to recover from a disaster.

30. During an audit of a small company that provides medical transcription services, an IS auditor observes several issues related to the backup and restore process. Which of the following should be the auditor's GREATEST concern?
A. Restoration testing for backup media is not performed; however, all data restore requests have been successful.
B. Failed backup alerts for the marketing department data files are not followed up on or resolved by the IT administrator.
C. The policy for data backup and retention has not been reviewed by the business owner for the past three years.
D. The company stores transcription backup tapes offsite using a third-party service provider, which inventories backup tapes annually.
Explanation: For a company working with confidential patient data, the loss of a backup tape is a significant incident. Privacy laws specify severe penalties for such an event, and the company's reputation could be damaged due to mandated reporting requirements. To gain assurance that tapes are being handled properly, the organization should perform audit tests that include frequent physical inventories and an evaluation of the controls in place at the third-party provider.
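The incremental scheme in question 17 saves media because each set after the full backup holds only the files that changed since the previous set, but a restore must then replay the full backup and every incremental in order, and losing one set breaks the chain. The following Python is an added example written for this page, not part of the quiz or of any backup product; the three daily file-system snapshots and the file names are constructed sample data.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class BackupSet:
    """One backup volume. `files` holds only the bytes written to this volume."""
    kind: str                        # "full" or "incremental"
    seq: int                         # position in the backup chain
    files: dict[str, bytes]
    deleted: set[str] = field(default_factory=set)

    def media_bytes(self) -> int:
        return sum(len(d) for d in self.files.values())


def digest(data: bytes) -> str:
    """Content hash used to decide whether a file changed since the last set."""
    return hashlib.sha256(data).hexdigest()


class IncrementalScheme:
    """Full backup, then incrementals holding only files changed since the
    previous backup of any kind (the definition used in question 17)."""

    def __init__(self) -> None:
        self.chain: list[BackupSet] = []
        self._last: dict[str, str] = {}      # path -> digest at the last backup

    def full(self, fs: dict[str, bytes]) -> BackupSet:
        bs = BackupSet("full", len(self.chain), dict(fs))
        self.chain.append(bs)
        self._last = {p: digest(d) for p, d in fs.items()}
        return bs

    def incremental(self, fs: dict[str, bytes]) -> BackupSet:
        if not self.chain:
            raise ValueError("an incremental needs a preceding full backup")
        changed = {p: d for p, d in fs.items() if self._last.get(p) != digest(d)}
        deleted = set(self._last) - set(fs)
        bs = BackupSet("incremental", len(self.chain), changed, deleted)
        self.chain.append(bs)
        self._last = {p: digest(d) for p, d in fs.items()}
        return bs

    def restore(self, upto: int | None = None,
                available: set[int] | None = None) -> dict[str, bytes]:
        """Rebuild the file set as of backup set `upto` by replaying the full
        backup and every incremental up to it, in order. `available` simulates
        which volumes survived; any gap makes later sets unrecoverable."""
        last = len(self.chain) - 1 if upto is None else upto
        if available is None:
            available = {bs.seq for bs in self.chain}
        state: dict[str, bytes] = {}
        for bs in self.chain[: last + 1]:
            if bs.seq not in available:
                raise RuntimeError(f"backup set {bs.seq} ({bs.kind}) missing: chain broken")
            state.update(bs.files)
            for p in bs.deleted:
                state.pop(p, None)
        return state


def total_media(chain: list[BackupSet]) -> int:
    return sum(bs.media_bytes() for bs in chain)


# Constructed sample snapshots of a small file system on three successive days.
DAY1 = {"ledger.db": b"A" * 1000, "notes.txt": b"hello", "cfg.ini": b"x=1"}
DAY2 = {"ledger.db": b"A" * 1000, "notes.txt": b"hello world", "cfg.ini": b"x=1"}
DAY3 = {"ledger.db": b"A" * 990 + b"B" * 10, "notes.txt": b"hello world"}  # cfg.ini deleted


def run_demo() -> dict:
    scheme = IncrementalScheme()
    scheme.full(DAY1)
    scheme.incremental(DAY2)
    scheme.incremental(DAY3)
    restored = scheme.restore()
    full_every_day = sum(sum(len(d) for d in fs.values()) for fs in (DAY1, DAY2, DAY3))
    try:
        scheme.restore(available={0, 2})     # the day-2 incremental is lost
        broken = False
    except RuntimeError:
        broken = True
    return {
        "restore_matches_day3": restored == DAY3,
        "day2_restore_matches": scheme.restore(upto=1) == DAY2,
        "incremental_media_bytes": total_media(scheme.chain),
        "full_every_day_bytes": full_every_day,
        "day2_set_files": sorted(scheme.chain[1].files),
        "chain_breaks_when_set_lost": broken,
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The media figures show the trade-off behind options B and D of question 17: three daily full backups would consume 3033 bytes, the full-plus-incremental chain 2019, but the point-in-time restore has to read every set in the chain, and the simulated loss of the day-2 volume makes the day-3 state unrecoverable. Restore testing (question 30) is what detects such a gap before a real disaster does.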