2016 Aug CISA exam question
Q251. - (Topic 3)
Responsibility for the governance of IT should rest with the:
A. IT strategy committee.
B. chief information officer (CIO).
C. audit committee.
D. board of directors.
Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly. The audit committee, the chief information officer (CIO) and the IT strategy committee all play a significant role in the successful implementation of IT governance within an organization, but the ultimate accountability resides with the board of directors.
Q252. - (Topic 3)
An IS auditor was hired to review e-business security. The IS auditor's first task was to examine each existing e-business application looking for vulnerabilities. What would be the next task?
A. Report the risks to the CIO and CEO immediately
B. Examine e-business application in development
C. Identify threats and likelihood of occurrence
D. Check the budget available for risk management
An IS auditor must identify the assets, look for vulnerabilities, and then identify the threats and the likelihood of their occurrence; having examined the applications for vulnerabilities, the next task is therefore to identify the threats and their likelihood (choice C). Choices A, B and D come later: once the risks have been assessed they should be discussed with the CIO, and a report, including the findings along with priorities and costs, should be delivered to the CEO.
Q253. - (Topic 1)
Which of the following would be the BEST method for ensuring that critical fields in a master record have been updated properly?
A. Field checks
B. Control totals
C. Reasonableness checks
D. A before-and-after maintenance report
A before-and-after maintenance report is the best answer because it shows the old and new value of each changed field, so a visual review provides the most positive verification that the update was proper. Field checks, control totals and reasonableness checks only confirm that the data is well formed, that the batch balances, or that values are plausible; none of them confirms that the intended fields, and only those fields, were changed.
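The difference between the three detective controls and a before-and-after report is easiest to see on a concrete master-file update. The following Python script is an added example, not part of the exam material: the vendor master records, the field names and the 10-digit account format are all constructed for illustration. An authorized change raises one vendor's credit limit; the actual run also swaps that vendor's bank account and moves credit limit between two other vendors, so the control total still balances and every field check passes, while the before-and-after report surfaces each unauthorized change.

```python
# Added example (not part of the exam material): why a before-and-after
# maintenance report gives more positive verification of a master-record
# update than control totals or field checks. All vendor data is constructed.
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class VendorMaster:
    vendor_id: str
    name: str
    bank_account: str   # 10-digit account number (assumed format)
    credit_limit: int


# Master file before the maintenance run (constructed sample).
BEFORE = [
    VendorMaster("V100", "Acme Ltd", "1234567890", 5000),
    VendorMaster("V200", "Bolt Co", "2222222222", 3000),
    VendorMaster("V300", "Cog Inc", "3333333333", 3000),
]

# The only authorized change: raise V100's credit limit from 5000 to 7000.
AUTHORIZED = {"V100": {"credit_limit"}}
EXPECTED_TOTAL_AFTER = 11000 + 2000

# Master file after the run. The operator also redirected V100's payments to
# a different bank account and moved 2000 of credit limit from V200 to V300.
AFTER = [
    VendorMaster("V100", "Acme Ltd", "9999999999", 7000),
    VendorMaster("V200", "Bolt Co", "2222222222", 1000),
    VendorMaster("V300", "Cog Inc", "3333333333", 5000),
]


def control_total(records):
    """Batch control total over a numeric field. It proves the batch balances,
    not that the right records and fields were changed: offsetting errors and
    changes to non-numeric fields are invisible to it."""
    return sum(r.credit_limit for r in records)


def field_check(record):
    """Field (format) check: every field has the expected format. A well-formed
    but wrong value passes."""
    return (record.bank_account.isdigit() and len(record.bank_account) == 10
            and record.credit_limit >= 0 and record.name != "")


def before_after_report(before, after):
    """Before-and-after maintenance report: for each record, every field whose
    value changed, with its old and new value. Added or deleted records are
    reported under the key '_record'."""
    old = {r.vendor_id: r for r in before}
    new = {r.vendor_id: r for r in after}
    report = {}
    for vid in sorted(set(old) | set(new)):
        if vid not in old or vid not in new:
            report[vid] = {"_record": (old.get(vid), new.get(vid))}
            continue
        o, n = asdict(old[vid]), asdict(new[vid])
        changes = {f: (o[f], n[f]) for f in o if o[f] != n[f]}
        if changes:
            report[vid] = changes
    return report


def unexpected_changes(report, authorized):
    """Compare the report against the authorized change list: anything not
    authorized is an exception for the reviewer to follow up."""
    return [(vid, field) for vid, changes in report.items()
            for field in changes if field not in authorized.get(vid, set())]


if __name__ == "__main__":
    # Control total and field checks both pass, so neither detects the problem.
    print("control total matches:", control_total(AFTER) == EXPECTED_TOTAL_AFTER)
    print("all field checks pass:", all(field_check(r) for r in AFTER))
    # The before-and-after report exposes every unauthorized change.
    for vid, field in unexpected_changes(before_after_report(BEFORE, AFTER), AUTHORIZED):
        print(f"unauthorized change: {vid}.{field}")
```

The report is only as good as the review of it: the last function shows the practical form that review takes, comparing the report against the approved change list so the reviewer sees exceptions rather than every line.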
Q254. - (Topic 3)
Which of the following would an IS auditor consider to be the MOST important when evaluating an organization's IS strategy? That it:
A. has been approved by line management.
B. does not vary from the IS department's preliminary budget.
C. complies with procurement procedures.
D. supports the business objectives of the organization.
Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization's broader plans and business objectives for attaining these goals, so support for the business objectives (choice D) is the most important consideration. Choice A is incorrect since line management prepared the plans.
Q255. - (Topic 2)
Which of the following is a benefit of a risk-based approach to audit planning? Audit:
A. scheduling may be performed months in advance.
B. budgets are more likely to be met by the IS audit staff.
C. staff will be exposed to a variety of technologies.
D. resources are allocated to the areas of highest concern.
The risk-based approach is designed to ensure audit time is spent on the areas of highest risk. The development of an audit schedule is not addressed by a risk-based approach. Audit schedules may be prepared months in advance using various scheduling methods. A risk-based approach does not have a direct correlation to the audit staff meeting time budgets on a particular audit, nor does it necessarily mean a wider variety of audits will be performed in a given year.
Q256. - (Topic 3)
During an audit, an IS auditor notices that the IT department of a medium-sized organization has no separate risk management function, and the organization's operational risk documentation only contains a few broadly described IT risks. What is the MOST appropriate recommendation in this situation?
A. Create an IT risk management department and establish an IT risk framework with the aid of external risk management experts.
B. Use common industry standard aids to divide the existing risk documentation into several individual risks which will be easier to handle.
C. No recommendation is necessary since the current approach is appropriate for a medium-sized organization.
D. Establish regular IT risk management meetings to identify and assess risks, and create a mitigation plan as input to the organization's risk management.
Establishing regular meetings is the best way to identify and assess risks in a medium-sized organization, to assign responsibilities to the respective management and to keep the risk list and mitigation plans up to date. A medium-sized organization would normally not have a separate IT risk management department. Moreover, the risks are usually manageable enough that external help would not be needed. While common risks may be covered by common industry standards, they cannot address the specific situation of an organization. Individual risks will not be discovered without a detailed assessment from within the organization, so splitting the one risk position into several is not sufficient.
Q257. - (Topic 3)
Which of the following should be considered FIRST when implementing a risk management program?
A. An understanding of the organization's threat, vulnerability and risk profile
B. An understanding of the risk exposures and the potential consequences of compromise
C. A determination of risk management priorities based on potential consequences
D. A risk mitigation strategy sufficient to keep risk consequences at an acceptable level
Implementing risk management, as one of the outcomes of effective information security governance, would require a collective understanding of the organization's threat, vulnerability and risk profile as a first step. Based on this, an understanding of risk exposure and potential consequences of compromise could be determined. Risk management priorities based on potential consequences could then be developed. This would provide a basis for the formulation of strategies for risk mitigation sufficient to keep the consequences from risk at an acceptable level.
Q258. - (Topic 4)
Which testing approach is MOST appropriate to ensure that internal application interface errors are identified as soon as possible?
A. Bottom up
B. Sociability testing
C. Top down
D. System test
The top-down approach to testing ensures that interface errors are detected early and that testing of major functions is conducted early. A bottom-up approach to testing begins with atomic units, such as programs and modules, and works upward until a complete system test has taken place. Sociability testing and system tests take place at a later stage in the development process.
Q259. - (Topic 2)
After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:
A. expand activities to determine whether an investigation is warranted.
B. report the matter to the audit committee.
C. report the possibility of fraud to top management and ask how they would like to proceed.
D. consult with external legal counsel to determine the course of action to be taken.
An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.
Q260. - (Topic 1)
What are used as the framework for developing logical access controls?
A. Information systems security policies
B. Organizational security policies
C. Access Control Lists (ACL)
D. Organizational charts for identifying roles and responsibilities
Information systems security policies are used as the framework for developing logical access controls: they define who may access which systems and data and under what conditions. Access control lists (choice C) are a mechanism that implements those policies, not the framework for developing them.