
CISA Review Questions, Answers & Explanations Manual 2014

Supplement
by ISACA
ISACA. (c) 2013. Copying Prohibited.

Reprinted for Kiran Khan, ISACA (jamil.kiran@gmail.com)
Reprinted with permission as a subscription benefit of Books24x7,
http://www.books24x7.com/

All rights reserved. Reproduction and/or distribution in whole or in part in electronic, paper or other forms without written permission is prohibited.


Questions, Answers & Explanations by Domain


Domain 1: The Process of Auditing Information Systems (14%)
AS1-1 When planning an IS audit, the auditor should FIRST:
A. identify the business process to be audited.
B. perform a risk assessment.
C. determine the objective of the audit.
D. identify needed audit resources.
C is the correct answer.
Justification:
A. The business process to be audited cannot be identified until the audit objective has been determined.
B. The risk-based approach requires the IS auditor to first understand the entity and its environment in order to identify
risk. The risk assessment cannot be performed until the audit objective is determined.
C. The IS auditor should develop an audit plan that takes into consideration the objectives of the auditee
relevant to the audit area and its technology infrastructure.
D. Audit resources needed for the audit can only be determined after the scope of the audit has been set.
AS1-2 What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
A. It detects risk sooner.
B. It replaces the audit function.
C. It reduces audit workload.
D. It reduces audit resources.
A is the correct answer.
Justification:
A. CSAs require employees to assess the control stature of their own function. CSAs help increase the
understanding of business risk and internal controls. Because they are conducted more frequently than audits,
CSAs help identify risk in a more timely manner.
B. CSAs do not replace the audit function; an audit must still be performed to ensure that controls are present.
C. CSAs may not reduce the audit function's workload, and workload is not a major difference between the two approaches.
D. CSAs do not affect the need for audit resources. While the results of the CSA may serve as a reference point for the
audit process, they do not affect the scope or depth of audit work that needs to be performed.
AS1-3 An IS auditor is reviewing a project risk assessment and notices that the overall risk level is high due to
confidentiality requirements. Which of the following types of risk is normally high due to the number of users and business
areas the project may affect?
A. Control risk
B. Compliance risk
C. Inherent risk
D. Residual risk
C is the correct answer.
Justification:
A. Control risk can be high, but it would be due to internal controls not being identified, evaluated or tested, and would not
be due to the number of users or business areas affected.
B. Compliance risk is the penalty applied to current and future earnings for nonconformance to laws and regulations, and
may not be impacted by the number of users and business areas affected.
C. Inherent risk is normally high due to the number of users and business areas that may be affected. Inherent
risk is the risk level or exposure without taking into account the actions that management has taken or might
take.
D. Residual risk is the remaining risk after management has implemented a risk response, and is not based on the number
of users or business areas affected.
AS1-4 An IS auditor discovers a potential material finding. The BEST course of action is to:
A. report the potential finding to business management.
B. discuss the potential finding with the audit committee.
C. increase the scope of the audit.
D. perform additional testing.
D is the correct answer.
Justification:
A. The item should be confirmed through additional testing before it is reported to management.
B. The item should be confirmed through additional testing before it is discussed with the audit committee.
C. Additional testing to confirm the potential finding should be within the scope of the engagement.
D. The IS auditor should perform additional testing to ensure that it is a finding. An auditor can lose credibility if
it is later discovered that the finding was not justified.
AS1-5 Which of the following is in the BEST position to approve changes to the audit charter?
A. Board of directors
B. Audit committee
C. Executive management
D. Director of internal audit
B is the correct answer.
Justification:
A. The board of directors does not need to approve the charter; it is best presented to the audit committee for approval.
B. The audit committee is a subgroup of the board of directors. The audit department should report to the audit
committee and the audit charter should be approved by the committee.
C. Executive management is not required to approve the audit charter. The audit committee is in the best position to
approve the charter.
D. While the director of internal audit may draft the charter and make changes, the audit committee should have the final
approval of the charter.
AS1-6 An IS auditor reviewing the process to monitor access logs wishes to evaluate the manual log review process.
Which of the following audit techniques would the auditor MOST likely employ to fulfill this purpose?
A. Inspection
B. Inquiry
C. Walk-through
D. Reperformance
C is the correct answer.
Justification:
A. Inspection is just one component of a walk-through and by itself does not supply enough information to provide a full
understanding of the overall process and identify potential control weaknesses.
B. Inquiry provides only general information on how the control is executed. It does not necessarily enable the IS auditor to
determine whether the control performer has an in-depth understanding of the control.
C. Walk-through procedures usually include a combination of inquiry, observation, inspection of relevant
documentation and reperformance of controls. A walk-through of the manual log review process follows the
manual log review process from start to finish to gain a thorough understanding of the overall process and
identify potential control weaknesses.
D. Reperformance of the control is carried out by the IS auditor and does not provide assurance of the competency of the
auditee.
AS1-7 An IS auditor is evaluating processes put in place by management at a storage location containing computer
equipment. One of the test procedures compares the equipment on location with the inventory records. This type of testing
procedure executed by the IS auditor is an example of:
A. substantive testing.
B. compliance testing.
C. analytical testing.
D. control testing.
A is the correct answer.
Justification:
A. Substantive testing obtains audit evidence on the completeness, accuracy or existence of activities or
transactions during the audit period.
B. Compliance testing is evidence gathering for the purpose of testing an enterprise's compliance with control procedures.
This differs from substantive testing in which evidence is gathered to evaluate the integrity of individual transactions, data
or other information.
C. Analytical testing evaluates the relationship of two sets of data and discerns inconsistencies in the relationship.
D. Control testing is the same as compliance testing.
AS1-8 Which of the following does a lack of adequate controls represent?
A. An impact
B. A vulnerability
C. An asset
D. A threat
B is the correct answer.
Justification:
A. Impact is the measure of the financial loss that a threat event may have.
B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk
of malicious damage, attack or unauthorized access by hackers. This could result in a loss of sensitive
information, financial loss, legal penalties or other losses.
C. An asset is something of either tangible or intangible value worth protecting, including people, systems, infrastructure,
finances and reputation.
D. A threat is a potential cause of an unwanted incident.
AS1-9 An IS auditor is evaluating the controls around provisioning visitor access cards to the organization's IT facility. The
IS auditor notes that daily reconciliation of visitor card inventory is not carried out as mandated. However, an inventory
count carried out by the IS auditor reveals no missing access cards. In this context, the IS auditor should:
A. disregard the lack of reconciliation because no discrepancies were discovered.
B. recommend regular physical inventory counts be performed in lieu of daily reconciliation.
C. report the lack of daily reconciliation as an exception.
D. recommend the implementation of a biometric access system.
C is the correct answer.
Justification:
A. Absence of discrepancy in physical count only confirms absence of any impact, but cannot be a reason to overlook
failure of operation of the control.
B. While the IS auditor may in some cases recommend a change in procedures, the primary goal is to observe and report
when the current process is deficient.
C. The IS auditor should report the lack of daily reconciliation as an exception because a physical inventory
count gives assurance only at a point in time and is not a management-mandated activity.
D. While the IS auditor may in some cases recommend a solution, the primary goal is to observe and report when the
current process is deficient.
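AS1-7 and AS1-9 both turn on reconciliation: comparing what is physically present with what the records say (substantive testing of existence, completeness and accuracy), and separately checking whether a mandated daily reconciliation control actually operated. The following is an added example, not code from the ISACA manual; the inventory records, physical count and reconciliation log are constructed sample data, and the asset tags and column names are assumptions chosen for illustration. It shows why a clean physical count (no missing items) still leaves the AS1-9 exception standing: the control-operation check reports every business day on which the reconciliation was not performed.

```python
from datetime import date, timedelta

# Constructed sample data (not from the manual): the inventory register as
# recorded by management, and the count the auditor performed on the floor.
INVENTORY_RECORDS = {
    "SRV-001": {"location": "Rack A1", "model": "R740"},
    "SRV-002": {"location": "Rack A2", "model": "R740"},
    "SRV-003": {"location": "Rack B1", "model": "R640"},
    "SW-010": {"location": "Rack A1", "model": "N9K"},
}
PHYSICAL_COUNT = {
    "SRV-001": {"location": "Rack A1", "model": "R740"},
    "SRV-002": {"location": "Rack B3", "model": "R740"},  # moved; record is stale
    "SW-010": {"location": "Rack A1", "model": "N9K"},
    "SW-011": {"location": "Rack B2", "model": "N9K"},    # on the floor, never recorded
}


def reconcile(records, count):
    """Substantive test: classify every difference between records and count.

    missing_on_floor   -> existence exception (recorded, but not found)
    unrecorded         -> completeness exception (found, but not recorded)
    attribute_mismatch -> accuracy exception (found, but details differ)
    """
    exceptions = {"missing_on_floor": [], "unrecorded": [], "attribute_mismatch": []}
    for tag, attrs in records.items():
        if tag not in count:
            exceptions["missing_on_floor"].append(tag)
        elif count[tag] != attrs:
            diffs = {k: (attrs[k], count[tag].get(k))
                     for k in attrs if attrs[k] != count[tag].get(k)}
            exceptions["attribute_mismatch"].append((tag, diffs))
    for tag in count:
        if tag not in records:
            exceptions["unrecorded"].append(tag)
    return exceptions


# Constructed log of the dates on which the mandated daily reconciliation
# was actually signed off during the review period (March 1-15, 2024).
RECON_LOG = [date(2024, 3, d) for d in (1, 4, 5, 6, 7, 8, 11, 12, 13, 15)]


def missing_reconciliation_days(log, start, end, workdays_only=True):
    """Control-operation test: business days on which no reconciliation was logged."""
    performed = set(log)
    missing = []
    day = start
    while day <= end:
        is_weekend = day.weekday() >= 5
        if not (workdays_only and is_weekend) and day not in performed:
            missing.append(day)
        day += timedelta(days=1)
    return missing


def control_operated_every_day(log, start, end):
    """True only if the daily control shows no gaps; a clean count does not substitute for this."""
    return not missing_reconciliation_days(log, start, end)


if __name__ == "__main__":
    print(reconcile(INVENTORY_RECORDS, PHYSICAL_COUNT))
    print(missing_reconciliation_days(RECON_LOG, date(2024, 3, 1), date(2024, 3, 15)))
```

In the AS1-9 scenario `reconcile` would return no exceptions for the access cards, yet `missing_reconciliation_days` still lists the skipped days, and that gap is what the auditor reports: the count gives assurance only at the moment it was taken.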
AS1-10 During an audit, the IS auditor notes that the application developer also performs quality assurance testing on a
particular application. Which of the following should the IS auditor do?
A. Recommend compensating controls.
B. Review the code created by the developer.
C. Analyze the quality assurance dashboards.
D. Report the identified condition.
D is the correct answer.
Justification:
A. While compensating controls may be a good idea, the primary response in this case should be to report the condition.
B. Evaluating the code created by the application developer is not the appropriate response in this case. The IS auditor
may evaluate a sample of changes to determine whether the developer tested his/her own code, but the primary response
should be to report the condition.
C. Analyzing the quality assurance dashboards can help evaluate the actual impact of the lack of segregation of duties, but
does not address the underlying risk. The primary response should be to report the condition.
D. The software quality assurance role should be independent of, and separate from, development activities. The
same person should not hold both roles because this would cause a segregation of duties concern. The IS auditor
should report this condition when identified.
AS1-11 An IS auditor is reviewing risk and controls of a bank wire transfer system. To ensure that the bank's financial risk
is properly addressed, the IS auditor will most likely review which of the following?
A. Privileged access to the wire transfer system
B. Wire transfer procedures
C. Fraud monitoring controls
D. Employee background checks
B is the correct answer.
Justification:
A. Privileged access, such as administrator access, is necessary to manage user account privileges and should not be
granted to end users. The wire transfer procedures are a better control to review to ensure that there is segregation of
duties of the end users to help prevent fraud.
B. Wire transfer procedures include segregation of duties controls. This helps prevent internal fraud by not
allowing one person to initiate, approve and send a wire. Therefore, the IS auditor should review the
procedures as they relate to the wire system.
C. Fraud monitoring is a detective control and does not prevent financial loss. Segregation of duties is a preventive control.
D. While controls related to background checks are important, the controls related to segregation of duties as found in the
wire transfer procedures are more critical.
AS1-12 An IS auditor is determining the appropriate sample size for testing the existence of program change approvals.
Previous audits did not indicate any exceptions, and management has confirmed that no exceptions have been reported for
the review period. In this context, the IS auditor can adopt a:
A. lower confidence coefficient, resulting in a smaller sample size.
B. higher confidence coefficient, resulting in a smaller sample size.
C. higher confidence coefficient, resulting in a larger sample size.
D. lower confidence coefficient, resulting in a larger sample size.
A is the correct answer.
Justification:
A. When internal controls are strong, a lower confidence coefficient can be adopted, which will enable the use
of a smaller sample size.
B. A higher confidence coefficient will result in the use of a larger sample size.
C. A higher confidence coefficient need not be adopted in this situation because internal controls are strong.
D. A lower confidence coefficient will result in the use of a smaller sample size.
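The relationship AS1-12 relies on (a lower confidence coefficient permits a smaller sample) can be made concrete with attribute sampling for compliance tests where no deviations are expected. The block below is an added example, not from the ISACA manual, and the formula it uses is the standard zero-expected-deviation attribute sample size, n = ceil(ln(1 - CL) / ln(1 - p)), where CL is the confidence coefficient and p the tolerable deviation rate; the manual does not state this formula, and the 5% tolerable rate and the confidence levels compared are assumptions for illustration. The second function checks the result from the other direction: that a sample of that size gives at least the required probability of catching one deviation if the population really deviates at rate p.

```python
import math


def sample_size(confidence, tolerable_rate):
    """Smallest n such that P(at least one deviation in the sample) >= confidence,
    assuming the population deviation rate equals tolerable_rate and no
    deviations are expected (zero-expected-deviation attribute sampling)."""
    if not 0 < confidence < 1 or not 0 < tolerable_rate < 1:
        raise ValueError("confidence and tolerable_rate must lie strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tolerable_rate))


def detection_probability(n, tolerable_rate):
    """Probability that a sample of n items contains at least one deviation
    when the population deviates at tolerable_rate (sampling with replacement)."""
    return 1 - (1 - tolerable_rate) ** n


def size_table(tolerable_rate, confidences=(0.70, 0.80, 0.90, 0.95)):
    """Sample size required at each confidence coefficient, for comparison."""
    return {cl: sample_size(cl, tolerable_rate) for cl in confidences}


if __name__ == "__main__":
    # Constructed scenario: 5% tolerable deviation rate for change-approval testing.
    for cl, n in size_table(0.05).items():
        print(f"confidence {cl:.0%}: sample {n} items "
              f"(detection probability {detection_probability(n, 0.05):.3f})")
```

Strong controls in prior periods justify accepting a lower confidence coefficient, and the table shows the effect directly: at a 5% tolerable rate, dropping from 95% to 90% confidence reduces the sample from 59 to 45 items, while going the other way (option C) only increases it.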
AS1-13 Why does an audit manager review audit papers from an IS auditor, even when the auditor has more than
10 years of experience?
A. Supervision is required to comply with internal quality requirements.
B. Supervision is required to comply with the audit guidelines.
C. Supervision is required to comply with the audit methodology.
D. Supervision is required to comply with professional standards.
D is the correct answer.
Justification:
A. Internal quality requirements may exist, but are superseded by the requirement of supervision to comply with
professional standards.
B. Audit guidelines exist to provide guidance on how to achieve compliance with professional standards. For example, they
may provide insights on the purpose of supervision and examples of how supervisory duties are to be performed to achieve
compliance with professional standards.
C. An audit methodology is a well-configured process/procedure to achieve audit objectives. While an audit methodology is
a meaningful tool, supervision is generally driven by compliance with professional standards.
D. Professional standards from ISACA, The Institute of Internal Auditors (IIA) and the International Federation of
Accountants (IFAC) require supervision of audit staff to accomplish audit objectives and comply with
competence, professional proficiency and documentation requirements, and more.
AS1-14 Which of the following is the PRIMARY reason IS auditors conduct risk assessments?
A. To focus effort on areas of highest business impact
B. To maintain the organization's risk register
C. To enable management to choose the correct risk response
D. To provide assurance on the risk management process
A is the correct answer.
Justification:
A. Risk assessments form the basis of audit department management and are used to determine potential
areas on which to focus audit efforts and resources. A risk assessment is the process used to identify and
evaluate risk and its potential effects.
B. Updating the risk register is the responsibility of operations management, not the IT audit department.
C. Management chooses the correct risk response strategy based on the enterprisewide risk assessment, evaluation and
analysis.
D. Assurance on risk management is not the main reason why risk assessments are performed by the audit department.
The IT audit department performs risk assessments for two purposes: to create a risk-based audit schedule and to manage the
risk related to each audit engagement from a delivery and project management perspective.
Domain 2: Governance and Management of IT (14%)
AS2-1 An IS auditor is reviewing the disaster recovery plan (DRP) for a large organization with multiple locations requiring
high systems availability. Which of the following causes the GREATEST concern?
A. There is no agreement for a third-party alternate processing center.
B. Backup media are not tested.
C. The entire DRP is not periodically tested.
D. A physical copy of the plan is not available at the alternate processing site.
B is the correct answer.
Justification:
A. While an agreement for an alternate processing site is important, a large organization with multiple locations will most
likely have other alternate processing sites within the organization without needing a third-party processing center. Data
could be sent to another site within the organization, but if the backup data are not reliable, the risk to availability is not
managed.
B. Testing backups provides assurance that the backup data are reliable and will be available when needed.
Without backup data, the organization is not addressing the risk of availability.
C. While it is important to periodically test the DRP, it is also effective to periodically test the plan using certain scenarios
instead of testing the entire plan. In many cases the restoration of backup media will not change for different disasters. For
organizations with high availability requirements, data must be reliable and available when needed. If the primary
processing center is not available, recovery of backup media is typically the same for each location as long as it is reliable
and available.
D. The DRP must be available to all personnel involved with recovery efforts. With the availability of the Internet, there are
alternative methods of delivery/retrieval of the plan. Reliability and availability of backup data are priorities for organizations
that require high availability.
AS2-2 An IS auditor reviewing a project's risk and related risk responses would be MOST concerned with a lack of
management sign-off for a risk that was:
A. avoided.
B. transferred.
C. mitigated.
D. accepted.
D is the correct answer.
Justification:
A. The avoidance strategy involves not implementing certain activities or processes that incur risk, thus eliminating the risk.
The IS auditor would not expect a formal sign-off for an avoided risk.
B. Risk that is transferred is shared among partners such as through insurance or contractual agreement. Lack of a
documented management sign-off would be of concern, but not as high a concern as with an accepted risk because the
overall risk to the organization is reduced.
C. Because the risk has been mitigated, management has signed off and approved the approach used to mitigate the risk.
The IS auditor would be more concerned if management did not approve a risk that was accepted.
D. In order to accept the risk, management must first be made aware of the risk and its consequences. This
includes a formal acceptance of the risk, which is usually evidenced by a sign-off.
AS2-3 For key performance indicators (KPIs) to be an effective and useful metric, it is MOST important that:
A. KPIs are measured at consistent intervals.
B. specific goals are defined.
C. critical success factors (CSFs) are considered.
D. KPIs are purely quantitative measures.
B is the correct answer.
Justification:
A. Measurement at consistent intervals is not likely to be important because trends and the extent to which goals are
achieved can be determined.
B. The most important metric is the extent to which the key goal indicators (KGIs) are achieved.
C. CSFs are important considerations for determining that a goal is being achieved, but are not a metric.
D. Quantitative measures are usually preferable, but not always possible and not essential.
AS2-4 Which of the following documents is the BEST source for an IS auditor to understand the requirements for
employee awareness training?
A. Information security policy
B. Acceptable usage policy
C. Human resources (HR) policy
D. End-user computing policy
A is the correct answer.
Justification:
A. The information security policy states the organization's approach to managing information security. The
policy contains the company's security objectives and explains the security policies, principles and standards.
In addition, the policy outlines requirements such as compliance with regulations and employee education,
training and awareness.
B. The acceptable usage policy outlines guidelines and rules for employee use of the company's information resources. It
is focused and does not include requirements for security awareness training.
C. The HR policy refers to the information security policy, but does not specifically list the requirements for security
awareness training. Instead, this document contains broader information such as hiring practices, commitments to diversity
and ethics, and compliance with regulations.
D. The end-user computing policy describes the parameters and usage of desktop tools by users. It does not contain
requirements for security awareness training.
AS2-5 To be effective, risk management should be applied to:
A. those elements identified by a risk assessment.
B. any area that exceeds acceptable risk levels.
C. all organizational activities.
D. only areas that have potential impact.
C is the correct answer.
Justification:
A. Elements of unacceptable risk will require treatment, but all activities are subject to risk management oversight.
Assessing risk and determining which risk is acceptable and which risk has the potential for impact are functions of risk
management.
B. Risk management must be holistic and should not be limited to areas that exceed acceptable risk levels. Areas within
acceptable risk levels may be optimized by reducing control measures or assuming more risk.
C. While not all organizational activities will pose an unacceptable risk, the practice of risk management is still
applied to determine which risk requires treatment.
D. When assessing risk, determining which risk is acceptable, which risk exceeds acceptable levels and which risk has the
potential for impact are functions of risk management.
AS2-6 The goal of IT risk analysis is to:
A. enable the alignment of IT risk management with enterprise risk management (ERM).
B. enable the prioritization of risk responses.
C. satisfy legal and regulatory compliance requirements.
D. identify known threats and vulnerabilities to information assets.
B is the correct answer.
Justification:
A. Aligning IT risk management with ERM is important to ensure the cost-effectiveness of the overall risk management
process. However, risk analysis does not enable such an alignment.
B. Risk analysis is a process by which the likelihood and magnitude of IT risk scenarios are estimated. Risk
analysis is conducted to ensure that the information assets with the greatest risk likelihood and impact are
managed before addressing risk with a lower likelihood and impact. Prioritization of IT risk helps maximize
return on investment for risk responses.
C. Risk analysis evaluates risk on the basis of likelihood and impact and includes financial, environmental, regulatory and
other risk. It looks at regulatory risk as one type of risk that the organization faces, but is not specifically designed to satisfy
legal and regulatory compliance requirements.
D. Risk analysis occurs after risk identification and evaluation. Risk identification determines known threats and
vulnerabilities. Risk evaluation assesses the risk and creates valid risk scenarios. Risk analysis quantifies risk along the
vectors of likelihood and impact to facilitate the prioritization of risk responses.
AS2-7 Which of the following is a PRIMARY objective of an acceptable use policy?
A. Creating awareness about the secure use of proprietary resources
B. Ensuring compliance with information security policies
C. Defining sanctions for noncompliance
D. Controlling how proprietary information systems are used
D is the correct answer.
Justification:
A. Employee orientations and user awareness training are the most effective processes to raise user awareness about the
acceptable use of proprietary IT resources. The acceptable use policy is one of the topics covered during training and is
often signed after employee orientation and during periodic user awareness training.
B. The acceptable use policy is a subset of the information security policies that focus on the end user and a specific topic.
Information security policies are much broader in overall content and include a wider audience.
C. Although the policy may include a statement regarding the sanctions for noncompliance, sanctions are not the primary
objective of the acceptable use policy; prevention is the primary objective.
D. Inappropriate use of proprietary IT resources by users exposes enterprises to a variety of risk scenarios,
including malware attacks, compromise and unavailability of critical systems, and legal issues. To address such
risk, a policy supported by guidelines is put into effect to define how information system resources will be
used. An acceptable use policy ensures that users are made aware of acceptable usage and the need to
acknowledge that they are aware.
AS2-8 What is the GREATEST risk of a bank outsourcing its data center?
A. Loss or leakage of information
B. Noncompliance with regulatory requirements
C. Vendor failure or bankruptcy
D. Loss of internal knowledge and experience
A is the correct answer.
Justification:
A. The risk of loss or leakage of information is the greatest risk because it can subject the company to
regulatory fines, lawsuits and reputation risk.
B. Although noncompliance with regulations subjects a company to potential fines, it is not necessarily as great a risk as a
security breach.
C. The risk of vendor failure or bankruptcy can be mitigated in the contract through such clauses as code escrow as well
as a robust recovery process. Although this risk is inherent in any contractual relationship, if the correct controls are in
place then it should not materially affect the bank as much as a loss or leakage of information.
D. The risk of a lack of internal IS staff knowledge through outsourcing, although valid, is not as great a risk as that
resulting from a loss or leakage of information. Contractual controls, such as a turnover period in the event of contract
termination, can also help mitigate the risk of loss of internal knowledge.
AS2-9 Which of the following should be of GREATEST concern to an IS auditor reviewing the business continuity plan
(BCP) of an organization?
A. Daily full backups are not performed for critical production files.
B. A team of IT and information security staff conducted the business impact analysis (BIA).
C. Sensitive information processes are manually performed during a disruption.
D. An annual test of the BCP is not being performed.
B is the correct answer.
Justification:
A. Daily full backups may not be required if incremental or differential backups are in place.
B. To be effective, the BIA should be conducted with input from a wide array of stakeholders. The business
requirements included within the BIA are integral in defining mean-time-to-repair and the data point recovery.
Without business stakeholder input, these critical requirements may not be correctly defined, leading to critical
assets being overlooked.
C. As long as the service delivery objective is met and data are handled in alignment with the data classification and
handling policy, it is appropriate for sensitive functions to be performed manually in the case of a BCP event.
D. The frequency of testing is less important than business involvement in the creation of the BCP.
AS2-10 Which of the following compensating controls should management implement when a segregation of duties conflict
exists because an organization has a small IT department?
A. More frequent review of audit logs
B. Tighter controls over user provisioning
C. More frequent reviews of administrative access
D. Independent review of exception reports
D is the correct answer.
Justification:
A. While frequent review of audit logs is a compensating control, if there is no clear segregation of duties, this is an
ineffective control. An IT person with administrative access to a system could potentially delete audit logs or disable audit
logging altogether. From a practical perspective, logs typically contain large volumes of data; an in-depth review of these
data would be a time-consuming and impractical method for finding issues related to segregation of duties conflicts.
B. User provisioning is the process of granting access to an application or system. While a normal part of the provisioning
process is to make sure that no segregation of duties conflicts exist, this cannot be done in the present case due to the
small size of the IT department. Therefore, tighter controls over user provisioning would be of limited value.
C. While it is important to ensure that only authorized individuals have administrative access to critical systems to prevent
segregation of duties conflicts, in this case those conflicts cannot be prevented. Therefore, a frequent review of
administrative access would be of limited value as a control.
D. Assuming that the integrity of the exception reporting process can be validated through audit testing, an
independent review of the exception reports is the best compensating control.
AS2-11 An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate
the quality of alignment between IT and the business?
A. Security policies
B. Operational procedures
C. Project portfolio
D. IT balanced scorecard (IT BSC)
D is the correct answer.
Justification:
A. Security policies are important; however, they are not designed to align IT to the business.
B. Operational procedures do not provide the IS auditor assurance of the alignment between IT and the business.
C. The project portfolio is the set of projects owned by the organization. The portfolio provides a status quo, but is not a
good basis to assess alignment of IT with the business.
D. The IT BSC represents the translation of the business objectives into what IT needs to do to achieve these
objectives.
AS2-12 Value delivery from IT to the business is MOST effectively achieved by:
A. aligning the IT strategy with the enterprise strategy.
B. embedding accountability in the enterprise.
C. providing a positive return on investment (ROI).
D. establishing an enterprisewide risk management process.
A is the correct answer.
Justification:
A. IT's value delivery to the business is driven by aligning IT with the enterprise's strategy.
B. Embedding accountability in the enterprise promotes risk management (another element of corporate governance).
C. While ROI is important, it is not the only criterion by which the value of IT is assessed.
D. Enterprisewide risk management is critical to IT governance; however, by itself it will not guarantee that IT delivers
value to the business unless the IT strategy is aligned with the enterprise strategy.
AS2-13 Which of the following BEST indicates that a business continuity plan (BCP) will function as intended in the event
of a disaster?
A. Enforced procedures for regular plan updates
B. A tabletop exercise with disaster scenarios
C. A comprehensive reciprocal agreement
D. Long-haul diversity and last-mile redundancy
B is the correct answer.
Justification:
A. While recovery plans should be kept current, the use of a tabletop exercise to test the plan is a better option because it
involves people and processes.
B. A tabletop exercise is used to test the effectiveness of a BCP without the interruption of a full-scale drill. The
test team walks through a simulated disaster to determine whether the plan will work as designed. Of the
options given, a tabletop exercise is the best way to ensure that the BCP will function as intended without live
testing to reveal plan deficiencies.
C. Reciprocal agreements will specify the conditions among counterparties for sharing facilities in case of disaster, but
provide no assurance that the BCPs will work.
D. Long-haul diversity and last-mile redundancy are important considerations for business continuity planning, but by
themselves are insufficient to ensure that the plans will work.
AS2-14 Which of the following is the BEST indicator of IT alignment with organizational strategies and objectives?
A. A well-defined enterprise architecture
B. Established policy compliance metrics
C. The results of a business process owner survey
D. The findings of an internal controls assessment
C is the correct answer.
Justification:
A. Enterprise architecture (EA) helps define standards and designs for IT systems; however, it does not measure how IT is
aligned with the business.
B. Policy compliance metrics do not indicate IT's alignment with the business.
C. Business owners are in the best position to provide direct feedback on the extent to which IT provides
support for business objectives and strategies.
D. An internal controls assessment will not provide evidence of IT's alignment with the business.
Domain 3: Information Systems Acquisition, Development and Implementation (19%)
AS3-1 An IS auditor is reviewing a monthly accounts payable transaction register using audit software. For what purpose
would the auditor be interested in using a check digit?
A. To detect data transposition errors.
B. To ensure that transactions do not exceed predetermined amounts.
C. To ensure that data entered are within reasonable limits.
D. To ensure that data entered are within a predetermined range of values.
A is the correct answer.
Justification:
A. A check digit is a numeric value added to data to ensure that original data are correct and have not been
altered.
B. Ensuring that data have not exceeded a predetermined amount is a limit check.
C. Ensuring that data entered are within predetermined reasonable limits is a reasonableness check.
D. Ensuring that data entered are within a predetermined range of values is a range check.
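A worked illustration of the four checks distinguished above, added here and not part of the ISACA manual: a weighted modulus-11 check digit (the ISBN-10 scheme) validates constructed vendor numbers in an accounts payable register, alongside limit, range and reasonableness checks on the amounts. The vendor numbers, amounts, payment history and the 50,000 limit are all made up for the example.

```python
# Added example, not from the ISACA manual: weighted mod-11 check digit
# (ISBN-10 scheme) on constructed vendor numbers, beside the limit, range
# and reasonableness checks that the justification distinguishes it from.
import statistics

def mod11_check_digit(body: str) -> str:
    """Check digit for a string of 1 to 9 digits.
    Weights run len+1 .. 2 from left to right, so any single-digit error
    (weight 2..10) or adjacent transposition (weight difference 1) shifts
    the weighted sum by a non-multiple of 11 and is always detected.
    """
    if not body.isdigit() or not 1 <= len(body) <= 9:
        raise ValueError("body must be 1 to 9 digits")
    n = len(body)
    total = sum(int(ch) * (n + 1 - i) for i, ch in enumerate(body))
    digit = (11 - total % 11) % 11
    return "X" if digit == 10 else str(digit)

def has_valid_check_digit(vendor_no: str) -> bool:
    """True when the trailing character is the correct check digit."""
    body, check = vendor_no[:-1], vendor_no[-1]
    return body.isdigit() and mod11_check_digit(body) == check

# Constructed register: a clean row, a transposed vendor number, an
# over-limit amount, and an amount far above the vendor's typical invoices.
SAMPLE_REGISTER = [
    {"vendor_no": "1234560", "amount": 1250.00},
    {"vendor_no": "1324560", "amount": 980.00},    # digits 2 and 3 swapped
    {"vendor_no": "703427", "amount": 60000.00},   # exceeds the 50,000 limit
    {"vendor_no": "703427", "amount": 25000.00},   # within limit, ~20x typical
]
TYPICAL_AMOUNTS = [900.0, 1100.0, 1250.0, 1300.0, 1000.0]  # constructed history

def audit_register(rows, max_amount=50000.0, history=TYPICAL_AMOUNTS):
    """Return (vendor_no, failed_check) for every row that fails a check."""
    ceiling = 10 * statistics.median(history)  # reasonableness threshold
    findings = []
    for row in rows:
        vendor, amt = row["vendor_no"], row["amount"]
        if not has_valid_check_digit(vendor):
            findings.append((vendor, "check digit"))      # transposition
        elif amt <= 0:
            findings.append((vendor, "range check"))      # payables are positive
        elif amt > max_amount:
            findings.append((vendor, "limit check"))
        elif amt > ceiling:
            findings.append((vendor, "reasonableness check"))
    return findings
```

Note that the check digit catches the swapped digits in the second row, which none of the amount-based checks could see.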
AS3-2 Which of the following is the BEST indicator that a newly developed system will be used after it is in production?
A. Regression testing
B. User acceptance testing (UAT)
C. Sociability testing
D. Parallel testing
B is the correct answer.
Justification:
A. Regression test results do not assist with the user experience and are primarily concerned with new functionality or
processes and whether those changes altered or broke previous functionality.
B. UAT is undertaken to provide confidence that a system or system component operates as intended, to
provide a basis for evaluating the implementation of the requirements, or to demonstrate the effectiveness or
efficiency of the system or component. If the results of the testing are poor, then the system is unlikely to be
adopted by the users.
C. Sociability test results indicate how the application works with other components within the environment and are not
indicative of the user experience.
D. Parallel testing is performed when the comparison of two applications is needed, but will not provide feedback on user
satisfaction.
AS3-3 The project steering committee is ultimately responsible for:
A. day-to-day management and leadership of the project.
B. allocating the funding for the project.
C. project deliverables, costs and timetables.
D. ensuring that system controls are in place.
C is the correct answer.
Justification:
A. Day-to-day management and leadership of the project is the function of the project manager.
B. Providing the funding for the project is the function of the project sponsor.
C. The project steering committee provides overall direction; ensures appropriate representation of the major
stakeholders in the project's outcome; and takes ultimate responsibility for the deliverables, costs and
timetables.
D. Ensuring that system controls are in place is the function of the project security officer.
AS3-4 Which of the following BEST helps ensure that deviations from the project plan are identified?
A. A project management framework
B. A project management approach
C. A project resource plan
D. Project performance criteria
D is the correct answer.
Justification:
A. Establishment of a project management framework identifies the scope and boundaries of managing projects and the
consistent method to be applied when initiating a project, but does not define the criteria used to measure project success.
B. A project management approach defines guidelines for project management processes and deliverables, but does not
define the criteria used to measure project success.
C. A project resource plan defines the responsibilities, relationships, authorities and performance criteria of project team
members, but does not wholly define the criteria used to measure project success.
D. In order to identify deviations from the project plan, project performance criteria must be established as a
baseline. Successful completion of the project plan is indicative of project success.
AS3-5 An IS auditor is reviewing a project for the implementation of a mission-critical system and notes that, instead of
parallel implementation, the team opted for an immediate cutover to the new system. Which of the following is the
GREATEST concern?
A. The implementation phase of the project has no backout plan.
B. User acceptance testing (UAT) was not properly documented.
C. Software functionality tests were completed, but stress testing was not performed.
D. The go-live date is over a holiday weekend when key IT staff are on vacation.
A is the correct answer.
Justification:
A. One of the benefits of deploying a new system in parallel with an existing system is that the original system
can always be used as a backout plan. In an immediate cutover scenario, not having a backout plan can create
significant issues because it can take considerable time and cost to restore operations to the prior state if there
is no viable plan to do so.
B. The documentation of UAT is a much less important concern than not having a viable backout plan; therefore, this is not
the correct answer.
C. The lack of stress testing is a much less important concern than not having a viable backout plan; therefore, this is not
the correct answer.
D. If there are support issues, having the go-live date happen over a holiday weekend may create some delays, but project
managers should account for this to ensure that the required staff are available as needed. The greater risk is if there is no
backout plan.
AS3-6 Which of the following software testing methods provides the BEST feedback on how software will perform in the
live environment?
A. Alpha testing
B. Regression testing
C. Beta testing
D. White box testing
C is the correct answer.
Justification:
A. Alpha testing is often performed only by users within the organization developing the software. Alpha testing generally
involves a software version that does not contain all the features of the final product and may be a simulated test.
B. Regression testing is used to determine whether system changes have introduced new errors to existing functionality.
C. Beta testing follows alpha testing and involves real-world exposure with external user involvement. Beta
testing is the last stage of testing, and involves sending the beta version of the product to independent beta
test sites or offering it free to interested users.
D. White box testing is used to assess the effectiveness of program logic.
AS3-7 Which of the following is the BEST method of controlling scope creep in a system development project?
A. Defining penalties for changes in requirements
B. Establishing a software baseline
C. Adopting a matrix project management structure
D. Identifying the critical path of the project
B is the correct answer.
Justification:
A. While defining penalties for changes in requirements may help to prevent scope creep, software baselining is a better
way to accomplish this goal.
B. Software baselining, the cutoff point in the design phase, occurs after a rigorous review of user
requirements. Any changes thereafter will undergo strict formal change control and approval procedures.
Scope creep refers to uncontrolled change within a project resulting from improperly managed requirements.
C. In a matrix project organization, management authority is shared between the project manager and the department
heads. Adopting a matrix project management structure will not address the problem of scope creep.
D. Although the critical path is important, it will change over time and will not control scope creep.
AS3-8 Which of the following is a PRIMARY objective of embedding an audit module while developing online application
systems?
A. To collect evidence while transactions are processed
B. To reduce requirements for periodic internal audits
C. To identify and report fraudulent transactions
D. To increase efficiency of the audit function
A is the correct answer.
Justification:
A. Embedding a module for continuous auditing within an application processing a large number of transactions
provides timely collection of audit evidence during processing and is the primary objective. The continuous
auditing approach allows the IS auditor to monitor system reliability on a continuous basis and to gather
selective audit evidence through the computer.
B. An embedded audit module enhances the effectiveness of internal audit by ensuring timely availability of required
evidence. It may not reduce the requirements for periodic internal audits, but it will increase their efficiency. Also, the
question pertains to the development process for new application systems, and not to subsequent internal audits.
C. An audit module collects data on transactions that may help identify fraudulent transactions, but it does not identify
fraudulent transactions inherently.
D. Although increased efficiency may be an added benefit of an embedded audit module, it is not the primary objective.