Free ISACA CISA Übungsprüfungen - Seite 41 von 55

Question #401

To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?

A . Review of the general IS controls followed by a review of the application controls
B . Detailed examination of financial transactions followed by review of the general ledger
C . Review of major financial applications followed by a review of IT governance processes
D . Review of application controls followed by a test of key business process controls

Lösung einblenden Lösung ausblenden

Question #402

Which of the following is a detective control?

A . Programmed edit checks for data entry
B . Backup procedures
C . Use of pass cards to gain access to physical facilities
D . Verification of hash totals

Lösung einblenden Lösung ausblenden

Question #403

An external attacker spoofing an internal Internet Protocol (IP) address can BEST be detected by which of the following?

A . Comparing the source address to the domain name server (DNS) entry
B . Using static IP addresses for identification
C . Comparing the source address to the interface used as the entry point
D . Using a state table to compare the message states of each packet as it enters the system

Lösung einblenden Lösung ausblenden

Question #404

An IS auditor engaged in developing the annual internal audit plan learns that the chief information officer (CIO) has requested there be no IS audits in the upcoming year as more time is needed to address a large number of recommendations from the previous year.

Which of the following should the auditor do FIRST

A . Escalate to audit management to discuss the audit plan
B . Notify the chief operating officer (COO) and discuss the audit plan risks
C . Exclude IS audits from the upcoming year’s plan
D . Increase the number of IS audits in the clan

Lösung einblenden Lösung ausblenden

Question #405

An organization wants to classify database tables according to its data classification scheme From an IS auditor’s perspective the tables should be classified based on the:

A . specific functional contents of each single table.
B . frequency of updates to the table.
C . descriptions of column names in the table.
D . number of end users with access to the table.

Lösung einblenden Lösung ausblenden

Question #406

A CFO has requested an audit of IT capacity management due to a series of finance system slowdowns during month-end reporting.

What would be MOST important to consider before including this audit in the program?

A . Whether system delays result in more frequent use of manual processing
B . Whether the system’s performance poses a significant risk to the organization
C . Whether stakeholders are committed to assisting with the audit
D . Whether internal auditors have the required skills to perform the audit

Lösung einblenden Lösung ausblenden

Richtige Antwort: B
B

Explanation:

The most important thing to consider before including an audit of IT capacity management in the program is whether the system’s performance poses a significant risk to the organization. IT capacity management is a process that ensures that IT resources are sufficient to meet current and future business needs, and that they are optimized for cost and performance. A poor IT capacity management can result in system slowdowns, outages, failures, or breaches, which can affect the availability, reliability, security, and efficiency of IT services and business processes. Therefore, before conducting an audit of IT capacity management, the auditor should assess the potential impact and likelihood of these risks on the organization’s objectives, reputation, compliance, and customer satisfaction.

Whether system delays result in more frequent use of manual processing (option A) is not the most important thing to consider before including an audit of IT capacity management in the program, as it is only one possible consequence of poor IT capacity management. Manual processing can introduce errors, delays, inefficiencies, and inconsistencies in the data and reports, which can affect the quality and accuracy of financial information. However, manual processing is not the only or the worst outcome of poor IT capacity management; there may be other more severe or frequent risks that need to be considered.

Whether stakeholders are committed to assisting with the audit (option C) is also not the most important thing to consider before including an audit of IT capacity management in the program, as it is a factor that affects the feasibility and effectiveness of the audit, not the necessity or priority of it. Stakeholder commitment is important for ensuring that the auditor has access to relevant information, documents, data, and personnel, as well as for facilitating communication, collaboration, and feedback during the audit process. However, stakeholder commitment is not a sufficient reason to conduct an audit of IT capacity management; there must be a clear risk-based rationale for selecting this area for audit.

Whether internal auditors have the required skills to perform the audit (option D) is also not the most important thing to consider before including an audit of IT capacity management in the program, as it is a factor that affects the quality and credibility of the audit, not the urgency or importance of it. Internal auditors should have the appropriate knowledge, skills, and experience to perform an audit of IT capacity management, which may include technical, business, analytical, and communication skills. However, internal auditors can also acquire or supplement these skills through training, coaching, consulting, or outsourcing. Therefore, internal auditors’ skills are not a decisive factor for choosing this area for audit.

Therefore, option B is the correct answer.

References:

Guide to IT Capacity Management | Smartsheet

ISO 27001 capacity management: How to implement control A.12.1.3 – Advisera

ISO 27002:2022 C Control 8.6 C Capacity Management

Question #407

Which of the following approaches will ensure recovery time objectives (RTOs) are met for an organization’s disaster recovery plan (DRP)?

A . Performing a cyber resilience test
B . Performing a full interruption test
C . Performing a tabletop test
D . Performing a parallel test

Lösung einblenden Lösung ausblenden

Question #408

Which of the following BEST enables an organization to determine the effectiveness of its information security awareness program?

A . Measuring user satisfaction with the quality of the training
B . Evaluating the results of a social engineering exercise
C . Reviewing security staff performance evaluations
D . Performing an analysis of the number of help desk calls

Lösung einblenden Lösung ausblenden

Question #409

Which of the following documents should define roles and responsibilities within an IT audit organization?

A . Audit charter
B . Annual audit plan
C . Engagement letter
D . Audit scope letter

Lösung einblenden Lösung ausblenden

Question #410

Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?

A . Using passwords to allow authorized users to send documents to the printer
B . Requiring a key code to be entered on the printer to produce hard copy
C . Encrypting the data stream between the user’s computer and the printer
D . Producing a header page with classification level for printed documents

Lösung einblenden Lösung ausblenden