Free ISACA CISA Übungsprüfungen - Seite 43 von 55

Question #421

In the development of a new financial application, the IS auditor’s FIRST involvement should be in the:

A . control design.
B . feasibility study.
C . application design.
D . system test.

Richtige Antwort: B
B

Explanation:

In the development of a new financial application, the IS auditor’s first involvement should be in the feasibility study. A feasibility study is a preliminary analysis that evaluates the technical, operational, economic, and legal aspects of a proposed project or system. A feasibility study helps determine whether the project or system is viable, feasible, and desirable for the organization and its stakeholders.

The IS auditor’s role in the feasibility study is to provide an independent and objective assessment of the project or system’s risks, benefits, costs, and impacts. The IS auditor should also ensure that the feasibility study follows a structured and systematic approach, considers all relevant factors and alternatives, and complies with the organization’s policies and standards. The IS auditor should also verify that the feasibility study is documented and communicated to the appropriate decision-makers.

The IS auditor’s involvement in the feasibility study is important because it can help:

Identify and mitigate potential risks and issues that could affect the project or system’s success Evaluate and justify the project or system’s alignment with the organization’s strategy, goals, and value proposition

Estimate and optimize the project or system’s resources, budget, schedule, and quality

Assess and enhance the project or system’s security, reliability, performance, and usability

Ensure that the project or system meets the expectations and requirements of the users and other stakeholders

The other three options are not the first involvement of the IS auditor in the development of a new financial application, although they may be part of the subsequent stages of the development process. Control design is the process of defining and implementing controls that ensure the security, integrity, availability, and efficiency of the system. Application design is the process of specifying the functional and technical features of the system. System test is the process of verifying that the system meets the specifications and requirements.

Therefore, feasibility study is the best answer.

References:

[Feasibility Study – ISACA]

[IS Auditing Guideline G13 Performing an IS Audit Engagement – ISACA]

Question #422

Which of the following analytical methods would be MOST useful when trying to identify groups with similar behavior or characteristics in a large population?

A . Deviation detection
B . Cluster sampling
C . Random sampling
D . Classification

Lösung einblenden Lösung ausblenden

Question #423

Which of the following types of environmental equipment will MOST likely be deployed below the floor tiles of a data center?

A . Temperature sensors
B . Humidity sensors
C . Water sensors
D . Air pressure sensors

Lösung einblenden Lösung ausblenden

Question #424

A startup organization wants to develop a data loss prevention (DLP) program. The FIRST step should be to implement:

A . Security awareness training
B . Data encryption
C . Data classification
D . Access controls

Lösung einblenden Lösung ausblenden

Question #425

One advantage of monetary unit sampling is the fact that

A . results are stated m terms of the frequency of items in error
B . it can easily be applied manually when computer resources are not available
C . large-value population items are segregated and audited separately
D . it increases the likelihood of selecting material items from the population

Lösung einblenden Lösung ausblenden

Question #426

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

A . Use of stateful firewalls with default configuration
B . Ad hoc monitoring of firewall activity
C . Misconfiguration of the firewall rules
D . Potential back doors to the firewall software

Lösung einblenden Lösung ausblenden

Question #427

Which type of risk would MOST influence the selection of a sampling methodology?

A . Inherent
B . Residual
C . Control
D . Detection

Lösung einblenden Lösung ausblenden

Richtige Antwort: D
D

Explanation:

The type of risk that would most influence the selection of a sampling methodology is detection risk (option D).

This is because:

Detection risk is the risk that the auditor will not detect a material misstatement that exists in an assertion1. Detection risk depends on the effectiveness of the audit procedures and how well they are applied by the auditor1.

The selection of a sampling methodology is part of the design of audit procedures, which aims to reduce detection risk to an acceptable level1. The auditor should consider the following factors when

selecting a sampling methodology23:

The objectives of the audit procedure and the related assertions.

The characteristics of the population from which the sample will be drawn, such as its size, homogeneity, and structure.

The sampling technique to be used, such as random, systematic, haphazard, or judgmental.

The sample size and the method of selecting sample items.

The evaluation of the sample results and the projection of errors to the population.

The auditor should also consider the advantages and disadvantages of different sampling methodologies, such as statistical and non-statistical sampling23. Statistical sampling is a sampling technique that uses random selection and probability theory to evaluate sample results. Non-statistical sampling is a sampling technique that does not use random selection or probability theory to evaluate sample results. Some of the advantages and disadvantages are as follows23:

Statistical sampling allows the auditor to measure and control sampling risk, which is the risk that the sample is not representative of the population. Statistical sampling also allows the auditor to quantify the precision and reliability of the sample results. However, statistical sampling requires more technical knowledge and skills, as well as more time and cost, than non-statistical sampling.

Non-statistical sampling relies on the auditor’s professional judgment and experience to select and evaluate sample items. Non-statistical sampling is more flexible and less complex than statistical sampling. However, non-statistical sampling does not provide an objective basis for measuring and controlling sampling risk, nor does it allow the auditor to quantify the precision and reliability of the sample results.

Therefore, the type of risk that would most influence the selection of a sampling methodology is detection risk (option D), as it determines how effective and efficient the audit procedures should be in order to provide sufficient appropriate audit evidence.

References: 1: Audit Sampling – Overview, Purpose, Importance, and Types 2: Audit Sampling | Auditing and Attestation | CPA Exam FAR 3: Audit Sampling | ACCA Qualification | Students | ACCA Global

Question #428

Who is PRIMARILY responsible for the design of IT controls to meet control objectives?

A . Risk management
B . Business management
C . IT manager
D . Internal auditor

Lösung einblenden Lösung ausblenden

Question #429

Which of the following would be the GREATEST concern to an IS auditor when reviewing the outsourcing contract for an organization’s cloud service provider?

A . There is no change management process defined in the contract.
B . There are no procedures for incident escalation.
C . There is no dispute resolution process defined in the contract.
D . There is no right-to-audit clause defined in the contract.

Lösung einblenden Lösung ausblenden

Question #430

Which of the following should be of GREATEST concern to an IS auditor performing a review of information security controls?

A . The information security policy has not been approved by the chief audit executive (CAE).
B . The information security policy does not include mobile device provisions
C . The information security policy is not frequently reviewed
D . The information security policy has not been approved by the policy owner

Lösung einblenden Lösung ausblenden