100% CORRECT ANSWERS
Which of the following is MOST critical for the successful implementation and
maintenance of a security policy?
A. Assimilation of the framework and intent of a written security policy by all appropriate
parties
B. Management support and approval for the implementation and maintenance of a
security policy
C. Enforcement of security rules by providing punitive actions for any violation of
security rules
D. Stringent implementation, monitoring and enforcing of rules by the security officer
through access control software - Answer- The correct answer is A.
Assimilation of the framework and intent of a written security policy by the users of the
system is critical to the successful implementation and maintenance of the security
policy. A good password system may exist, but if the users of the system keep
passwords written on their desk, the password is of little value. Management support
and commitment is, no doubt, important, but for successful implementation and
maintenance of a security policy, educating the users on the importance of security is
paramount. The stringent implementation, monitoring and enforcing of rules by the
security officer through access control software, and provision for punitive actions for
violation of security rules, is also required, along with the user's education on the
importance of security.
For effective implementation after a business continuity plan (BCP) has been
developed, it is MOST important that the BCP be:
A. stored in a secure, offsite facility.
B. approved by senior management.
C. communicated to appropriate personnel.
D. made available through the enterprise's intranet. - Answer- The correct answer is C.
The implementation of a BCP will be effective only if appropriate personnel are informed
and aware of all the aspects of the BCP. The BCP, if kept in a safe place, will not reach
the users; users will never implement the BCP and, thus, the BCP will be ineffective.
Senior management approval is a prerequisite for designing the BCP. Making a BCP
available on an enterprise's intranet does not guarantee that personnel will read or
understand it.
Which of the following would contribute MOST to an effective business continuity plan
(BCP)?
A. The document is circulated to all interested parties.
B. Planning involves all user departments.
C. The plan is approved by senior management.
D. An audit is performed by an external IS auditor. - Answer- The correct answer is B.
The involvement of user departments in the BCP is crucial for the identification of the
business processing priorities. The BCP circulation will ensure that the BCP document
is received by all users. Although essential, this does not contribute significantly to the
success of the BCP. A BCP approved by senior management would not ensure the
quality of the BCP, nor would an audit necessarily improve the quality of the BCP.
Which of the following is the MOST effective when determining the correctness of
individual account balances migrated from one database to another?
A. Compare the hash total before and after the migration.
B. Verify that the number of records is the same for both databases.
C. Perform sample testing of the migrated account balances.
D. Compare the control totals of all of the transactions. - Answer- The correct answer is C.
Performing sample testing of the migrated account balances will involve the comparison
of a selection of individual transactions from the database before the migration. The
hash total will only validate the data integrity at a batch level rather than at a transaction
level. Databases are composed of records that can contain multiple fields. The number
of records will not allow an IS auditor to ascertain whether some of these fields have
been successfully migrated. Comparing the control totals does not imply that the
records are complete.
When reviewing a disaster recovery plan (DRP), an IS auditor should be MOST
concerned with the lack of:
A. process owner involvement.
B. well-documented testing procedures.
C. an alternate processing facility.
D. a well-documented data classification scheme. - Answer- The answer is A.
Process owner involvement is a critical part of the business impact analysis (BIA), which
is used to create the DRP. If the IS auditor determined that process owners were not
involved, this would be a significant concern. While well-documented testing procedures
are important, unless process owners are involved there is no way to know whether the
testing procedures are valid. An alternate processing facility may be a requirement to
meet the needs of the business; however, such a decision needs to be based on the
BIA. A data classification scheme is important to ensure that controls over data are
appropriate; however, this is a lesser concern than a lack of process owner
involvement.
Once an organization has finished the business process reengineering (BPR) of all its
critical operations, an IS auditor would MOST likely focus on a review of:
A. pre-BPR process flowcharts.
B. post-BPR process flowcharts.
C. BPR project plans.
D. continuous improvement and monitoring plans. - Answer- The correct answer is B.
An IS auditor's task is to identify and ensure that key controls have been incorporated
into the reengineered process. Choice A is incorrect because an IS auditor must review
the process as it is today, not as it was in the past. Choices C and D are incorrect
because they are steps within a BPR project.
General ledger (GL) data are required for an audit. Instead of asking IT to extract the
data, the IS auditor is granted direct access to the data. What is the MAIN advantage of
this approach?
A. Reduction of IT person-hours to support the audit
B. Reduction of the likelihood of errors in the extraction process
C. Greater flexibility for the audit department
D. Greater assurance of data validity - Answer- The answer is D.
A. While the burden on IT staff to support the audit may decrease if the IS auditor
directly extracts the data, this advantage is not as significant as the increased data
validity.
B. The risk of errors would increase because IS auditors generally have a wider, but
less detailed, technical knowledge of the internal data structure and database
technicalities.
C. This task requires a precise coordination with the database and operations
departments to avoid interference with operations and assure data consistency and
completeness.
D. If the IS auditor executes the data extraction, there is greater assurance that the
extraction criteria will not interfere with the required completeness and therefore all
required data will be collected. Asking IT to extract the data may expose the risk of
filtering out exceptions that should be seen by the auditor. Also, if the IS auditor collects
the data, all internal references correlating the various data tables/elements will be
understood, and this knowledge may reveal vital elements to the completeness and
correctness of the overall audit activity.
A legacy payroll application is migrated to a new application. Which of the following
stakeholders should be PRIMARILY responsible for reviewing and signing-off on the
accuracy and completeness of the data before going live?
A. IS auditor
B. Database administrator
C. Project manager
D. Data owner - Answer- D
Upon receipt of the initial signed digital certificate the user will decrypt the certificate
with the public key of the:
A. registration authority (RA).
B. certificate authority (CA).
C. certificate repository.
D. receiver. - Answer- B