Exam (elaborations)

ISACA Exam Questions & Answers (Grade A+).docx

Pages: 198
Grade: A+
Uploaded on: 22-05-2026
Written in: 2025/2026
Institution: CISM - Certified Information Security Manager
Course: CISM - Certified Information Security Manager

Content preview

ISACA Exam Questions & Answers
(Grade A+)
Which of the following is an appropriate test method to apply to a business continuity plan?
A. Pilot
B. Paper
C. Unit
D. System
B is the correct answer.
Justification
A. A pilot test is used for implementing a new process or technology and is not appropriate for a BCP.
B. A paper test (sometimes called a deskcheck) is appropriate for testing a business continuity plan (BCP). It is a walk-through of the entire BCP, or part of the BCP, involving major players in the BCP's execution who reason out what may happen in a particular disaster.
C. A unit test is used to test new software components and is not appropriate for a BCP.
D. A system test is an integrated test used to test a new IT system but is not appropriate for a BCP.


A company has implemented a new client-server enterprise resource planning (ERP) system. Local branches transmit customer orders to a central manufacturing facility. Which of the following would BEST ensure that the orders are processed accurately, and the corresponding products are produced?
A. Verifying production of customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production
A is the correct answer.
Justification
A. Verification of the products produced will ensure that the produced products match the orders in the order system.
B. Logging can be used to detect inaccuracies but does not, in itself, guarantee accurate processing.
C. Hash totals will ensure accurate order transmission, but not accurate processing centrally.
D. Production supervisory approval is a time consuming, manual process that does not guarantee proper control.


An IS auditor is reviewing system access and discovers an excessive number of users with privileged access. The IS auditor discusses the situation with the system administrator, who states that some personnel in other departments need privileged access and management has approved the access. Which of the following would be the BEST course of action for the IS auditor?
A. Determine whether compensating controls are in place.
B. Document the issue in the audit report.
C. Recommend an update to the procedures.
D. Discuss the issue with senior management.
A is the correct answer.
Justification
A. An excessive number of users with privileged access is not necessarily an issue if compensating controls are in place.
B. An IS auditor should gather additional information before presenting the situation in the report.
C. An update to procedures would not address a potential weakness in logical security and may not be feasible if individuals are required to have this access to perform their jobs.
D. The IS auditor should gather additional information before reporting the item to senior management.


An organization has a business process with a recovery time objective equal to zero and a recovery point objective close to one minute. This implies that the process can tolerate:
A. a data loss of up to one minute, but the processing must be continuous.
B. a one-minute processing interruption but cannot tolerate any data loss.
C. a processing interruption of one minute or more.
D. both a data loss and a processing interruption longer than one minute.
A is the correct answer.
Justification
A. Recovery time objective (RTO) measures an organization's tolerance for downtime and recovery point objective (RPO) measures how much data loss can be accepted.
B. A processing interruption of one minute would exceed the zero RTO set by the organization.
C. This would exceed the continuous availability requirements of an RTO of zero.
D. An RPO of one minute would only allow data loss of one minute.


A certificate authority (CA) can delegate the processes of:
revocation and suspension of a subscriber's certificate.
generation and distribution of the CA public key.
establishing a link between the requesting entity and its public key.

Seller: Chloelunar, University Of Nevada-Las Vegas