Page 1 of 173
CISA Exam 3 (Certified Information Systems Auditor)
NEWEST VERSION WITH COMPLETE 400 QUESTIONS
AND CORRECT DETAILED SOLUTIONS LATEST UPDATED
VERSION JUST RELEASED
Question: Q01)
A company's development team does not follow generally accepted system development life cycle practices. Which of the following is MOST likely to cause problems for software development projects?
A) Functional verification of the prototypes is assigned to end users.
B) Project responsibilities are not formally defined at the beginning of a project.
C) Program documentation is inadequate.
D) The project is implemented while minor issues are open from user acceptance testing.
CORRECT ANSWER ✔✔ B) IS CORRECT. Project responsibilities are not formally defined at the beginning of a project is correct. Errors or lack of attention in the initial phases of a project may cause costly errors and inefficiencies in later phases. Proper planning is required at the beginning of a project.
A) INCORRECT. Functional verification of the prototypes is assigned to end users is incorrect. Prototypes are normally verified by users.
D) INCORRECT. The project is implemented while minor issues are open from user acceptance testing is incorrect. User acceptance testing is seldom completely successful. If the open errors are not critical, they may be corrected after implementation without seriously affecting usage.
C) INCORRECT. Program documentation is inadequate is incorrect. Lack of adequate program documentation, while a concern, is not as big a risk as the lack of assigned responsibilities during the initial stages of the project.
Question: Q06)
Which of the following is the MOST important skill that an IS auditor should develop to understand the constraints of conducting an audit?
A) Allocating resources
B) Attention to detail
C) Managing audit staff
D) Project management
CORRECT ANSWER ✔✔ D) IS CORRECT. Project management is correct. Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.
C) INCORRECT. Managing audit staff is incorrect. Staff management is only one aspect of conducting an audit.
A) INCORRECT. Allocating resources is incorrect. Allocating resources, including time and personnel, is one component of the broader project management skill set.
B) INCORRECT. Attention to detail is incorrect. Attention to detail is needed, but it does not address the constraints of conducting audits.
Question: Q07)
Which of the following BEST helps prioritize the recovery of IT assets when planning for a disaster?
A) Business impact analysis
B) Incident response plan
C) Recovery time objective
D) Threat and risk analysis
CORRECT ANSWER ✔✔ A) IS CORRECT. Business impact analysis is correct. Incorporating the business impact analysis (BIA) into the IT disaster recovery planning process is critical to ensure that IT assets are prioritized to align with the business.
B) INCORRECT. Incident response plan is incorrect. An incident response plan is an organized approach to addressing and managing a security breach or attack. The plan defines what constitutes an incident and the process to follow when an incident occurs. It does not prioritize recovery during a disaster.
D) INCORRECT. Threat and risk analysis is incorrect. Identifying threats and analyzing risk to the business is an important part of disaster planning, but it does not determine the priority of recovery.
C) INCORRECT. Recovery time objective is incorrect. The recovery time objective is the amount of time allowed for the recovery of a business function or resource after a disaster occurs. It is determined as part of the BIA and is used to represent the prioritization of recovery, rather than being the tool that performs the prioritization.
Question: Q08)
An IS auditor reviewing an outsourcing contract of IT facilities expects it to define the:
A) hardware configuration.
B) ownership of intellectual property.
C) application development methodology.
D) access control software.
CORRECT ANSWER ✔✔ B) IS CORRECT. Ownership of intellectual property is correct. The contract must specify who owns the intellectual property (i.e., the information being processed and the application programs). Ownership of intellectual property is a significant cost and is a key aspect to be defined in an outsourcing contract.
A) INCORRECT. Hardware configuration is incorrect. The hardware configuration is generally irrelevant as long as functionality, availability and security, which are the specific contractual obligations, are not affected.
D) INCORRECT. Access control software is incorrect. The choice of access control software is generally irrelevant as long as functionality, availability and security, which are the specific contractual obligations, are not affected.
C) INCORRECT. Application development methodology is incorrect. The development methodology should be of no real concern in an outsourcing contract.
Question: Q01)
The success of control self-assessment depends highly on:
A) assigning staff managers the responsibility for building controls.
B) the implementation of a stringent control policy and rule-driven controls.