Download New Updated (July) Isaca CISA Actual Test 291-300


 

QUESTION 291

The success of control self-assessment (CSA) highly depends on:

 

A.

having line managers assume a portion of the responsibility for control monitoring.

B.

assigning staff managers the responsibility for building, but not monitoring, controls.

C.

the implementation of a stringent control policy and rule-driven controls.

D.

the implementation of supervision and the monitoring of controls of assigned duties.

 

Correct Answer: A

Explanation:

The primary objective of a CSA program is to leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional area line managers. The success of a control self-assessment (CSA) program depends on the degree to which line managers assume responsibility for controls. Choices B, C and D are characteristics of a traditional audit approach, not a CSA approach.

 

 

QUESTION 292

The vice president of human resources has requested an audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?

 

A.

Test data

B.

Generalized audit software

C.

Integrated test facility

D.

Embedded audit module

 

Correct Answer: B

Explanation:

Generalized audit software (GAS) can read the complete payroll file for the previous year, recompute each payment from hours worked and the authorised pay rate, and report exceptions such as payments above the recomputed amount or duplicate payments for the same employee and pay period. Test data and an integrated test facility exercise the payroll program's processing logic with auditor-prepared transactions rather than examining the payments actually made; an embedded audit module captures transactions as they are processed and cannot be applied retrospectively to a prior year.
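The kind of test a GAS tool would run over a payroll register, written out as an added Python example (not code from the original page). The HR master rates, the payroll extract, the tolerance and the function names are constructed assumptions; the point is that the auditor re-performs the calculation over the whole population and reports only the exceptions.

```python
"""Generalized-audit-software style payroll overpayment test.

Added example (not from the original page): re-performs the payroll
calculation over a constructed extract and flags payments that exceed the
amount supported by HR master data, plus duplicate payments for the same
employee and pay period, plus payments to employees with no HR record.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed HR master data: employee id -> authorised hourly rate.
HR_MASTER = {
    "E100": Decimal("25.00"),
    "E101": Decimal("30.00"),
    "E102": Decimal("18.50"),
}

# Constructed payroll register extract: (employee, period, hours, amount_paid).
PAYROLL_REGISTER = [
    ("E100", "2023-01", Decimal("160"), Decimal("4000.00")),  # correct
    ("E101", "2023-01", Decimal("160"), Decimal("5100.00")),  # overpaid by 300
    ("E102", "2023-01", Decimal("80"),  Decimal("1480.00")),  # correct
    ("E102", "2023-01", Decimal("80"),  Decimal("1480.00")),  # duplicate run
    ("E103", "2023-01", Decimal("160"), Decimal("3200.00")),  # no HR record
]

# Assumed rounding tolerance so cent-level rounding is not reported.
TOLERANCE = Decimal("0.01")


def find_overpayments(register, hr_master, tolerance=TOLERANCE):
    """Return findings as (employee, period, reason, amount).

    'amount' is the excess for an overpayment and the full payment for a
    duplicate or an unmatched employee.
    """
    findings = []
    seen = defaultdict(int)
    for emp, period, hours, paid in register:
        seen[(emp, period)] += 1
        if seen[(emp, period)] > 1:
            findings.append((emp, period, "duplicate payment", paid))
        rate = hr_master.get(emp)
        if rate is None:
            findings.append((emp, period, "no HR master record", paid))
            continue
        expected = (hours * rate).quantize(Decimal("0.01"))
        if paid - expected > tolerance:
            findings.append((emp, period, "overpayment", paid - expected))
    return findings


def total_overpaid(findings):
    """Sum of the excess amounts across 'overpayment' findings only."""
    return sum((f[3] for f in findings if f[2] == "overpayment"), Decimal("0"))
```

Because the whole register is processed rather than a sample, the exception report is the evidence for the audit; a real run would read the register from the payroll system's extract file instead of the embedded list.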

 

 

QUESTION 293

Which of the following is an attribute of the control self-assessment (CSA) approach?

 

A.

Broad stakeholder involvement

B.

Auditors are the primary control analysts

C.

Limited employee participation

D.

Policy driven

Correct Answer: A

Explanation:

The control self-assessment (CSA) approach emphasizes management of and accountability for developing and monitoring the controls of an organization's business processes. The attributes of CSA include empowered employees, continuous improvement, extensive employee participation and training, all of which are representations of broad stakeholder involvement. Choices B, C and D are attributes of a traditional audit approach.

 

 

QUESTION 294

The MAJOR advantage of the risk assessment approach over the baseline approach to information security management is that it ensures:

 

A.

information assets are overprotected.

B.

a basic level of protection is applied regardless of asset value.

C.

appropriate levels of protection are applied to information assets.

D.

an equal proportion of resources are devoted to protecting all information assets.

 

Correct Answer: C

Explanation:

A full risk assessment determines the level of protection most appropriate to a given level of risk, while the baseline approach merely applies a standard set of protections regardless of risk. There is a cost advantage in not overprotecting information. However, an even bigger advantage is making sure that no information assets are over- or underprotected. The risk assessment approach ensures that an appropriate level of protection is applied, commensurate with the level of risk and the value of the asset. The baseline approach does not allow more resources to be directed toward the assets at greater risk; it directs resources equally to all assets.

 

 

QUESTION 295

An IS auditor is performing an audit of a remotely managed server backup. The IS auditor reviews the logs for one day and finds one case where logging on a server has failed with the result that backup restarts cannot be confirmed. What should the auditor do?

 

A.

Issue an audit finding

B.

Seek an explanation from IS management

C.

Review the classifications of data held on the server

D.

Expand the sample of logs reviewed

 

Correct Answer: D

Explanation:

Audit standards require that an IS auditor gather sufficient and appropriate audit evidence. The auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure. At this stage it is too preliminary to issue an audit finding; seeking an explanation from management is advisable, but it is better to gather additional evidence first in order to evaluate the seriousness of the situation properly. A backup failure, which has not been established at this point, would be serious if it involved critical data. However, the issue is not the importance of the data on the server where the problem was detected, but whether a systematic control failure exists that affects other servers as well.
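What "expanding the sample" looks like in practice, as an added Python example that is not part of the original page: parse backup logon lines for several servers over several days and decide whether the failure is isolated, recurring on one host, or spread across hosts. The log format, host names and the decision rule in `classify` are constructed assumptions.

```python
"""Expanding a log sample to decide whether a backup logon failure is isolated.

Added example, not from the original page. The log format, host names and
the classification thresholds are constructed assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed log lines: one nightly backup logon per server per day,
# plus an unrelated "restart confirmed" line the parser must skip.
SAMPLE_LOGS = """\
2023-03-01 02:00:04 srv-db01 backup: logon OK
2023-03-01 02:00:05 srv-app02 backup: logon FAILED (error 1326)
2023-03-01 02:00:06 srv-file03 backup: logon OK
2023-03-01 02:41:10 srv-db01 backup: restart confirmed
2023-03-02 02:00:03 srv-db01 backup: logon OK
2023-03-02 02:00:05 srv-app02 backup: logon FAILED (error 1326)
2023-03-02 02:00:06 srv-file03 backup: logon OK
2023-03-03 02:00:04 srv-db01 backup: logon OK
2023-03-03 02:00:05 srv-app02 backup: logon OK
2023-03-03 02:00:07 srv-file03 backup: logon FAILED (error 1326)
2023-03-04 02:00:04 srv-db01 backup: logon OK
2023-03-04 02:00:05 srv-app02 backup: logon FAILED (error 1326)
2023-03-04 02:00:06 srv-file03 backup: logon OK
"""

LOGON_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"backup: logon (?P<result>OK|FAILED)"
)


def parse_logon_events(text):
    """Return (date, host, result) for each backup logon line; skip other lines."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            events.append((m["date"], m["host"], m["result"]))
    return events


def failure_summary(events):
    """Per-host attempt and failure counts, plus the dates on which it failed."""
    summary = defaultdict(lambda: {"attempts": 0, "failures": 0, "dates": set()})
    for date, host, result in events:
        summary[host]["attempts"] += 1
        if result == "FAILED":
            summary[host]["failures"] += 1
            summary[host]["dates"].add(date)
    return dict(summary)


def classify(summary):
    """Assumed decision rule: a single failure on a single host is 'isolated';
    failures on more than one host are 'systematic'; repeated failures on one
    host are 'recurring' (still worth a finding, but scoped to that host)."""
    failing_hosts = [h for h, s in summary.items() if s["failures"] > 0]
    total_failures = sum(s["failures"] for s in summary.values())
    if total_failures == 0:
        return "no failures"
    if len(failing_hosts) == 1 and total_failures == 1:
        return "isolated"
    if len(failing_hosts) > 1:
        return "systematic"
    return "recurring"


def assess(text):
    """Classification for a block of log text."""
    return classify(failure_summary(parse_logon_events(text)))
```

Run on the first day only, the sample yields exactly the situation in the question (one failure, one host, "isolated"); run on the four-day sample, the same failure turns out to recur and a second host fails too, which is the evidence needed before writing a finding.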

 

 


QUESTION 296

In the process of evaluating program change controls, an IS auditor would use source code comparison software to:

 

A.

examine source program changes without information from IS personnel.

B.

detect a source program change made between acquiring a copy of the source and the comparison run.

C.

confirm that the control copy is the current version of the production program.

D.

ensure that all changes made in the current source copy are detected.

 

Correct Answer: A

Explanation:

Source code comparison gives an IS auditor objective, independent and relatively complete assurance about program changes, because the comparison itself identifies the changes without relying on information from IS personnel. Choice B is incorrect because changes made since the control copy was acquired are not reflected in that copy. Choice C is incorrect because an IS auditor has to gain assurance that the control copy is the current production version separately. Choice D is incorrect because any change made between the time the control copy was acquired and the time the comparison is run will not be detected.
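A source comparison run as an added Python example (not code from the original page), including the check the explanation implies: record a fingerprint of the control copy when it is acquired and refuse to compare if the control copy no longer matches it. The two program versions, the fingerprint and the function names are constructed for illustration.

```python
"""Source code comparison for program change review.

Added example, not from the original page. The two program versions,
the recorded fingerprint and the function names are constructed.
"""
import difflib
import hashlib

# Constructed control copy taken from the production library at the
# start of the audit.
CONTROL_COPY = """\
def approve_payment(amount, limit, approver):
    if amount > limit:
        return False
    log("approved", amount, approver)
    return True
"""

# Constructed current production source with one unapproved change.
PRODUCTION_SOURCE = """\
def approve_payment(amount, limit, approver):
    if amount > limit and approver != "SYSADMIN":
        return False
    log("approved", amount, approver)
    return True
"""


def fingerprint(source):
    """SHA-256 of the source text, recorded when the control copy is acquired."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def compare_sources(control, current):
    """Return only the added/removed lines of a unified diff, no headers."""
    diff = difflib.unified_diff(
        control.splitlines(), current.splitlines(),
        fromfile="control_copy", tofile="production", lineterm="", n=0,
    )
    return [
        line for line in diff
        if line[:1] in "+-" and not line.startswith(("+++", "---"))
    ]


def control_copy_intact(control, recorded_fingerprint):
    """The comparison is only meaningful if the control copy itself has not
    been altered since it was acquired."""
    return fingerprint(control) == recorded_fingerprint


def review_changes(control, recorded_fingerprint, current):
    """Verify the control copy, then list every changed line in production."""
    if not control_copy_intact(control, recorded_fingerprint):
        raise ValueError("control copy does not match the fingerprint recorded at acquisition")
    return compare_sources(control, current)


# Recorded at acquisition time; in practice stored in the audit workpapers.
RECORDED_FINGERPRINT = fingerprint(CONTROL_COPY)
```

The diff output is the evidence; each changed line is then traced to an approved change request. The fingerprint check addresses the control copy's own integrity, not the question of whether it was the current production version when taken, which still has to be confirmed separately.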

 

 

QUESTION 297

During an exit interview, in cases where there is disagreement regarding the impact of a finding, an IS auditor should:

 

A.

ask the auditee to sign a release form accepting full legal responsibility.

B.

elaborate on the significance of the finding and the risks of not correcting it.

C.

report the disagreement to the audit committee for resolution.

D.

accept the auditee’s position since they are the process owners.

 

Correct Answer: B

Explanation:

If the auditee disagrees with the impact of a finding, it is important for an IS auditor to elaborate and clarify the risks and exposures, as the auditee may not fully appreciate the magnitude of the exposure. The goal should be to enlighten the auditee or uncover new information of which an IS auditor may not have been aware. Anything that appears to threaten the auditee will lessen effective communications and set up an adversarial relationship. By the same token, an IS auditor should not automatically agree just because the auditee expresses an alternate point of view.

 

 

QUESTION 298

An IS auditor evaluating logical access controls should FIRST:

 

A.

document the controls applied to the potential access paths to the system.

B.

test controls over the access paths to determine if they are functional.

C.

evaluate the security environment in relation to written policies and practices.

D.

obtain an understanding of the security risks to information processing.

 

Correct Answer: D

Explanation:

When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risks facing information processing by reviewing relevant documentation, making inquiries, and conducting a risk assessment. Documenting and evaluating the controls over the potential access paths is the second step in assessing their adequacy, efficiency and effectiveness, and identifies deficiencies or redundancy in controls. The third step is to test the access paths to determine whether the controls are functioning. Lastly, the IS auditor evaluates the security environment to assess its adequacy by reviewing the written policies, observing practices and comparing them to appropriate security best practices.

 

 

QUESTION 299

An organization’s IS audit charter should specify the:

 

A.

short- and long-term plans for IS audit engagements.

B.

objectives and scope of IS audit engagements.

C.

detailed training plan for the IS audit staff.

D.

role of the IS audit function.

 

Correct Answer: D

Explanation:

An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope, and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee. Short-term and long-term planning is the responsibility of audit management. The objectives and scope of each IS audit should be agreed to in an engagement letter. A training plan, based on the audit plan, should be developed by audit management.

 

 

QUESTION 300

When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with:

 

A.

analysis.

B.

evaluation.

C.

preservation.

D.

disclosure.

 

Correct Answer: C

Explanation:

Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the acceptance of the evidence in legal proceedings. Analysis, evaluation and disclosure are important but not of primary concern in a forensic investigation.
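What preserving evidence means in working terms, as an added Python example (not from the original page): hash the evidence at acquisition, keep an append-only custody trail, and verify the hash before any analysis or disclosure. The evidence bytes, the custodian names and the record layout are constructed assumptions.

```python
"""Evidence preservation: acquisition hash and chain-of-custody record.

Added example, not from the original page. The evidence bytes, custodian
names and record layout are constructed assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed evidence: a small log extract acquired from a suspect host.
EVIDENCE = b"user=alice\nlast_login=2023-03-04T01:58:00Z\naction=export_customer_db\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def acquire(evidence, source, collector, when=None):
    """Create the acquisition record; the hash is taken before any analysis."""
    when = when or datetime.now(timezone.utc).isoformat()
    return {
        "source": source,
        "sha256": sha256_hex(evidence),
        "size": len(evidence),
        "custody": [{"action": "acquired", "by": collector, "at": when}],
    }


def transfer(record, frm, to, when=None):
    """Append a hand-off to the custody trail; entries are never edited."""
    when = when or datetime.now(timezone.utc).isoformat()
    record["custody"].append(
        {"action": "transferred", "from": frm, "to": to, "at": when}
    )
    return record


def verify(record, evidence):
    """True only if the evidence still matches the hash taken at acquisition.
    Analysis should be done on a verified working copy, never on the original."""
    return len(evidence) == record["size"] and sha256_hex(evidence) == record["sha256"]


def export_record(record):
    """Deterministic serialisation suitable for a write-once evidence log."""
    return json.dumps(record, sort_keys=True)


def load_record(text):
    return json.loads(text)
```

Any later change to the evidence, even a single byte, makes `verify` fail, which is exactly the situation that would jeopardize acceptance of the evidence in legal proceedings; the custody trail shows who held the evidence at every point in between.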

 
