CISA Study Notes
Who is responsible for imposing an IT governance model encompassing IT strategy, information
security, and formal enterprise architectural mandates? - ANS-IT executives and the Board of
Directors
The party that performs strategic planning and addresses near-term and long-term requirements,
aligning business objectives with technology strategies. - ANS-The Steering Committee
What three elements allow validation of business practices against acceptable measures of
regulatory compliance, performance, and standard operational guidelines? - ANS-(1.) Policies
(2.) Procedures (3.) Standards
What activity involves the identification of potential risk and the appropriate response for each
threat based on impact assessment using qualitative and/or quantitative measures for an
enterprise-wide risk management strategy? - ANS-Risk Management
IT governance is most concerned with: - ANS-IT strategy
Describe the advantages of outsourcing. - ANS-Outsourcing is an opportunity for the
organization to focus on core competencies. When an organization outsources a business
function, it no longer needs to be concerned about training employees in that function.
Outsourcing does not always reduce costs, because cost reduction is not always the primary
goal of outsourcing.
An external IS auditor has discovered a segregation of duties issue in a high value process.
What is the best action for the auditor to take? - ANS-The external auditor can only document
the finding in the audit report. An external auditor is not in a position to implement controls.
An organization has chosen to open a business office in another country where labor costs are
lower and has hired workers to perform business functions there. This organization has done
what? - ANS-The organization is insourcing - while they may have opened the office in a foreign
country, they have hired locals to do the work as opposed to contracting with a third party.
An organization has discovered that some of its employees have criminal records. What is the
best course of action for the organization to take? - ANS-The organization should have
background checks performed on all of its existing employees and also begin instituting
background checks of all new-hires. It is not necessarily required to terminate the employees -
their offenses may not warrant termination.
The options for Risk Treatment are: - ANS-(1.) Risk Mitigation (2.) Risk Avoidance (3.) Risk
Transfer (4.) Risk Acceptance
Annualized Loss Expectancy (ALE) is defined as: - ANS-ALE is the expected annual loss for an
asset. It is calculated as the single loss expectancy (SLE) x the annualized rate of occurrence
(ARO).
A quantitative risk analysis is more difficult to perform because: - ANS-It is difficult to get
accurate figures on the frequency of specific threats, and it is difficult to determine the
probability that a threat will be realized. (By contrast, it is relatively easy to determine the
value of an asset and the impact of a threat event.)
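A worked calculation that ties the ALE formula to the four risk-treatment options, added here as an example and not part of the original study notes. It assumes the standard decomposition SLE = asset value (AV) x exposure factor (EF), which the notes do not state, and uses constructed figures for a hypothetical ransomware scenario; the scenario, control names, costs, premium and tolerance are all invented for illustration.

```python
# Added example (not from the CISA notes): quantitative risk analysis with
# ALE = SLE x ARO, used to compare risk-treatment options on an expected-cost basis.
# Assumption not stated in the notes: SLE = asset value (AV) x exposure factor (EF).
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    """A threat against one asset, with the inputs a quantitative analysis needs."""
    name: str
    asset_value: float       # AV: replacement/business value of the asset
    exposure_factor: float   # EF: fraction of AV lost in one event (0.0 - 1.0)
    aro: float               # ARO: expected number of events per year

    def sle(self) -> float:
        # Single loss expectancy for one occurrence (assumed SLE = AV x EF)
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annualized loss expectancy, as defined in the notes: SLE x ARO
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    """A mitigating control: it lowers EF, ARO or both, at an annual cost."""
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None
    new_aro: Optional[float] = None


def residual(scenario: Scenario, control: Control) -> Scenario:
    """The scenario after the control is applied (residual risk)."""
    return replace(
        scenario,
        exposure_factor=(scenario.exposure_factor if control.new_exposure_factor is None
                         else control.new_exposure_factor),
        aro=scenario.aro if control.new_aro is None else control.new_aro,
    )


def net_benefit(scenario: Scenario, control: Control) -> float:
    """Annual value of a control: ALE reduction minus its cost (negative = not worth it)."""
    return scenario.ale() - residual(scenario, control).ale() - control.annual_cost


def expected_annual_costs(scenario: Scenario, controls: List[Control],
                          insurance_premium: Optional[float],
                          risk_tolerance: float) -> Dict[str, float]:
    """Expected annual cost of each permitted treatment option.

    accept   : carry the full ALE (only permitted if it is within tolerance)
    mitigate : residual ALE plus the control's annual cost
    transfer : the premium replaces the ALE (simplification: full cover, no deductible)
    Avoidance is not modelled: it means not running the process at all, and its cost
    is the forgone business value, which these inputs do not capture.
    """
    options: Dict[str, float] = {}
    if scenario.ale() <= risk_tolerance:
        options["accept"] = scenario.ale()
    for control in controls:
        options[f"mitigate:{control.name}"] = residual(scenario, control).ale() + control.annual_cost
    if insurance_premium is not None:
        options["transfer"] = insurance_premium
    return options


def recommend(scenario: Scenario, controls: List[Control],
              insurance_premium: Optional[float], risk_tolerance: float) -> Tuple[str, float]:
    """Cheapest expected annual outcome among the permitted treatments."""
    options = expected_annual_costs(scenario, controls, insurance_premium, risk_tolerance)
    best = min(options, key=options.__getitem__)
    return best, options[best]


# Constructed figures for a hypothetical scenario (not from the notes).
RANSOMWARE = Scenario("ransomware on file server", asset_value=500_000,
                      exposure_factor=0.4, aro=0.1)          # SLE 200,000; ALE 20,000
CONTROLS = [
    Control("offline backups", annual_cost=6_000, new_exposure_factor=0.1),  # hypothetical
    Control("endpoint detection", annual_cost=12_000, new_aro=0.05),         # hypothetical
]
PREMIUM = 15_000          # hypothetical cyber-insurance premium
TOLERANCE = 5_000         # hypothetical annual loss the business is willing to accept

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}  ALE = {RANSOMWARE.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name}: net benefit {net_benefit(RANSOMWARE, c):,.0f}/yr")
    print("recommendation:", recommend(RANSOMWARE, CONTROLS, PREMIUM, TOLERANCE))
```

With these inputs the offline-backup control is worth about 9,000 per year while the endpoint-detection control costs more than the ALE it removes, and acceptance is ruled out because the 20,000 ALE exceeds the 5,000 tolerance. The point of the exercise is the one the notes make: every figure except the asset value is an estimate, so small changes to ARO or EF can flip the recommendation.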
An IS auditor is examining the IT standards document for an organization that was last reviewed
two years earlier. The best course of action for the IS auditor is: - ANS-Report that the IT
standards are not being reviewed often enough. Two years is far too long between reviews of IT
standards.
The purpose of a Balanced Scorecard is: - ANS-To measure organizational performance and
effectiveness against strategic goals.
The 4-item focus of a Balanced Scorecard is: - ANS-(1.) Financial (2.) Customer (3.) Internal
processes (4.) Innovation / Learning
The audit program is an audit strategy and plan that includes: - ANS-(1.) Scope (2.) Objectives
(3.) Resources (4.) Procedures used to evaluate controls and processes
IS auditors can stay current with technology through the following means: - ANS-(1.) training
courses (2.) webinars (3.) ISACA chapter training events (4.) Industry conferences
Name the three Types of Controls - ANS-(1.) Physical (2.) Technical (3.) Administrative
Name the two Categories of Controls - ANS-(1.) Automatic (2.) Manual
Name the Eight Types of Audits - ANS-(1.) Operational (2.) Financial (3.) Integrated (4.) IS (5.)
Administrative (6.) Compliance (7.) Forensic (8.) Service Provider
What type of testing is performed to determine if control procedures have proper design and are
operating properly? - ANS-Compliance Testing
What type of testing is performed to verify the accuracy and integrity of transactions as they flow
through a system? - ANS-Substantive Testing
Audit Methodologies define what 10 elements of an Audit? - ANS-(1.) Subject of audit (2.) Audit
Objective (3.) Type of audit (4.) Audit scope (5.) Pre-audit planning (6.) Audit procedures (7.)
Communication plan (8.) Report Preparation (9.) Wrap-up (10.) Post-audit follow-up