CISA THIS MUCH !! One Stop Solution for CISA Aspirants. By Aaditya P.

Copyright © 2020. All rights reserved. No part of this book may be reproduced or copied in any form or by any means (graphical, electronic or mechanical, including photocopying, recording, taping, or information retrieval system) or reproduced on any disk, tape, perforated media or any other information storage device, etc., without the prior written permission of Aaditya Parameswaran (Founder of This-Much Learning Solutions). Breach of this condition is liable for legal action. Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. Examples and resources used in this book are only meant for education purposes and to make learning more interesting. However, the information contained in this book is sold without warranty, either express or implied. Neither the author (Aaditya P) nor This-Much Learning Solutions will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

CISA-THIS-MUCH !! SERIES. One-Stop Solution for all CISA Aspirants.
Aaditya P, Founder of This-Much Learning Solutions

QUESTIONS ON 2.1

1. The effectiveness of an IT governance implementation can be MOST effectively known by:
A. Ensuring that the objectives are defined
B. Ensuring the involvement of stakeholders
C. The identification of emerging risks
D. Ensuring that relevant enablers are determined

2. The IS auditor noted that roles and responsibilities in terms of IT governance and management are not properly documented and defined. What is the MOST PROPER recommendation?
A. To review the alignment of IT with business objectives
B. To define the accountability for each critical function
C. To conduct an IS audit on an ongoing basis
D. To create the role of CRO in the organization

3. Which of the following RELATES TO strategic planning?
A. Software testing methodology and results
B. A short-term plan for a new system
C. An approved supplier for all of the company's products
D. Evaluation of project requirements

4. The MOST important factor regarding the effective implementation of IT governance is:
A. A documented IT Balanced Scorecard
B. Identified organizational strategies
C. Conducting risk assessments
D. Documenting an IT policy

5. Which of the following is the PRIMARY purpose of corporate governance?
A. To provide strategic direction
B. To control business functions
C. To align IT and business needs
D. To implement a reporting hierarchy

6. What will be the BIGGEST concern of Mr James, an IS Auditor, when reviewing a security policy?
A. The Information Security Policy is driven by IT objectives.
B. Users have not read the policy but are complying with it.
C. It does not include procedures.
D. It has not been updated for more than a year.
Note: Business objectives are derived from IT strategy.

QUESTIONS ON 2.3 & 2.4 (Question No 7 belongs to 2.9 IT Resource Management (HR Management))

1. Mr James, an IS Auditor, was reviewing the HR Management policies of Galaxy Inc. While reviewing, he found out that there is no policy that restricts secondary employment. The issue was discussed with Mr Robert, a senior IS Auditor of the same firm. Mr Robert, although he felt it was important, still neglected the issue, feeling that the above point won't make much difference. Now, you are appointed as an IS Auditor of Galaxy Inc. What according to you would be the MAIN reason for an organisation to have a policy that restricts secondary employment?
A. To protect against the misuse of an organisation's assets.
B. To prevent a conflict of interest.
C. To ensure better productivity on the part of the employee.
D. To restrict monetary benefits of employees.
Ans: B
Note: Leakage of information is the biggest threat (and it will happen only when the employee's intentions are affected).

2. Whenever any IT policy is implemented, one of the major concerns for an IS Auditor is the actual compliance with such an implemented policy. Which of the following factors will an IS Auditor consider MOST important to facilitate compliance?
A. An existing mechanism in place that could enable the employees and the organisation to comply with the policy.
B. Alignment of the policy to the business strategy.
C. XXX
D. XXX
Ans: A
Note: Policies should be aligned, but this will never affect an organisation's ability to comply. An existing mechanism, such as how well the policy is communicated among employees, proper training for its compliance, penalties for non-compliance, etc., will make the difference.

3. Mr Alex, an IS Auditor, is reviewing an organisation's governance model. Which of the following should be the BIGGEST concern for Mr Alex? (handwritten; partly illegible in the scan)
A. No periodical review of the information security policy by senior management
B. Security policy related to system patching [illegible]
C. [illegible] the organization's mission statement
D. Organizational policy related to information asset protection does not exist
Ans: A [remainder of the handwritten note illegible]
Note (on C): There is no need to worry about not including the mission statement objectives.

4. Which of the following is the FIRST step for the auditor having observed that IT policies are not approved by management?
A. To ignore the requirement for management approval as the policy is being observed by all employees
B. To recommend that the policy should be approved immediately
C. To guide management regarding the importance of approval
D. To include this as non-compliance in an audit report

5. An area of MOST concern while reviewing HR policy is the absence of a:
A. Rotation process
B. Exit interview process
C. Termination process
D. Process of entering into an NDA with employees

7. An information security policy should include:
A. Details of critical assets to be protected
B. The basis of access control authorization
C. The SDLC methodology and procedure
D. The identification of sensitive assets

8. The MOST important factor while developing an information security policy is:
A. Alignment with industry best practices
B. Approval of the Board of Directors
C. The consideration of business requirements
D. An annual review of the policy

9. The MOST important factor in developing an information security policy is:
A. A vulnerability analysis
B. A threat analysis
C. Emerging risks
D. The appetite for risk on the part of the enterprise

QUESTIONS ON 2.6

1. Mr Garry Kasparov, an IS auditor, was reviewing EA. During the process of reviewing, he found out that the EA has only considered a current-state representation, and the organisation claims it will start a separate project to develop a future-state representation. What should Kasparov do?
A. Suggest finishing this separate project as early as possible
B. Report this problem in the audit report as an observation
C. Suggest implementation of the Zachman Framework
D. Extend the scope of the audit to include the separate project as part of the current audit
Ans: B (handwritten note, reconstructed from the scan)
Note: B: We will have to report this as a finding. It is a must point for EA (current and future state), because the gap between current and future will determine the IT strategic and tactical plans. C: The organisation has its own choice of framework; the IS Auditor can't mandate a specific framework. D: Rescoping is not required; a follow-up audit may be conducted.

2. The MAIN benefit of EA is: (handwritten; reconstructed from the scan)
A. Assisting the enterprise to invest in the most appropriate technology
B. Ensuring security controls on critical platforms
C. Enabling development teams to be more responsive to business requirements
D. Enabling the business to select any IT solution which will fit its needs
Ans: A

3. XYZ Inc. is a large financial services company in North America offering services in portfolio management, investment management, private equity and more. A vendor has been hired by XYZ Inc. to find a software solution for their financial targets in challenging market conditions. As part of the solution, the vendor has developed their own application software. The contract is supposed to include:
A. The requirements for a backup system
B. A requirement for the automatic updating of related files and data
C. Training requirements for the organization's staff
D. The inclusion of source code in escrow

4. ABC Inc. is considering investing significantly in technological development. Which of the following will be the MOST critical consideration?
A. A cost analysis
B. The safety risks associated with the latest technology
C. Compatibility with existing systems
D. A risk analysis

5. The FIRST step in designing a security architecture will be which of the following?
A. Document security guidelines
B. Define a security policy
C. Develop an access control matrix
D. Define roles and responsibilities

6. Transparency on the part of value, cost or risk from IT can be primarily known by:
A. Performance measurement
B. Strategic alignment
C. Value delivery
D. Resource management
Note: Transparency is primarily achieved through performance measurement, not strategic alignment. Strategic alignment focuses on aligning IT and business, whereas value delivery ensures that IT investments deliver the promised value.

7. ABC Inc. and LMN Inc. are being merged into a new merged organisation, XYZ Inc.; a new common interface would replace several self-developed legacy applications. What is the BIGGEST risk out of the following situations?
A. Project management and progress reporting is combined in a project management office that is driven by external consultants.
B. The replacement effort consists of several separate projects without integrating the resource allocation in a portfolio management approach.
C. The development of new integrated systems requires some knowledge of the legacy systems to gain an understanding of each business process.
D. The new platform will result in extensive training requirements.
Ans: B
Note: The effort should be consolidated to ensure alignment with the overall strategy of the post-merger organization. The resource allocation should be centralized and integrated.

QUESTIONS ON 2.5

1. In which of the following options is Top Management's involvement the MOST important?
A. Strategic plans
B. Information security standards
C. The information security framework
D. The system audit framework

2. Which of the following is the MAIN role of the IT Steering Committee?
A. Managing third-party service providers
B. Maintaining the segregation of duties for critical functions
C. Approving and monitoring major projects, the status of IS plans, and budgets
D. Managing the IS audit

3. Which of the following is MAINLY responsible for a system development project?
A. The IS auditor
B. The project steering committee
C. The IS strategy committee
D. The CIO

4. Who approves a Request for Proposal (RFP)?
A. The project steering committee
B. The person in charge of the project
C. The strategy committee
D. The system development manager

5. A steering committee is involved in which of the following functions?
A. To design requirement specifications
B. To escalate project issues
C. To design system controls
D. To document system architecture
Note: They are basically responsible for the successful implementation of the project, so if any issues come up they are supposed to escalate them.

6. An IT steering committee is involved in which of the following functions?
A. To suggest a technology strategy
B. To approve and control funds for IT initiatives
C. To monitor the outsourcing of contracts
D. To review IT frameworks
Note: They are basically responsible for approving project plans and budgets.

7. Who is responsible for aligning a project with business needs?
A. The IT strategy committee
B. The IT steering committee
C. Business functions
D. System developers
Note: The steering committee approves project plans and budgets, sets priorities and milestones, and ensures that the project meets business requirements.

8. An IT steering committee is involved in which of the following functions?
A. To issue advice to the IT department
B. To provide technical support to the IT department
C. To prioritize IT projects as per business requirements
D. To advise the board on IT strategy

9. Which of the following will be the MOST suitable person to be appointed as chair of the steering committee?
A. A member of the board
B. An executive-level officer
C. The CTO
D. The CIO
Note: The chairperson is supposed to be an executive-level officer who has the authority to make decisions. Board members generally are not expected to be involved in implementation.

10. The BIGGEST control weakness is seen in which of the following situations?
A. The board is selective about approving recommendations from the IT strategy committee
B. The project does not have a specified deadline
C. The project does not have a project manager
D. The organization does not have a project steering committee

QUESTIONS ON 2.7 & 2.8

1. Which of the following risk treatment strategies covers only financial risk?
A. Risk acceptance
B. Risk mitigation
C. Risk avoidance
D. Risk transfer

2. Mr Thomas, an IS Auditor, was reviewing the Risk Management Program. Which of the following will be given the MOST importance?
A. The implementation of a cost-benefit-based control
B. The incorporation of an industry-standard-based risk management framework
C. The fact that a risk response approval process is in place
D. The fact that IT risk is presented from a business perspective

3. Mr Alex, an IS Auditor, was reviewing the Risk Strategy. Which of the following will be given the MOST importance?
A. All threats are successfully mitigated
B. Residual risk is zero following control implementation
C. All risks are identified and categorized
D. The organization uses a defined risk framework

4. There is always a risk of employee fraud in an organisation. Which of the following insurances covers that?
A. Disaster impact
B. Fidelity coverage
C. Errors and omissions
D. Business continuity
Note: Fidelity insurance protects businesses from costs incurred as a result of forgery, defalcation, embezzlement and other fraudulent acts by employees.

5. How can Management assess the IT risk of the organisation?
A. Assessing the risks and vulnerabilities relevant to the current IT infrastructure and IT programs
B. Using the company's past experience of failure
C. Studying reports released by similar organizations regarding losses
D. Reviewing the weak points of IT control identified in audit reports

6. After looking at the vulnerabilities, what should be the NEXT step for an IS Auditor?
A. To report the risk immediately
B. To examine the technology framework of the business
C. To identify risks and the possibility of occurrence
D. To review the appropriate risk management budget

7. The risk management process is undertaken MAINLY for which of the following?
A. Business plans
B. Audit charters
C. Security policy decisions
D. Software design decisions

8. Who will establish the risk appetite / acceptable level of risk?
A. Quality assurance management
B. Senior business management
C. The CIO
D. The CSO

9. When you have difficulty assessing the risk in exact financial terms, which of the following should you do?
A. Estimate the related cost amortization
B. Calculate an investment return
C. Apply a qualitative approach
D. Spend time defining the amount of loss precisely

10. What is the FIRST thing to be reviewed while establishing a risk management process?
A. Existing controls
B. The risk monitoring process
C. The efficiency of controls
D. Threats/vulnerabilities affecting the assets

11. Mr Alex, an IS Auditor of XYZ Inc., sees that the organisation is using cloud services. Which of the following factors would he be MOST concerned about?
A. The high cost of maintenance
B. Compliance with laws and regulations
C. The data retrieval turnaround time
D. Network bandwidth

12. Mr Alex, an IS Auditor of XYZ Inc., sees that the organisation is using cloud services for storing sensitive data. Which of the following factors would he be MOST concerned about?
A. Inadequate storage capability
B. Data confidentiality
C. Inadequate disaster recovery arrangements
D. The high cost of cloud services

13. Mr John, an IS Auditor of ABC Inc., wants to know which of the following is the MOST important factor to consider for the success of IT:
A. To analyse the performance balanced scorecard
B. To analyse the IT budget spending
C. To analyse IT support for compliance with regulatory requirements
D. To analyse the utilization of manpower

14. The BIGGEST concern for Mr Sam, an IS Auditor of PQR Inc., when reviewing compliance with laws and regulations is:
A. A lack of documented processes for reporting offences
B. A lack of staff training regarding regulatory requirements
C. Junior staff are in charge of monitoring regulatory compliance
D. No list of applicable laws and regulations is maintained
