Professional Documents
Culture Documents
FT13 VISA4DISA GKR Day2 06122022
FT13 VISA4DISA GKR Day2 06122022
13th
Batch
Basic
Additional
gkr@icai.org | www.3spro.blogspot.com
ISA 2.0 (Old) and ISA 3.0 (New)
Module ISA 2.0 ISA 3.0
1 Primer on Information Technology, IS Information Systems Process Audit
Infrastructure and Emerging Technology
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
1. Who is responsible for establishing right
structure of decision-making accountabilities?
a) Senior management
b) Operational management
d) IT steering committee
a) Shareholders
b) Stakeholders
c) Investors
d) Regulators
a) Employee rights
b) Security policy
c) Transparency
d) Risk assessment
gkr@icai.org | www.3spro.blogspot.com
7. Business Governance helps the Board by
enabling them to understand:
a) enterprise functions
b) risk assessment
d) Key controls
Key performance drivers (KPDs) are the day-to-day activities that are required in order to produce the
desired KPI results. If the KPDs are correctly identified, then, for the most part, positive results in KPDs
should lead to positive KPIs.
gkr@icai.org | www.3spro.blogspot.com
8. The effectiveness of the IT governance structure
and processes are directly dependent upon level
of involvement of
c) Technology management
d) Board/senior management
gkr@icai.org | www.3spro.blogspot.com
10. Which of the following is the primary objective
for implementing ERM?
Risk comes from not knowing what you’re doing. Risk is just an expensive substitute for
information.
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
11. The most important requirement for IT
governance function to be effective is:
a) Monitoring
b) Evaluation
c) Directing
d) Managing
IT governance ensures that IT decisions focus on: Evaluating and directing the use of IT to support
the organization. Monitoring the use of IT to achieve plans. Using the IT strategy and policies to
accomplish its purpose.
gkr@icai.org | www.3spro.blogspot.com
12. The MOST important benefit of implementing IT
risk management process is that it helps in:
gkr@icai.org | www.3spro.blogspot.com
Residual Risk
• The residual risk is the amount of risk or danger associated with an action or
event remaining after natural or inherent risks have been reduced by risk
controls. The general formula to calculate residual risk is
• Residual Risk = Inherent Risk – Impact of Risk Controls
• where the general concept of risk is (threats × vulnerability) or, alternatively,
(severity × probability).
• An example of residual risk is given by the use of automotive seat-belts.
Installation and use of seat-belts reduces the overall severity and probability of
injury in an automotive accident; however, probability of injury remains when in
use, that is, a remainder of residual risk.
• In the economic context, residual means “the quantity left over at the end of a
process; a remainder”
• In the property rights model it is the shareholder that holds the residual risk and
therefore the residual profit.
gkr@icai.org | www.3spro.blogspot.com
13. Which of the following is a major risk factor?
gkr@icai.org | www.3spro.blogspot.com
14. The level to which an enterprise can accept
financial loss from a new initiative is:
a) Risk tolerance
b) Risk management
c) Risk appetite
d) Risk acceptance
Risk appetite is the level of risk that an organization is prepared to accept in pursuit of its
objectives, before action is deemed necessary to reduce the risk. It represents a balance between
the potential benefits of innovation and the threats, that change inevitably brings.
gkr@icai.org | www.3spro.blogspot.com
15. Designing and implementing a control to
reduce the likelihood and/or impact of risk
materializing is a:
a) Risk acceptance
b) Risk transfer
c) Risk treatment
d) Risk appetite
Risk tolerance is an investor's ability to psychologically endure the potential of losing money on an
investment. A person's risk tolerance can change throughout his life and determines what type of
investments he or she is likely to make.
gkr@icai.org | www.3spro.blogspot.com
16. Which of the following is a valid risk
statement?
Page 26
gkr@icai.org | www.3spro.blogspot.com
17. Which of the following is primary reason for
periodic review of risk? The changes in:
a) risk factors
b) risk appetite
c) budget
d) risk strategy
gkr@icai.org | www.3spro.blogspot.com
19. Which of the following is the most essential
action after evaluation of inherent risks?
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
20. Which of the following is most important
resource of the organization?
c) Reviewed periodically.
a) Defining designations.
b) Delegating responsibility.
c) Recommendations of CIO
d) Rate of obsolescence of IT
gkr@icai.org | www.3spro.blogspot.com
25. Primary objective of IT steering committee is
to:
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
27. Which of the following is best approach for
monitoring the performance of IT resources?
gkr@icai.org | www.3spro.blogspot.com
28. Performance monitoring using Balanced Score
Card is most useful since it primarily focuses on:
a) Management perspective
c) Customer perspectives
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
29. Which of the following is considered as an
example of a lead indicator?
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
30. The PRIMARY objective of base lining IT
resource performance with business process
owners is to:
gkr@icai.org | www.3spro.blogspot.com
31. Which of the following is BEST measure to
optimize performance of skilled IT human
resources?
gkr@icai.org | www.3spro.blogspot.com
32. IT resource optimization plan should primarily
focus on:
b) Ensuring availability
gkr@icai.org | www.3spro.blogspot.com
33. The PRIMARY objective of implementing
performance measurement metrics for information
assets is to:
a) decide appropriate controls to be implemented to
protect IT assets.
gkr@icai.org | www.3spro.blogspot.com
35. While monitoring the performance of IT
resources the PRIMARY focus of senior
management is to ensure that:
a) IT sourcing strategies focus on using third party
services.
gkr@icai.org | www.3spro.blogspot.com
36. Organization considering deploying application
using cloud computing services provided
by third party service provider. The MAIN
advantage of this arrangement is that it will:
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
37. Which of the following is MOST important to
have in a disaster recovery plan?
b) Evaluation stage.
c) Maintenance stage.
d) Testing Stage.
gkr@icai.org | www.3spro.blogspot.com
40. An advantage of the use of hot sites as a
backup alternative is:
• In a communications system, deadlocks occur mainly due to lost or corrupt signals rather
than resource contention.
gkr@icai.org | www.3spro.blogspot.com
41. All of the following are security and control
concerns associated with disaster recovery
procedures EXCEPT:
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
42. As updates to an online order entry system are processed, the
updates are recorded on a transaction tape and a hard copy
transaction log. At the end of the day, the order entry files are
backed up onto tape. During the backup procedure, the disk drive
malfunctions and the order entry files are lost. Which of the
following are necessary to restore these files?
a) The previous day's backup file and the current transaction tape
b) The previous day's transaction file and the current transaction tape
c) The current transaction tape and the current hardcopy transaction log
gkr@icai.org | www.3spro.blogspot.com
43. An IS auditor reviewing an organisation's
information systems disaster recovery plan should
verify that it is:
gkr@icai.org | www.3spro.blogspot.com
44. Which of the following offsite information
processing facility conditions would cause an IS
auditor the GREATEST concern?
b) Measurement of accuracy
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
gkr@icai.org | www.3spro.blogspot.com
46. The scope of ISO/IEC 27031:2011 encompasses the following
…… except
a) all events and incidents (including security related) that could have an
impact on ICT infrastructure and systems
a) Checklist test
d) Parallel test
a) Electronic Vaulting
b) Remote Journaling
c) Database Shadowing
d) Disk Imaging
e) Remote Mirroring
gkr@icai.org | www.3spro.blogspot.com
50. The basic characteristics of fault tolerance requires the
following; except
a) Problem/Incident
b) Minor disaster
c) Major disaster
d) Catastrophic disaster
2 d 12 b 21 d 28 c 38 c 52
3 c 13 d 22 a 29 a 39 a
4 b 14 c 23 b 30 d 40 d
5 c 15 c 24 b 31 a 41 d
6 d 16 d 25 a 32 b 42 a
7 c 17 a 26 c 33 c 43 b
8 d 18 d 47 d 34 a 44 a
9 b 19 a 48 e 35 d 45 a
10 a 50 d 49 a 36 b 46 c
CA Dr GOPAL KRISHNA RAJU
Chartered Accountant, Insolvency Professional & Registered Valuer
Partner : K GOPAL RAO & CO | Chartered Accountants | Mumbai, Chennai, Bengaluru, Hyderabad, Trichy, Madurai & Tiruvallur