Ensurepass

QUESTION 311

Overall business risk for a particular threat can be expressed as:

A. a product of the probability and magnitude of the impact if a threat successfully exploits a vulnerability.
B. the magnitude of the impact should a threat source successfully exploit the vulnerability.
C. the likelihood of a given threat source exploiting a given vulnerability.
D. the collective judgment of the risk assessment team.

 

Correct Answer: A

Explanation:

Choice A takes into consideration the likelihood and magnitude of the impact and provides the best measure of the risk to an asset. Choice B provides only the likelihood of a threat exploiting a vulnerability in the asset but does not provide the magnitude of the possible damage to the asset. Similarly, choice C considers only the magnitude of the damage and not the possibility of a threat exploiting a vulnerability. Choice D defines the risk on an arbitrary basis and is not suitable for a scientific risk management process.

QUESTION 312

An IS auditor performing a review of an application’s controls would evaluate the:

A. efficiency of the application in meeting the business processes.
B. impact of any exposures discovered.
C. business processes served by the application.
D. application’s optimization.

 

Correct Answer: B

Explanation:

An application control review involves the evaluation of the application’s automated controls and an assessment of any exposures resulting from the control weaknesses. The other choices may be objectives of an application audit but are not part of an audit restricted to a review of controls.

QUESTION 313

Which of the following is the PRIMARY advantage of using computer forensic software for investigations?

A. The preservation of the chain of custody for electronic evidence
B. Time and cost savings
C. Efficiency and effectiveness
D. Ability to search for violations of intellectual property rights

 

Correct Answer: A

Explanation:

The primary objective of forensic software is to preserve electronic evidence to meet the rules of evidence. Choice B, time and cost savings, and choice C, efficiency and effectiveness, are legitimate concerns that differentiate good from poor forensic software packages. Choice D, the ability to search for intellectual property rights violations, is an example of a use of forensic software.

QUESTION 314

An IS auditor conducting a review of software usage and licensing discovers that numerous PCs contain unauthorized software. Which of the following actions should the IS auditor take?

A. Personally delete all copies of the unauthorized software.
B. Inform the auditee of the unauthorized software, and follow up to confirm deletion.
C. Report the use of the unauthorized software and the need to prevent recurrence to auditee management.
D. Take no action, as it is a commonly accepted practice and operations management is responsible for monitoring such use.

 

Correct Answer: C

Explanation:

The use of unauthorized or illegal software should be prohibited by an organization. Software piracy results in inherent exposure and can result in severe fines. An IS auditor must convince the user and user management of the risk and the need to eliminate the risk. An IS auditor should not assume the role of the enforcing officer and take on any personal involvement in removing or deleting the unauthorized software.

QUESTION 315

An IS auditor who was involved in designing an organization’s business continuity plan (BCP) has been assigned to audit the plan. The IS auditor should:

A. decline the assignment.
B. inform management of the possible conflict of interest after completing the audit assignment.
C. inform the business continuity planning (BCP) team of the possible conflict of interest prior to beginning the assignment.
D. communicate the possibility of conflict of interest to management prior to starting the assignment.

 

Correct Answer: D

Explanation:

Communicating the possibility of a conflict of interest to management prior to starting the assignment is the correct answer. A possible conflict of interest, likely to affect the auditor’s independence, should be brought to the attention of management prior to starting the assignment. Declining the assignment is not the correct answer because the assignment could be accepted after obtaining management approval. Informing management of the possible conflict of interest after completion of the audit assignment is not correct because approval should be obtained prior to commencement and not after the completion of the assignment. Informing the business continuity planning (BCP) team of the possible conflict of interest prior to starting the assignment is not the correct answer since the BCP team would not have the authority to decide on this issue.

QUESTION 316

Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling
B. Variable sampling
C. Stratified mean per unit
D. Difference estimation

 

Correct Answer: A

Explanation:

Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. The other choices are used in substantive testing, which involves testing of details or quantity.

QUESTION 317

When evaluating the collective effect of preventive, detective or corrective controls within a process, an IS auditor should be aware of which of the following?

A. The point at which controls are exercised as data flow through the system
B. Only preventive and detective controls are relevant
C. Corrective controls can only be regarded as compensating
D. Classification allows an IS auditor to determine which controls are missing

 

Correct Answer: A

Explanation:

An IS auditor should focus on when controls are exercised as data flow through a computer system. Choice B is incorrect since corrective controls may also be relevant. Choice C is incorrect, since corrective controls remove or reduce the effects of errors or irregularities and are exclusively regarded as compensating controls. Choice D is incorrect and irrelevant since the existence and function of controls is important, not the classification.

QUESTION 318

Which of the following is a substantive test?

A. Checking a list of exception reports
B. Ensuring approval for parameter changes
C. Using a statistical sample to inventory the tape library
D. Reviewing password history reports


Correct Answer: C

Explanation:

A substantive test confirms the integrity of actual processing. A substantive test would determine if the tape library records are stated correctly. A compliance test determines if controls are being applied in a manner that is consistent with management policies and procedures. Checking the authorization of exception reports, reviewing authorization for changing parameters and reviewing password history reports are all compliance tests.

QUESTION 319

Which of the following audit techniques would BEST aid an auditor in determining whether there have been unauthorized program changes since the last authorized program update?

A. Test data run
B. Code review
C. Automated code comparison
D. Review of code migration procedures

 

Correct Answer: C

Explanation:

An automated code comparison is the process of comparing two versions of the same program to determine whether the two correspond. It is an efficient technique because it is an automated procedure. Test data runs permit the auditor to verify the processing of preselected transactions, but provide no evidence about unexercised portions of a program. Code review is the process of reading program source code listings to determine whether the code contains potential errors or inefficient statements. A code review can be used as a means of code comparison, but it is inefficient. The review of code migration procedures would not detect program changes.

QUESTION 320

Which of the following is the BEST performance criterion for evaluating the adequacy of an organization’s security awareness training?

A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
B. Job descriptions contain clear statements of accountability for information security.
C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
D. No actual incidents have occurred that have caused a loss or a public embarrassment.

 

Correct Answer: B

Explanation:

Inclusion of security responsibilities in job descriptions is a form of security training and helps ensure that staff and management are aware of their roles with respect to information security. The other three choices are not criteria for evaluating security awareness training. Awareness is a criterion for evaluating the importance that senior management attaches to information assets and their protection. Funding is a criterion that aids in evaluating whether security vulnerabilities are being addressed, while the number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program.

 

Free VCE & PDF File for Isaca CISA Real Exam
