ISACA CISA Certified Information Systems Auditor Exam Questions and Answers – 7

The latest ISACA CISA (Certified Information Systems Auditor) certification practice exam questions and answers (Q&A) are available free and are intended to help you pass the ISACA CISA exam and earn the ISACA CISA certification.

ISACA Certified Information Systems Auditor (CISA) Exam Questions and Answers

CISA Question 661

Question

When reviewing IS strategies, an IS auditor can BEST assess whether IS strategy supports the organization’s business objectives by determining if IS:

A. has all the personnel and equipment it needs.
B. plans are consistent with management strategy.
C. uses its equipment and personnel efficiently and effectively.
D. has sufficient excess capacity to respond to changing directions.

Answer

B. plans are consistent with management strategy.

Explanation

Determining if the IS plan is consistent with management strategy relates IS/IT planning to business plans. Choices A, C and D are effective methods for determining the alignment of IS plans with business objectives and the organization’s strategies.

CISA Question 662

Question

An IS auditor reviewing an organization’s IT strategic plan should FIRST review:

A. the existing IT environment.
B. the business plan.
C. the present IT budget.
D. current technology trends.

Answer

B. the business plan.

Explanation

The IT strategic plan exists to support the organization’s business plan. To evaluate the IT strategic plan, an IS auditor would first need to familiarize themselves with the business plan.

CISA Question 663

Question

Which of the following would an IS auditor consider to be the MOST important when evaluating an organization’s IS strategy? That it:

A. has been approved by line management.
B. does not vary from the IS department’s preliminary budget.
C. complies with procurement procedures.
D. supports the business objectives of the organization.

Answer

D. supports the business objectives of the organization.

Explanation

Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization’s broader plans and business objectives for attaining these goals. Choice A is incorrect since line management prepared the plans.

CISA Question 664

Question

Which of the following goals would you expect to find in an organization’s strategic plan?

A. Test a new accounting package.
B. Perform an evaluation of information technology needs.
C. Implement a new project planning system within the next 12 months.
D. Become the supplier of choice for the product offered.

Answer

D. Become the supplier of choice for the product offered.

Explanation

Strategic planning sets corporate or departmental objectives into motion. Comprehensive planning helps ensure an effective and efficient organization. Strategic planning is time- and project-oriented, but also must address and help determine priorities to meet business needs.
Long- and short-range plans should be consistent with the organization’s broader plans for attaining its goals. Choice D represents a business objective that is intended to focus the overall direction of the business and would thus be a part of the organization’s strategic plan. The other choices are project-oriented and do not address business objectives.

CISA Question 665

Question

Which of the following would an IS auditor consider the MOST relevant to short-term planning for an IS department?

A. Allocating resources
B. Keeping current with technology advances
C. Conducting control self-assessment
D. Evaluating hardware needs

Answer

A. Allocating resources

Explanation

The IS department should specifically consider the manner in which resources are allocated in the short term. Investments in IT need to be aligned with top management strategies, rather than focusing on technology for technology’s sake. Conducting control self-assessments and evaluating hardware needs are not as critical as allocating resources during short-term planning for the IS department.

CISA Question 666

Question

In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether:

A. there is an integration of IS and business staffs within projects.
B. there is a clear definition of the IS mission and vision.
C. a strategic information technology planning methodology is in place.
D. the plan correlates business objectives to IS goals and objectives.

Answer

A. there is an integration of IS and business staffs within projects.

Explanation

The integration of IS and business staff in projects is an operational issue and should be considered while reviewing the short-range plan. A strategic plan would provide a framework for the IS short-range plan. Choices B, C and D are areas covered by a strategic plan.

CISA Question 667

Question

To support an organization’s goals, an IS department should have:

A. a low-cost philosophy.
B. long- and short-range plans.
C. leading-edge technology.
D. plans to acquire new hardware and software.

Answer

B. long- and short-range plans.

Explanation

To ensure its contribution to the realization of an organization’s overall goals, the IS department should have long- and short-range plans that are consistent with the organization’s broader plans for attaining its goals. Choices A and C are objectives, and plans would be needed to delineate how each of the objectives would be achieved. Choice D could be a part of the overall plan but would be required only if hardware or software is needed to achieve the organizational goals.

CISA Question 668

Question

Which of the following is normally a responsibility of the chief security officer (CSO)?

A. Periodically reviewing and evaluating the security policy
B. Executing user application and software testing and evaluation
C. Granting and revoking user access to IT resources
D. Approving access to data and applications

Answer

A. Periodically reviewing and evaluating the security policy

Explanation

The role of a chief security officer (CSO) is to ensure that the corporate security policy and controls are adequate to prevent unauthorized access to the company assets, including data, programs and equipment. User application and other software testing and evaluation normally are the responsibility of the staff assigned to development and maintenance. Granting and revoking access to IT resources is usually a function of network or database administrators. Approval of access to data and applications is the duty of the data owner.

CISA Question 669

Question

Which of the following is a risk of cross-training?

A. Increases the dependence on one employee
B. Does not assist in succession planning
C. One employee may know all parts of a system
D. Does not help in achieving a continuity of operations

Answer

C. One employee may know all parts of a system

Explanation

When cross-training, it would be prudent to first assess the risk of any person knowing all parts of a system and what exposures this may cause. Cross-training has the advantage of decreasing dependence on one employee and, hence, can be part of succession planning. It also provides backup for personnel in the event of absence for any reason and thereby facilitates the continuity of operations.

CISA Question 670

Question

Which of the following is the BEST performance criterion for evaluating the adequacy of an organization’s security awareness training?

A. Senior management is aware of critical information assets and demonstrates an adequate concern for their protection.
B. Job descriptions contain clear statements of accountability for information security.
C. In accordance with the degree of risk and business impact, there is adequate funding for security efforts.
D. No actual incidents have occurred that have caused a loss or a public embarrassment.

Answer

B. Job descriptions contain clear statements of accountability for information security.

Explanation

Inclusion of security responsibilities in job descriptions is a form of security training and helps ensure that staff and management are aware of their roles with respect to information security. The other three choices are not criteria for evaluating security awareness training. Awareness is a criterion for evaluating the importance that senior management attaches to information assets and their protection. Funding is a criterion that aids in evaluating whether security vulnerabilities are being addressed, while the number of incidents that have occurred is a criterion for evaluating the adequacy of the risk management program.