Free Isaca CISA Exam Dumps and CISA Exam Questions

Question No: 11

MultipleChoice

An IS auditor is planning an audit of an organization's risk management practices. Which of the following would provide the MOST useful information about risk appetite?

Options

ARisk policies

BRisk assessments

CPrior audit reports

DManagement assertion

Answer
AExplanation

Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite reflects the organization's risk culture, strategy, and tolerance, and guides the organization's risk management practices. The most useful information about risk appetite can be obtained from the risk policies, which are the documents that define the organization's risk management framework, principles, objectives, roles, responsibilities, and processes. Risk policies also establish the criteria and thresholds for identifying, assessing, prioritizing, mitigating, and monitoring risks, as well as the reporting and escalation mechanisms for risk issues. By reviewing the risk policies, an IS auditor can evaluate whether they are consistent, comprehensive, and aligned with the organization's risk appetite and whether they provide clear guidance and direction for managing risks effectively.

The other options are not correct because they are either not the most useful or not relevant to risk appetite. Risk assessments are the processes of identifying, analyzing, and evaluating the risks that may affect the organization's objectives. Risk assessments provide information about the current risk profile and exposure of the organization, but they do not indicate the organization's risk appetite or preferences. Prior audit reports are the documents that summarize the findings, recommendations, and conclusions of previous audits. Prior audit reports may provide information about the past performance and issues of the organization's risk management practices, but they do not reflect the organization's risk appetite or expectations. Management assertion is a statement or declaration made by management about the accuracy, completeness, validity, or reliability of a certain fact or data. Management assertion may provide information about the management's confidence or opinion on a specific risk or issue, but it does not represent the organization's risk appetite or criteria.

Question No: 12

MultipleChoice

An IS auditor observes that a bank's web page address is prefixed 'https://'. The auditor would be correct to conclude that:

Options

Athe bank has a restricted Internet protocol (IP) address

Btransactions are encrypted

Cthe bank has established a virtual private network (VPN).

Dthe customer is connected to the bank's intranet

Question No: 13

MultipleChoice

IS audit is asked to explain how local area network (LAN) servers can contribute to a rapid dissemination of viruses. The IS auditor's BEST response is that:

Options

Athe server's file sharing function facilitates the distribution of files and applications

Busers of a given server have similar usage of applications and files.

Cthe server's software is the prime target and is the first to be infected

Dthe server's operating system exchanges data with each station starting at every logon.

Question No: 14

MultipleChoice

Which of the following is the BEST control to ensure data entered into a calculation program is accurated?

Options

AProgrammed edit checks to prevent entry of invalid data

BIndependent user review of test results

CProgrammed reasonableness checks with a data entry range

DVisual verification of data entered

Question No: 15

MultipleChoice

Which of the following is the BEST indicator that an application system's agreed-upon level of service has been met?

Options

ACPU utilization reports

BTransaction response time

CSecurity incident reports

DBandwidth usage logs

Question No: 16

MultipleChoice

When auditing the security architecture of an online application, an IS auditor should FIRST review the

Options

Aconfiguration of the firewall

Blocation of the firewall within the network.

Cfirewall standards

Dfirmware version of the firewall

Question No: 17

MultipleChoice

During an internal audit of automated controls, an IS auditor identifies that the integrity of data transfer between systems has not been tested since successful implementation two years ago Which of the following should the auditor do NEXT?

Options

ADocument the finding in the audit report.

BReview relevant system changes.

CReview previous system interface testing records.

DReview IT testing policies and procedures

Question No: 18

MultipleChoice

Which of the following is the BEST indication of effective IT investment management9

Options

AIT investments are implemented and monitored following a system development life cycle (SDLC)

BIT investments are mapped to specific business objectives

CKey performance indicators (KPIs) are defined for each business requiring IT Investment

DThe IT Investment budget is significantly below industry benchmarks

Question No: 19

MultipleChoice

An IS audit reveals that an organization is not proactively addressing known vulnerabilities Which of the following should the IS auditor recommend the organization do FIRST?

Options

AConfirm the incident response team understands the issue.

BEnsure the intrusion prevention system (IPS) is effective.

CVerify the disaster recovery plan (DRP) has been tested

DAssess the security risks to the business

Question No: 20

MultipleChoice

Which of the following is the GREATEST risk associated with utilizing spreadsheets for financial reporting in end-user computing (EUC)?

Options

ALack of processing integrity

BLack of password protection

CIncrease in operational incidents

DIncrease in regulatory violations

Free Isaca CISA Exam Dumps - Page 2