Free ISACA CISA Übungsprüfungen - Seite 4 von 55

Question #31

Which of the following is the BEST recommendation to drive accountability for achieving the desired outcomes specified in a benefits realization plan for an IT project?

A . Document the dependencies between the project and other projects within the same program.
B . Ensure that IT takes ownership for the delivery and tracking of all aspects of the benefits realization plan.
C . Ensure that the project manager has formal authority for managing the benefits realization plan.
D . Assign responsibilities, measures, and timelines for each identified benefit within the plan.

Lösung einblenden Lösung ausblenden

Question #32

An IS auditor is reviewing a client’s outsourced payroll system to assess whether the financial audit team can rely on the application.

Which of the following findings would be the auditor’s GREATEST concern?

A . User access rights have not been periodically reviewed by the client.
B . Payroll processing costs have not been included in the IT budget.
C . The third-party contract has not been reviewed by the legal department.
D . The third-party contract does not comply with the vendor management policy.

Lösung einblenden Lösung ausblenden

Richtige Antwort: C
C

Explanation:

The third-party contract has not been reviewed by the legal department is the auditor’s greatest concern because it poses a significant legal and financial risk to the client. A third-party contract is a legally binding agreement between the client and the outsourced payroll provider that defines the scope, terms, and conditions of the service. A third-party contract should be reviewed by the legal department to ensure that it complies with the applicable laws and regulations, protects the client’s interests and rights, and specifies the roles and responsibilities of both parties. A third-party contract that has not been reviewed by the legal department may contain clauses that are unfavorable, ambiguous, or contradictory to the client, such as:

Inadequate or unclear service level agreements (SLAs) that do not specify the quality, timeliness, and accuracy of the payroll service.

Insufficient or vague security and confidentiality provisions that do not safeguard the client’s data and information from unauthorized access, use, disclosure, or loss.

Unreasonable or excessive fees, penalties, or liabilities that may impose an undue financial burden on the client.

Limited or no audit rights that may prevent the client from verifying the effectiveness and compliance of the payroll provider’s internal controls.

Inflexible or restrictive termination clauses that may limit the client’s ability to cancel or switch to another payroll provider.

A third-party contract that has not been reviewed by the legal department may expose the client to various risks, such as:

Legal disputes or litigation with the payroll provider over contractual breaches or performance issues.

Regulatory fines or sanctions for noncompliance with tax, labor, or other laws and regulations related to payroll.

Financial losses or damages due to errors, fraud, or negligence by the payroll provider.

Reputation damage or customer dissatisfaction due to payroll errors or delays.

Therefore, an IS auditor should be highly concerned about a third-party contract that has not been reviewed by the legal department and recommend that the client seek legal advice before signing or renewing any contract with an outsourced payroll provider.

User access rights have not been periodically reviewed by the client is a moderate concern because it may indicate a lack of proper access control over the payroll system. User access rights are the permissions granted to users to access, view, modify, or delete data and information in the payroll system. User access rights should be periodically reviewed by the client to ensure that they are aligned with the user’s roles and responsibilities, and that they are revoked or modified when a user changes roles or leaves the organization. User access rights that are not periodically reviewed by the client may result in unauthorized or inappropriate access to payroll data and information, which may compromise its confidentiality, integrity, and availability.

Payroll processing costs have not been included in the IT budget is a minor concern because it may indicate a lack of proper planning and allocation of IT resources for payroll processing. Payroll processing costs are the expenses incurred by the client for using an outsourced payroll service, such as fees, charges, taxes, or penalties. Payroll processing costs should be included in the IT budget to

ensure that they are adequately estimated, monitored, and controlled. Payroll processing costs that are not included in the IT budget may result in unexpected or excessive costs for payroll processing, which may affect the client’s profitability and cash flow.

The third-party contract does not comply with the vendor management policy is a low concern because it may indicate a lack of alignment between the client’s vendor management policy and its actual vendor selection and evaluation process. A vendor management policy is a set of guidelines and procedures that governs how the client manages its relationship with its vendors, such as how to select, monitor, evaluate, and terminate vendors. A vendor management policy should be consistent with the client’s business objectives, risk appetite, and regulatory requirements. A third-party contract that does not comply with the vendor management policy may result in suboptimal vendor performance or service quality, but it does not necessarily imply a breach of contract or a violation of law.

Question #33

When reviewing a project to replace multiple manual data entry systems with an artificial intelligence (Al) system, the IS auditor should be MOST concerned with the impact Al will have on

A . employee retention
B . enterprise architecture (EA)
C . future task updates
D . task capacity output

Lösung einblenden Lösung ausblenden

Question #34

Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

A . The organization’s security policy
B . The number of remote nodes
C . The firewalls‘ default settings
D . The physical location of the firewalls

Lösung einblenden Lösung ausblenden

Richtige Antwort: A
A

Explanation:

This should be the first thing that an IS auditor considers when evaluating firewall rules, because it defines the objectives, standards, and guidelines for securing the organization’s network and information assets. The firewall rules should be aligned with the organization’s security policy, and reflect the level of risk and protection required for each type of network traffic, system, or data. The IS auditor should compare the firewall rules with the security policy, and identify any discrepancies, gaps, or conflicts that could compromise the security or performance of the network.

The other options are not as important as the organization’s security policy when evaluating firewall rules:

The number of remote nodes. This is a factor that may affect the complexity and scalability of the firewall rules, but it is not a primary consideration for the IS auditor. Remote nodes are devices or systems that connect to the network from outside locations, such as teleworkers, mobile users, or branch offices. The IS auditor should ensure that the firewall rules provide adequate security and access control for remote nodes, but this depends on the organization’s security policy and business needs.

The firewalls’ default settings. These are the predefined configurations that come with the firewall devices or software, and that determine how they handle network traffic by default. The IS auditor should review the firewalls’ default settings, and verify that they are appropriate and secure for the organization’s network environment. However, the firewalls’ default settings may not match the organization’s security policy or specific requirements, and may need to be customized or overridden by firewall rules.

The physical location of the firewalls. This is a factor that may affect the placement and design of the

firewall rules, but it is not a critical consideration for the IS auditor. The physical location of the firewalls refers to where they are installed or deployed in relation to the network topology, such as at the network perimeter, between network segments, or on individual hosts. The IS auditor should ensure that the firewall rules are consistent and coordinated across different locations, but this depends on the organization’s security policy and network architecture.

Question #35

To reduce operational costs, IT management plans to reduce the number of servers currently used to run business applications.

Which of the following is MOST helpful to review when identifying which servers are no longer required?

A . Performance feedback from the user community
B . Contract with the server vendor
C . Server CPU usage trends
D . Mean time between failure (MTBF) of each server

Lösung einblenden Lösung ausblenden

Question #36

In response to an audit finding regarding a payroll application, management implemented a new automated control.

Which of the following would be MOST helpful to the IS auditor when evaluating the effectiveness of the new control?

A . Approved test scripts and results prior to implementation
B . Written procedures defining processes and controls
C . Approved project scope document
D . A review of tabletop exercise results

Lösung einblenden Lösung ausblenden

Question #37

Which of the following control measures is the MOST effective against unauthorized access of confidential information on stolen or lost laptops?

A . Remote wipe capabilities
B . Disk encryption
C . User awareness
D . Password-protected files

Lösung einblenden Lösung ausblenden

Question #38

An organization has partnered with a third party to transport backup drives to an offsite storage facility.

Which of the following is MOST important before sending the drives?

A . Creating a chain of custody to accompany the drive in transit
B . Ensuring data protection is aligned with the data classification policy
C . Encrypting the drive with strong protection standards
D . Ensuring the drive is placed in a tamper-evident mechanism

Lösung einblenden Lösung ausblenden

Question #39

An organization’s security policy mandates that all new employees must receive appropriate security awareness training.

Which of the following metrics would BEST assure compliance with this policy?

A . Percentage of new hires that have completed the training.
B . Number of new hires who have violated enterprise security policies.
C . Number of reported incidents by new hires.
D . Percentage of new hires who report incidents

Lösung einblenden Lösung ausblenden

Question #40

An IS audit team is evaluating documentation of the most recent application user access review. It is determined that the user list was not system generated.

Which of the following should be of MOST concern?

A . Confidentiality of the user list
B . Timeliness of the user list review
C . Completeness of the user list
D . Availability of the user list

Lösung einblenden Lösung ausblenden