CISA exam

Due to limited storage capacity, an organization has decided to reduce the actual retention period for media containing completed low-value transactions. Which of the following is MOST important for the organization to ensure?A . The policy includes a strong risk-based approach.B . The retention period allows for review during the...

During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor's NEXT step should be to:A . note the noncompliance in the audit working papers.B . issue an audit memorandum identifying the noncompliance.C . include the noncompliance...

Which of the following components of a risk assessment is MOST helpful to management in determining the level of risk mitigation to apply?A . Risk identificationB . Risk classificationC . Control self-assessment (CSA)D . Impact assessmentView AnswerAnswer: D

Coding standards provide which of the following?A . Program documentationB . Access control tablesC . Data flow diagramsD . Field naming conventionsView AnswerAnswer: D Explanation: Coding standards provide field naming conventions, which are rules for naming variables, constants, functions, classes, and other elements in a program. Coding standards help to...

Which of the following is the MOST important benefit of involving IS audit when implementing governance of enterprise IT?A . Identifying relevant roles for an enterprise IT governance frameworkB . Making decisions regarding risk response and monitoring of residual riskC . Verifying that legal, regulatory, and contractual requirements are being...

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?A . The process does not require specifying the physical locations of assets.B . Process ownership has not been established.C . The process does not include asset review.D...

When reviewing an organization's information security policies, an IS auditor should verify that the policies have been defined PRIMARILY on the basis of:A . a risk management process.B . an information security framework.C . past information security incidents.D . industry best practices.View AnswerAnswer: A Explanation: Information security policies are high-level...

Which of the following is MOST important for an effective control self-assessment (CSA) program?A . Determining the scope of the assessmentB . Performing detailed test proceduresC . Evaluating changes to the risk environmentD . Understanding the business processView AnswerAnswer: D Explanation: Understanding the business process is the most important factor...

Which of the following would be an IS auditor's GREATEST concern when reviewing the early stages of a software development project?A . The lack of technical documentation to support the program codeB . The lack of completion of all requirements at the end of each sprintC . The lack of...

Which of the following is MOST important with regard to an application development acceptance test?A . The programming team is involved in the testing process.B . All data files are tested for valid information before conversion.C . User management approves the test design before the test is started.D . The...