CISA Online Practice Questions and Answers

Correct Answer: A

The IS auditor's primary concern when an organization has recently implemented a Voice-over IP (VoIP) communication system is a single point of failure for both voice and data communications. VoIP is a technology that allows voice communication over IP networks such as the internet. VoIP can offer benefits such as lower costs, higher flexibility, and better integration with other applications. However, VoIP also introduces risks such as dependency on network availability, performance, and security. If both voice and data communications share the same network infrastructure and devices, then a single point of failure can affect both services simultaneously and cause significant disruption to business operations. Therefore, the IS auditor should evaluate the availability and redundancy of the network components and devices that support VoIP communication. The other options are not as critical as a single point of failure for both voice and data communications, as they do not pose a direct threat to business continuity. References: CISA Review Manual, 27th Edition, page 385

Correct Answer: D

An audit universe is a comprehensive list of all the auditable entities, processes, and activities within an organization. It helps the IS auditor to identify the scope, objectives, and priorities of the audit plan, as well as the resources and methodologies required to conduct the audits. An audit universe can also help the IS auditor to ensure that all the key risks, controls, and regulations are covered by the audit plan, and that there are no gaps or overlaps in the audit coverage. The first activity that the IS auditor should perform when preparing a plan for audits to be carried out over a specified period is to determine the audit universe. This involves defining the criteria and methods for identifying and categorizing the auditable units, such as by business function, process, system, location, or risk level. The IS auditor should also consult with the management and other stakeholders to obtain their input and expectations for the audit plan. The IS auditor should then document and validate the audit universe, and update it regularly to reflect any changes in the organization's structure, operations, or environment. The other three activities are also important for preparing an audit plan, but they should be performed after determining the audit universe. Allocating audit resources involves assigning staff, time, budget, and tools to each audit based on their complexity, priority, and availability. Prioritizing risks involves assessing the likelihood and impact of each risk associated with each auditable unit, and ranking them according to their significance and urgency. Reviewing prior audit reports involves analyzing the findings, recommendations, and actions from previous audits related to each auditable unit, and evaluating their current status and relevance. Therefore, determining the audit universe is the best answer. References: Audit Universe ?UPDATED 2022 ?Examples, Templateandp; More! 01 February 2023 Audit universe - IIA

Correct Answer: D

The most useful thing to do when planning to audit an organization's compliance with cybersecurity regulations in foreign countries is to map the different regulatory requirements to the organization's IT governance framework. This is because

an IT governance framework is a roadmap that defines the methods used by an organization to implement, manage and report on IT governance within said organization1. IT governance helps align business and IT strategies using a solid

and formal framework. By mapping the different regulatory requirements to the IT governance framework, the auditor can:

Identify the commonalities and differences among the various cybersecurity regulations that apply to the organization's operations in different countries. Assess the level of compliance and maturity of the organization's IT governance

practices against each regulatory requirement.

Evaluate the risks and gaps associated with non-compliance or partial compliance with any of the regulatory requirements.

Recommend appropriate actions or improvements to enhance the organization's IT governance and cybersecurity posture.

Option D is correct because mapping the different regulatory requirements to the organization's IT governance framework is a systematic and effective way to plan and conduct an audit of compliance with cybersecurity regulations in foreign

countries.

Correct Answer: B

When operational management informs the IS auditor that recent organizational changes have addressed previously identified risks and implementing the action plan is no longer necessary, the IS auditor should accept management's assertion and report that the risks have been addressed. However, it is essential to document this communication and ensure that there is evidence supporting management's claim. If there are any doubts or concerns, further investigation may be necessary. The auditor should not assume new risks without proper assessment or evidence

Correct Answer: D

The best performance indicator for the effectiveness of an incident management program is the incident resolution meantime. This is the average time it takes to resolve an incident from the moment it is reported to the moment it is closed. The incident resolution meantime reflects how quickly and efficiently the incident management team can restore normal service and minimize the impact of incidents on the business operations and customer satisfaction. The average time between incidents (option A) is not a good performance indicator for the effectiveness of an incident management program, as it does not measure how well the incidents are handled or resolved. It only shows how frequently the incidents occur, which may depend on various factors beyond the control of the incident management team, such as the complexity and reliability of the systems, the security threats and vulnerabilities, and the user behavior and expectations. The incident alert meantime (option B) is the average time it takes to detect and report an incident. While this is an important metric for measuring the responsiveness and awareness of the incident management team, it does not indicate how effective the incident management program is in resolving the incidents and restoring normal service. The number of incidents reported (option C) is also not a good performance indicator for the effectiveness of an incident management program, as it does not reflect how well the incidents are handled or resolved. It only shows how many incidents are identified and recorded, which may vary depending on the reporting channels, tools, and procedures used by the incident management team and the users. Therefore, option D is the correct answer. References: Incident Management: Processes, Best Practices and Tools - Atlassian What is backup and disaster recovery? | IBM

Correct Answer: B

Correct Answer: A

Correct Answer: C

Correct Answer: C

Correct Answer: D