Q 36

Uploaded by Fares Salman

1. An organization recently implemented an industry-recognized IT framework to improve the overall effectiveness of IT governance. Which of the following would BEST enable an IS auditor to assess the implementation against the framework?

o Capability maturity model
o Key risk indicators (KRIs)
o Industry benchmarking
o Balanced scorecard
2. An organization plans to allow third parties to collect customer personal data from a retail loyalty platform via an application programming interface (API). Which of the following should be the PRIMARY consideration when designing this API?

o Data governance policies
o System resilience
o Regulatory compliance
o Data availability

3. Which of the following would provide management with the MOST reasonable assurance that a new data warehouse will meet the needs of the organization?

o Appointing data stewards to provide effective data governance
o Classifying data quality issues by the severity of their impact to the organization
o Integrating data requirements into the system development life cycle (SDLC)
o Facilitating effective communication between management and developers

4. Which of the following has the GREATEST influence on the success of IT governance?

o IT strategy is embedded in all risk management processes
o Alignment of IT strategies with the entity's vision
o The CIO is a member of the audit committee
o Clear, concise, and enforced IS policies

5. Which of the following is the MOST important step in the development of an effective IT governance action plan?

o Conducting a business impact analysis (BIA)
o Preparing a statement of sensitivity
o Setting up an IT governance framework for the process
o Measuring IT governance key performance indicators (KPIs)

6. Which of the following governance functions is responsible for ensuring IT projects have sufficient resources and are prioritized appropriately?

o Board of directors
o IT management
o IT steering committee
o Executive management

7. Which of the following is a benefit of requiring management to issue a report to stakeholders regarding the internal controls over IT?

o Transparency of IT costs
o Improved portfolio management
o Improved cost management
o Focus on IT governance

8. An IS auditor's role in privacy and security is to:

o assist in developing an IS security strategy.
o verify compliance with applicable laws.
o implement risk management methodologies.
o assist the governance steering committee with implementing a security policy.

9. Which of the following should be of GREATEST concern to an IS auditor reviewing an organization's initiative to adopt an enterprise governance framework?

o The organization has not identified the business drivers for adopting the framework.
o The organization's security department has not been involved with the initiative.
o The organization has tried to adopt the entire framework at once.
o The organization has not provided employees with formal training on the framework.

10. Which of the following IT processes is likely to have the GREATEST inherent regulatory risk?

o IT project management
o Data management
o Capacity management
o IT resource management

11. Which of the following is the BEST indication that an organization has achieved legal and regulatory compliance?

o The board of directors and senior management accept responsibility for compliance.
o An independent consultant has been appointed to ensure legal and regulatory compliance.
o Periodic external and internal audits have not identified instances of noncompliance.
o The risk management process incorporates noncompliance as a risk.
12. Which of the following is the MOST significant obstacle to establishing a new privacy program?

o Unresolved overlap of security and privacy roles and responsibilities
o An insufficient privacy awareness training program
o A complex legal and regulatory landscape
o Failure to perform a business impact analysis (BIA)
13. Which of the following is the BEST evidence that an organization is aware of applicable laws and regulations?

o The organization's compliance matrix
o History of legal actions and regulatory correspondence
o The existence of an employee awareness training program
o Industry benchmark results

14. Which of the following is MOST important to consider when reviewing a third-party service agreement for disaster recovery services?

o Recovery point objectives (RPOs) and recovery time objectives (RTOs) are included in the agreement.
o The lowest price possible is obtained for the service rendered.
o Security and regulatory requirements are addressed in the agreement.
o Provisions exist to retain ownership of intellectual property in the event of termination.

15. A new regulation in one country of a global organization has recently prohibited cross-border transfer of personal data. An IS auditor has been asked to determine the organization's level of exposure in the affected country. Which of the following would be MOST helpful in making this assessment?

o Identifying data security threats in the affected jurisdiction
o Reviewing data classification procedures associated with the affected jurisdiction
o Identifying business processes associated with personal data exchange with the affected jurisdiction
o Developing an inventory of all business entities that exchange personal data with the affected jurisdiction
16. A new regulatory standard for data privacy requires an organization to protect personally identifiable information (PII). Which of the following is MOST important to include in the audit engagement plan to assess compliance with the new standard?

o Identification of IT systems that host PII
o Review of data loss risk scenarios
o Identification of unencrypted PII
o Review of data protection procedures
17. Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

o Compliance with local laws and regulations
o Compliance with the organization's policies and procedures
o Compliance with action plans resulting from recent audits
o Compliance with industry standards and best practice

18. Which of the following is the BEST source of information for an IS auditor to use as a baseline to assess the adequacy of an organization's privacy policy?

o Benchmark studies of similar organizations
o Local privacy standards and regulations
o Historical privacy breaches and related root causes
o Globally accepted privacy best practices

19. An IS auditor is reviewing standards and compliance requirements related to an upcoming systems audit. The auditor notes that the industry standards are less stringent than local regulatory standards. How should the auditor proceed?

o Audit to the standards with the highest requirements.
o Audit exclusively to the industry standards.
o Coordinate with regulatory officers to determine necessary requirements.
o Audit to the policies and procedures of the organization.

20. A new regulation requires organizations to report significant security incidents to the regulator within 24 hours of identification. Which of the following is the IS auditor's BEST recommendation to facilitate compliance with the regulation?

o Include the requirement in the incident management response plan.
o Establish key performance indicators (KPIs) for timely identification of security incidents.
o Enhance the alert functionality of the intrusion detection system (IDS).
o Engage an external security incident response expert for incident handling.
