The following correction applies to page 24 of the CISA Review Questions, Answers & Explanations Manual 2014 Supplement.

The text in the box below has been replaced.
24 CISA Review Questions, Answers & Explanations Manual 2014 Supplement
ISACA. All Rights Reserved.
DOMAIN 3: INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND IMPLEMENTATION
AS3-16 An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.
D is the correct answer.
Justification:
A. Continuous monitoring is detective in nature, and therefore does not necessarily assist the IS auditor in monitoring for preventive controls. The approach will detect and monitor for errors that have already occurred. In addition, continuous monitoring will benefit the internal audit function in reducing the use of auditing resources and in the timely reporting of errors or inconsistencies.
B. System integrity is typically associated with preventive controls such as input controls and quality assurance reviews. These controls do not typically benefit an internal auditing function implementing continuous monitoring. Continuous monitoring benefits the internal audit function because it reduces the use of auditing resources.
C. Error identification and handling is the primary responsibility of management. While audit's responsibility is also to find errors, audit can only report errors, not fix them.
D. Continuous auditing techniques assist the auditing function in reducing the use of auditing resources through continuous collection of evidence. This approach assists IS auditors in identifying fraud in a timely fashion and allows auditors to focus on relevant data.
AS3-17 Which of the following is the MOST important critical success factor (CSF) of implementing a risk-based approach to the IT system life cycle?
A. Adequate involvement of stakeholders
B. Selection of a risk management framework
C. Identification of risk mitigation strategies
D. Understanding of the regulatory environment
A is the correct answer.
Justification:
A. The most important critical success factor (CSF) is the adequate involvement and support of the various quality assurance, privacy, legal, audit, regulatory affairs or compliance teams in high regulatory risk situations. Some IT system changes may, based on risk ratings, require sign-off from key stakeholders before proceeding.
B. Selecting a risk management framework helps the organization define the approach to addressing risk, but still requires adequate involvement of stakeholders to be successful.
C. Identifying risk mitigation strategies helps the organization define the approach to addressing risk, but still requires adequate involvement of stakeholders to be successful.
D. Having an understanding of the regulatory environment is important to ensure that risk is addressed in the context of the applicable regulation, but adequate stakeholder involvement is required to ensure success.
The following correction applies to page 60 of the CISA Review Questions, Answers & Explanations Manual 2014 Supplement.

The text in the box below has been replaced.
60 CISA Review Questions, Answers & Explanations Manual 2014 Supplement
SAMPLE EXAM
22. An IS auditor is reviewing the IT governance practices. Which of the following BEST helps the IS auditor evaluate the quality of alignment between IT and the business?
A. Security policies
B. Operational procedures
C. Project portfolio
D. IT balanced scorecard (IT BSC)
23. Which of the following is the BEST method of disposing of sensitive data on a former employee's laptop so that it can be reused by another employee?
A. Overwrite the hard drive sectors.
B. Degauss the hard drive.
C. Reimage the computer.
D. Format the hard drive.
24. An IS auditor is assessing a biometric system used to protect physical access to a data center containing regulated data. Which of the following observations is the GREATEST concern to the auditor?
A. Administrative access to the biometric scanners or the access control system is permitted over a virtual private network (VPN).
B. Biometric scanners are not installed in restricted areas.
C. Data transmitted between the biometric scanners and the access control system does not use a securely encrypted tunnel.
D. Biometric system risk analysis was last conducted three years ago.
25. Which of the following attacks is BEST prevented by training and awareness?
A. Phishing
B. Pharming
C. Man-in-the-middle
D. Browser hijacking
26. Which of the following is the BEST indicator that a newly developed system will be used after it is in production?
A. Regression testing
B. User acceptance testing (UAT)
C. Sociability testing
D. Parallel testing
27. An IS audit department is considering implementing continuous auditing techniques for a multinational retail enterprise that processes a large volume of transactions per day. A PRIMARY benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.
28. What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
A. It detects risk sooner.
B. It replaces the audit function.
C. It reduces audit workload.
D. It reduces audit resources.