Governance and Management of IT for CISA
This page covers the Governance and Management of IT domain of the CISA certification. Master Cybersecurity offers 293 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:
- A. reflect current practices.
- B. be subject to adequate quality assurance (QA).
- C. include new systems and corresponding process changes.
- D. incorporate changes to relevant laws.
Explanation
The correct answer is: D. incorporate changes to relevant laws.
When policies and procedures are not reviewed regularly, the most damaging gap is failure to incorporate changes to relevant laws and regulations, because regulatory non-compliance produces fines, sanctions, contractual breach and reputational harm that other types of drift do not. Failure to reflect current practice is a documentation hygiene problem and is generally remediable internally without external penalties. Inadequate quality assurance is a process maturity issue but does not by itself trigger regulator action. Failure to capture new systems and process changes is significant for operational governance but again does not equate to violating statutes or regulations. Regulatory and legal currency is therefore the greatest concern, which aligns with how CISA frames compliance risk in the governance domain.
Question 2
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
- A. Risk reduction
- B. Risk acceptance
- C. Risk transfer
- D. Risk avoidance
Explanation
The correct answer is: D. Risk avoidance.
Relocating the data center to higher ground in response to a flood-risk warning eliminates exposure to the threat altogether at the new site, which is the textbook description of risk avoidance: changing the circumstances so the risk no longer applies. Risk reduction would mean keeping the facility but adding flood defenses or operational mitigations to lower the residual exposure. Risk acceptance would mean choosing to live with the flood risk and absorbing any losses. Risk transfer would mean shifting the financial consequences to a third party such as an insurer while staying in the same location. Moving to remove the underlying exposure is therefore avoidance in ISO 31000 terms: avoidance is the appropriate label whenever the chosen response eliminates the activity's exposure to the threat, which is precisely what relocation does for the flood risk.
Question 3
Which of the following would be MOST useful to an IS auditor assessing the effectiveness of IT resource planning?
- A. Budget execution status
- B. A capacity analysis of IT operations
- C. A succession plan for key IT personnel
- D. A list of new applications to be implemented
Explanation
The correct answer is: B. A capacity analysis of IT operations.
A capacity analysis of IT operations is the most useful input for assessing the effectiveness of IT resource planning because it reveals current and projected utilization of compute, storage, network and people against demand, which is exactly what resource planning aims to balance. Budget execution status shows financial pacing but says little about whether the right capacity will be available where needed. A succession plan for key IT personnel addresses talent continuity, which is a narrow slice of resource planning. A list of new applications to be implemented enumerates demand without showing capacity to absorb it. Capacity analysis is therefore the most direct measure of resource-planning effectiveness.
Question 4
An IS auditor is evaluating controls for monitoring the regulatory compliance of a third party that provides IT services to the organization. Which of the following should be the auditor's GREATEST concern?
- A. A gap analysis against regulatory requirements has not been conducted.
- B. The third party disclosed a policy-related issue of noncompliance.
- C. The organization has not reviewed the third party's policies and procedures.
- D. The organization has not communicated regulatory requirements to the third party.
Explanation
The correct answer is: D. The organization has not communicated regulatory requirements to the third party.
When monitoring third-party regulatory compliance, the greatest concern is that the organization has not communicated regulatory requirements to the third party, because the third party cannot comply with rules it does not know about, and the organization remains accountable for compliance even when delivery is outsourced. A missing regulatory-gap analysis is a process weakness but presupposes that requirements have been communicated. A disclosed policy-related noncompliance issue is concerning but reflects an active engagement that can be remediated. Not reviewing the third party's policies and procedures is a due-diligence gap but again secondary to first telling the third party what to comply with. Communication of regulatory requirements is the foundational step in third-party compliance monitoring.
Question 5
A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control?
- A. Rotation of log monitoring and analysis responsibilities
- B. Additional management reviews and reconciliations
- C. Mandatory vacations
- D. Third-party assessments
Explanation
The correct answer is: B. Additional management reviews and reconciliations.
When proper segregation of duties is infeasible in a small organization, the standard compensating control is to layer in additional management reviews and reconciliations so that a second pair of eyes verifies the actions of the single individual who must perform multiple incompatible functions. Rotation of log monitoring assignments creates short-term diversity in who watches but does not by itself review the underlying work product. Mandatory vacations help expose anomalies during the absence but only address concealment, not detection of routine errors or unauthorized actions. Third-party assessments occur infrequently and do not substitute for ongoing oversight of day-to-day work. Management reviews and reconciliations operate at the cadence of the underlying transactions, which makes them the most effective compensating control when segregation cannot be achieved organically.
Other CISA domains
- Information System Auditing Process (318 questions)
- Information Systems Acquisition, Development and Implementation (276 questions)
- Information Systems Operations and Business Resilience (360 questions)
- Protection of Information Assets (576 questions)