- (Topic 4)
Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?
Correct Answer:
C
The primary role of an internal audit function in the management of identified business risks is to validate the enterprise risk management (ERM) process and provide assurance on its effectiveness. The internal audit function should evaluate whether the ERM process is aligned with the organization’s objectives, strategies, policies and culture, and whether it covers all relevant risks and controls. The internal audit function should also assess whether the ERM process is operating as designed and producing reliable and timely information for decision making. The other options are not the primary role of an internal audit function, but rather the responsibilities of senior management, board of directors or risk owners. References:
✑ ISACA, CISA Review Manual, 27th Edition, chapter 1, section 1.41
✑ ISACA, IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 12072
- (Topic 4)
An IS auditor is reviewing the perimeter security design of a network. Which of the following provides the GREATEST assurance that outgoing Internet traffic is controlled?
Correct Answer:
C
A stateful firewall provides the greatest assurance that outgoing Internet traffic is controlled, as it monitors and filters packets based on their source, destination and connection state. A stateful firewall can prevent unauthorized or malicious traffic from leaving the network, as well as block incoming traffic that does not match an established connection. An intrusion detection system (IDS) can detect and alert on suspicious or anomalous traffic, but it does not block or control it. A security information and event management (SIEM) system can collect and analyze logs and events from various sources, but it does not directly control traffic. A load balancer can distribute traffic among multiple servers, but it does not filter or monitor it. References: CISA Review Manual (Digital Version), Chapter 6, Section 6.2
- (Topic 4)
Which of the following biometric access controls has the HIGHEST rate of false negatives?
Correct Answer:
B
Among the options provided, fingerprint scanning has the highest rate of false negatives. False negatives occur when a biometric system fails to recognize an authentic individual. Factors such as skin conditions (wet, dry, greasy), finger injuries, and inadequate scanning can contribute to false negatives in fingerprint scanning [1]. In comparison, iris recognition [2][3], face recognition [4][5], and retina scanning [6][7] generally have lower rates of false negatives.
References:
✑ [1] How Accurate are today’s Fingerprint Scanners? - Bayometric
✑ [2] 25 Advantages and Disadvantages of Iris Recognition - Biometric Today
✑ [3] Iris Recognition Technology (or, Musings While Going through Airport …
✑ [4] The Critics Were Wrong: NIST Data Shows the Best Facial Recognition Algorithms Are Neither Racist Nor Sexist | ITIF
✑ [5] NIST Launches Studies into Masks’ Effect on Face Recognition Software
✑ [6] Retinal scan - Wikipedia
✑ [7] How accurate are retinal security scans - Smart Eye Technology
- (Topic 4)
Which of the following is the BEST way to identify whether the IT help desk is meeting service level agreements (SLAs)?
Correct Answer:
A
The best way to identify whether the IT help desk is meeting service level agreements (SLAs) is to review exception reports (option A). Exception reports are documents that highlight any deviations from the agreed service levels, such as breaches, delays, or failures. They help the IT help desk monitor its performance, identify root causes, and implement corrective actions. Reviewing exception reports also helps the IT help desk communicate with end users and stakeholders about any service issues and their resolution.
Reference: IT help desk support SLA, Section 4: Reporting and Reviewing Service Levels, Page 3.
- (Topic 1)
During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:
Correct Answer:
C
The primary responsibility of an IS auditor during the design phase of a software development project is to evaluate the controls incorporated into the system specifications. Controls are mechanisms or procedures intended to ensure the security, reliability, or performance of a system or process; system specifications are the documents that define and describe the requirements, features, functions, and components of a system or software. Evaluating the controls at this stage helps ensure that the system or software will meet the organization’s objectives, standards, and expectations for security, reliability, and performance. The other options are not primary responsibilities of an IS auditor during the design phase, because none of them directly relates to evaluating the controls in the system specifications: future compatibility of the application may affect its functionality or usability in different environments or platforms; proposed functionality of the application may affect its suitability or value for meeting user needs or expectations; and the development methodology employed may affect the quality or consistency of the software development process. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3