ExamGecko

Question 1066 - CISA discussion

An IS auditor is planning an audit of an organization's risk management practices. Which of the following would provide the MOST useful information about risk appetite?

A. Risk policies
B. Risk assessments
C. Prior audit reports
D. Management assertion

Suggested answer: A

Explanation:

Risk appetite is the amount and type of risk that an organization is willing to accept in pursuit of its objectives. Risk appetite reflects the organization's risk culture, strategy, and tolerance, and guides the organization's risk management practices. The most useful information about risk appetite can be obtained from the risk policies, which are the documents that define the organization's risk management framework, principles, objectives, roles, responsibilities, and processes. Risk policies also establish the criteria and thresholds for identifying, assessing, prioritizing, mitigating, and monitoring risks, as well as the reporting and escalation mechanisms for risk issues. By reviewing the risk policies, an IS auditor can evaluate whether they are consistent, comprehensive, and aligned with the organization's risk appetite and whether they provide clear guidance and direction for managing risks effectively.

The other options are not correct because they are either not the most useful or not relevant to risk appetite. Risk assessments are the processes of identifying, analyzing, and evaluating the risks that may affect the organization's objectives. Risk assessments provide information about the current risk profile and exposure of the organization, but they do not indicate the organization's risk appetite or preferences. Prior audit reports are the documents that summarize the findings, recommendations, and conclusions of previous audits. Prior audit reports may provide information about the past performance and issues of the organization's risk management practices, but they do not reflect the organization's risk appetite or expectations. Management assertion is a statement or declaration made by management about the accuracy, completeness, validity, or reliability of a certain fact or data. Management assertion may provide information about the management's confidence or opinion on a specific risk or issue, but it does not represent the organization's risk appetite or criteria.

asked 18/09/2024
Dean Pillay