CISA-JPN Exam Question 236
Which of the following would best guide an IS auditor in determining the appropriate time to schedule a follow-up of agreed corrective actions for reported audit issues?
Correct answer: B
This is because the follow-up of agreed corrective actions for reported audit issues should take place after the auditee has had enough time to implement the corrective actions and demonstrate their effectiveness and sustainability. The follow-up audit should be neither too soon nor too late; it should be based on a reasonable and realistic timeframe that allows adequate testing and verification of the control's operation.
Answer A (Progress updates indicate that the implementation of agreed actions is on track) is not the best answer, because progress updates are not sufficient to guide the timing of the follow-up audit. Progress updates are useful for monitoring and communicating the status and challenges of the corrective actions, but they do not provide conclusive evidence that the control is operating. The follow-up audit should be based on actual results and outcomes, not on expectations or projections.
Answer C (Business management has completed the implementation of agreed actions on schedule) is not the best answer, because completion of the implementation of agreed actions is not enough to guide the timing of the follow-up audit. Completion only indicates that the auditee has taken the steps intended to address the audit issues; it does not guarantee that the corrective actions are effective and sustainable. The follow-up audit should be based on evaluation and validation of the control's operation, not on completion of the control's implementation.
Answer D (Regulators have announced a timeline for an inspection visit) is not the best answer, because a regulators' inspection visit is not a relevant basis for the timing of the follow-up audit. The inspection visit is an external factor that may or may not coincide with the internal follow-up audit schedule. The follow-up audit should be based on the internal audit plan and objectives, not on external audit requirements or expectations.
CISA-JPN Exam Question 237
An IS audit reveals that an organization operating in business continuity mode during a pandemic has not performed a simulation test of its business continuity plan (BCP). Which of the following is the best course of action for the auditor?
Correct answer: B
This is because the auditor's primary objective is to evaluate the adequacy and performance of the business continuity plan (BCP) in ensuring the continuity and resilience of the organization's critical functions and processes during a disruption. The auditor should review the actual results and outcomes of the business response, such as recovery time, recovery point, service levels, customer satisfaction, and incident management, and compare them with the predefined objectives and criteria of the BCP. The auditor should also identify and analyze any gaps, issues, or lessons learned from the business response, and provide recommendations for improvement [1][2].
Answer A (Confirm the BCP has been recently updated) is not the best answer, because it is not directly related to the auditor's course of action. Confirming that the BCP has been recently updated is part of audit planning and scoping, not audit execution or reporting. The auditor should confirm that the BCP has been recently updated before conducting the audit, not after finding that a simulation test has not been performed. Moreover, confirming that the BCP has been recently updated does not provide sufficient evidence of the effectiveness of the business response [1][2].
Answer C (Raise an audit issue for the lack of simulated testing) is not the best answer, because it is not the most relevant course of action. Raising an audit issue for the lack of simulated testing is part of audit reporting and follow-up, not audit execution or evaluation. The auditor should raise an audit issue for the lack of simulated testing after reviewing the effectiveness of the business response, not before or instead of doing so. Furthermore, raising the issue on its own does not address the root cause or impact of the problem, nor does it provide constructive feedback or guidance for improvement [1][2].
Answer D (Interview staff members to obtain commentary on the BCP's effectiveness) is not the best answer, because it is not sufficient to guide the auditor's course of action. Interviewing staff members is part of audit evidence collection and analysis, not audit evaluation or conclusion. The auditor should interview staff members as one source of information, not as the only or main source. Additionally, staff commentary on the BCP's effectiveness may be subjective, biased, or incomplete, and may not reflect the actual performance or outcomes of the business response [1][2].
References:
1. Business Continuity Management Audit/Assurance Program
2. Business Continuity Plan Testing: Types and Best Practices
CISA-JPN Exam Question 238
Which of the following poses the greatest risk to the use of active RFID tags?
Correct answer: D
CISA-JPN Exam Question 239
The charging method that most effectively encourages the most efficient use of IS resources is:
Correct answer: A
The charging method for IS resources is the way that the IS function allocates its costs to the users or business units that consume its services. The charging method can affect the behavior and incentives of the users and the IS function, as well as the efficiency and effectiveness of the IS resources. Therefore, choosing an appropriate charging method is an important decision for the IS function and its stakeholders.
One of the possible charging methods is to charge specific costs that can be tied back to specific usage. This means that the IS function tracks and measures the actual consumption of each user or business unit for each IS service, and charges them accordingly. For example, if a user uses 10 GB of storage space, 5 hours of CPU time, and 100 MB of network bandwidth, the IS function will charge them based on the unit costs of these resources. This charging method has the advantage of encouraging the most efficient use of IS resources, as it provides clear and accurate feedback to the users about their consumption and costs, and motivates them to optimize their usage and avoid waste or overuse. This charging method also aligns the interests of the IS function and the users, as both parties benefit from reducing costs and improving efficiency.
The other possible charging methods are:
* Total utilization to achieve full operating capacity: This means that the IS function charges a fixed amount to each user or business unit based on their proportion of the total operating capacity of the IS resources. For example, if a user or business unit has 10% of the total computing power allocated to them, they will pay 10% of the total IS costs. This charging method has the disadvantage of discouraging efficient use of IS resources, as it does not reflect the actual consumption or usage of each user or business unit, and does not provide any incentive to reduce costs or improve efficiency. This charging method also creates a mismatch between the interests of the IS function and the users, as the IS function benefits from increasing costs and capacity, while the users bear the burden of paying for them.
* Residual income in excess of actual incurred costs: This means that the IS function charges a markup or profit margin on top of its actual incurred costs to each user or business unit. For example, if a user or business unit consumes $100 worth of IS resources, the IS function will charge them $120, where $20 is the residual income for the IS function. This charging method has the disadvantage of discouraging efficient use of IS resources, as it increases the costs for the users and reduces their value for money.
This charging method also creates a conflict between the interests of the IS function and the users, as the IS function benefits from increasing costs and profits, while the users suffer from paying more than they should.
* Allocations based on the ability to absorb charges: This means that the IS function charges different amounts to different users or business units based on their ability to pay or their profitability. For example, if a user or business unit is more profitable or has a higher budget than another user or business unit, they will pay more for the same amount of IS resources. This charging method has the disadvantage of discouraging efficient use of IS resources, as it does not reflect the actual consumption or usage of each user or business unit, and does not provide any incentive to reduce costs or improve efficiency. This charging method also creates an unfair and arbitrary distribution of costs among the users or business units, as some pay more than others for no valid reason.
References:
1. Charging Methods for IT Services - IT Process Wiki
2. IT Chargeback Methods - CIO Wiki
3. IT Chargeback - Wikipedia
CISA-JPN Exam Question 240
An IS auditor discovers that an employee has unauthorized access to confidential data. The IS auditor's best recommendation would be to:
Correct answer: B
The best recommendation for an IS auditor who finds that one employee has unauthorized access to confidential data is to require the business owner to conduct regular access reviews. Access reviews are periodic assessments of user access rights and permissions to ensure that they are appropriate, necessary, and aligned with the business needs and objectives. Access reviews help to identify and remediate any unauthorized, excessive, or obsolete access that could pose a security risk or violate compliance requirements.
The business owner is responsible for defining and approving the access requirements for their data and ensuring that they are enforced and monitored.
References:
* CISA Review Manual (Digital Version)
* CISA Questions, Answers & Explanations Database