CISA-JPN Exam Question 121
During the implementation of a new system, an IS auditor was appointed to review risk management at each milestone. The auditor found that several risks to the project's benefits had not been addressed. Who should be accountable for managing these risks?
Correct answer: D
The project manager should be accountable for managing the risks to project benefits. Project benefits are the expected outcomes or value that a project delivers to its stakeholders, such as improved efficiency, quality, customer satisfaction, or revenue. Project risks are uncertain events or conditions that may affect the project objectives, scope, budget, schedule, or quality. The project manager is responsible for identifying, analyzing, prioritizing, responding to, and monitoring project risks throughout the project life cycle. The other options are not accountable for managing project risks, as they have different roles and responsibilities. The enterprise risk manager is responsible for overseeing the organization's overall risk management framework and strategy, but not for managing specific project risks. The project sponsor is responsible for initiating, approving, and supporting the project, but not for managing project risks. The information security officer is responsible for ensuring that the project complies with the organization's information security policies and standards, but not for managing project risks. References: CISA Review Manual (Digital Version), Chapter 3, Section 3.3
CISA-JPN Exam Question 122
Which of the following is the greatest risk associated with end-user computing (EUC) applications in financial reporting?
Correct answer: D
Spreadsheets, often used in EUC, are prone to manual input errors and formula mistakes. These errors can significantly compromise the accuracy and integrity of financial reporting.
CISA-JPN Exam Question 123
Which of the following should be of greatest concern to an IS auditor during a post-implementation review?
Correct answer: A
A post-implementation review (PIR) is an assessment conducted at the end of a project cycle to determine if the project was indeed successful and to identify any existing flaws in the project [1]. One of the main objectives of a PIR is to evaluate the outcome and functional value of a project [1]. Therefore, an IS auditor should be most concerned with whether the system meets the intended requirements and delivers the expected benefits to the stakeholders. A system that does not have a maintenance plan is a major risk, as it may not be able to cope with changing needs, fix errors, or prevent security breaches. A maintenance plan is essential for ensuring the system's reliability, availability, and performance in the long term [2].
The other options are less critical for a PIR, as they are more related to the project management aspects than the system quality aspects. The system may contain several minor defects that do not affect its functionality or usability, and these can be resolved in future updates. The system deployment may be delayed by three weeks due to unforeseen circumstances or dependencies, but this does not necessarily mean that the system is faulty or ineffective. The system may be over budget by 15% due to various factors such as scope creep, resource constraints, or market fluctuations, but this does not imply that the system is not valuable or beneficial.
References:
[1] Post-Implementation Review Best Practices - MetaPM
[2] What is Post-Implementation Review in Project Management?
CISA-JPN Exam Question 124
Which of the following do coding standards provide?
Correct answer: D
Coding standards provide field naming conventions, which are rules for naming variables, constants, functions, classes, and other elements in a program. Coding standards help to ensure consistency, readability, maintainability, and portability of code. Program documentation, access control tables, and data flow diagrams are not part of coding standards. References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.1
CISA-JPN Exam Question 125
Which of the following findings would be of greatest concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization?
Correct answer: D
The finding that should be of greatest concern to an IS auditor assessing the risk associated with end-user computing (EUC) in an organization is the lack of defined criteria for EUC applications. EUC applications are applications that are developed and maintained by end-users, rather than by IT professionals, to support their business functions and processes. Examples of EUC applications include spreadsheets, databases, reports, and scripts. The lack of defined criteria for EUC applications means that the organization does not have clear and consistent standards or guidelines to identify, classify, and manage EUC applications. This can lead to various risks, such as:
* Inaccurate or unreliable data and results from EUC applications that are not validated, verified, or tested
* Unauthorized or inappropriate access or use of EUC applications that are not secured, controlled, or monitored
* Inconsistent or incompatible data and results from EUC applications that are not integrated, documented, or updated
* Loss or corruption of data and results from EUC applications that are not backed up, recovered, or archived
Therefore, the IS auditor should be most concerned about the lack of defined criteria for EUC applications, as it can affect the quality, integrity, and availability of the EUC applications and the data they produce.
Insufficient processes to track ownership of each EUC application is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. The ownership of an EUC application refers to the person or group who is responsible for creating, maintaining, and using the EUC application. Insufficient processes to track ownership of each EUC application means that the organization does not have adequate mechanisms or records to identify and communicate who owns each EUC application. This can lead to risks, such as:
* Lack of accountability or ownership for the quality and accuracy of the EUC application and its data
* Lack of support or maintenance for the EUC application when the owner leaves or changes roles
* Lack of awareness or training for the users of the EUC application on its purpose and functionality
However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.
Insufficient processes to test for version control is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. Version control is a process that tracks and manages the changes made to an EUC application over time. Insufficient processes to test for version control means that the organization does not have adequate procedures or tools to ensure that the changes made to an EUC application are authorized, documented, and tested. This can lead to risks, such as:
* Errors or inconsistencies in the data and results from different versions of the EUC application
* Conflicts or confusion among the users of the EUC application on which version is current or correct
* Loss or overwrite of data and results from previous versions of the EUC application
However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.
Lack of awareness training for EUC users is a finding that should be of concern to an IS auditor assessing the risk associated with EUC in an organization, but it is not the greatest concern. Awareness training for EUC users is a process that educates and informs the users of the EUC applications on their roles, responsibilities, and risks. Lack of awareness training for EUC users means that the organization does not have adequate programs or materials to raise the knowledge and skills of the users on how to use and manage the EUC applications effectively and securely. This can lead to risks, such as:
* Misuse or abuse of the EUC applications by users who are not aware of their impact or implications
* Non-compliance or violation of policies or regulations by users who are not aware of their requirements or expectations
* Dissatisfaction or frustration among users who are not aware of their benefits or limitations
However, these risks are less severe than those caused by the lack of defined criteria for EUC applications.