Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 04

  1. Which of the following is an analytical review procedure for a payroll system?

    • Performing penetration attempts on the payroll system
    • Evaluating the performance of the payroll system using benchmarking software
    • Performing reasonableness tests by multiplying the number of employees by the average wage rate
    • Testing hours reported on time sheets
  2. An IS auditor observes that the CEO has full access to the enterprise resource planning (ERP) system. The IS auditor should FIRST:

    • accept the level of access provided as appropriate
    • recommend that the privilege be removed
    • ignore the observation as not being material to the review
    • document the finding as a potential risk
  3. Two servers are deployed in a cluster to run a mission-critical application. To determine whether the system has been designed for optimal efficiency, the IS auditor should verify that:

    • the security features in the operating system are all enabled
    • the number of disks in the cluster meets minimum requirements
    • the two servers are of exactly the same configuration
    • load balancing between the servers has been implemented
  4. The GREATEST risk when performing data normalization is:

    • the increased complexity of the data model
    • duplication of audit logs
    • reduced data redundancy
    • decreased performance
  5. An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor’s BEST recommendation for the organization?

    • Continue using the existing application since it meets the current requirements
    • Prepare a maintenance plan that will support the application using the existing code
    • Bring the escrow version up to date
    • Undertake an analysis to determine the business risk
  6. Which of the following is the BEST way to evaluate the effectiveness of access controls to an internal network?

    • Perform a system penetration test
    • Test compliance with operating procedures
    • Review access rights
    • Review router configuration tables
  7. An IS auditor finds a number of system accounts that do not have documented approvals. Which of the following should be performed FIRST by the auditor?

    • Have the accounts removed immediately
    • Obtain sign-off on the accounts from the application owner
    • Document a finding and report an ineffective account provisioning control
    • Determine the purpose and risk of the accounts
  8. An IS auditor is a member of an application development team that is selecting software. Which of the following would impair the auditor’s independence?

    • Verifying the weighting of each selection criterion
    • Approving the vendor selection methodology
    • Reviewing the request for proposal (RFP)
    • Witnessing the vendor selection process
  9. An internal control audit has revealed a control deficiency related to a legacy system where the compensating controls no longer appear to be effective. Which of the following would BEST help the information security manager determine the security requirements to resolve the control deficiency?

    • Cost-benefit analysis
    • Gap analysis
    • Risk assessment
    • Business case
  10. An audit of the quality management system (QMS) begins with an evaluation of the:

    • organization’s QMS policy
    • sequence and interaction of QMS processes
    • QMS processes and their application
    • QMS document control procedures
  11. An IS auditor has completed an audit on the organization’s IT strategic planning process. Which of the following findings should be given the HIGHEST priority?

    • The IT strategic plan was completed prior to the formulation of the business strategic plan
    • Assumptions in the IT strategic plan have not been communicated to business stakeholders
    • The IT strategic plan was formulated based on the current IT capabilities
    • The IT strategic plan does not include resource requirements for implementation
  12. Which of the following provides the BEST evidence of successfully completed batch uploads?

    • Sign-off on the batch journal
    • Using sequence controls
    • Enforcing batch cut-off times
    • Reviewing process logs
  13. An IS auditor is conducting a review of a healthcare organization’s IT policies for handling medical records. Which of the following is MOST important to verify?

    • A documented policy approval process is in place
    • Policy writing standards are consistent
    • The policies comply with regulatory requirements
    • IT personnel receive ongoing policy training
  14. Audit management has just completed the annual audit plan for the upcoming year, which consists entirely of high-risk processes. However, it is determined that there are insufficient resources to execute the plan. What should be done NEXT?

    • Remove audits from the annual plan to better match the number of resources available
    • Reduce the scope of the audits to better match the number of resources available
    • Present the annual plan to the audit committee and ask for more resources
    • Review the audit plan and defer some audits to the subsequent year
  15. If concurrent update transactions to an account are not processed properly, which of the following will be affected?

    • Integrity
    • Confidentiality
    • Availability
    • Accountability
  16. When conducting a review of security incident management, an IS auditor found there are no defined escalation processes. All incidents are managed by the service desk. Which of the following should be the auditor’s PRIMARY concern?

    • Inefficient use of service desk resources
    • Management’s lack of awareness of high impact incidents
    • Delays in resolving low priority trouble tickets
    • Management’s inability to follow up on incident resolution
  17. Which of the following should an IS auditor be MOST concerned with during a post-implementation review?

    • The system does not have a maintenance plan
    • The system contains several minor defects
    • The system was over budget by 15%
    • The system deployment was delayed by three weeks
  18. An IS auditor is reviewing a bank’s service level agreement (SLA) with a third-party provider that hosts the bank’s secondary data center. Which of the following findings should be of GREATEST concern to the auditor?

    • The recovery point objective (RPO) has a shorter duration than documented in the disaster recovery plan
    • The recovery time objective (RTO) has a longer duration than documented in the disaster recovery plan
    • Backup data is hosted online only
    • The SLA has not been reviewed in more than a year
  19. Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

    • Performing independent reviews of responsible parties engaged in the project
    • Ensuring the project progresses as scheduled and milestones are achieved
    • Performing day-to-day activities to ensure the successful completion of the project
    • Providing sign-off on the design of controls for the data center
  20. Which of the following is MOST important for an IS auditor to determine when reviewing how the organization’s incident response team handles devices that may be involved in criminal activity?

    • Whether devices are checked for malicious applications
    • Whether the access logs are checked before seizing the devices
    • Whether users have knowledge of their devices being examined
    • Whether there is a chain of custody for the devices