Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 05

  1. During a follow-up audit, an IS auditor learns the organization implemented an automated process instead of the originally agreed-upon enhancement of the manual process. The auditor should:

    • report the finding that recommendations were not acted upon
    • perform a cost-benefit analysis on the new process
    • verify that the new process satisfies control objectives
    • report the recommendation as implemented
  2. During a privileged access review, an IS auditor observes many help desk employees have privileges within systems not required for their job functions. Implementing which of the following would have prevented this situation?

    • Separation of duties
    • Multi-factor authentication
    • Least privilege access
    • Privileged access reviews
  3. Management disagrees with a finding in a draft audit report and provides supporting documentation. Which of the following should be the IS auditor’s NEXT course of action?

    • Document management’s disagreement in the final report
    • Evaluate the supporting documentation
    • Escalate the issue with supporting documentation to senior management
    • Finalize the draft audit report without changes
  4. Which of the following audit techniques is MOST appropriate for verifying application program controls?

    • Statistical sampling
    • Code review
    • Confirmation of accounts
    • Use of test data
  5. A business has requested an IS audit to determine whether information stored in an application system is adequately protected. Which of the following is the MOST important action before the audit work begins?

    • Establish control objectives
    • Conduct a vulnerability analysis
    • Perform penetration testing
    • Review remediation reports
  6. Which audit technique provides the GREATEST assurance that incident management procedures are effective?

    • Determining whether incidents are categorized and addressed
    • Performing comprehensive vulnerability scanning and penetration testing
    • Comparing incident management procedures to best practices
    • Evaluating end-user satisfaction survey results
  7. Which of the following findings would be of MOST concern to an IS auditor performing a review of an end-user developed application that generates financial statements?

    • The application is not sufficiently supported by the IT department
    • There is not adequate training in the use of the application
    • There is no adequate user license for the application
    • There is no control to ensure accuracy of the processed data
  8. An organization plans to deploy Wi-Fi location analytics to count the number of shoppers per day across its various retail outlets. What should the IS auditor recommend as the FIRST course of action by IT management?

    • Conduct a privacy impact assessment
    • Mask media access control (MAC) addresses
    • Survey shoppers for feedback
    • Develop a privacy notice to be displayed to shoppers
  9. An IS auditor discovered abnormalities in a monthly report generated from a system upgraded six months ago. Which of the following should be the auditor’s FIRST course of action?

    • Inspect source code for proof of abnormalities
    • Perform a change management review of the system
    • Schedule an access review of the system
    • Determine the impact of abnormalities in the report
  10. When auditing the effectiveness of a biometric system, which of the following indicators would be MOST important to review?

    • False negatives
    • False acceptance rate
    • Failure to enroll rate
    • System response time
  11. An IS auditor conducting audit follow-up activities learns that some previously agreed-upon corrective actions have not been taken and that the associated risk has been accepted by senior management. If the auditor disagrees with management’s decision, what is the BEST way to address the situation?

    • Repeat the audit with audit scope only covering areas with accepted risks
    • Report the issue to the chief audit executive for resolution
    • Recommend new corrective actions to mitigate the accepted risk
    • Take no action since management’s decision has been made
  12. During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

    • Inherent risk
    • Sampling risk
    • Control risk
    • Detection risk
  13. An organization is concerned about duplicate vendor payments on a complex system with a high volume of transactions. Which of the following would be MOST helpful to an IS auditor to determine whether duplicate vendor payments exist?

    • Computer-assisted technique
    • Stop-and-go testing
    • Statistical sampling
    • Judgmental sampling
  14. The MAIN benefit of using an integrated test facility (ITF) as an online auditing technique is that it enables:

    • a cost-effective approach to application controls audit
    • auditors to investigate fraudulent transactions
    • auditors to test without impacting production data
    • the integration of financial and audit tests
  15. When evaluating the ability of a disaster recovery plan (DRP) to enable the recovery of IT processing capabilities, it is MOST important for the IS auditor to verify the plan is:

    • stored at an offsite location
    • communicated to department heads
    • regularly reviewed
    • periodically tested
  16. An IS auditor is analyzing a sample of accesses recorded on the system log of an application. The auditor intends to launch an intensive investigation if one exception is found. Which sampling method would be appropriate?

    • Discovery sampling
    • Variable sampling
    • Stratified sampling
    • Judgmental sampling
  17. Assessments of critical information systems are based on a cyclical audit plan that has not been updated for several years. Which of the following should the IS auditor recommend to BEST address this situation?

    • Use a revolving set of audit plans to cover all systems
    • Update the audit plan quarterly to account for delays and deferrals of periodic reviews
    • Regularly validate the audit plan against business risks
    • Do not include periodic reviews in detail as part of the audit plan
  18. An IS auditor is assessing risk associated with peer-to-peer file sharing within an organization. Which of the following should be of GREATEST concern?

    • File-sharing policies have not been reviewed since last year
    • Only some employees are required to attend security awareness training
    • Not all devices are running antivirus programs
    • The organization does not have an efficient patch management process
  19. An IS auditor is reviewing an organization’s incident management processes and procedures. Which of the following observations should be the auditor’s GREATEST concern?

    • Ineffective incident classification
    • Ineffective incident prioritization
    • Ineffective incident detection
    • Ineffective post-incident review
  20. During an IS audit, it is discovered that security configurations differ across the organization’s virtual server farm. Which of the following is the IS auditor’s BEST recommendation for improving the control environment?

    • Conduct an independent review of each server’s security configuration
    • Implement a security configuration baseline for virtual servers
    • Implement security monitoring controls for high-risk virtual servers
    • Conduct a standard patch management review across the virtual server farm