Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 07

  1. Which of the following is the BEST IS audit strategy?

    • Perform audits based on impact and probability of error and failure.
    • Cycle general control and application audits over a two-year period.
    • Conduct general control audits annually and application audits in alternating years.
    • Limit audits to new application system developments.
  2. Which of the following is MOST important for an IS auditor to review when evaluating the effectiveness of an organization’s incident response process?

    • Past incident response actions
    • Incident response staff experience and qualifications
    • Results from management testing of incident response procedures
    • Incident response roles and responsibilities
  3. Which of the following observations would an IS auditor consider the GREATEST risk when conducting an audit of a virtual server farm for potential software vulnerabilities?

    • The hypervisor is updated quarterly.
    • Guest operating systems are updated monthly.
    • Antivirus software has been implemented on the guest operating system only.
    • A variety of guest operating systems operate on one virtual server.
  4. An internal audit department recently established a quality assurance (QA) program. Which of the following activities is MOST important to include as part of the QA program requirements?

    • Ongoing monitoring of the audit activities
    • Analysis of user satisfaction reports from business lines
    • Feedback from internal audit staff
    • Long-term internal audit resource planning
  5. Which of the following is the BEST control to detect errors in an accounts payable system?

    • Alignment of the process to business objectives
    • Quality control review of new payments
    • Management approval of payments
    • Input validation
  6. When auditing a quality assurance plan, an IS auditor should be MOST concerned if the:

    • quality assurance function is separate from the programming function.
    • SDLC is coupled with the quality assurance plan.
    • quality assurance function is periodically reviewed by internal audit.
    • scope of quality assurance activities is undefined.
  7. The PRIMARY reason for an IS auditor to use data analytics techniques is to reduce which type of audit risk?

    • Technology risk
    • Inherent risk
    • Detection risk
    • Control risk
  8. An IS audit manager has been asked to perform a quality review on an audit that the same manager also supervised. Which of the following is the manager’s BEST response to this situation?

    • Notify the audit committee of the situation.
    • Escalate the situation to senior audit leadership.
    • Determine whether audit evidence supports audit conclusions.
    • Discuss with the audit team to understand how conclusions were reached.
  9. While reviewing similar issues in an organization’s help desk system, an IS auditor finds that they were analyzed independently and resolved differently. This situation MOST likely indicates a deficiency in:

    • IT service level management.
    • change management.
    • configuration management.
    • problem management.
  10. An auditor is creating an audit program where the objective is to establish the adequacy of personal data privacy controls in a payroll process. Which of the following is MOST important to include?

    • Approval of data changes
    • Audit logging of administrative user activity
    • Segregation of duties controls
    • User access provisioning
  11. An IS auditor auditing the effectiveness of utilizing a hot site will MOST likely:

    • review reciprocal agreements.
    • review logical access controls.
    • evaluate physical access controls.
    • analyze system restoration procedures.
  12. An IS auditor has assessed a payroll service provider’s security policy and finds significant topics are missing. Which of the following is the auditor’s BEST course of action?

    • Recommend the service provider update their policy.
    • Notify the service provider of the discrepancies.
    • Report the risk to internal management.
    • Recommend replacement of the service provider.
  13. While reviewing a hot site, the IS auditor discovers that one type of hardware platform is not installed. The IS auditor should FIRST:

    • recommend the purchase and installation of hardware at the hot site.
    • report the finding immediately to senior IS management.
    • determine the business impact of the absence of the hardware.
    • establish the lead time for delivery of a new machine.
  14. An IS auditor is reviewing the upgrading of an operating system. Which of the following would be the GREATEST audit concern?

    • The lack of release notes
    • The lack of change control
    • The lack of malware protection
    • The lack of activity logging
  15. An IS auditor has been asked to assess the security of a recently migrated database system that contains personal and financial data for a bank’s customers. Which of the following controls is MOST important for the auditor to confirm is in place?

    • The default configurations have been changed.
    • All tables in the database are normalized.
    • The service port used by the database server has been changed.
    • The default administration account is used after changing the account password.
  16. Which of the following is the MOST important determining factor when establishing appropriate timeframes for follow-up activities related to audit findings?

    • Peak activity periods for the business
    • Remediation dates included in management responses
    • Availability of IS audit resources
    • Complexity of business processes identified in the audit
  17. An IS auditor has obtained a large data set containing multiple fields and non-numeric data for analysis. Which of the following activities will MOST improve the quality of conclusions derived from the use of a data analytics tool for this audit?

    • Data anonymization
    • Data classification
    • Data stratification
    • Data preparation
  18. Which of the following is the MOST important requirement for an IS auditor to evaluate when reviewing a transmission of personally identifiable information (PII) between two organizations?

    • Completeness
    • Timeliness
    • Necessity
    • Accuracy
  19. An IS auditor reviewed the business case for a proposed investment to virtualize an organization’s server infrastructure. Which of the following is MOST likely to be included among the benefits in the project proposal?

    • Fewer operating system licenses
    • Better efficiency of logical resources
    • Reduced hardware footprint
    • Less memory and storage space
  20. Which of the following is the BEST way to facilitate proper follow-up for audit findings?

    • Schedule a follow-up audit for two weeks after the initial audit was completed.
    • Conduct a surprise audit to determine whether remediation is in progress.
    • Conduct a follow-up audit when findings escalate to incidents.
    • Schedule a follow-up audit based on remediation due dates.