Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 09

  1. When evaluating whether the expected benefits of a project have been achieved, it is MOST important for an IS auditor to review:

    • post-implementation issues.
    • quality assurance results.
    • the project schedule.
    • the business case.
  2. To BEST evaluate the effectiveness of a disaster recovery plan (DRP), the IS auditor should review the:

    • test plan and results of past tests.
    • plans and procedures in the business continuity plan (BCP).
    • capacity of backup facilities.
    • hardware and software inventory.
  3. During an audit of a mission-critical system hosted in an outsourced data center, an IS auditor discovers that contracted routine maintenance for the alternate power generator was not performed. Which of the following should be the auditor’s MAIN concern?

    • Fraudulent behavior by the outsourcer charging for work not performed
    • Failure of the alternate power generator during a power outage
    • High repair costs if faulty generator parts are not detected in a timely manner
    • Loss of warranty due to lack of system maintenance
  4. An internal audit department recently established a quality assurance (QA) program as part of its overall audit program. Which of the following activities should be included as part of the QA program requirements?

    • Reporting program results to the board
    • Reviewing audit standards periodically
    • Analyzing user satisfaction reports from business lines
    • Conducting long-term planning for internal audit staffing
  5. A previously agreed-upon recommendation was not implemented because the auditee no longer agrees with the original finding. What should be the IS auditor’s FIRST course of action?

    • exclude the finding in the follow-up audit report.
    • escalate the disagreement to the audit committee.
    • assess the reason for the disagreement.
    • require implementation of the original recommendation.
  6. An IS auditor has observed gaps in the data available to the organization for detecting incidents. Which of the following would be the BEST recommendation to improve the organization’s security incident response capability?

    • Document procedures for incident escalation.
    • Document procedures for incident classification.
    • Correlate security logs collected from multiple sources.
    • Centralize alerts and security log information.
  7. When reviewing the effectiveness of data center operations, the IS auditor would FIRST establish that system performance:

    • is monitored and reported against agreed service levels.
    • reflects the expected usage levels established at implementation.
    • meets the expected targets specified by the manufacturer.
    • is within generally accepted reliability levels for that system.
  8. An organization has purchased a replacement mainframe computer to cope with the demands of increased business. Which of the following should be the PRIMARY concern of an IS auditor?

    • The disaster recovery plan has been reviewed and updated.
    • Application access controls are adequate.
    • Appropriate tender evaluation processes have been followed.
    • The procurement is within the planned budget for the year.
  9. An IS auditor discovers instances where software with the same license key is deployed to multiple workstations, in breach of the licensing agreement. Which of the following is the auditor’s BEST recommendation?

    • Evaluate the business case for funding of additional licenses.
    • Require business owner approval before granting software access.
    • Remove embedded keys from offending packages.
    • Implement software licensing monitoring to manage duplications.
  10. The GREATEST benefit of risk-based auditing is that it:

    • demonstrates compliance with regulatory requirements.
    • enables alignment of resources to significant risk areas.
    • allows an organization to identify and eliminate low-risk areas.
    • identifies problem areas within an organization.
  11. Which of the following are BEST suited for continuous auditing?

    • Manual transactions
    • Irregular transactions
    • Low-value transactions
    • Real-time transactions
  12. An organization’s data retention policy states that all data will be backed up, retained for 10 years, and then destroyed. When conducting an audit of the long-term offsite backup program, an IS auditor should:

    • verify that business owners review data before it is destroyed.
    • verify that there is a process to ensure readability and restore capability.
    • confirm that business interruption insurance coverage is in place.
    • review data classification schemes for appropriate security levels.
  13. Which of the following is the MOST important for an IS auditor to do during an exit meeting with an auditee?

    • Ensure that the facts presented in the report are correct.
    • Specify implementation dates for the recommendations.
    • Request input in determining corrective action.
    • Communicate the recommendations to senior management.
  14. Which of the following should be of GREATEST concern to an IS auditor conducting an audit of incident response procedures?

    • End users have not completed security awareness training.
    • Senior management is not involved in the incident response process.
    • There is no procedure in place to learn from previous security incidents.
    • Critical incident response events are not recorded in a centralized repository.
  15. An IS auditor finds that confidential company data has been inadvertently leaked through social engineering. The MOST effective way to help prevent a recurrence of this issue is to implement:

    • penalties to staff for security policy breaches.
    • a third-party intrusion prevention solution.
    • a security awareness program.
    • data loss prevention (DLP) software.
  16. An organization is developing data classification standards and has asked internal audit for advice on aligning the standards with best practices. Internal audit would MOST likely recommend the standards should be:

    • based on the results of an organization-wide risk assessment.
    • based on the business requirements for confidentiality of the information.
    • aligned with the organization’s segregation of duties requirements.
    • based on the business requirements for authentication of the information.
  17. Which of the following would an IS auditor consider to be the MOST significant risk associated with a project to reengineer a business process?

    • The negative impact of change may not be documented.
    • The project manager is inexperienced in information systems.
    • Existing controls may be weakened or removed.
    • Existing baseline processes may not be reported to management.
  18. A web application is developed in-house by an organization. Which of the following would provide the BEST evidence to an IS auditor that the application is secure from external attack?

    • Code review by a third party
    • Web application firewall implementation
    • Penetration test results
    • Database application monitoring logs
  19. Internal audit reports should be PRIMARILY written for and communicated to:

    • audit management, as they are responsible for the quality of the audit.
    • external auditors, as they provide an opinion on the financial statements.
    • auditees, as they will eventually have to implement the recommendations.
    • senior management, as they should be informed about the identified risks.
  20. Which of the following is MOST important for an IS auditor to verify when reviewing a critical business application that requires high availability?

    • Algorithms are reviewed to resolve process inefficiencies.
    • Users participate in offsite business continuity testing.
    • There is no single point of failure.
    • Service level agreements (SLAs) are monitored.