Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 10

  1. Which procedure provides the GREATEST assurance that corrective action to an audit report has been taken?

    • Performing subsequent audit tests to verify resolution of the deficiencies
    • Inquiring about the current status of the recommendation
    • Reporting to the audit committee or the board of directors concerning specific action taken or lack thereof
    • Requesting a written management reply to the audit report, identifying corrective action for each deficiency
  2. Which of the following should be done FIRST to effectively define the IT audit universe for an entity with multiple business lines?

    • Identify aggregate residual IT risk for each business line.
    • Obtain a complete listing of the entity’s IT processes.
    • Obtain a complete listing of assets fundamental to the entity’s businesses.
    • Identify key control objectives for each business line’s core processes.
  3. An IS auditor determines that a business continuity plan has not been reviewed and approved by management. Which of the following is the MOST significant risk associated with this situation?

    • Continuity planning may be subject to resource constraints.
    • The plan may not be aligned with industry best practice.
    • Critical business processes may not be addressed adequately.
    • The plan has not been reviewed by risk management.
  4. After an external IS audit, which of the following should be IT management’s MAIN consideration when determining the prioritization of follow-up activities?

    • The amount of time since the initial audit was completed
    • The materiality of the reported findings
    • The availability of the external auditors
    • The scheduling of major changes in the control environment
  5. Which of the following is MOST important when planning a network audit?

    • Determination of IP range in use
    • Isolation of rogue access points
    • Identification of existing nodes
    • Analysis of traffic content
  6. Which of the following is the MOST effective way to identify anomalous transactions when performing a payroll fraud audit?

    • Substantive testing of payroll files
    • Data analytics on payroll data
    • Observation of payment processing
    • Sample-based review of pay stubs
  7. During an audit, which of the following would be MOST helpful in establishing a baseline for measuring data quality?

    • Built-in data error prevention application controls
    • Industry standard business definitions
    • Input from customers
    • Validation of rules by the business
  8. An IS auditor is asked to explain how local area network (LAN) servers can contribute to the rapid dissemination of viruses. The IS auditor’s BEST response is that:

    • the server’s software is the prime target and is the first to be infected.
    • the server’s operating system exchanges data with each station starting at every log-on.
    • the server’s file sharing function facilitates the distribution of files and applications.
    • users of a given server have similar usage of applications and files.
  9. An organization allows employees to use personally owned mobile devices to access customers’ personal information. An IS auditor’s GREATEST concern should be whether:

    • mobile devices are compatible with company infrastructure.
    • devices have the capability to segregate business and personal data.
    • mobile device security policies have been implemented.
    • devices have adequate storage and backup capabilities.
  10. During a review of an application system, an IS auditor identifies automated controls designed to prevent the entry of duplicate transactions. What is the BEST way to verify that the controls work as designed?

    • Implement periodic reconciliations.
    • Review quality assurance (QA) test results.
    • Use generalized audit software for seeking data corresponding to duplicate transactions.
    • Enter duplicate transactions in a copy of the live system.
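Questions 6 and 10 both turn on the same audit technique: running data analytics (what generalized audit software such as ACL or IDEA does) over the full population rather than observing the process or sampling. The following script is an added example, not part of the original question set, and operates on a constructed payroll register embedded inline; the column names, the robust-z outlier threshold of 3.5 and the assumption of one row per payment are all assumptions of the example. It runs the tests an auditor would typically script: exact duplicate payments, one bank account paid under several employee IDs (a ghost-employee or diversion indicator), payments to terminated staff, and amounts that are statistical outliers.

```python
"""Audit data-analytics tests over a payroll register (added example, constructed data)."""
import csv
import io
import statistics
from collections import Counter, defaultdict

# Constructed sample register; one row per payment run entry (assumption of this example).
PAYROLL_CSV = """emp_id,name,bank_acct,pay_date,amount,status
E001,Alice Ng,ACCT-1001,2021-11-30,4200.00,active
E002,Bob Ortiz,ACCT-1002,2021-11-30,3900.00,active
E003,Cara Li,ACCT-1003,2021-11-30,4100.00,active
E003,Cara Li,ACCT-1003,2021-11-30,4100.00,active
E004,Dan Roy,ACCT-1002,2021-11-30,4000.00,active
E005,Eve Park,ACCT-1005,2021-11-30,25000.00,active
E006,Fay Cho,ACCT-1006,2021-11-30,3950.00,terminated
E007,Gus Bell,ACCT-1007,2021-11-30,4050.00,active
"""


def load_rows(text):
    """Parse the register; amounts become floats so they can be compared numerically."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["amount"] = float(row["amount"])
    return rows


def find_exact_duplicates(rows):
    """Same employee, same pay date, same amount appearing more than once (Q10 test)."""
    counts = Counter((r["emp_id"], r["pay_date"], r["amount"]) for r in rows)
    return sorted(key for key, n in counts.items() if n > 1)


def find_shared_bank_accounts(rows):
    """One bank account receiving pay for several employee IDs."""
    accounts = defaultdict(set)
    for r in rows:
        accounts[r["bank_acct"]].add(r["emp_id"])
    return {acct: ids for acct, ids in accounts.items() if len(ids) > 1}


def find_terminated_paid(rows):
    """Payments in the run whose employee record is marked terminated."""
    return sorted({r["emp_id"] for r in rows if r["status"] == "terminated"})


def find_amount_outliers(rows, threshold=3.5):
    """Flag amounts far from the median using a median-absolute-deviation z-score.

    The 0.6745 scaling makes the score comparable to a normal z-score; 3.5 is the
    usual Iglewicz-Hoaglin cut-off (assumed here). A MAD of zero means every
    amount is identical, so nothing can be an outlier.
    """
    amounts = [r["amount"] for r in rows]
    median = statistics.median(amounts)
    mad = statistics.median(abs(a - median) for a in amounts)
    if mad == 0:
        return []
    flagged = {r["emp_id"] for r in rows
               if 0.6745 * abs(r["amount"] - median) / mad > threshold}
    return sorted(flagged)


def run_checks(text=PAYROLL_CSV):
    """Run every test over the whole population and return the findings by test name."""
    rows = load_rows(text)
    return {
        "exact_duplicates": find_exact_duplicates(rows),
        "shared_bank_accounts": find_shared_bank_accounts(rows),
        "terminated_paid": find_terminated_paid(rows),
        "amount_outliers": find_amount_outliers(rows),
    }


if __name__ == "__main__":
    for test_name, finding in run_checks().items():
        print(f"{test_name}: {finding}")
```

Each test covers 100% of the register, which is why data analytics is preferred over sample-based review for fraud indicators: a single ghost employee or duplicate run entry is unlikely to fall into a sample. For verifying a duplicate-prevention control (Q10), the absence of hits from `find_exact_duplicates` on live data is evidence the control works, without entering test transactions into any system.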
  11. A bank is selecting a server for its retail accounts application. To ensure that the server can handle a high volume of transactions with the required response times, which test should the IS auditor recommend?

    • Regression
    • Acceptance
    • Benchmark
    • Integration
  12. During business process reengineering (BPR) of a bank’s teller activities, an IS auditor should evaluate:

    • the impact of changed business processes.
    • the cost of new controls.
    • BPR project plans.
    • continuous improvement and monitoring plans.
  13. During an audit of an organization’s incident management process, an IS auditor learns that the security operations team includes detailed reports of recent attacks in its communications to employees. Which of the following is the GREATEST concern with this situation?

    • Employees may fail to understand the severity of the threats.
    • The reports may be too complex for a nontechnical audience.
    • Employees may misuse the information in the reports.
    • There is not a documented procedure to communicate the reports.
  14. A large insurance company is about to replace a major financial application. Which of the following is the IS auditor’s PRIMARY focus when conducting the pre-implementation review?

    • Procedure updates
    • Migration of data
    • System manuals
    • Unit testing
  15. An audit team has a completed schedule approved by the audit committee. After starting some of the scheduled audits, executive management asked the team to immediately audit an additional process. There are not enough resources available to add the additional audit to the schedule. Which of the following is the BEST course of action?

    • Revise the scope of scheduled audits.
    • Propose a revised audit schedule.
    • Approve overtime work to ensure the audit is completed.
    • Consider scheduling the audit for the next period.
  16. An internal audit has found that critical patches were not implemented within the timeline established by policy without a valid reason. Which of the following is the BEST course of action to address the audit findings?

    • Monitor and notify IT staff of critical patches.
    • Evaluate patch management training.
    • Perform regular audits on the implementation of critical patches.
    • Assess the patch management process.
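The finding in question 16 is established by a straightforward audit test: compare each critical patch's release-to-installation interval against the timeline the policy sets, then check whether any breach is covered by a documented, approved exception. The script below is an added example, not part of the original question set; the policy limits, the patch inventory and the exception register are all constructed for the example, and the assumed "as of" date stands in for the audit fieldwork date when a patch is still not installed.

```python
"""Patch-timeline compliance test (added example with constructed data)."""
from datetime import date

# Assumed policy: maximum days from vendor release to installation, by severity.
POLICY_DAYS = {"critical": 14, "high": 30, "medium": 90}

# Constructed inventory: (patch_id, severity, released, installed or None if still missing).
PATCHES = [
    ("KB-A1", "critical", "2021-10-01", "2021-10-10"),
    ("KB-A2", "critical", "2021-10-01", "2021-11-05"),
    ("KB-A3", "critical", "2021-10-15", None),
    ("KB-B1", "high", "2021-10-01", "2021-10-20"),
    ("KB-B2", "medium", "2021-09-01", "2021-11-20"),
]

# Constructed exception register: patch_id -> approved deferral reason.
EXCEPTIONS = {
    "KB-A3": "Breaks order application; compensating WAF rule in place (assumed change ticket CAB-2021-118)",
}


def days_to_install(released, installed, as_of):
    """Days from release to installation; an uninstalled patch is measured to the audit date."""
    start = date.fromisoformat(released)
    end = date.fromisoformat(installed) if installed else as_of
    return (end - start).days


def evaluate(patches, exceptions, as_of):
    """Return one finding per patch that exceeded its policy timeline."""
    findings = []
    for patch_id, severity, released, installed in patches:
        limit = POLICY_DAYS[severity]
        elapsed = days_to_install(released, installed, as_of)
        if elapsed <= limit:
            continue  # within policy, no finding
        findings.append({
            "patch": patch_id,
            "severity": severity,
            "days": elapsed,
            "limit": limit,
            "installed": installed is not None,
            # A breach with an approved exception is a documented deferral, not a control failure.
            "status": "exception documented" if patch_id in exceptions else "unexplained breach",
        })
    return findings


def unexplained_breaches(findings, severity="critical"):
    """The IDs that become the audit finding: late or missing, with no valid reason."""
    return sorted(f["patch"] for f in findings
                  if f["severity"] == severity and f["status"] == "unexplained breach")


if __name__ == "__main__":
    results = evaluate(PATCHES, EXCEPTIONS, as_of=date(2021, 12, 1))
    for finding in results:
        print(finding)
    print("Critical patches breached without valid reason:", unexplained_breaches(results))
```

With the constructed data, KB-A2 (35 days against a 14-day limit, no exception) is the reportable finding; KB-A3 is late but covered by a documented exception, so it is a deferral to review for adequacy of the compensating control rather than a policy breach. Running this test on a schedule is what "regular audits on the implementation of critical patches" amounts to in practice, and the pattern of breaches it surfaces is the input to assessing the patch management process itself.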
  17. A recent audit has identified that security controls required by the organization’s policies have not been implemented for a particular application. What should the information security manager do NEXT to address this issue?

    • Deny access to the application until the issue is resolved.
    • Discuss the issue with data custodians to determine the reason for the exception.
    • Report the issue to senior management and request funding to fix the issue.
    • Discuss the issue with data owners to determine the reason for the exception.
  18. During a vulnerability assessment, an IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer orders via credit card. The IS auditor should FIRST:

    • notify management.
    • redesign the customer order process.
    • document the finding in the report.
    • suspend credit card processing.
  19. Which of the following is the PRIMARY objective of the IS audit function?

    • Perform reviews based on standards developed by professional organizations.
    • Report to management on the functioning of internal controls.
    • Certify the accuracy of financial data.
    • Facilitate extraction of computer-based data for substantive testing.
  20. Which of the following should be an IS auditor’s FIRST activity when planning an audit?

    • Gain an understanding of the area to be audited.
    • Document specific questions in the audit program.
    • Create a list of key controls to be reviewed.
    • Identify proper resources for audit activities.