Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 100

  1. A small startup organization does not have the resources to implement segregation of duties. Which of the following is the MOST effective compensating control?

    • Rotation of log monitoring and analysis responsibilities
    • Additional management reviews and reconciliations
    • Third-party assessments
    • Mandatory vacations
  2. Which of the following BEST facilitates compliance with requirements mandating the security of confidential data?

    • Classification of data
    • Security awareness training
    • Encryption of external data transmissions
    • Standardized escalation protocols for breaches
  3. An IS auditor is performing an audit of a large organization’s operating system maintenance procedures. Which of the following findings presents the GREATEST risk?

    • Some internal servers cannot be patched due to software incompatibility.
    • The configuration management database is not up-to-date.
    • Vulnerability testing is not performed on the development servers.
    • Critical patches are applied immediately while others follow quarterly release cycles.
  4. Which of the following should occur EARLIEST in a business continuity management lifecycle?

    • Defining business continuity procedures
    • Identifying critical business processes
    • Developing a training and awareness program
    • Carrying out a threat and risk assessment
  5. While performing a risk-based audit, which of the following would BEST enable an IS auditor to identify and categorize risk?

    • Understanding the control framework
    • Developing a comprehensive risk model
    • Understanding the business environment
    • Adopting qualitative risk analysis
  6. Which of the following is a MAJOR benefit of using a wireless network?

    • Faster network speed
    • Stronger authentication
    • Protection against eavesdropping
    • Lower installation cost
  7. Which of the following is appropriate when an IS auditor is conducting an exit meeting with senior management?

    • Eliminate significant findings where audit and management agree on risk acceptance.
    • Agree with senior management on the risk grading of the audit report.
    • Document written responses from management along with an implementation plan.
    • Escalate disputed recommendations to the audit committee.
  8. When conducting a follow-up of previous audit findings, an IS auditor is told by management that a recommendation to make security changes to an application has not been implemented. The IS auditor should FIRST determine whether:

    • additional time to implement changes is needed.
    • the associated risk is still relevant.
    • the recommendation should be re-issued.
    • the issue should be escalated.
  9. A new system development project is running late against a critical implementation deadline. Which of the following is the MOST important activity?

    • Document last-minute enhancements.
    • Perform user acceptance testing.
    • Perform a pre-implementation audit.
    • Ensure that code has been reviewed.
  10. Which of the following actions should an organization’s security policy require an employee to take upon finding a security breach?

    • Report the incident to the manager immediately.
    • Inform IS audit management immediately.
    • Confirm the breach can be exploited.
    • Devise appropriate countermeasures.
  11. The performance of an order-processing system can be measured MOST reliably by monitoring:

    • input/request queue length.
    • turnaround time of completed transactions.
    • application and database servers’ CPU load.
    • heartbeats between server systems.
  12. In planning a major system development project, function point analysis would assist in:

    • estimating the elapsed time of the project.
    • estimating the size of a system development task.
    • analyzing the functions undertaken by system users as an aid to job redesign.
    • determining the business functions undertaken by a system or program.
  13. During an audit, the IS auditor finds that in many cases excessive rights were not removed from a system. Which of the following would be the auditor’s BEST recommendation?

    • IT security should regularly revoke excessive system rights.
    • System administrators should ensure consistency of assigned rights.
    • Line management should regularly review and request modification of access rights.
    • Human resources should delete access rights of terminated employees.
  14. During an enterprise resource planning (ERP) post-implementation review, it was noted that operating costs have been significantly higher than anticipated. Which of the following should the organization have done to detect this issue?

    • Updated the project charter as major changes occurred
    • Conducted periodic user satisfaction surveys
    • Performed an analysis of system usage
    • Monitored financial key performance indicators (KPIs)
  15. Which of the following access rights in the production environment should be granted to a developer to maintain segregation of duties?

    • Database administration
    • Emergency support
    • IT operations
    • System administration
  16. An IS auditor considering use of another auditor’s workpapers should:

    • rarely rely on the work of another auditor.
    • determine that the workpapers were completed within the past month.
    • determine that the auditee agrees with key issues in these workpapers.
    • consider the appropriateness and sufficiency of the workpapers.
  17. Which of the following is the MOST important issue for an IS auditor to consider with regard to Voice-over IP (VoIP) communications?

    • Continuity of service
    • Homogeneity of the network
    • Nonrepudiation
    • Identity management
  18. An organization with many desktop PCs is considering moving to a thin client architecture. Which of the following is the MAJOR advantage?

    • Administrative security can be provided for the client.
    • System administration can be better managed.
    • The security of the desktop PC is enhanced.
    • Desktop application software will never have to be upgraded.
  19. Which of the following would BEST assist senior management in evaluating IT performance as well as the alignment between corporate and IT strategic objectives?

    • Enterprise architecture (EA)
    • IT project value analysis
    • Balanced scorecard
    • Control self-assessment (CSA)
  20. Which of the following should be the GREATEST concern to an IS auditor reviewing the information security framework of an organization?

    • The information security policy has not been updated in the last two years.
    • A list of critical information assets was not included in the information security policy.
    • Senior management was not involved in the development of the information security policy.
    • The information security policy is not aligned with regulatory requirements.