Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 101

  1. The business case for an IS project has changed during the course of the project due to new requirements being added. What should be done NEXT?

    • The project should go through the formal reapproval process.
    • The changes to the business case should be documented in the project plan.
    • Additional resources should be allocated to the project due to the new requirements.
    • Project stakeholders should be notified of the changes.
  2. An organization has implemented a control to help ensure databases containing personal information will not be updated with online transactions that are incomplete due to connectivity issues. Which of the following information attributes is PRIMARILY addressed by this control?

    • Integrity
    • Confidentiality
    • Availability
    • Compliance
  3. When planning an audit, it is acceptable for an IS auditor to rely on a third-party provider’s external audit report on service level management when the:

    • report was released within the last 12 months.
    • scope and methodology meet audit requirements.
    • service provider is independently certified and accredited.
    • report confirms that service levels were not violated.
  4. When auditing a software development project, a review of which of the following will BEST verify that project work is adequately subdivided?

    • Work breakdown structure
    • Statement of work
    • Scope statement
    • Functional and technical design documents
  5. A company uses a standard form to document and approve all changes in production programs. To ensure that the forms are properly authorized, which of the following is the MOST effective sampling method?

    • Attribute
    • Variable
    • Discovery
    • Monetary
  6. An organization’s business continuity plan should be:

    • updated based on changes to personnel and environments.
    • updated only after independent audit review by a third party.
    • tested whenever new applications are implemented.
    • tested after successful intrusions into the organization’s hot site.
  7. During the review of a business process reengineering project, the PRIMARY concern of an IS auditor is to determine whether the new business model:

    • is aligned with industry best practices.
    • is aligned with organizational goals.
    • leverages benchmarking results.
    • meets its key performance measures.
  8. The PRIMARY purpose of reviewing the IT strategic plan is to identify risks that may:

    • limit the ability to deliver customer requirements.
    • limit the organization’s ability to achieve its objectives.
    • impact operational efficiency of the IT department.
    • impact financial resourcing to implement the plan.
  9. An IS auditor finds that intellectual property is not being protected to the level specified in the organization’s data classification and protection policy. The business owner is aware of this issue and chooses to accept the risk. Which of the following is the auditor’s BEST course of action?

    • Note the finding and request formal acceptance.
    • Include the finding in the follow-up audit.
    • Amend the data classification policy.
    • Form a committee and further investigate the issue.
  10. Due to a recent business divestiture, an organization has limited IT resources to deliver critical projects. Reviewing the IT staffing plan against which of the following would BEST guide IT management when estimating resource requirements for future projects?

    • Peer organization staffing benchmarks
    • Budgeted forecast for the next financial year
    • Human resources (HR) sourcing strategy
    • Records of actual time spent on projects
  11. During audit follow-up, an IS auditor finds that a control has been implemented differently than recommended. The auditor should:

    • verify whether the control objectives are adequately addressed.
    • compare the control to the action plan.
    • report as a repeat finding.
    • inform management about incorrect implementation.
  12. A source code repository should be designed to:

    • provide automatic incorporation and distribution of modified code.
    • prevent changes from being incorporated into existing code.
    • provide secure versioning and backup capabilities for existing code.
    • prevent developers from accessing secure source code.
  13. Which of the following could be determined by an entity-relationship diagram?

    • Links between data objects
    • How the system behaves as a consequence of external events
    • How data are transformed as they move through the system
    • Modes of behavior of data objects
  14. Which of the following is a method to prevent disclosure of classified documents printed on a shared printer?

    • Requiring a key code to be entered on the printer to produce hardcopy
    • Producing a header page with classification level for printed documents
    • Encrypting the data stream between the user’s computer and the printer
    • Using passwords to allow authorized users to send documents to the printer
  15. To restore service at a large processing facility after a disaster, which of the following tasks should be performed FIRST?

    • Launch the emergency action team.
    • Inform insurance company agents.
    • Contact equipment vendors.
    • Activate the reciprocal agreement.
  16. A database is denormalized in order to:

    • prevent loss of data.
    • increase processing efficiency.
    • ensure data integrity.
    • save storage space.
  17. Electrical surge protectors BEST protect from the impact of:

    • electromagnetic interference.
    • power outages.
    • sags and spikes.
    • reduced voltage.
  18. When removing a financial application system from production, which of the following is MOST important?

    • Media used by the retired system has been sanitized.
    • Data retained for regulatory purposes can be retrieved.
    • End-user requests for changes are recorded and tracked.
    • Software license agreements are retained.
  19. When planning an audit to assess application controls of a cloud-based system, it is MOST important for the IS auditor to understand the:

    • policies and procedures of the business area being audited.
    • business process supported by the system.
    • availability reports associated with the cloud-based system.
    • architecture and cloud environment of the system.
  20. During a security audit, which of the following is MOST important to review to ensure data confidentiality is managed?

    • Access controls
    • Data flows
    • Access log monitoring
    • Network configuration