Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 103

  1. Which of the following should an IS auditor expect to find in an organization’s information security policies?

    • Authentication requirements
    • Asset provisioning lifecycle
    • Security configuration settings
    • Secure coding procedures
  2. Which of the following requirements in a document control standard would provide nonrepudiation to digitally signed legal documents?

    • All digital signatures must include a hashing algorithm.
    • All digitally signed documents must be stored in an encrypted database.
    • All documents requiring digital signatures must be signed by both the customer and a witness.
    • Only secure file transfer protocol (SFTP) may be used for digitally signed documentation.
  3. Which of the following would MOST likely impact the integrity of a database backup?

    • Record fields contain null information
    • Open database files during backup
    • Relational database model used
    • Backing up the database to an optical disk
  4. When conducting a post-implementation review, which of the following is the BEST way to determine whether the value from an IT project has been achieved?

    • Calculate the return on investment (ROI).
    • Interview stakeholders.
    • Conduct an earned value analysis (EVA).
    • Survey end users.
  5. Reviewing project plans and status reports throughout the development life cycle will:

    • eliminate the need to perform a risk assessment.
    • postpone documenting the project’s progress until the final phase.
    • guarantee that the project will meet its intended deliverables.
    • facilitate the optimal use of resources over the life of the project.
  6. Which of the following is the PRIMARY reason an IS auditor should discuss observations with management before delivering a final report?

    • Identify business risks associated with the observations.
    • Assist the management with control enhancements.
    • Record the proposed course of corrective action.
    • Validate the audit observations.
  7. Which of the following is the MOST effective control to minimize the risk of cross-site scripting (XSS)?

    • Periodic vulnerability assessments
    • Secure coding practices
    • Network intrusion prevention system
    • Web firewall policy
  8. During a follow-up audit, an IS auditor finds that the auditee has updated virus scanner definitions without adopting the original audit recommendation to increase the frequency of using the scanner. The MOST appropriate action for the auditor is to:

    • prepare a follow-up audit report reiterating the recommendation.
    • escalate the issue to senior management.
    • modify the audit opinion based on the new information available.
    • conclude that the residual risk is beyond tolerable levels of risk.
  9. When developing a business continuity plan (BCP), business unit management’s involvement is MOST important during the:

    • performance of a business impact analysis (BIA).
    • development of business recovery procedures.
    • implementation of a document repository.
    • performance of an IT risk assessment.
  10. The final acceptance testing of a new application system should be the responsibility of the:

    • IS audit team.
    • user group.
    • IS management.
    • quality assurance team.
  11. Which of the following is MOST important when an organization contracts for the long-term use of a custom-developed application?

    • Documented coding standards
    • Error correction management
    • Contract renewal provisions
    • Escrow clause
  12. Which should be reviewed FIRST by an IS auditor to ensure that data is being secured appropriately for an application?

    • Data classification
    • Data encryption
    • Data access
    • Data storage

    Explanation:
    Data classification is necessary to provide proper access rights to users. If data is not classified according to its sensitivity and importance to the business, proper access rules cannot be applied to it. Data owners are responsible for defining access rules. The data classification process starts with establishing ownership of the data. This process also helps in preparing the data dictionary.

  13. Which of the following would a digital signature MOST likely prevent?

    • Corruption
    • Unauthorized change
    • Repudiation
    • Disclosure

    Explanation:
    The main reason for using a digital signature is to ensure message integrity. It also helps to ensure the authenticity and non-repudiation of the message. A digital signature can never ensure the confidentiality of data.

  14. A computer program used by multiple departments has data quality issues. There is no agreement as to who should be responsible for corrective action. Which of the following is an IS auditor’s BEST course of action?

    • Recommend the IT department be assigned data cleansing responsibility.
    • Modify the program to automatically cleanse the data and close the issue.
    • Assign responsibility to the primary department using the program.
    • Note the disagreement and recommend establishing data governance.
  15. An IS auditor has just completed a physical access review of the organization’s primary data center. Which of the following weaknesses should be of MOST concern?

    • Metal keys are used for access.
    • Backups of video cameras are corrupt.
    • There is no mantrap at the main door.
    • There is no manual logging for visitors.
  16. An IS auditor’s PRIMARY concern about a business partner agreement for the exchange of electronic information should be to determine whether there is:

    • a clause that addresses the audit of shared systems.
    • evidence of review and approval by each partner’s legal department.
    • an information classification framework.
    • appropriate control and responsibility defined for each partner.

    Explanation:
    The overall purpose of using a formal information classification scheme is to ensure proper handling based on the information's content and context. Context refers to how the information is used.
    Two major risks are present in the absence of an information classification scheme. The first is that information will be mishandled. The second is that, without an information classification scheme, all of the organization's data may be subject to scrutiny during legal proceedings. The information classification scheme safeguards knowledge. Failure to implement a records and data classification scheme leads to disaster.

  17. The BEST reason for implementing a virtual private network (VPN) is that it:

    • eases the implementation of data encryption.
    • allows for public use of private networks.
    • enables use of existing hardware platforms.
    • allows for private use of public networks.

    Explanation:
    Virtual private networks (VPNs) connect remote users over an insecure public network such as the Internet. The connection is virtual because it is temporary and has no physical presence. VPN technology is cost-effective and highly flexible. A VPN creates an encrypted tunnel to pass data securely in one of the following configurations:
    – Between two machines (host-to-host)
    – From a machine to a network (host-to-gateway)
    – From one network to another network (gateway-to-gateway)

  18. In an annual audit cycle, the audit of an organization’s IT department resulted in many findings. Which of the following would be the MOST important consideration when planning the next audit?

    • Limiting the review to the deficient areas
    • Verifying that all recommendations have been implemented
    • Postponing the review until all of the findings have been rectified
    • Following up on the status of all recommendations
  19. An IS auditor is conducting a follow-up internal IS audit and determines that several recommendations from the prior year have not been implemented. Which of the following should be the auditor’s FIRST course of action?

    • Evaluate the recommendations in context of the current IT environment.
    • Continue the audit and disregard prior audit recommendations.
    • Request management implement recommendations from the prior year.
    • Add unimplemented recommendations as findings for the new audit.
  20. Which of the following controls BEST ensures appropriate segregation of duties within an accounts payable department?

    • Ensuring that audit trails exist for transactions
    • Restricting access to update programs to accounts payable staff only
    • Restricting program functionality according to user security profiles
    • Including the creator’s user ID as a field in every transaction record created