Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 104

  1. When reviewing the process by which a contract for the outsourcing of various IT functions was completed, an IS auditor would ensure that the successful contractor:

    • has eliminated the risks of outsourcing.
    • maintains an internal audit function.
    • requires a confidentiality agreement to be signed by all employees.
    • was selected according to established business criteria.
  2. Which of the following would be the PRIMARY benefit of replacing physical keys with an electronic entry system for a data center?

    • Creates an audit trail
    • Enables data mining
    • Ensures compliance
    • Reduces cost
  3. Which of the following is the BEST way to determine if IT is delivering value to the business?

    • Distribute surveys to various end users of IT services.
    • Interview key IT managers and service providers.
    • Review IT service level agreement (SLA) metrics.
    • Analyze downtime frequency and duration.

    Explanation:
    A service level agreement (SLA) is a written document that officially describes, in non-technical terms, the details of the services provided by the IT department (internal or external) to its customers. The aim of an SLA is to maintain and improve customer satisfaction to an agreed level.

  4. Following an IS audit recommendation, all Telnet and File Transfer Protocol (FTP) connections have been replaced by Secure Socket Shell (SSH) and Secure File Transfer Protocol (SFTP). Which risk treatment approach has the organization adopted?

    • Acceptance
    • Mitigation
    • Avoidance
    • Transfer
  5. Which of the following would be the BEST way to address segregation of duties issues in an organization with budget constraints?

    • Perform an independent audit.
    • Rotate job duties periodically.
    • Implement compensating controls.
    • Hire temporary staff.
  6. In a large organization, IT deadlines on important projects have been missed because IT resources are not prioritized properly. Which of the following is the BEST recommendation to address this problem?

    • Implement project portfolio management.
    • Implement an integrated resource management system.
    • Implement a comprehensive project scorecard.
    • Revisit the IT strategic plan.
  7. Which of the following would be MOST useful when analyzing computer performance?

    • Report of off-peak utilization and response time
    • Tuning of system software to optimize resource usage
    • Operations report of user dissatisfaction with response time
    • Statistical metrics measuring capacity utilization
  8. When migrating critical systems to a cloud provider, the GREATEST data security concern for an organization would be that data from different clients may be:

    • subject to different service level agreements (SLAs) for disaster recovery.
    • subject to varying government compliance regulations.
    • improperly separated from each other.
    • requested during a legal discovery process.
  9. As part of a post-implementation review, the BEST way to assess the realization of outcomes is by:

    • obtaining feedback from the user community.
    • performing a comprehensive risk analysis.
    • evaluating the actual performance of the system.
    • comparing the business case benefits to the achieved benefits.
  10. A recent audit identified duplicate software licenses and technologies. Which of the following would be MOST helpful to prevent this type of duplication in the future?

    • Centralizing IT procurement and approval practices
    • Updating IT procurement policies and procedures
    • Conducting periodic inventory reviews
    • Establishing a project management office
  11. An IS auditor finds multiple situations where the help desk resolved security incidents without notifying IT security as required by policy. Which of the following is the BEST audit recommendation?

    • Display the incident response hotline in common areas.
    • Have IT security review problem management policy.
    • Reinforce the incident escalation process.
    • Redesign the help desk reporting process.
  12. After threats to a data center are identified, an IS auditor would expect management to FIRST:

    • recommend required actions to executive management.
    • discuss risk management practices with neighboring firms.
    • implement procedures to address all identified threats.
    • establish and quantify the potential effects if each threat occurs.
  13. During a review of information security procedures for disabling user accounts, an IS auditor discovers that IT is only disabling network access for terminated employees. IT management maintains if terminated users cannot access the network, they will not be able to access any applications. Which of the following is the GREATEST risk associated with application access?

    • Unauthorized access to data
    • Inability to access data
    • Lack of segregation of duties
    • Loss of non-repudiation
  14. Adopting a service-oriented architecture would MOST likely:

    • inhibit integration with legacy systems.
    • compromise application software security.
    • facilitate connectivity between partners.
    • streamline all internal processes.
  15. Which of the following is the BEST data integrity check?

    • Counting the transactions processed per day
    • Performing a sequence check
    • Tracing data back to the point of origin
    • Preparing and running test data
  16. An IS auditor seeks assurance that a new process for purging transactions does not have a detrimental impact on the integrity of a database. This could be achieved BEST by analyzing the:

    • database structure.
    • design of triggers.
    • results of the process in a test environment.
    • entity relationship diagram of the database.
  17. Organization A has a Software as a Service Agreement (SaaS) with Organization B. The software is vital to Organization A. Which of the following would provide the GREATEST assurance that the application can be recovered in the event of a disaster?

    • Organization B is responsible for disaster recovery and held accountable for interruption of service.
    • Organization A has a source code escrow agreement and hardware procurement provisions for disaster recovery purposes.
    • Organization B has a disaster recovery plan included in its contract and allows oversight by Organization A.
    • Organization A buys disaster insurance to recuperate losses in the event of a disaster.
  18. Which of the following should be of MOST concern to an IS auditor during the review of a quality management system?

    • The quality management system includes training records for IT personnel.
    • There are no records to document actions for minor business processes.
    • Important quality checklists are maintained outside the quality management system.
    • Indicators are not fully represented in the quality management system.
  19. An organization has begun using social media to communicate with current and potential clients. Which of the following should be of PRIMARY concern to the auditor?

    • Using a third-party provider to host and manage content
    • Lack of guidance on appropriate social media usage and monitoring
    • Negative posts by customers affecting the organization’s image
    • Reduced productivity of staff using social media
  20. An IS auditor should ensure that an application’s audit trail:

    • has adequate security.
    • does not impact operational efficiency.
    • is accessible online.
    • logs all database records.