Last Updated on December 22, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 105

  1. As part of an audit response, an auditee has concerns with the recommendations and is hesitant to implement them. Which of the following would be the BEST course of action for the IS auditor?

    • Accept the auditee’s response and perform additional testing.
    • Conduct further discussions with the auditee to develop a mitigation plan.
    • Suggest hiring a third-party consultant to perform a current state assessment.
    • Issue a final report without including the opinion of the auditee.
  2. Which of the following is the FIRST step in initiating a data classification program?

    • Risk appetite assessment
    • Inventory of data assets
    • Assignment of data ownership
    • Assignment of sensitivity levels

    Explanation:
    The data classification process starts with establishing ownership of the data. This process also helps to prepare a data dictionary.

  3. Which of the following should be used to assess the level of security required to protect information on a corporate network?

    • Data classification
    • Business intelligence
    • Access rights
    • Access control matrix
  4. Which of the following is the MOST important difference between end-user computing (EUC) applications and traditional applications?

    • Traditional application documentation is typically less comprehensive than EUC application documentation.
    • Traditional applications require roll-back procedures whereas EUC applications do not.
    • Traditional applications require periodic patching whereas EUC applications do not.
    • Traditional application input controls are typically more robust than EUC application input controls.
  5. Which of the following is the MOST significant risk when an application uses individual end user accounts to access the underlying database?

    • User accounts may remain active after a termination.
    • Multiple connections to the database are used and slow the process.
    • Application may not capture a complete audit trail.
    • Users may be able to circumvent application controls.
  6. An IS auditor is assessing the results of an organization’s post-implementation review of a newly developed information system. Which of the following should be the auditor’s MAIN focus?

    • The procurement contract has been closed.
    • Lessons learned have been identified.
    • The disaster recovery plan has been updated.
    • Benefits realization analysis has been completed.
  7. Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

    • Perform network reviews.
    • Implement network access control.
    • Implement outbound firewall rules.
    • Review access control lists.
  8. Which of the following should be an IS auditor’s PRIMARY focus when developing a risk-based IS audit program?

    • Business plans
    • Business processes
    • IT strategic plans
    • Portfolio management
  9. During a follow-up audit, an IS auditor discovers that a recommendation has not been implemented. However, the auditee has implemented a manual workaround that addresses the identified risk, though far less efficiently than the recommended action would. Which of the following would be the auditor’s BEST course of action?

    • Notify management that the risk has been addressed and take no further action.
    • Escalate the remaining issue for further discussion and resolution.
    • Note that the risk has been addressed and notify management of the inefficiency.
    • Insist to management that the original recommendation be implemented.
  10. An organization is replacing its financial processing system. To help ensure that transactions in the new system are processed accurately, which of the following is MOST appropriate?

    • Compare year-to-date balances between the systems.
    • Reconcile results of parallel processing.
    • Document and test internal controls over the conversion.
    • Review data file conversion procedures.
  11. Which of the following methods would be MOST effective in verifying that all changes have been authorized?

    • Reconciling problem tickets with authorized change control entries
    • Reconciling reports of changes in production libraries to authorized change log entries
    • Validating authorized change log entries with the individual(s) who promoted the changes into production
    • Reconciling reports of changes in development libraries to supporting documentation
  12. During the evaluation of a firm’s newly established whistleblower system, an auditor notes several findings. Which of the following should be the auditor’s GREATEST concern?

    • New employees have not been informed of the whistleblower policy.
    • The whistleblower’s privacy is not protected.
    • The whistleblower system does not track the time and date of submission.
    • The whistleblower system is only available during business hours.
  13. An organization has established three IT processing environments: development, test, and production. The MAJOR reason for separating the development and test environments is to:

    • obtain segregation of duties between IT staff and end users.
    • limit the users’ access rights to the test environment.
    • perform testing in a stable environment.
    • protect the programs under development from unauthorized testing.
  14. An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

    • Partitioning the work environment from personal space on devices
    • Preventing users from adding applications
    • Restricting the use of devices for personal purposes during working hours
    • Installing security software on the devices
  15. Which of the following is a reason for implementing a decentralized IT governance model?

    • Standardized controls and economies of scale
    • IT synergy among business units
    • Greater consistency among business units
    • Greater responsiveness to business needs
  16. The use of symmetric key encryption controls to protect sensitive data transmitted over a communications network requires that:

    • primary keys for encrypting the data be stored in encrypted form.
    • encryption keys be changed only when a compromise is detected at both ends.
    • encryption keys at one end be changed on a regular basis.
    • public keys be stored in encrypted form.
  17. A purpose of project closure is to determine the:

    • potential risks affecting the quality of deliverables.
    • lessons learned for use in future projects.
    • project feasibility requirements.
    • professional expertise of the project manager.
  18. When providing a vendor with data containing personally identifiable information (PII) for offsite testing, the data should be:

    • current.
    • encrypted.
    • sanitized.
    • backed up.
  19. Which of the following should be the PRIMARY basis for prioritizing follow-up audits?

    • Complexity of management’s action plans
    • Recommendation from executive management
    • Audit cycle defined in the audit plan
    • Residual risk from the findings of previous audits
  20. An IS auditor is reviewing the results of a business process improvement project. Which of the following should be performed FIRST?

    • Evaluate control gaps between the old and the new processes.
    • Develop compensating controls.
    • Document the impact of control weaknesses in the process.
    • Ensure that lessons learned during the change process are documented.