Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 117

  1. In a public key infrastructure (PKI), the authority responsible for the identification and authentication of an applicant for a digital certificate (i.e., certificate subjects) is the:

    • registration authority (RA).
    • issuing certification authority (CA).
    • subject CA.
    • policy management authority.

    Explanation: 
An RA is an entity that is responsible for identification and authentication of certificate subjects, but the RA does not sign or issue certificates. The certificate subject usually interacts with the RA to complete the process of subscribing to the services of the certification authority, which involves having its identity validated with standard identification documents, as detailed in the certificate policies of the CA. In the context of a particular certificate, the issuing CA is the CA that issued the certificate. In the context of a particular CA certificate, the subject CA is the CA whose public key is certified in the certificate.

  2. Which of the following is a data validation edit and control?

    • Hash totals
    • Reasonableness checks
    • Online access controls
    • Before and after image reporting
    Explanation: 
    A reasonableness check is a data validation edit and control, used to ensure that data conforms to predetermined criteria.
  3. A control that detects transmission errors by appending calculated bits onto the end of each segment of data is known as a:

    • reasonableness check.
    • parity check.
    • redundancy check.
    • check digits.
    Explanation: 
    A redundancy check detects transmission errors by appending calculated bits onto the end of each segment of data.
  4. What is the primary objective of a control self-assessment (CSA) program?

    • Enhancement of the audit responsibility
    • Elimination of the audit responsibility
    • Replacement of the audit responsibility
    • Integrity of the audit responsibility
    Explanation: 
    Audit responsibility enhancement is an objective of a control self-assessment (CSA) program.
  5. IS auditors are MOST likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. True or false?

    • True
    • False
    Explanation: 
    IS auditors are most likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within the acceptable limits. Think of it this way: If any reliance is placed on internal controls, that reliance must be validated through compliance testing. High control risk results in little reliance on internal controls, which results in additional substantive testing.
  6. As compared to understanding an organization’s IT process from evidence directly collected, how valuable are prior audit reports as evidence?

    • The same value.
    • Greater value.
    • Lesser value.
    • Prior audit reports are not relevant.
    Explanation: 
    Prior audit reports are considered of lesser value to an IS auditor attempting to gain an understanding of an organization’s IT process than evidence directly collected.
  7. The PRIMARY purpose of audit trails is to:

    • improve response time for users.
    • establish accountability and responsibility for processed transactions.
    • improve the operational efficiency of the system.
    • provide useful information to auditors who may wish to track transactions.
    Explanation: 
    Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by tracing transactions through the system. The objective of enabling software to provide audit trails is not to improve system efficiency, since it often involves additional processing which may in fact reduce response time for users. Enabling audit trails involves storage and thus occupies disk space. 
  8. How does the process of systems auditing benefit from using a risk-based approach to audit planning?

    • Controls testing starts earlier.
    • Auditing resources are allocated to the areas of highest concern.
    • Auditing risk is reduced.
    • Controls testing is more thorough.
    Explanation: 
    Allocation of auditing resources to the areas of highest concern is a benefit of a risk-based approach to audit planning.
  9. After an IS auditor has identified threats and potential impacts, the auditor should:

    • Identify and evaluate the existing controls
    • Conduct a business impact analysis (BIA)
    • Report on existing controls
    • Propose new controls
    Explanation: 
    After an IS auditor has identified threats and potential impacts, the auditor should then identify and evaluate the existing controls.
  10. The use of statistical sampling procedures helps minimize:

    • Detection risk
    • Business risk
    • Controls risk
    • Compliance risk
    Explanation: 
    The use of statistical sampling procedures helps minimize detection risk.
  11. What type of risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist?

    • Business risk
    • Detection risk
    • Residual risk
    • Inherent risk
    Explanation: 
    Detection risk results when an IS auditor uses an inadequate test procedure and concludes that material errors do not exist when errors actually exist.
  12. A PRIMARY benefit derived by an organization employing control self-assessment (CSA) techniques is that CSA:

    • can identify high-risk areas for detailed review.
    • allows IS auditors to independently assess risk.
    • can be used as a replacement for traditional audits.
    • allows management to relinquish responsibility for control.
    Explanation: 
    CSA is predicated on the review of high-risk areas that either need immediate attention or a more thorough review at a later date. Choice B is incorrect, because CSA requires the involvement of auditors and line management. What occurs is that the internal audit function shifts some of the control monitoring responsibilities to the functional areas. Choice C is incorrect because CSA is not a replacement for traditional audits. CSA is not intended to replace audit’s responsibilities, but to enhance them. Choice D is incorrect, because CSA does not allow management to relinquish its responsibility for control.
  13. What type of approach to the development of organizational policies is often driven by risk assessment?

    • Bottom-up
    • Top-down
    • Comprehensive
    • Integrated
    Explanation: 
    A bottom-up approach to the development of organizational policies is often driven by risk assessment.
  14. Who is accountable for maintaining appropriate security measures over information assets?

    • Data and systems owners
    • Data and systems users
    • Data and systems custodians
    • Data and systems auditors
    Explanation: 
    Data and systems owners are accountable for maintaining appropriate security measures over information assets.
  15. Proper segregation of duties prohibits a system analyst from performing quality-assurance functions. True or false?

    • True
    • False
    Explanation: 
    Proper segregation of duties prohibits a system analyst from performing quality-assurance functions.
  16. What should an IS auditor do if he or she observes that project-approval procedures do not exist?

    • Advise senior management to invest in project-management training for the staff
    • Create project-approval procedures for future project implementations
    • Assign project leaders
    • Recommend to management that formal approval procedures be adopted and documented
    Explanation: 
    If an IS auditor observes that project-approval procedures do not exist, the IS auditor should recommend to management that formal approval procedures be adopted and documented.
  17. Who is ultimately accountable for the development of an IS security policy?

    • The board of directors
    • Middle management
    • Security administrators
    • Network administrators
    Explanation: 
    The board of directors is ultimately accountable for the development of an IS security policy.
  18. Proper segregation of duties normally does not prohibit a LAN administrator from also having programming responsibilities. True or false?

    • True
    • False
    Explanation: 
    Proper segregation of duties normally prohibits a LAN administrator from also having programming responsibilities.
  19. A core tenet of an IS strategy is that it must:

    • Be inexpensive
    • Be protected as sensitive confidential information
    • Protect information confidentiality, integrity, and availability
    • Support the business objectives of the organization
    Explanation: 
    Above all else, an IS strategy must support the business objectives of the organization.
  20. Batch control reconciliation is a _____________________ (fill the blank) control for mitigating risk of inadequate segregation of duties.

    • Detective
    • Corrective
    • Preventative
    • Compensatory
    Explanation: 
    Batch control reconciliation is a compensatory control for mitigating the risk of inadequate segregation of duties.