Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 12

  1. An IS auditor reviewing the use of encryption finds that the symmetric key is sent by an email message between the parties. Which of the following audit responses is correct in this situation?

    • An audit finding is recorded, as the key should be asymmetric and therefore changed.
    • No audit finding is recorded, as it is normal to distribute a key of this nature in this manner.
    • No audit finding is recorded, as the key can only be used once.
    • An audit finding is recorded, as the key should be distributed in a secure manner.
  2. Which of the following is the GREATEST risk resulting from conducting periodic reviews of IT over several years based on the same audit program?

    • The number of errors will increase because the routine work promotes inattentiveness.
    • Detection risk is increased because auditees already know the audit program.
    • Audit risk is increased because the programs might not be adapted to the organization’s current situation.
    • Staff turnover in the audit department will increase because fieldwork becomes less interesting.
  3. What is the FIRST step an auditor should take when beginning a follow-up audit?

    • Review workpapers from the previous audit.
    • Gather evidence of remediation to conduct tests of controls.
    • Review previous findings and action plans.
    • Meet with the auditee to discuss remediation progress.
  4. Following an IS audit, which of the following types of risk would be MOST critical to communicate to key stakeholders?

    • Control
    • Residual
    • Audit
    • Inherent
  5. During an audit of information security procedures of a large retailer’s online store, an IS auditor notes that operating system (OS) patches are automatically deployed upon release. Which of the following should be of GREATEST concern to the auditor?

    • Patches are in conflict with current licensing agreements.
    • Patches are pushed from the vendor, increasing Internet traffic.
    • Patches are not reflected in the configuration management database.
    • Patches are not tested before installation on critical servers.
  6. Which of the following is the BEST way to address ongoing concerns with the quality and accuracy of internal audits?

    • Engage an independent review of the audit function.
    • Require peer reviews of audit workpapers.
    • Implement performance management for IS auditors.
    • Require IS audit management to lead exit meetings.
  7. An IS auditor finds that periodic reviews of read-only users for a reporting system are not being performed. Which of the following should be the IS auditor’s NEXT course of action?

    • Obtain a verbal confirmation from IT for this exemption.
    • Review the list of end-users and evaluate for authorization.
    • Verify management’s approval for this exemption.
    • Report this control process weakness to senior management.
  8. Which of the following activities would allow an IS auditor to maintain independence while facilitating a control self-assessment (CSA)?

    • Developing the CSA questionnaire
    • Developing the remediation plan
    • Implementing the remediation plan
    • Partially completing the CSA
  9. What should an IS auditor do when informed that some recommendations cannot be implemented due to financial constraints?

    • Document management’s response in the working papers.
    • Insist the recommendations be implemented.
    • Agree to waive the recommendations.
    • Suggest management identify cost-effective alternatives.
  10. Which of the following audit procedures would be MOST conclusive in evaluating the effectiveness of an e-commerce application system’s edit routine?

    • Interviews with knowledgeable users
    • Use of test transactions
    • Review of source code
    • Review of program documentation
  11. Which of the following would be an auditor’s GREATEST concern when reviewing data inputs from spreadsheets into the core finance system?

    • Undocumented code formats data and transmits directly to the database.
    • There is not a complete inventory of spreadsheets, and file naming is inconsistent.
    • Spreadsheets are accessible by all members of the finance department.
    • The department data protection policy has not been reviewed or updated for two years.
  12. Which of the following should be an IS auditor’s FIRST action when assessing the risk associated with unstructured data?

    • Implement strong encryption for unstructured data.
    • Implement user access controls to unstructured data.
    • Identify repositories of unstructured data.
    • Identify appropriate tools for data classification.
  13. Management has agreed to perform multiple remediation actions in response to an audit issue, including the implementation of a new control. Which of the following is the BEST time for an IS auditor to perform an audit follow-up of this issue?

    • After management has completed the required actions
    • When audit resources are available
    • When management resources are available
    • After the new control has been in place for one year
  14. An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

    • Verify the disaster recovery plan (DRP) has been tested.
    • Ensure the intrusion prevention system (IPS) is effective.
    • Confirm the incident response team understands the issue.
    • Assess the security risks to the business.
  15. An IS auditor concludes that a local area network’s (LAN’s) access security is satisfactory. In reviewing the work, the audit manager should:

    • re-perform some steps of the audit to verify the quality of the work.
    • verify that the elements of an agreed-upon audit plan have been addressed.
    • verify user management’s agreement with the findings.
    • assess whether the auditor had the appropriate skills to perform the work.
  16. As part of an IS audit, the auditor notes the practices listed below. Which of the following would be a segregation of duties concern?

    • Operators are degaussing magnetic tapes during night shifts.
    • System programmers have logged access to operating system parameters.
    • System programmers are performing the duties of operators.
    • Operators are acting as tape librarians on alternate shifts.
  17. During an audit, the client learns that the IS auditor has recently completed a similar security review at a competitor. The client inquires about the competitor’s audit results. What is the BEST way for the auditor to address this inquiry?

    • Explain that it would be inappropriate to discuss the results of another audit client.
    • Escalate the question to the audit manager for further action.
    • Discuss the results of the audit omitting specifics related to names and products.
    • Obtain permission from the competitor to use the audit results as examples for future clients.
  18. Which of the following is MOST important for an IS auditor to verify when reviewing an organization’s information security practices following the adoption of a bring your own device (BYOD) program?

    • Only applications approved by information security may be installed on devices.
    • The expected benefits of adopting the BYOD program have been realized.
    • Security policies have been updated to include BYOD.
    • Remote wipe is enabled for devices allowed by BYOD.
  19. An IS auditor is asked to review a large organization’s change management process. Which of the following practices presents the GREATEST risk?

    • Emergency code changes are promoted without user acceptance testing.
    • A system administrator performs code migration on planned downtime.
    • Change management tickets do not contain specific documentation.
    • Transaction data changes can be made by a senior developer.
  20. Which of the following BEST demonstrates to an IS auditor that an organization has implemented effective risk management processes?

    • Critical business assets have additional controls.
    • The risk register is reviewed periodically.
    • A business impact analysis (BIA) has been completed.
    • The inventory of IT assets includes asset classification.