Last Updated on December 13, 2021 by Admin 3

 CISA : Certified Information Systems Auditor : Part 124

  1. An intentional or unintentional disclosure of a password is likely to be evident within control logs. True or false?

    • True
    • False

    Explanation: 
    An intentional or unintentional disclosure of a password is not likely to be evident within control logs: the log records a successful authentication for that user ID, which looks the same whether the password was entered by its owner or by someone to whom it was disclosed.

  2. When are benchmarking partners identified within the benchmarking process?

    • In the design stage
    • In the testing stage
    • In the research stage
    • In the development stage
    Explanation: 
    Benchmarking partners are identified in the research stage of the benchmarking process.
  3. A check digit is an effective edit check to:

    • Detect data-transcription errors
    • Detect data-transposition and transcription errors
    • Detect data-transposition, transcription, and substitution errors
    • Detect data-transposition errors
    Explanation:
    A check digit is an effective edit check to detect data-transposition and transcription errors.
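
    As an added worked example, not part of the original question set, the Luhn mod-10 check digit used on most card and account numbers: the code computes a check digit, then enumerates every single mis-keyed digit (transcription error) and every swap of two adjacent digits (transposition error) for a sample number and reports which ones slip past the check. The sample numbers are constructed for illustration.

```python
"""Luhn (mod-10) check digit: what a check digit does and does not catch.

Added example for the check-digit question above; the sample numbers below
are constructed for illustration, not taken from any real account.
"""


def luhn_check_digit(payload: str) -> str:
    """Return the mod-10 check digit for a string of decimal digits.

    Working from the rightmost payload digit, every other digit is doubled
    (and reduced by 9 if the result exceeds 9); the check digit is whatever
    brings the sum to a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the correct check digit for the rest."""
    if len(number) < 2 or not number.isdigit():
        return False
    return number[-1] == luhn_check_digit(number[:-1])


def transcription_errors(number: str):
    """Every string that differs from `number` in exactly one digit."""
    for pos, ch in enumerate(number):
        for d in "0123456789":
            if d != ch:
                yield number[:pos] + d + number[pos + 1:]


def transposition_errors(number: str):
    """Every string obtained by swapping one pair of adjacent, unequal digits."""
    for pos in range(len(number) - 1):
        a, b = number[pos], number[pos + 1]
        if a != b:
            yield number[:pos] + b + a + number[pos + 2:]


def undetected(errors) -> list:
    """The erroneous strings that still pass the Luhn check (i.e. are missed)."""
    return [e for e in errors if luhn_valid(e)]


if __name__ == "__main__":
    number = "7992739871" + luhn_check_digit("7992739871")   # constructed sample
    print(number)                                            # 79927398713
    print("missed transcription errors:", undetected(transcription_errors(number)))
    print("missed transposition errors:", undetected(transposition_errors(number)))
    # The one adjacent swap Luhn cannot see is 09 <-> 90, because 0 and 9 contribute
    # the same amount whether doubled or not (0 -> 0, 9 -> 18 -> 9).
    weak = "1209" + luhn_check_digit("1209")                 # constructed sample
    print(weak, "misses:", undetected(transposition_errors(weak)))
```

    Run it and the first two lists come back empty: every single-digit transcription error and every adjacent transposition in the sample is caught, which is the property the question is testing. The last line shows the one gap in mod-10: swapping an adjacent 0 and 9 goes unnoticed. A weighted mod-11 scheme such as the ISBN-10 check closes that gap at the cost of an "X" check character; an IS auditor testing an edit check should know which scheme the system uses and what it cannot detect.
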
  4. Parity bits are a control used to validate:

    • Data authentication
    • Data completeness
    • Data source
    • Data accuracy
    Explanation:
    Parity bits are a control used to validate data completeness.
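
    As an added example, not part of the original question set, an even-parity bit applied to 7-bit data, with a survey of which transmission errors it catches: a parity bit validates that a unit of data arrived intact (any odd number of flipped bits is detected) but says nothing about who sent it or whether the value is correct, and it misses any even number of flipped bits. The byte values are constructed for illustration.

```python
"""Even-parity bit: what it validates and where it fails.

Added example for the parity-bit question above; the byte values are
constructed for illustration.
"""


def parity_bit(data: int, bits: int = 7) -> int:
    """Even parity: 1 if `data` has an odd number of set bits, else 0,
    so that data plus parity always has an even number of ones."""
    return bin(data & ((1 << bits) - 1)).count("1") & 1


def encode(data: int, bits: int = 7) -> int:
    """Append the parity bit as the most significant bit of a (bits + 1)-bit word."""
    return (parity_bit(data, bits) << bits) | (data & ((1 << bits) - 1))


def check(word: int, bits: int = 7) -> bool:
    """True if the received word still has even parity (no detectable corruption)."""
    return bin(word & ((1 << (bits + 1)) - 1)).count("1") % 2 == 0


def flip(word: int, *positions: int) -> int:
    """Simulate transmission errors by flipping the given bit positions."""
    for p in positions:
        word ^= 1 << p
    return word


def survey(data: int, bits: int = 7) -> dict:
    """For one data value, count how many 1-bit and 2-bit corruptions parity catches."""
    word = encode(data, bits)
    width = bits + 1
    single = [flip(word, i) for i in range(width)]
    double = [flip(word, i, j) for i in range(width) for j in range(i + 1, width)]
    return {
        "single_caught": sum(not check(w, bits) for w in single),
        "single_total": len(single),
        "double_caught": sum(not check(w, bits) for w in double),
        "double_total": len(double),
    }


if __name__ == "__main__":
    word = encode(0x43)                 # constructed sample: 7-bit value 0x43
    print(hex(word), check(word))
    print("one bit flipped, detected:", not check(flip(word, 0)))
    print("two bits flipped, detected:", not check(flip(word, 0, 5)))
    print(survey(0x41))
```

    The survey for any 7-bit value reports every one of the 8 single-bit errors caught and none of the 28 two-bit errors caught, which is why parity is a completeness check on transmission or storage rather than an accuracy, source or authentication control.
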
  5. The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n):

    • Implementor
    • Facilitator
    • Developer
    • Sponsor
    Explanation:
    The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a facilitator.
  6. Which of the following, if not performed, would prevent accountability for an action, thus allowing repudiation?

    • Proper authentication
    • Proper identification AND authentication
    • Proper identification
    • Proper identification, authentication, AND authorization
    Explanation:
    If proper identification and authentication are not performed during access control, no accountability can exist for any action performed, and the user can repudiate it.
  7. Which of the following is the MOST critical step in planning an audit?

    • Implementing a prescribed auditing framework such as COBIT
    • Identifying current controls
    • Identifying high-risk audit targets
    • Testing controls
    Explanation:
    In planning an audit, the most critical step is identifying the areas of high risk.
  8. To properly evaluate the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of which of the following?

    • The business objectives of the organization
    • The effect of segregation of duties on internal controls
    • The point at which controls are exercised as data flows through the system
    • Organizational control policies
    Explanation:
    When evaluating the collective effect of preventive, detective, or corrective controls within a process, an IS auditor should be aware of the point at which controls are exercised as data flows through the system.
  9. What is the recommended initial step for an IS auditor to implement continuous-monitoring systems?

    • Document existing internal controls
    • Perform compliance testing on internal controls
    • Establish a controls-monitoring steering committee
    • Identify high-risk areas within the organization
    Explanation:
    When implementing continuous-monitoring systems, an IS auditor’s first step is to identify high-risk areas within the organization. 
  10. What type of risk is associated with authorized program exits (trap doors)?

    • Business risk
    • Audit risk
    • Detective risk
    • Inherent risk
    Explanation:
    Inherent risk is associated with authorized program exits (trap doors).
  11. Which of the following is best suited for searching for address field duplications?

    • Text search forensic utility software
    • Generalized audit software
    • Productivity audit software
    • Manual review
    Explanation:
    Generalized audit software can be used to search for address field duplications.
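
    As an added example, not part of the original question set and not the code of any particular audit product, the logic behind a generalized-audit-software duplicates test on an address field: each address is reduced to a comparison key (case, punctuation, spacing and common abbreviations removed) and records sharing a key are reported. The vendor records are constructed, and the normalisation rules are assumptions chosen for illustration, not an audit standard.

```python
"""Searching a file for duplicate address fields, the way a generalized-audit-
software (GAS) duplicates test does.

Added example for the question above; the records are constructed, and the
normalisation rules (casing, punctuation, abbreviations) are assumptions
chosen for illustration, not an audit standard.
"""
import re
from collections import defaultdict

# Constructed sample vendor-master extract: (vendor id, name, address).
RECORDS = [
    ("V001", "Acme Supplies Ltd", "12 High Street, Leeds, LS1 4AB"),
    ("V002", "Northwind Traders", "4 Market Sq., York, YO1 8AA"),
    ("V003", "A.C.M.E. Supplies", "12 HIGH ST, LEEDS, LS1 4AB"),
    ("V004", "Beta Consulting", "99 Park Road, Bristol, BS1 5TR"),
    ("V005", "Acme Supplies (new)", "12 High St., Leeds  LS14AB"),
    ("V006", "Northwind Traders", "4 Market Square, York, YO1 8AA"),
]

# Assumed abbreviation table; extend to the conventions of the data under audit.
ABBREVIATIONS = {"st": "street", "rd": "road", "sq": "square", "ave": "avenue"}


def normalise_address(addr: str) -> str:
    """Reduce an address to a comparison key: lower case, punctuation dropped,
    common abbreviations expanded, and all whitespace removed so that spacing
    differences (including inside postcodes) do not hide a match."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    tokens = [ABBREVIATIONS.get(t, t) for t in tokens]
    return "".join(tokens)


def find_duplicate_addresses(records):
    """Group records by normalised address; return the groups with more than one record."""
    groups = defaultdict(list)
    for rec_id, _name, addr in records:
        groups[normalise_address(addr)].append(rec_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


if __name__ == "__main__":
    for key, ids in find_duplicate_addresses(RECORDS).items():
        print(f"{len(ids)} vendors share address '{key}': {', '.join(ids)}")
```

    None of the matching records are literal duplicates, which is why a text-search utility does not find them and why manual review does not scale; the GAS approach is to normalise, then group. The output is an exception list for follow-up rather than a finding on its own: the more aggressive the normalisation, the more distinct addresses it will merge, so the auditor should sample the groups before concluding.
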
  12. Which of the following is of greatest concern to the IS auditor?

    • Failure to report a successful attack on the network
    • Failure to prevent a successful attack on the network
    • Failure to recover from a successful attack on the network
    • Failure to detect a successful attack on the network
    Explanation:
    Failure to report a successful attack on the network is of greatest concern to an IS auditor, because an unreported incident cannot be escalated, contained, or learned from.
  13. An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data. True or false?

    • True
    • False
    Explanation:
    An integrated test facility is considered a useful audit tool because it compares processing output with independently calculated data.
  14. An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions. True or false?

    • True
    • False
    Explanation:
    It is true that an advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions.
  15. If an IS auditor finds evidence of risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function, what is the auditor’s primary responsibility?

    • To advise senior management.
    • To reassign job functions to eliminate potential fraud.
    • To implement compensating controls.
    • Segregation of duties is an administrative control not considered by an IS auditor.
    Explanation:
    An IS auditor’s primary responsibility is to advise senior management of the risk involved in not implementing proper segregation of duties, such as having the security administrator perform an operations function.
  16. Who is responsible for implementing cost-effective controls in an automated system?

    • Security policy administrators
    • Business unit management
    • Senior management
    • Board of directors
    Explanation:
    Business unit management is responsible for implementing cost-effective controls in an automated system.
  17. Why does an IS auditor review an organization chart?

    • To optimize the responsibilities and authority of individuals
    • To control the responsibilities and authority of individuals
    • To better understand the responsibilities and authority of individuals
    • To identify project sponsors
    Explanation:
    The primary reason an IS auditor reviews an organization chart is to better understand the responsibilities and authority of individuals.
  18. Ensuring that security and control policies support business and IT objectives is a primary objective of:

    • An IT security policies audit
    • A processing audit
    • A software audit
    • A vulnerability assessment
    Explanation:
    Ensuring that security and control policies support business and IT objectives is a primary objective of an IT security policies audit.
  19. When auditing third-party service providers, an IS auditor should be concerned with which of the following?

    • Ownership of the programs and files
    • A statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster
    • A statement of due care
    • Ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster
    Explanation:
    When auditing third-party service providers, an auditor should be concerned with ownership of programs and files, a statement of due care and confidentiality, and the capability for continued service of the service provider in the event of a disaster.
  20. When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. The auditor should especially focus on procedures in an audit of IS strategy. True or false?

    • True
    • False
    Explanation:
    When performing an IS strategy audit, an IS auditor should review both short-term (one-year) and long-term (three- to five-year) IS strategies, interview appropriate corporate management personnel, and ensure that the external environment has been considered. An audit of IS strategy focuses on the strategy itself rather than on procedures, so the statement is false.