Last Updated on December 15, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 14

  1. When reviewing a newly implemented quality management system (QMS), which of the following should be the IS auditor’s PRIMARY concern?

    • The QMS benefit measures were not included in the business case.
    • The QMS testing methodology is not clearly documented.
    • The QMS post-implementation review (PIR) has not been finalized.
    • The QMS is not mapped to some core business processes.
  2. What would be an IS auditor’s GREATEST concern when using a test environment for an application audit?

    • Test and production environments lack data encryption.
    • Developers have access to the test environment.
    • Retention period of test data has been exceeded.
    • Test and production environments do not mirror each other.
  3. After the release of an application system, an IS auditor wants to verify that the system is providing value to the organization. The auditor’s BEST course of action would be to:

    • review the results of compliance testing.
    • quantify improvements in client satisfaction.
    • confirm that risk has declined since the application system release.
    • perform a gap analysis against the benefits defined in the business case.
  4. What is an IS auditor’s BEST recommendation for management if a network vulnerability assessment confirms that critical patches have not been applied since the last assessment?

    • Implement a process to test and apply appropriate patches.
    • Apply available patches and continue periodic monitoring.
    • Configure servers to automatically apply available patches.
    • Remove unpatched devices from the network.
  5. During a review of a production schedule, an IS auditor observes that a staff member is not complying with mandatory operational procedures. The auditor’s NEXT step should be to:

    • determine why the procedures were not followed.
    • include the noncompliance in the audit report.
    • note the noncompliance in the audit working papers.
    • issue an audit memorandum identifying the noncompliance.
  6. Which of the following should an IS auditor be MOST concerned with when a system uses radio frequency identification (RFID)?

    • Scalability
    • Maintainability
    • Nonrepudiation
    • Privacy
  7. An IS auditor conducts a review of a third-party vendor’s reporting of key performance indicators (KPIs). Which of the following findings should be of MOST concern to the auditor?

    • Some KPIs are not documented.
    • KPIs have never been updated.
    • KPI data is not being analyzed.
    • KPIs are not clearly defined.
  8. An IS auditor notes that super-user activity in an application was not recorded in system logs. What is the auditor’s BEST course of action?

    • Recommend a least-privilege access model.
    • Investigate the reason for the lack of logging.
    • Report the issue to the audit manager.
    • Recommend activation of super-user activity logging.
  9. An IS auditor discovers a recurring software control process issue that severely impacts the efficiency of a critical business process. Which of the following is the BEST recommendation?

    • Replace the malfunctioning system.
    • Determine the compensating controls.
    • Identify other impacted processes.
    • Determine the root cause of the issue.
  10. An employee transfers from an organization’s risk management department to become the lead IS auditor. While in the risk management department, the employee helped develop the key performance indicators (KPIs) now used by the organization. Which of the following would pose the GREATEST threat to the independence of this auditor?

    • Evaluating the effectiveness of IT risk management processes
    • Recommending controls to address the IT risks identified by KPIs
    • Developing KPIs to measure the internal audit team
    • Training the IT audit team on IT risk management processes
  11. Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor’s BEST course of action would be to determine if:

    • the domain controller was classified for high availability.
    • the network traffic was being monitored.
    • the patches were updated.
    • the logs were monitored.
  12. Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization’s backup processes?

    • A written backup policy is not available.
    • Backup failures are not resolved in a timely manner.
    • The restoration process is slow due to connectivity issues.
    • The service levels are not achieved.
  13. Performance monitoring tools report that servers are consistently above the recommended utilization capacity. Which of the following is the BEST recommendation of the IS auditor?

    • Develop a capacity plan based on usage projections.
    • Deploy load balancers.
    • Monitor activity logs.
    • Add servers until utilization is at target capacity.
  14. Which of the following would be MOST critical for an IS auditor to look for when evaluating fire precautions in a manned data center located on an upper floor of a multi-story building?

    • Existence of handheld fire extinguishers in highly visible locations
    • Documentation of regular inspections by the local fire department
    • Adequacy of the HVAC system throughout the facility
    • Documentation of tested emergency evacuation plans
  15. Which of the following findings should be an IS auditor’s GREATEST concern when reviewing an organization’s purchase of new IT infrastructure hardware?

    • The new infrastructure arrived with default system settings.
    • The new infrastructure has residual risk within the organization’s risk tolerance.
    • The new infrastructure’s hardening requirements are stronger than required by policy.
    • The new infrastructure has compatibility issues with existing systems.
  16. The MOST effective method for an IS auditor to determine which controls are functioning in an operating system is to:

    • compare the current configuration to the corporate standard.
    • consult with the systems programmer.
    • consult with the vendor of the system.
    • compare the current configuration to the default configuration.
  17. To test the integrity of the data in the accounts receivable master file, an IS auditor is particularly interested in reviewing customers with balances over $400,000. The selection technique the IS auditor would use to obtain such a sample is called:

    • random selection.
    • systematic selection.
    • discovery selection.
    • stratification.
  18. During audit planning, an IS auditor walked through the design of controls related to a new data loss prevention (DLP) tool. It was noted that the tool will be configured to alert IT management when large files are sent outside of the organization via email. What type of control will be tested?

    • Detective
    • Corrective
    • Directive
    • Preventive
  19. Which of the following should be of GREATEST concern to an IS auditor when auditing an organization’s information security awareness program?

    • Security awareness training is not included as part of the onboarding process for new hires.
    • The number of security incidents logged by employees to the help desk has increased in the past year.
    • Training quizzes are designed and run by a third-party company under a contract with the organization.
    • Security awareness training is run via the organization’s enterprise-wide e-learning portal.
  20. A legacy application is running on an operating system that is no longer supported by the vendor. If the organization continues to use the current application, which of the following should be the IS auditor’s GREATEST concern?

    • Potential exploitation of zero-day vulnerabilities in the system
    • Inability to update the legacy application database
    • Increased cost of maintaining the system
    • Inability to use the operating system due to potential license issues