Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 15

  1. A 5-year audit plan provides for general audits every year and application audits on alternating years. To achieve higher efficiency, the IS audit manager would MOST likely:

    • proceed with the plan and integrate all new applications.
    • alternate between control self-assessment (CSA) and general audits every year.
    • implement risk assessment criteria to determine audit priorities.
    • have control self-assessments (CSAs) and formal audits of applications on alternating years.
  2. Which of the following would be an IS auditor’s GREATEST concern when evaluating a cybersecurity incident response plan?

    • The plan has not been recently tested.
    • Roles and responsibilities are not detailed for each process.
    • Stakeholder contact details are not up-to-date.
    • The plan does not include incident response metrics.
  3. An organization has agreed to perform remediation related to high-risk audit findings. The remediation process involves a complex reorganization of user roles as well as the implementation of several compensating controls that may not be completed within the next audit cycle. Which of the following is the BEST way for an IS auditor to follow up on the activities?

    • Review the progress of remediation on a regular basis.
    • Provide management with a remediation timeline and verify adherence.
    • Continue to audit the failed controls according to the audit schedule.
    • Schedule a review of the controls after the projected remediation date.
  4. The IS auditor’s PRIMARY role in control self-assessment (CSA) is to:

    • evaluate the controls.
    • facilitate the process.
    • identify weaknesses.
    • draw up an action plan.
  5. Which of the following is an IS auditor’s BEST course of action upon learning that preventive controls have been replaced with detective and corrective controls?

    • Report the issue to management as the risk level has increased.
    • Recommend the implementation of preventive controls in addition to the other controls.
    • Verify the revised controls enhance the efficiency of related business processes.
    • Evaluate whether new controls manage the risk at an acceptable level.
  6. Which of the following should the IS auditor do FIRST to ensure data transfer integrity for Internet of Things (IoT) devices?

    • Verify access control lists to the database where collected data is stored.
    • Confirm that acceptable limits of data bandwidth are defined for each device.
    • Ensure that message queue telemetry transport (MQTT) is used.
    • Determine how devices are connected to the local network.
  7. An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings. Which of the following would be the BEST recommendation?

    • Update the acceptable use policy for mobile devices.
    • Notify employees to set passwords to a specified length.
    • Encrypt data between corporate gateway and devices.
    • Apply a security policy to the mobile devices.
  8. When planning an application audit, it is MOST important to evaluate risk factors by interviewing:

    • process owners.
    • application owners.
    • IT management.
    • application users.
  9. The scheduling of audit follow-ups should be based PRIMARILY on:

    • costs and audit efforts involved.
    • auditee and auditor time commitments.
    • the risk and exposure involved.
    • control and detection processes.
  10. A vendor service level agreement (SLA) requires backups to be physically secured. An IS audit of the backup system revealed a number of the backup media were missing. Which of the following should be the auditor’s NEXT step?

    • Recommend a review of the vendor’s contract.
    • Recommend identification of the data stored on the missing media.
    • Notify executive management.
    • Include the missing backup media finding in the audit report.
  11. An internal audit department recently established a quality assurance (QA) program as part of its overall audit program. Which of the following activities is MOST important to include as part of the QA program requirements?

    • Implementing corrective action plans.
    • Reviewing audit standards periodically.
    • Analyzing user satisfaction reports from business lines.
    • Creating a long-term plan for internal audit staffing.
  12. Which of the following would be of MOST concern for an IS auditor evaluating the design of an organization’s incident management processes?

    • Metrics are not reported to senior management.
    • Service management standards are not followed.
    • Expected time to resolve incidents is not specified.
    • Prioritization criteria are not defined.
  13. During a review of an organization’s IT incident management practices, the IS auditor finds the quality of incident resolution documentation is poor. Which of the following is the BEST recommendation to help address this issue?

    • Have service desk staff create documentation by choosing from pre-selected answers in the service management tool.
    • Require service desk staff to open incident tickets only when they have sufficient information.
    • Revise incident resolution procedures and provide training for service desk staff on the applicable updates.
    • Require peer review of resolution documentation followed by service desk management sign off.
  14. What is an IS auditor’s BEST course of action when provided with a status update indicating audit recommendations related to segregation of duties for financial staff have been implemented?

    • Verify sufficient segregation of duties controls are in place.
    • Request documentation of the segregation of duties policy and procedures.
    • Note the department’s response in the audit workpapers and records.
    • Confirm with the business that the recommendations are implemented.
  15. When reviewing capacity monitoring, an IS auditor notices several incidents where storage capacity limits were reached, while the average utilization was below 30%. Which of the following would the IS auditor MOST likely identify as the root cause?

    • The IT response to the alerts was too slow.
    • The amount of data produced was unacceptable for operations.
    • The storage space should have been enlarged in time.
    • The dynamics of the utilization were not properly taken into account.
  16. An IS auditor is reviewing the process followed in identifying and prioritizing the critical business processes. This process is part of the:

    • balanced scorecard.
    • business impact analysis (BIA).
    • operations component of the business continuity plan (BCP).
    • enterprise risk management plan.
  17. When assessing a business case as part of a post-implementation review, the IS auditor must ensure that the:

    • feasibility of alternative project approaches has been assessed.
    • business case has not been amended since project approval.
    • quality assurance measures have been applied throughout the project.
    • amendments to the business case have been approved.
  18. While auditing an IT department’s cloud service provider, the IS auditor found that privileged access monitoring is not being performed as required by the contract. The provider disagrees with this issue and notes that compensating controls are in place. The IS auditor’s NEXT course of action should be to:

    • test compensating controls as part of the audit.
    • define a remediation plan.
    • review privileged access logs.
    • recommend revising the service level agreement (SLA).
  19. Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s information security program?

    • The program was not formally signed off by the sponsor.
    • Key performance indicators (KPIs) are not established.
    • Not all IT staff are aware of the program.
    • The program was last updated five years ago.
  20. During an incident management audit, an IS auditor finds that several similar incidents were logged during the audit period. Which of the following is the auditor’s MOST important course of action?

    • Document the finding and present it to management.
    • Determine if a root cause analysis was conducted.
    • Validate whether all incidents have been actioned.
    • Confirm the resolution time of the incidents.