Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 16

  1. Which of the following responsibilities of an organization’s quality assurance function should raise concern for an IS auditor?

    • Ensuring the test work supports observations
    • Ensuring standards are adhered to within the development process
    • Implementing solutions to correct defects
    • Updating development methodology
  2. Which of the following is the MOST appropriate document for granting authority to an external IS auditor in an audit engagement with a client organization?

    • Approved statement of work
    • Formally approved audit charter
    • An internal memo to all concerned parties
    • Request for proposal for audit services
  3. Which of the following is MOST important for an IS auditor to evaluate when determining the effectiveness of an information security program?

    • Percentage of users aware of the objectives of the security program
    • Percentage of policy exceptions that were approved with justification
    • Percentage of desired control objectives achieved
    • Percentage of reported security incidents
  4. When auditing an organization’s software acquisition process, the BEST way for an IS auditor to understand the software benefits to the organization would be to review the:

    • request for proposal (RFP).
    • feasibility study.
    • alignment with IT strategy.
    • business case.
  5. Which of the following should be the GREATEST concern to an IS auditor evaluating an organization’s policies?

    • Policies are not formally approved by the management.
    • Policies are not formally acknowledged and signed by employees.
    • Policies do not provide adequate protection to the organization.
    • Policies are not reviewed and updated frequently.
  6. Which of the following is the BEST source of information for an IS auditor when planning an audit of a business application’s controls?

    • User documentation
    • Change control procedures
    • Access control lists
    • Process flow diagrams
  7. An IS auditor notes that a loan servicing group retains customer personally identifiable information (PII) on a shared drive. Which of the following is MOST important to ensure compliance with privacy principles?

    • Backups are performed in accordance with organizational policy.
    • Access to the shared drive must be approved by the manager of the group.
    • The data is maintained in accordance with the business’s retention policy.
    • All key customer data elements are captured on the shared drive.
  8. An IS auditor is evaluating the access controls at a multinational company with a shared network infrastructure. Which of the following is MOST important?

    • Simplicity of end-to-end communication paths
    • Remote network administration
    • Common security policies
    • Logging of network information at user level
  9. Which of the following is the MOST significant risk an IS auditor should consider when reviewing a credit card company’s application system?

    • Data privacy
    • Processing times
    • System availability
    • Credit ratings
  10. Which of the following should be an IS auditor’s PRIMARY concern when evaluating an organization’s information security policies, procedures, and controls for third-party vendors?

    • The third-party vendors have their own information security requirements.
    • The organization is still responsible for protecting the data.
    • Noncompliance is easily detected.
    • The same procedures and controls are used for all third-party vendors.
  11. During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed as management has decided to accept the risk. Which of the following is the IS auditor’s BEST course of action?

    • Adjust the annual risk assessment accordingly.
    • Require the auditee to address the recommendations in full.
    • Evaluate senior management’s acceptance of the risk.
    • Update the audit program based on management’s acceptance of risk.
  12. As part of a follow-up of a previous year’s audit, an IS auditor has increased the expected error rate for a sample. What is the impact?

    • The degree of assurance increases.
    • The standard deviation decreases.
    • The sampling risk decreases.
    • The required sample size increases.
  13. During a vendor management database audit, an IS auditor identifies multiple instances of duplicate vendor records. In order to prevent recurrence of the same issue, which of the following is the IS auditor’s BEST recommendation to management?

    • Perform system verification checks for unique data values on key fields.
    • Request senior management approval of all new vendor details.
    • Run system reports of full vendor listings periodically to identify duplication.
    • Build a segregation of duties control into the vendor creation process.
  14. During the implementation of a new system, an IS auditor must assess whether certain automated calculations comply with the regulatory requirements. Which of the following is the BEST way to obtain this assurance?

    • Inspect user acceptance test (UAT) results.
    • Re-perform the calculation with audit software.
    • Review sign-off documentation.
    • Review the source code related to the calculation.
  15. An IS auditor has been asked to review a recently implemented quality management system (QMS). Which of the following should be the auditor’s PRIMARY focus?

    • Training materials prepared for coaching employees
    • Processes to measure the performance of business critical transactions
    • Documentation standard of the implemented QMS system
    • Stability of the implemented QMS system over a period of time
  16. Which of the following should be the PRIMARY concern of an IS auditor during a review of an external IT service level agreement (SLA) for computer operations?

    • No employee succession plan
    • Changes in services are not tracked
    • Lack of software escrow provisions
    • Vendor has exclusive control of IT resources
  17. An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor’s BEST recommendation should be to:

    • reclassify the data to a lower level of confidentiality.
    • recommend corrective actions to be taken by the security administrator.
    • implement a strong password schema for users.
    • require the business owner to conduct regular access reviews.
  18. An IS auditor is reviewing an organization’s primary router access control list. Which of the following should result in a finding?

    • The network security group can change network address translation (NAT).
    • There are conflicting permit and deny rules for the IT group.
    • There is only one rule per group with access privileges.
    • Individual permissions are overriding group permissions.
  19. Which of the following BEST describes an audit risk?

    • The financial report may contain undetected material errors.
    • The company is being sued for false accusations.
    • Key employees have not taken vacation for 2 years.
    • Employees have been misappropriating funds.
  20. An IS auditor notes that several of a client’s servers are vulnerable to attack due to open unused ports and protocols. The auditor recommends management implement minimum security requirements. Which type of control has been recommended?

    • Preventive
    • Corrective
    • Directive
    • Compensating