Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 17

  1. Which of the following is the PRIMARY reason for an IS auditor to map out the narrative of a business process?

    • To verify the business process is as described in the engagement letter
    • To identify the resources required to perform the audit
    • To ensure alignment with organizational objectives
    • To gain insight into potential risks
  2. Which of the following is the BEST way for an IS auditor to assess the effectiveness of backup procedures?

    • Review the backup schedule.
    • Evaluate the latest data restore.
    • Inspect backup logs.
    • Interview the data owner.
  3. An IS auditor is auditing the infrastructure of an organization that hosts critical applications within a virtual environment. Which of the following is MOST important for the auditor to focus on?

    • The ability to copy and move virtual machines in real time
    • The controls in place to prevent compromise of the host
    • Issues arising from system management of a virtual infrastructure
    • Qualifications of employees managing the applications
  4. When reviewing a database supported by a third-party service provider, an IS auditor found minor control deficiencies. The auditor should FIRST discuss recommendations with the:

    • service provider support team manager
    • organization’s service level manager
    • organization’s chief information officer (CIO)
    • service provider contract liaison
  5. Following an IT audit, management has decided to accept the risk highlighted in the audit report. Which of the following would provide the MOST assurance to the IS auditor that management is adequately balancing the needs of the business with the need to manage risk?

    • Established criteria exist for accepting and approving risk.
    • Identified risk is reported into the organization’s risk committee.
    • Potential impact and likelihood are adequately documented.
    • A communication plan exists for informing parties impacted by the risk.
  6. An IS auditor is performing a routine procedure to test for the possible existence of fraudulent transactions. Given there is no reason to suspect the existence of fraudulent transactions, which of the following data analytics techniques should be employed?

    • Association analysis
    • Classification analysis
    • Anomaly detection analysis
    • Regression analysis
  7. Which of the following is an IS auditor’s BEST recommendation for mitigating risk associated with rapid expansion of hosts within a virtual environment?

    • Limit access to the hypervisor operating system (OS) and administration console
    • Ensure quick access to updated images of a guest operating system for fast recovery
    • Consider using a third-party service provider to share the virtual machine (VM) risk
    • Implement policies and processes to control virtual machine (VM) lifecycle management
  8. Which of the following is the MOST effective way for an IS auditor to evaluate the creation and deletion of administrative accounts in a virtual environment?

    • Review password management procedures.
    • Review accounts to determine access requirements.
    • Review resource management for capacity performance. 
    • Review account provisioning and deprovisioning procedures.
  9. What should an IS auditor review FIRST when assessing the results of a recent penetration test to identify potential vulnerabilities?

    • Skill level of the network support staff
    • Parameters of the test 
    • Number of critical issues found
    • Incident response process
  10. While following up on a prior audit report, an IS auditor determines that a number of recommendations to address critical findings have not been implemented as agreed. What is the BEST course of action for the auditor?

    • Reclassify the risk ratings of the original findings.
    • Propose revised implementation timelines.
    • Escalate to the appropriate level of management. 
    • Revise the scope of the follow-up audit.
  11. Which of the following would be of GREATEST concern to an IS auditor when auditing a small organization’s purchasing department?

    • The organization lacks a purchasing officer with experience in purchasing activities.
    • Purchases can be approved after expenses have already been incurred.
    • Some members of the department can request and approve payments for purchase requests.
    • Purchasing procedures and processes have not been updated during the past two years.
  12. Which of the following audit procedures would BEST assist an IS auditor in determining the effectiveness of a business continuity plan (BCP)?

    • Performing an assessment of BCP test documentation
    • Participating in BCP meetings held with user department managers
    • Performing a maturity assessment of BCP methodology against industry standards
    • Observing tests of the BCP performed at the alternate processing site 
  13. After discussing findings with an auditee, an IS auditor is required to obtain approval of the report from the CEO before issuing it to the audit committee. This requirement PRIMARILY affects the IS auditor’s:

    • judgment
    • effectiveness
    • independence
    • integrity
  14. An organization wants to classify database tables according to its data classification scheme. From an IS auditor’s perspective, the tables should be classified based on the:

    • number of end users with access to the table
    • frequency of updates to the table
    • descriptions of column names in the table
    • specific functional contents of each single table 
  15. Which of the following should be an IS auditor’s GREATEST consideration when scheduling follow-up activities for agreed-upon management responses to remediate audit observations?

    • Business interruption due to remediation
    • IT budgeting constraints
    • Risk rating of original findings 
    • Availability of responsible IT personnel
  16. Which of the following is MOST important for an IS auditor to consider when auditing a vulnerability scanning software solution?

    • The scanning software was purchased from an approved vendor.
    • The scanning software was approved for release into production.
    • The scanning software covers critical systems. 
    • The scanning software is cost-effective.
  17. An IS auditor attempts to sample for variables in a population of items with wide differences in values but determines that an unreasonably large number of sample items must be selected to produce the desired confidence level. In this situation, which of the following is the BEST audit decision?

    • Allow more time and test the required sample 
    • Select a judgmental sample
    • Select a stratified sample
    • Lower the desired confidence level
  18. A vulnerability in which of the following virtual systems should be of GREATEST concern to an IS auditor?

    • The virtual machine management server 
    • The virtual application server
    • The virtual antivirus server
    • The virtual file server
  19. What is an IS auditor’s BEST course of action if informed by a business unit’s representatives that they are too busy to cooperate with a scheduled audit?

    • Reschedule the audit for a time more convenient to the business unit.
    • Begin the audit regardless and insist on cooperation from the business unit.
    • Notify the audit committee immediately and request they direct the audit begin on schedule.
    • Notify the chief audit executive who can negotiate with the head of the business unit.
  20. An IS auditor wants to determine who has oversight of staff performing a specific task and is referencing the organization’s RACI chart. Which of the following roles within the chart would provide this information?

    • Informed
    • Accountable 
    • Consulted
    • Responsible