Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 19

  1. The BEST way for an IS auditor to determine which business processes are currently outsourced to a specific service provider is to review the:

    • enterprise architecture (EA) diagram.
    • service provider’s contract.
    • vendor management policy.
    • request for proposal (RFP) responses.
  2. Prior to the migration of acquired software into production, it is MOST important that the IS auditor review the:

    • user acceptance test report.
    • vendor testing report.
    • system documentation.
    • source code escrow agreement.
  3. When auditing the security architecture of an e-commerce environment, an IS auditor should FIRST review the:

    • configuration of the firewall
    • alternate firewall arrangements
    • location of the firewall within the network
    • criteria used for selecting the firewall
  4. An IS auditor reviewing a recently implemented virtual environment notices discrepancies among similar machine setups. Which of the following should the auditor recommend to minimize configuration risks?

    • Implement network best practice recommendations
    • Perform architectural vulnerability analysis to compare current system attributes to a reference
    • Perform hypervisor software updates with available patches to minimize security weakness
    • Implement templates to manage rapid deployment of virtual machines
  5. An organization has selected a web-based solution to reduce transaction costs and improve productivity. Before implementation, an IS auditor should ensure that the organization has:

    • performed a vulnerability assessment.
    • implemented electronic data interchange.
    • validated the solution against the current IT infrastructure.
    • addressed the level of risk exposure.
  6. An organization with high availability resource requirements is selecting a provider for cloud computing. Which of the following would cause the GREATEST concern to an IS auditor? The provider:

    • is not internationally certified for high availability.
    • does not store backup media offsite.
    • deploys patches automatically without testing.
    • hosts systems for the organization’s competitor.
  7. Which of the following BEST enables an audit department to improve the quality of work performed by its auditors?

    • Implementing global quality standards
    • Funding additional resources for audit work
    • Using audit-related data analytics tools
    • Implementing peer review of audit work
  8. An IS auditor discovers that management has created a system interface to receive financial data and store it in a data warehouse. Which of the following provides the BEST assurance that data in the data warehouse is accurate?

    • Established risk management processes
    • A documented change management process
    • Management access reviews
    • Management reconciliations
  9. An IS auditor performs a follow-up audit and learns the approach taken by the auditee to fix the findings differs from the agreed-upon approach confirmed during the last audit. Which of the following should be the auditor’s NEXT course of action?

    • Inform senior management of the change in approach.
    • Conduct a risk analysis incorporating the change.
    • Report results of the follow-up to the audit committee.
    • Evaluate the appropriateness of the remedial action taken.
  10. An IS auditor is using data analytics for an accounts payable audit. Which of the following potential risk scenarios will MOST likely be identified using this approach?

    • Rogue or shadow vendors
    • Payments made to the wrong vendor
    • Consecutive invoice numbers paid
    • Duplicate payments made for a vendor
  11. An IS auditor is evaluating the risk associated with moving from one database management system (DBMS) to another. Which of the following would be MOST helpful to ensure the integrity of the system throughout the change?

    • Preserving the same data structure
    • Preserving the same data classifications
    • Preserving the same data interfaces
    • Preserving the same data inputs
  12. An IS auditor is performing a follow-up audit and notes that some critical deficiencies have not been addressed. The auditor’s BEST course of action is to:

    • assess the impact of not addressing deficiencies.
    • document management’s reasons for not addressing deficiencies.
    • postpone the audit until the deficiencies are addressed.
    • provide new recommendations.
  13. Which of the following is MOST important for an IS auditor to focus on when evaluating the quality control processes for software deliverables?

    • The process to identify and manage defects
    • The process to check adherence to technical specifications
    • The process to produce quality control reports
    • The process to peer review and test the software
  14. An IS auditor is performing a follow-up audit for findings identified in an organization’s user provisioning process. Which of the following is the MOST appropriate population to sample from when testing for remediation?

    • All users who have followed user provisioning processes provided by management
    • All users provisioned after the finding was originally identified
    • All users provisioned after management resolved the audit issue
    • All users provisioned after the final audit report was issued
  15. An IS auditor is reviewing a sample of production incidents and notes that root cause analysis is not being performed. Which of the following is the GREATEST risk associated with this finding?

    • Future incidents may not be resolved in a timely manner.
    • Future incidents may be prioritized inappropriately.
    • The same incident may occur in the future.
    • Service level agreements (SLAs) may not be met.
  16. An IS auditor concludes that an organization has a quality security policy. Which of the following is MOST important to determine next? The policy must be:

    • updated frequently.
    • developed by process owners.
    • based on industry standards.
    • well understood by all employees.
  17. When determining which IS audits to conduct during the upcoming year, internal audit has received a request from management for multiple audits of the contract division due to fraud findings during the prior year. Which of the following is the BEST basis for selecting the audits to be performed?

    • Select audits based on an organizational risk assessment.
    • Select audits based on collusion risk.
    • Select audits based on the skill sets of the IS auditors.
    • Select audits based on management’s suggestion.
  18. An organization is considering the implementation of a business application. The IS auditor should FIRST ensure that:

    • user requirements are used to select the vendor.
    • an approved business case is in place.
    • users are represented on the project management team.
    • security requirements are specified.
  19. An IS auditor discovers an option in a database that allows the administrator to directly modify any table. This option is necessary to overcome bugs in the software, but is rarely used. Changes to tables are automatically logged. The IS auditor’s FIRST action should be to:

    • determine whether the log of changes to the tables is backed up.
    • determine whether the audit trail is secured and reviewed.
    • recommend that the option to directly modify the database be removed immediately.
    • recommend that the system require two persons to be involved in modifying the database.
  20. Which of the following provides an IS auditor with the BEST evidence that an organization’s information security program is aligned to business objectives?

    • Balanced scorecard
    • Risk assessment results
    • Business impact analysis (BIA)
    • Cost-benefit analysis