Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 20

  1. An IS auditor is planning an audit of an organization’s payroll processes. Which of the following is the BEST procedure to provide assurance against internal fraud?

    • Review management’s approval of payroll system changes.
    • Review management’s validation of payroll payment recipients. 
    • Interview the payroll manager to obtain a detailed process workflow.
    • Compare employee work contracts against hours entered in the payroll system.
  2. An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?

    • Completeness testing has not been performed on the log data. 
    • Data encryption standards have not been considered.
    • Log feeds are uploaded via batch process.
    • The log data is not normalized.
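Question 2 turns on completeness testing: if events are silently dropped or duplicated between the source and the aggregation platform, every downstream control (alerting, retention, forensics) is built on an incomplete record. The script below is an added example, not part of the original page or of any product it refers to. It assumes that each source stamps its events with a per-source sequence number (`seq=` / `seq#`) and that two constructed line formats, a firewall log and a syslog `sshd` line, are the only ones in the feed; the sample lines and the year assumed for syslog timestamps are likewise constructed for illustration.

```python
"""Completeness test and normalization for an event-log aggregation feed.

Added example, not code from the original page. The feed lines below are
constructed; the per-source sequence-number fields are an assumption about
the source format.
"""
import re
from datetime import datetime, timezone

# Constructed sample feed: two sources, two line formats. fw01 is missing
# seq 103 and app02 delivered seq 8 twice.
SAMPLE_FEED = """\
fw01 seq=101 ts=2021-12-10T09:00:00Z action=ALLOW src=10.1.1.5 dst=10.2.2.9
fw01 seq=102 ts=2021-12-10T09:00:01Z action=DENY src=10.1.1.7 dst=10.2.2.9
fw01 seq=104 ts=2021-12-10T09:00:03Z action=ALLOW src=10.1.1.5 dst=10.2.2.10
Dec 10 09:00:02 app02 sshd[4211]: seq#7 Accepted publickey for alice from 10.1.1.5
Dec 10 09:00:05 app02 sshd[4211]: seq#8 Failed password for root from 10.1.1.9
Dec 10 09:00:06 app02 sshd[4211]: seq#8 Failed password for root from 10.1.1.9
"""

FW_RE = re.compile(
    r"^(?P<host>\S+) seq=(?P<seq>\d+) ts=(?P<ts>\S+) action=(?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)
SSH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"seq#(?P<seq>\d+) (?P<msg>.*?) from (?P<src>\S+)$"
)


def normalize(line, year=2021):
    """Map both formats onto one schema: host, seq, ts (aware UTC), src, event.

    Returns None for a line that matches neither format, so unparsed lines
    can be counted instead of silently discarded.
    """
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return {"host": m["host"], "seq": int(m["seq"]), "ts": ts,
                "src": m["src"], "event": m["action"].lower()}
    m = SSH_RE.match(line)
    if m:
        # Classic syslog carries neither year nor zone: year is a parameter,
        # zone is assumed UTC (an assumption of this example).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        event = "auth_success" if m["msg"].startswith("Accepted") else "auth_failure"
        return {"host": m["host"], "seq": int(m["seq"]), "ts": ts,
                "src": m["src"], "event": event}
    return None


def completeness_report(feed, year=2021):
    """Per-source completeness: sequence gaps, duplicates, and lines that did not parse."""
    report = {"unparsed": [], "sources": {}}
    seen = {}
    for raw in feed.splitlines():
        rec = normalize(raw, year)
        if rec is None:
            report["unparsed"].append(raw)
            continue
        seen.setdefault(rec["host"], []).append(rec["seq"])
    for host, seqs in seen.items():
        expected = set(range(min(seqs), max(seqs) + 1))
        report["sources"][host] = {
            "received": len(seqs),
            "missing": sorted(expected - set(seqs)),
            "duplicates": sorted({s for s in seqs if seqs.count(s) > 1}),
        }
    return report


if __name__ == "__main__":
    for host, r in completeness_report(SAMPLE_FEED)["sources"].items():
        print(host, r)
```

Against the constructed feed the report shows fw01 missing sequence 103 and app02 delivering sequence 8 twice. In a real review the auditor would also compare each source's own event counter (or a count taken at the source) with the count received, since a gap at the very start or end of the window is invisible to a min/max range check.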
  3. An IS auditor is planning a risk-based audit of the human resources department. The department uses separate systems for its payroll, training and employee performance review functions. What should the IS auditor do FIRST before identifying the key controls to be tested?

    • Determine the inherent risk related to each system.
    • Determine the number of samples to be tested for each system.
    • Assess the control risk associated with each system. 
    • Identify the technical skills and resources needed to audit each system.
  4. Which of the following findings should be of GREATEST concern to an IS auditor performing a review of IT operations?

    • The job scheduler application has not been designed to display pop-up error messages.
    • Access to the job scheduler application has not been restricted to a maximum of two staff members.
    • Changes to the job scheduler application’s parameters are not approved and reviewed by an operations supervisor. 
    • Operations shift turnover logs are not utilized to coordinate and control the processing environment.
  5. Which of the following findings should be of MOST concern to an IS auditor reviewing an organization’s business continuity plan (BCP)?

    • An application inventory is not included.
    • A resource optimization plan is not included.
    • A business feasibility study was not performed.
    • A business impact analysis (BIA) was not performed.
  6. Which of the following is the BEST way for an external IS auditor to determine the scope of an audit for a large multinational organization?

    • Focus on areas related to the use of emerging technologies.
    • Sample audit each geographical location.
    • Focus on identified high-risk areas in the organization.
    • Use the work of the internal auditor at each location.
  7. After the merger of two organizations, which of the following is the MOST important task for an IS auditor to perform?

    • Investigating access rights for expiration dates
    • Verifying that access privileges have been reviewed
    • Updating the security policy 
    • Updating the continuity plan for critical resources
  8. Which of the following should be an IS auditor’s PRIMARY focus when evaluating the response process for cyber crimes?

    • Notification to regulators
    • Communication with law enforcement
    • Evidence collection 
    • Root cause analysis
  9. During the course of an audit, an IS auditor’s organizational independence is impaired. The IS auditor should FIRST:

    • inform audit management of the situation. 
    • inform senior management in writing and proceed with the audit.
    • obtain the auditee’s approval before continuing the audit.
    • proceed with the audit as planned after documenting the incident.
  10. An IS auditor has identified that some IT staff have administrative access to the enterprise resource planning (ERP) application, database, and server. IT management has responded that due to limited resources, the same IT staff members have to support all three layers of the ERP application. Which of the following would be the auditor’s BEST recommendation to management?

    • Request funding to hire additional IT staff to enable segregation of duties. 
    • Leverage business unit personnel to serve as administrators of the application.
    • Monitor activities of the associated IT staff members by reviewing system-generated logs weekly.
    • Remove some of the administrative access of the associated IT staff members.
  11. Which of the following would provide the BEST evidence for an IS auditor to determine whether segregation of duties is in place?

    • A review of the organizational chart
    • A review of personnel files
    • An analysis of user access requests 
    • A walk-through of job functions
  12. An IS auditor notes that a number of application plug-ins currently in use are no longer supported. Which of the following is the auditor’s BEST recommendation to management?

    • Implement role-based access controls.
    • Conduct a vulnerability assessment to determine exposure. 
    • Review content backup and archiving procedures.
    • Review on-boarding and off-boarding processes.
  13. What should be the PRIMARY basis for scheduling a follow-up audit?

    • The significance of reported findings 
    • The completion of all corrective actions
    • The availability of audit resources
    • The time elapsed after audit report submission
  14. The PRIMARY purpose for an IS auditor to review previous audit reports during the planning phase of a current audit is to:

    • become informed about the auditee’s business processes.
    • adjust audit scope to reduce testing in areas related to previous findings.
    • identify applicable regulatory requirements for the current audit.
    • ensure that previously identified risks are addressed in the audit program.
  15. What should be an IS auditor’s NEXT course of action when a review of an IT organizational structure reveals IT staff members have duties in other departments?

    • Determine whether any segregation of duties conflicts exist. 
    • Recommend that segregation of duties controls be implemented.
    • Report the issue to human resources (HR) management.
    • Immediately report a potential finding to the audit committee.
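Questions 10, 11 and 15 share one underlying test: segregation of duties is demonstrated by what people can actually do in the systems, not by an organizational chart or a job description. The script below is an added example, not taken from the original page; it shows how an auditor's analysis of approved access requests (question 11) can surface conflicting function pairs (question 15) and the single-identity, full-stack administrator situation described in question 10. The entitlement extract, the conflict-pair rule set and the ERP layer role names (`app_admin`, `dba`, `root`) are all constructed for illustration.

```python
"""Segregation-of-duties analysis over an extract of approved access grants.

Added example, not code from the original page. The grants, the conflict
matrix and the ERP layer/role names are constructed assumptions.
"""
from itertools import combinations

# Constructed extract of approved access requests: (user, system, role).
ACCESS_GRANTS = [
    ("alice", "erp_app", "vendor_master_maintain"),
    ("alice", "erp_app", "ap_invoice_post"),
    ("bob",   "erp_app", "ap_invoice_post"),
    ("bob",   "erp_app", "payment_release"),
    ("carol", "payroll", "timesheet_entry"),
    ("carol", "payroll", "timesheet_approve"),
    ("dave",  "erp_app", "app_admin"),
    ("dave",  "erp_db",  "dba"),
    ("dave",  "erp_os",  "root"),
    ("erin",  "erp_app", "app_admin"),
    ("erin",  "erp_db",  "dba"),
]

# Function pairs one person must not hold together (assumed rule set; a real
# matrix comes from the process owners and the auditor's risk assessment).
CONFLICT_PAIRS = {
    frozenset({"vendor_master_maintain", "ap_invoice_post"}),
    frozenset({"ap_invoice_post", "payment_release"}),
    frozenset({"timesheet_entry", "timesheet_approve"}),
}

# Administrative role at each ERP layer: application, database, server (assumed names).
ERP_LAYER_ADMIN = {"erp_app": "app_admin", "erp_db": "dba", "erp_os": "root"}


def roles_by_user(grants):
    """Collapse the grant list into {user: {(system, role), ...}}."""
    out = {}
    for user, system, role in grants:
        out.setdefault(user, set()).add((system, role))
    return out


def find_sod_conflicts(grants, conflict_pairs=CONFLICT_PAIRS):
    """Return {user: [(role_a, role_b), ...]} for every conflicting pair a user holds.

    Pairs are reported in sorted order so results are stable across runs.
    """
    findings = {}
    for user, entitlements in roles_by_user(grants).items():
        held = {role for _, role in entitlements}
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in conflict_pairs:
                findings.setdefault(user, []).append((a, b))
    return findings


def find_full_stack_admins(grants, layer_admin=ERP_LAYER_ADMIN):
    """Users who are administrators at every ERP layer at once (the question 10 condition)."""
    needed = set(layer_admin.items())
    return sorted(user for user, ents in roles_by_user(grants).items() if needed <= ents)


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(ACCESS_GRANTS).items():
        print(f"{user}: {pairs}")
    print("full-stack ERP admins:", find_full_stack_admins(ACCESS_GRANTS))
```

On the constructed data alice, bob and carol each hold a conflicting pair and only dave administers all three ERP layers; erin, who lacks server access, is not reported. Where the conflict cannot be removed for staffing reasons, as in question 10, the same entitlement extract becomes the basis for a compensating control such as targeted review of those users' privileged activity logs.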
  16. An IS auditor is assessing an organization’s implementation of a virtual network. Which of the following observations should be considered the MOST significant risk?

    • Communication performance over the virtual network is not monitored.
    • Virtual network devices are replicated and stored in offline mode.
    • Traffic over the virtual network is not visible to security protection devices. 
    • Physical and virtual network configurations are not managed by the same team.
  17. An IS auditor is assessing a recent migration of mission critical applications to a virtual platform. Which of the following observations poses the GREATEST risk to the organization?

    • A post-implementation review of the hypervisor has not yet been conducted.
    • Role descriptions do not accurately reflect new virtualization responsibilities.
    • The migration was not approved by the board of directors.
    • Training for staff with new virtualization responsibilities has not been conducted.
  18. Which of the following should be of MOST concern to an IS auditor evaluating a forensics program?

    • Forensic images are stored on removable media with encryption.
    • Forensic images are only stored for involuntarily terminated employees.
    • Forensic images are only maintained for 12 months.
    • Forensic images are stored on shared disks.
  19. An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following would be the KEY procedure for the IS auditor to perform?

    • Review input and output control reports to verify the accuracy of the system decisions. 
    • Review system documentation to ensure completeness.
    • Ensure that a detection system designed to verify transaction accuracy is included.
    • Review signed approvals to ensure responsibilities for decisions of the system are well-defined.
  20. Which of the following should be of GREATEST concern when conducting an audit of software inventory management?

    • Missing licensing paper contracts
    • Anti-virus software not regularly upgraded
    • Unlicensed software 
    • Development libraries not included in inventory records