Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 21

  1. Which of the following would the IS auditor MOST likely review to determine whether modifications to the operating system parameters were authorized?

    • Change control log
    • System initialization logs
    • Security system parameters
    • Documentation of exit routines
  2. Which of the following is the BEST source of information for an IS auditor to use when determining whether an organization’s information security policy is adequate?

    • Industry benchmarks
    • Information security program plans
    • Penetration test results
    • Risk assessment results
  3. An internal audit has revealed a large number of incidents for which root cause analysis has not been performed. Which of the following is MOST important for the IS auditor to verify to determine whether there is an audit issue?

    • Cost of resolving the incidents
    • Severity level of the incidents
    • Time required to resolve the incidents
    • Frequency of the incidents
  4. In an IS auditor’s review of an organization’s configuration management practices for software, which of the following is MOST important?

    • Service level agreements (SLAs) between the IT function and users
    • Post-implementation review reports from development efforts
    • Organizational policies related to release management
    • Software rental contracts or lease agreements
  5. An IS auditor notes that due to the small size of the organization, human resources staff can create new employees in the payroll system as well as process payroll. Which of the following is the BEST recommendation to address this situation?

    • Outsource the processing of payroll to a third party.
    • Implement a periodic user access review over the payroll system.
    • Implement periodic reviews of employees in the payroll system.
    • Hire additional staff so that access for the two functions can be segregated.
  6. Which of the following is MOST important for an auditor to consider when scoping for an IT general controls audit?

    • Frequency of changes
    • Timing of changes
    • Types of changes
    • Number of changes
  7. What would be an IS auditor’s BEST course of action when a critical issue outside the audit scope is discovered on an employee workstation?

    • Take no action as this issue is outside the audit scope.
    • Expand the audit scope to include desktop audits.
    • Include the findings with recommendations in the final report.
    • Record the observation in the workpapers.
  8. During an ongoing audit, management requests a briefing on the findings to date. Which of the following is the IS auditor’s BEST course of action?

    • Review working papers with the auditee.
    • Request the auditee provide management responses.
    • Request management wait until a final report is ready for discussion.
    • Present observations for discussion only.
  9. An IS auditor finds that an employee lost a mobile device containing sensitive company data. Which of the following would have BEST prevented data leakage?

    • The employee promptly reported the lost device.
    • Data on the device was encrypted.
    • The employee acknowledged the acceptable use policy.
    • Data on the device was backed up.
  10. Which of the following is the PRIMARY purpose for external assessments of internal audit’s quality assurance systems and frameworks?

    • To provide assurance that the internal audit function conforms with established professional practices
    • To provide assurance that internal audit staff are qualified to perform their responsibilities
    • To confirm the accuracy and reliability of prior internal audit results
    • To confirm the internal audit department has adequate budget to perform its duties
  11. Which of the following reports would BEST assist an IS auditor evaluating the effectiveness of preventive maintenance?

    • Downtime
    • Help desk
    • Violation
    • Activity
  12. During an audit of an online sales booking system, the IS auditor identifies exceptions in the batch mode that cause some transactions to not get posted. Which of the following is MOST important for the auditor to review?

    • Error detection and handling procedures
    • Changes to the scheduling program
    • The vulnerability of source code and parameters configured
    • The nature and frequency of network connection failures
  13. Which of the following would BEST indicate the independence of the internal audit function?

    • Engagement letter
    • Audit charter
    • Organizational structure
    • Dedicated chief internal auditor
  14. Which audit approach is MOST helpful in optimizing the use of IS audit resources?

    • Agile auditing
    • Outsourced auditing
    • Risk-based auditing
    • Continuous auditing
  15. Which of the following should an IS auditor review when verifying the integrity of a relational database management system (RDBMS)?

    • Cyclic redundancy check value
    • Secret key algorithm used
    • Foreign key attributes
    • Database size value
  16. The PRIMARY benefit of a risk-based audit methodology is to:

    • reduce audit scope.
    • identify key controls.
    • understand business processes.
    • prioritize audit resources.
  17. Following an internal audit of a database, management has committed to enhance password management controls. Which of the following provides the BEST evidence that management has remediated the audit finding?

    • Screenshots from end users showing updated password settings
    • Interviews with management about remediation completion
    • Change tickets of recent password configuration updates
    • Observation of updated password settings with database administrators (DBAs)
  18. Which of the following is the BEST audit technique to identify fraudulent activity in a processing system?

    • Inspect flow and timing of authorizations recorded by the system.
    • Perform statistical analysis and classification of all transactions.
    • Inspect the source code of the application programs.
    • Review a sample of transactions for compliance with policies.
  19. The PRIMARY reason to formally communicate audit results immediately after the audit has been completed is to ensure:

    • the report is relevant and useful.
    • deadlines and departmental goals are met.
    • the risk identified in the report is immediately mitigated.
    • the auditors adhere to standard audit practices.
  20. Which of the following findings should be of GREATEST concern to an IS auditor conducting a forensic analysis following incidents of suspicious activities on a server?

    • Most suspicious activities were created by system IDs.
    • Audit logs are not enabled on the server.
    • The server’s operating system is outdated.
    • The server is outside the domain.