Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 22

  1. An IS auditor notes that nightly batch processing is frequently incomplete for an application. The auditor should FIRST review controls over which of the following?

    • Application logs
    • Backup procedures
    • Job notification
    • Job scheduling
  2. What is the PRIMARY benefit of an audit approach which requires reported findings to be issued together with related action plans, owners, and target dates?

    • It establishes accountability for the action plans
    • It helps to ensure factual accuracy of findings
    • It enforces action plan consensus between auditors and auditees
    • It facilitates easier audit follow-up
  3. Which of the following is the MOST important objective of a risk assessment performed during the annual audit planning process?

    • Identifying key areas of focus
    • Eliminating areas with low residual risk
    • Engaging management in the audit planning process
    • Assigning audit resources
  4. An IS audit manager has been advised that hackers have entered the company’s e-commerce server a number of times in the past month. The IS audit group does not have the expertise necessary to investigate this situation. The IS audit manager should:

    • obtain support by contracting external resources.
    • have network security staff conduct the audit.
    • have IS management proceed immediately with control self-assessment (CSA).
    • decline the request on the basis that the staff is not prepared for the task.
  5. During an internal review of the system development life cycle management, an IS auditor finds that customer production data has been displayed in the user acceptance testing (UAT) environment. Which of the following is the auditor’s BEST recommendation?

    • Request approval for the use of production data in the UAT environment.
    • Use de-identified data in the UAT environment.
    • Use data encryption in the UAT environment.
    • Perform a risk assessment to establish the impact of data leakage.
  6. An IS auditor finds that capacity management for a key system is being performed by IT with no input from the business. The auditor’s PRIMARY concern would be:

    • unanticipated increase in business’s capacity needs
    • impact to future business project funding
    • failure to maximize the use of equipment
    • cost of excessive data center storage capacity
  7. An IS auditor is reviewing an end-user computing program. Which of the following is the BEST way to maintain the accuracy of calculations embedded in the tool?

    • Assign an owner and developer for each tool.
    • Maintain version control.
    • Review calculations periodically.
    • Use standardized tool calculations.
  8. An IS auditor identifies that the accounts payable clerk has direct access to the payment file after it has been generated. The MOST significant risk to the organization is that payments may be:

    • rejected.
    • duplicated.
    • late to customers.
    • altered.
  9. An IS auditor finds an IT department does not perform periodic discovery of hardware and software deployed in an environment. What is the GREATEST associated risk?

    • Increase in unused licenses within the organization
    • Inaccurate inventory of hardware and software
    • Inaccurate cost estimates of hardware and software
    • Incomplete lists for third-party license audits
  10. An IS auditor is conducting an interim review of an IT project. Which of the following would provide the MOST useful information regarding project performance?

    • Milestone review
    • Earned value analysis
    • Cost-benefit analysis
    • Function point analysis
  11. While reviewing transactions, an IS auditor discovers inconsistencies in a relational database. Which of the following would be the auditor’s BEST recommendation?

    • Perform data modeling.
    • Re-index the database.
    • Normalize the database.
    • Implement edit checks.
  12. Which of the following would be MOST useful to an IS auditor confirming that an IS department meets its service level agreements (SLAs)?

    • System downtime reports
    • IS strategic plan
    • Capacity planning tools
    • System utilization reports
  13. Which of the following would an IS auditor MOST likely recommend to ensure that an organization’s IT systems are effectively kept up-to-date regarding vulnerabilities?

    • Release management
    • Version management
    • Patch management
    • Risk management
  14. What should be of MOST concern to an IS auditor reviewing an organization’s proposal to combine its online transaction processing (OLTP) data and data warehouse in the same database environment?

    • The quality of business intelligence reporting may be impacted.
    • A significant amount of data computing resources will be required.
    • The combination of static data with dynamic data could reduce data quality.
    • The complexity of the solution could lead to delays in deployment.
  15. An IS auditor has found that despite an increase in phishing attacks over the past two years, there has been a significant decrease in the success rate. Which of the following is the MOST likely reason for this decline?

    • Implementation of an intrusion detection system (IDS)
    • Development of an incident response plan
    • Enhanced training for incident responders
    • Implementation of a security awareness program
  16. An IS auditor is evaluating networked devices at one of the organization’s branch locations. Which of the following observations should be of GREATEST concern?

    • Personal devices are required to connect wirelessly to a guest network.
    • A local executive has a wireless-enabled fish tank connected to the corporate network.
    • Company laptops with built-in cameras are observed with opaque tape blocking the cameras.
    • Four personal laptops with default passwords are connected to the corporate network.
  17. An external IS auditor is reviewing the continuous monitoring system for a large bank and notes several potential issues. Which of the following would present the GREATEST concern regarding the reliability of the monitoring system?

    • The system results are not regularly reviewed by management.
    • The measurement method is periodically varied.
    • The monitoring system was configured by internal auditors.
    • The alert threshold is updated periodically.
  18. Which of the following BEST indicates to an IS auditor that an IT-related project will deliver value to the organization?

    • The cost of the project is within the organization’s risk appetite.
    • The project will use existing infrastructure to deliver services.
    • Competitors are considering similar IT-based solutions.
    • Requirements are based on stakeholder expectations.
  19. An IS auditor reviewing a financial organization’s identity management solution found that some critical business applications do not have identified owners. Which of the following should the auditor do NEXT?

    • Request a business risk acceptance.
    • Discuss the issue with the auditee.
    • Write a finding in the audit report.
    • Revoke access rights to the critical applications.
  20. An IS audit team is planning to rely on a system-generated report to reduce the substantive procedures they will need to perform. Which of the following procedures should the IS auditor perform to verify the completeness of the report?

    • Test data for appropriateness.
    • Validate the report query.
    • Establish some criteria for expected results and compare to actual results.
    • Trace a sample of transactions to the internal transactions.