Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 23

  1. What is the BEST strategy to prioritize work when planning a follow-up audit?

    • Target risks that are most easily mitigated.
    • Agree on priorities with risk owners.
    • Target the areas of highest risk.
    • Target risks not reported as mitigated by risk owners.
  2. Which of the following should be established FIRST when initiating a control self-assessment (CSA) program in a small organization?

    • Control register
    • Staff questionnaires
    • Assessor competency
    • Facilitated workshops
  3. Which of the following is the MOST appropriate responsibility of an IS auditor involved in a data center renovation project?

    • Performing independent reviews of responsible parties engaged in the project
    • Ensuring the project progresses as scheduled and milestones are achieved
    • Shortlisting vendors to perform renovations
    • Approving the design of controls for the data center
  4. Which of the following should an IS auditor review FIRST when evaluating a business process for auditing?

    • Evidence that IS-related controls are operating effectively
    • Competence of the personnel performing the process
    • Assignment of responsibility for process management
    • Design and implementation of controls
  5. Which of the following is the MOST important operational aspect for an IS auditor to consider when assessing an assembly line with quality control sensors accessible via wireless technology?

    • Device updates
    • Resource utilization
    • Device security
    • Known vulnerabilities
  6. During an audit of an access control system, an IS auditor finds that RFID card readers are not connected via the network to a central server. Which of the following is the GREATEST risk associated with this finding?

    • Lost or stolen cards cannot be disabled immediately.
    • Card reader firmware updates cannot be rolled out automatically.
    • The system is not easily scalable to accommodate a new device.
    • Incidents cannot be investigated without a centralized log file.
  7. Which of the following findings should be of GREATEST concern to an IS auditor reviewing the effectiveness of an organization’s problem management practices?

    • Problem records are prioritized based on the impact of incidents.
    • Some incidents are closed without problem resolution.
    • Root causes are not adequately identified.
    • Problems are frequently escalated to management for resolution.
  8. A review of IT interface controls finds an organization does not have a process to identify and correct records that do not get transferred to the receiving system. Which of the following is the IS auditor’s BEST recommendation?

    • Implement software to perform automatic reconciliations of data between systems.
    • Enable automatic encryption, decryption, and electronic signing of data files.
    • Have coders perform manual reconciliation of data between systems.
    • Automate the transfer of data between systems as much as feasible.
  9. An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

    • The regular performance-reporting documentation
    • The exact definition of the service levels and their measurement
    • The alerting and measurement process on the application servers
    • The actual availability of the servers as part of a substantive test
  10. When evaluating the management practices at a third-party organization providing outsourced services, the IS auditor considers relying on an independent auditor’s report. The IS auditor would FIRST:

    • review the objectives of the audit.
    • examine the independent auditor’s workpapers.
    • discuss the report with the independent auditor.
    • determine if recommendations have been implemented.
  11. When an organization introduces virtualization into its architecture, which of the following should be an IS auditor’s PRIMARY area of focus to verify adequate protection?

    • Maintenance cycles
    • Multiple versions of the same operating system
    • Shared storage space
    • Host operating system configuration
  12. An IS auditor is reviewing a banking mobile application that allows end users to perform financial transactions. Which of the following poses a security risk to the organization?

    • Unpatched security vulnerabilities in the mobile operating system
    • Outdated mobile network settings
    • Application programming interface (API) logic faults
    • Lack of strong device passwords
  13. Which of the following is the BEST way for an IS auditor to reduce sampling risk when performing audit sampling to verify the adequacy of an organization’s internal controls?

    • Outsource the sampling process.
    • Decrease the sampling size.
    • Lower the sample standard deviation.
    • Use a statistical sampling method.
  14. A company laptop has been stolen, and all photos on the laptop have been published on social media. Which of the following is the IS auditor’s BEST course of action?

    • Ensure that the appropriate authorities have been notified.
    • Review the photos to determine whether they were for business or personal purposes.
    • Verify the organization’s incident reporting policy was followed.
    • Determine if the laptop had the appropriate level of encryption.
  15. An organization’s enterprise architecture (EA) department decides to change a legacy system’s components while maintaining its original functionality. Which of the following is MOST important for an IS auditor to understand when reviewing this decision?

    • The current business capabilities delivered by the legacy system
    • The database entity relationships within the legacy system
    • The data flows between the components to be used by the redesigned system
    • The proposed network topology to be used by the redesigned system
  16. During an internal audit review of a human resources (HR) recruitment system implementation, the IS auditor notes that several defects were unresolved at the time the system went live. Which of the following is the auditor’s MOST important task prior to formulating an audit opinion?

    • Confirm the project plan was approved.
    • Confirm the severity of the identified defects.
    • Review the user acceptance test (UAT) results for defects.
    • Review the initial implementation plan for timelines.
  17. Which of the following observations should be of GREATEST concern to an IS auditor reviewing a hosted virtualized environment where each guest operating system (OS) is running a production application?

    • All virtual machines are launching an application backup job at the same time.
    • There are file shares between the host OS and the guest OS.
    • Access to virtualization utilities and tools in the host is not restricted.
    • The test environment of the applications is in a separate guest OS.
  18. A multinational organization is integrating its existing payroll system with a human resource information system. Which of the following should be of GREATEST concern to the IS auditor?

    • Currency conversion
    • Scope creep
    • Application interfaces
    • System documentation
  19. Which of the following is the MOST effective sampling method for an IS auditor to use for identifying fraud and circumvention of regulations?

    • Stop-or-go sampling
    • Variable sampling
    • Discovery sampling
    • Statistical sampling

    This is an example of the discovery sampling technique, where an auditor examines samples until an exception is found.

  20. Which of the following is the BEST way for an IS auditor to maintain visibility of a new system implementation project when faced with resource limitations?

    • Evaluate the project plan and milestones.
    • Attend steering committee meetings.
    • Assess user acceptance test (UAT) results.
    • Review the target control environment.