Last Updated on December 12, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 25

  1. An IS auditor is informed that several spreadsheets are being used to generate key financial information. What should the auditor verify FIRST?

    • Whether the spreadsheets meet the minimum IT general controls requirements
    • Whether the spreadsheets are being formally reviewed by the chief financial officer (CFO)
    • Whether there is a complete inventory of end-user computing (EUC) spreadsheets
    • Whether adequate documentation and training are available for spreadsheet users
  2. Which of the following should be the PRIMARY role of an internal audit function in the management of identified business risks?

    • Operating the risk management framework
    • Establishing a risk appetite
    • Establishing a risk management framework
    • Validating enterprise risk management (ERM)
  3. A bank’s web-hosting provider has just completed an internal IT security audit and provides only a summary of the findings to the bank’s auditor. Which of the following should be the bank’s GREATEST concern?

    • The bank’s auditors are not independent of the service provider
    • The audit scope may not have addressed critical areas
    • The audit may be duplicative of the bank’s internal audit procedures
    • The audit procedures are not provided to the bank
  4. An IS audit manager is preparing the staffing plan for an audit engagement of a cloud service provider. What should be the manager’s PRIMARY concern when made aware that a new auditor in the department previously worked for this provider?

    • Competency
    • Independence
    • Integrity
    • Professional conduct
  5. An IS auditor noted that a change to a critical calculation was placed into the production environment without being tested. Which of the following is the BEST way to obtain assurance that the calculation functions correctly?

    • Check regular execution of the calculation batch job
    • Perform substantive testing using computer-assisted audit techniques (CAATs)
    • Obtain post-change approval from management
    • Interview the lead system developer
  6. What would be of GREATEST concern to an IS auditor reviewing end-user computing (EUC) spreadsheets used for financial reporting in which version control is enforced?

    • Access requests are processed manually
    • Spreadsheets are maintained in various locations
    • Spreadsheet owners are only reviewed annually
    • Spreadsheets are not password protected
  7. Which of the following should be of GREATEST concern to an IS auditor planning to employ data analytics in an upcoming audit?

    • There is no documented data model
    • Data is from the previous reporting period
    • Available data is incomplete
    • Data fields are used for multiple purposes
  8. Which of the following requires a consensus by key stakeholders on IT strategic goals and objectives?

    • Balanced scorecards
    • Benchmarking
    • Maturity models
    • Peer reviews
  9. An IS auditor found that a company executive is encouraging employee use of social networking sites for business purposes. Which of the following recommendations would BEST help to reduce the risk of data leakage?

    • Requiring policy acknowledgment and nondisclosure agreements signed by employees
    • Providing education and guidelines to employees on use of social networking sites
    • Establishing strong access controls on confidential data
    • Monitoring employees’ social networking usage
  10. An organization’s information security department is creating procedures for handling digital evidence that may be used in court. Which of the following would be the MOST important consideration from a risk standpoint?

    • Ensuring the entire security team reviews the evidence
    • Ensuring that analysis is conducted on the original data
    • Ensuring the original data is kept confidential
    • Ensuring the integrity of the data is preserved
  11. Which of the following is the BEST approach to make strategic information security decisions?

    • Establish regular information security status reporting
    • Establish business unit security working groups
    • Establish periodic senior management meetings
    • Establish an information security steering committee
  12. An organization that uses external cloud services extensively is concerned with risk monitoring and timely response. The BEST way to address this concern is to ensure:

    • the availability of continuous technical support
    • internal security standards are in place
    • a right-to-audit clause is included in contracts
    • appropriate service level agreements (SLAs) are in place
  13. The MAIN purpose of documenting information security guidelines for use within a large, international organization is to:

    • ensure that all business units have the same strategic security goals
    • provide evidence for auditors that security practices are adequate
    • explain the organization’s preferred practices for security
    • ensure that all business units implement identical security procedures
  14. Which of the following would be the MOST important information to include in a business case for an information security project in a highly regulated industry?

    • Industry comparison analysis
    • Critical audit findings
    • Compliance risk assessment
    • Number of reported security incidents
  15. When an information security manager presents an information security program status report to senior management, the MAIN focus should be:

    • key performance indicators (KPIs)
    • critical risk indicators
    • net present value (NPV)
    • key controls evaluation
  16. An organization’s senior management is encouraging employees to use social media for promotional purposes. Which of the following should be the information security manager’s FIRST step to support this strategy?

    • Develop a business case for a data loss prevention solution
    • Develop a guideline on the acceptable use of social media
    • Incorporate social media into the security awareness program
    • Employ the use of a web content filtering solution
  17. Which of the following is the BEST course of action for an information security manager to align security and business goals?

    • Reviewing the business strategy
    • Actively engaging with stakeholders
    • Conducting a business impact analysis
    • Defining key performance indicators
  18. An organization faces severe fines and penalties if not in compliance with local regulatory requirements by an established deadline. Senior management has asked the information security manager to prepare an action plan to achieve compliance. Which of the following would provide the MOST useful information for planning purposes?

    • Results from a business impact analysis
    • Results from a gap analysis
    • An inventory of security controls currently in place
    • Deadline and penalties for noncompliance
  19. The MOST important objective of security awareness training for business staff is to:

    • understand intrusion methods
    • reduce negative audit findings
    • increase compliance
    • modify behavior
  20. If the inherent risk of a business activity is higher than the acceptable risk level, the information security manager should FIRST:

    • transfer risk to a third party to avoid cost of impact
    • implement controls to mitigate the risk to an acceptable level
    • recommend that management avoid the business activity
    • assess the gap between current and acceptable level of risk