Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 39

  1. During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor’s BEST course of action?

    • Plan to test these controls in another audit.
    • Escalate the deficiency to audit management.
    • Add testing of third-party access controls to the scope of the audit.
    • Determine whether the risk has been identified in the planning documents.
  2. Which of the following is the BEST method for converting a file into a format suitable for data analysis in a forensic investigation?

    • Extraction
    • Normalization
    • Data acquisition
    • Imaging
  3. Which of the following is MOST important to include in forensic data collection and preservation procedures?

    • Maintaining chain of custody
    • Preserving data integrity
    • Determining tools to be used
    • Assuring the physical security of devices
  4. An organization that has suffered a cyber attack is performing a forensic analysis of the affected users’ computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

    • The chain of custody has not been documented.
    • The legal department has not been engaged.
    • An imaging process was used to obtain a copy of the data from each computer.
    • Audit was only involved during extraction of the information.
  5. Which of the following is the PRIMARY role of an IS auditor with regard to data privacy?

    • Ensuring compliance with data privacy laws
    • Communicating data privacy requirements to the organization
    • Drafting the organization’s data privacy policy
    • Verifying that privacy practices match privacy statements
  6. Which of the following controls will BEST ensure that the board of directors receives sufficient information about IT?

    • The CIO reports on performance and corrective actions in a timely manner.
    • Regular meetings occur between the board, the CIO, and a technology committee.
    • The CIO regularly sends IT trend reports to the board.
    • Board members are knowledgeable about IT, and the CIO is consulted on IT issues.
  7. For mission-critical applications with a low recovery time objective (RTO), which of the following is the BEST backup strategy?

    • Frequent back-ups to tape
    • Mirroring
    • Use of virtual tape libraries
    • Archiving to conventional disk
  8. The MOST effective way to determine if IT is meeting business requirements is to establish:

    • industry benchmarks.
    • organizational goals.
    • a capability model.
    • key performance indicators (KPIs).
  9. Which of the following roles combined with the role of a database administrator (DBA) will create a segregation of duties conflict?

    • Quality assurance
    • Systems analyst
    • Application end user
    • Security administrator
  10. When testing segregation of duties, which of the following audit techniques provides the MOST reliable evidence?

    • Observing daily operations for the area in scope
    • Evaluating the department structure via the organizational chart
    • Reviewing departmental procedure handbooks
    • Interviewing managers and end users
  11. Which of the following should be reviewed as part of a data integrity test?

    • Completeness
    • Confidentiality
    • Data backup
    • Redundancy
  12. Which of the following would BEST provide executive management with current information on IT-related costs and IT performance indicators?

    • IT dashboard
    • Risk register
    • IT service-management plan
    • Continuous audit reports
  13. Which of the following will MOST effectively help to manage the challenges associated with end user-developed application systems?

    • Developing classifications based on risk
    • Introducing redundant support capacity
    • Prohibiting creation of executable files
    • Applying control practices used by IT
  14. Which of the following is the BEST compensating control for a lack of proper segregation of duties in an IT department?

    • Authorization forms
    • Audit trail reviews
    • System activity logging
    • Control self-assessment (CSA)
  15. The BEST way to evaluate a shared control environment is to obtain an assurance report and review which of the following?

    • Control self-assessment (CSA)
    • Service level agreement (SLA)
    • Master service agreement
    • Complementary user entity controls
  16. Which of the following is the PRIMARY advantage of the IT portfolio management approach over the balanced scorecard approach when managing IT investments?

    • The influence of qualitative factors on investment decisions.
    • Agility in adjusting investment decisions.
    • Incorporation of organizational strategy in investment decisions.
    • Use of the organization’s risk appetite in investment decisions.
  17. Which of the following is the PRIMARY benefit of including IT management and staff when conducting control self-assessments (CSAs) within an organization?

    • It helps to identify risk to the business.
    • It improves the efficiency of business and IT operational processes.
    • It increases buy-in for more stringent controls.
    • It reduces the workload of external and internal auditors.
  18. In the IT department where segregation of duties is not feasible due to a limited number of resources, a team member is performing the functions of computer operator and reviewer of application logs. Which of the following would be the IS auditor’s BEST recommendation?

    • Develop procedures to verify that the application logs are not modified.
    • Prevent the operator from performing application development activities.
    • Assign an independent second reviewer to verify the application logs.
    • Restrict the computer operator’s access to the production environment.
  19. An IT balanced scorecard is MOST useful in determining the effectiveness of which of the following?

    • Key IT controls
    • Change management processes
    • IT department’s financial position
    • Governance of enterprise IT
  20. To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?

    • Review of major financial applications followed by a review of IT governance processes
    • Review of application controls followed by a test of key business process controls
    • Review of the general IS controls followed by a review of the application controls
    • Detailed examination of financial transactions followed by review of the general ledger