Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 40

  1. A financial services organization has just been granted a banking license. Which of the following is MOST important for the organization to ensure when updating its IT security policy?

    • The policy has been approved by the board and executive management.
    • The policy is required to be reviewed at regular intervals.
    • The policy is consistent with relevant human resources policies.
    • The policy reflects legislative and regulatory requirements.
  2. An organization has an acceptable use policy in place, but users do not formally acknowledge the policy. Which of the following is the MOST significant risk from this finding?

    • Violation of industry standards
    • Lack of user accountability
    • Noncompliance with documentation requirements
    • Lack of data for measuring compliance
  3. When reviewing an organization’s security awareness program, it is MOST important to verify that training occurs:

    • on a continual basis.
    • within the first few months of employment.
    • before access to information is granted.
    • whenever security policies are updated.
  4. During an information security audit of a mid-sized organization, an IS auditor notes that the organization’s information security policy is not sufficient. What is the auditor’s BEST recommendation for the organization?

    • Identify and close gaps compared to a best-practice framework.
    • Perform a benchmark with competitors’ policies.
    • Obtain an external consultant’s support to rewrite the policy.
    • Define roles and responsibilities for regularly updating the policy.
  5. Which of the following is MOST important for an IS auditor to review when evaluating the completeness of an organization’s personally identifiable information (PII) inventory?

    • Data flows
    • Data retention
    • Data ownership
    • Data policy
  6. Which of the following is the BEST audit procedure to determine whether a firewall is configured in compliance with the organization’s security policy?

    • Reviewing the system log
    • Reviewing the parameter settings
    • Interviewing the firewall administrator
    • Reviewing the actual procedures
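The audit procedure named in the options above, reviewing the firewall’s parameter settings against the written policy, can be made repeatable. The following is an added example and not part of the original page or any ISACA material: it assumes a hypothetical rule export as (action, protocol, port, source) entries and a policy expressed as an allowlist plus a required final default-deny; both data sets below are constructed for illustration.

```python
"""Added example (not from the original page): compare a firewall's parameter
settings with the organization's security policy and report deviations.

Assumptions (constructed for illustration):
  - the firewall rule set is available as ordered Rule records, e.g. parsed
    from a configuration export;
  - the policy is an allowlist of (protocol, port, permitted source CIDR)
    and requires a final default-deny rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # None means any port
    source: str            # source CIDR the rule matches


@dataclass(frozen=True)
class PolicyEntry:
    proto: str
    port: int
    source: str            # widest source CIDR the policy permits


# Constructed sample policy: only HTTPS from anywhere and SSH from the
# internal range are permitted.
POLICY_ALLOW = [
    PolicyEntry("tcp", 443, "0.0.0.0/0"),
    PolicyEntry("tcp", 22, "10.0.0.0/8"),
]

# Constructed sample of what the firewall's parameter settings actually hold.
FIREWALL_RULES = [
    Rule("allow", "tcp", 443, "0.0.0.0/0"),
    Rule("allow", "tcp", 22, "0.0.0.0/0"),    # source wider than policy allows
    Rule("allow", "tcp", 3389, "0.0.0.0/0"),  # service not in policy at all
    Rule("deny", "any", None, "0.0.0.0/0"),   # default deny, as policy requires
]


def _covered(rule: Rule, entry: PolicyEntry) -> bool:
    """True when the policy entry permits everything this allow rule opens."""
    if entry.proto != rule.proto or entry.port != rule.port:
        return False
    return ipaddress.ip_network(rule.source).subnet_of(
        ipaddress.ip_network(entry.source))


def audit_firewall(rules: List[Rule], policy: List[PolicyEntry]) -> List[str]:
    """Return one finding per allow rule the policy does not permit, plus a
    finding if the rule set does not end in a default-deny rule."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if r.port is None:
            findings.append(
                f"allow {r.proto} any-port from {r.source}: "
                "policy has no entry permitting unrestricted ports")
            continue
        if not any(_covered(r, e) for e in policy):
            findings.append(
                f"allow {r.proto}/{r.port} from {r.source}: not permitted by policy")
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or last.port is not None:
        findings.append("missing final default-deny rule")
    return findings


if __name__ == "__main__":
    for f in audit_firewall(FIREWALL_RULES, POLICY_ALLOW):
        print("FINDING:", f)
```

The check is deliberately one-directional: it asks whether every open rule is justified by policy, which is the auditor’s question. Log review or interviews would tell you what traffic passed or what the administrator intended, not whether the settings match the policy.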
  7. What is the MOST effective way for an IS auditor to determine whether employees understand the organization’s information security policy?

    • Ensure the policy is current.
    • Survey employees.
    • Review the organization’s employee training log.
    • Ensure the policy is communicated throughout the organization.
  8. Which of the following focus areas is a responsibility of IT management rather than IT governance?

    • Risk optimization
    • IT resource optimization
    • IT controls implementation
    • Benefits realization
  9. During an IT governance audit, an IS auditor notes that IT policies and procedures are not regularly reviewed and updated. The GREATEST concern to the IS auditor is that policies and procedures might not:

    • reflect current practices.
    • incorporate changes to relevant laws.
    • be subject to adequate quality assurance (QA).
    • include new systems and corresponding process changes.
  10. Which of the following falls within the scope of an information security governance committee?

    • Approving access to critical financial systems
    • Prioritizing information security technology initiatives
    • Reviewing content for information security awareness programs
    • Selecting the organization’s external security auditors
  11. Which of the following BEST indicates that an organization has effective governance in place?

    • The organization is compliant with local government regulations.
    • The organization’s board of directors executes on the management strategy.
    • The organization’s board of directors reviews metrics for strategic initiatives.
    • The organization regularly updates governance-related policies and procedures.
  12. Which of the following BEST demonstrates that IT strategy is aligned with organizational goals and objectives?

    • Organizational strategies are communicated to the chief information officer (CIO).
    • Business stakeholders are involved in approving the IT strategy.
    • The chief information officer (CIO) is involved in approving the organizational strategies.
    • IT strategies are communicated to all business stakeholders.
  13. An organization’s audit charter PRIMARILY:

    • describes the auditors’ authority to conduct audits.
    • documents the audit process and reporting standards.
    • formally records the annual and quarterly audit plans.
    • defines the auditors’ code of conduct.
  14. When deciding whether a third party can be used in resolving a suspected security breach, which of the following should be the MOST important consideration for IT management?

    • Audit approval
    • Third-party cost
    • Incident priority rating
    • Data sensitivity
  15. Which of the following would BEST help prioritize various projects in an organization’s IT portfolio?

    • Business cases
    • Total cost of ownership (TCO)
    • Industry trends
    • Enterprise architecture (EA)
  16. When evaluating database management practices, which of the following controls would MOST effectively support data integrity?

    • System processing output balanced to control totals
    • System edit checks
    • User access controls
    • System-generated duplicate transaction reports
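The first, second and fourth options above are batch-processing controls an auditor expects to see implemented together. The following is an added example, not code from the original page or from any ISACA material: it processes a constructed payment batch whose trailer carries the sender’s control totals (record count and amount hash total), applies field-level edit checks, reports duplicate transaction IDs, and balances the accepted output to the control totals. The file layout and all records are invented for illustration.

```python
"""Added example (not from the original page): data-integrity controls over a
batch of transactions: edit checks, a duplicate report, and balancing output
to control totals supplied in a trailer record.

Constructed layout: CSV with header txn_id,account,amount; the last line is a
trailer whose 'account' field is the sender's record count and whose 'amount'
field is the sender's hash total of all amounts.
"""
import csv
import io
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

# Constructed sample batch. Sender counted 5 records totalling 666.25.
BATCH = """txn_id,account,amount
T001,12345678,100.00
T002,12345679,250.50
T002,12345679,250.50
T003,1234,75.25
T004,12345680,-10.00
TRAILER,5,666.25
"""


def edit_check(row: Dict[str, str]) -> List[str]:
    """Field-level edit checks; an empty list means the record passes."""
    errors = []
    if not row["account"].isdigit() or len(row["account"]) != 8:
        errors.append("account must be 8 digits")
    try:
        if Decimal(row["amount"]) <= 0:
            errors.append("amount must be positive")
    except InvalidOperation:
        errors.append("amount not numeric")
    return errors


def process_batch(text: str) -> dict:
    """Apply edit checks, detect duplicates, and balance accepted records
    against the trailer's control totals."""
    reader = csv.DictReader(io.StringIO(text))
    accepted, rejected, duplicates = [], [], []
    seen = set()
    trailer: Tuple[int, Decimal] = None
    for row in reader:
        if row["txn_id"] == "TRAILER":
            trailer = (int(row["account"]), Decimal(row["amount"]))
            continue
        errs = edit_check(row)
        if errs:
            rejected.append((row["txn_id"], errs))
            continue
        if row["txn_id"] in seen:
            duplicates.append(row["txn_id"])   # duplicate transaction report
            continue
        seen.add(row["txn_id"])
        accepted.append(row)
    count = len(accepted)
    hash_total = sum(Decimal(r["amount"]) for r in accepted)
    # Output balanced to control totals: both count and hash total must match.
    balanced = trailer is not None and trailer == (count, hash_total)
    return {
        "accepted": count,
        "hash_total": hash_total,
        "rejected": rejected,
        "duplicates": duplicates,
        "control": trailer,
        "balanced": balanced,
    }


if __name__ == "__main__":
    result = process_batch(BATCH)
    print("accepted:", result["accepted"], "hash total:", result["hash_total"])
    print("control totals:", result["control"], "balanced:", result["balanced"])
    print("rejected:", result["rejected"])
    print("duplicates:", result["duplicates"])
```

The sample batch does not balance: two records fail edit checks and one is a duplicate, so the accepted output (2 records, 350.50) disagrees with the sender’s totals (5 records, 666.25). That disagreement is the point of the control; a batch that silently processed the remaining records would lose the rejected items without anyone noticing.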
  17. An IS auditor conducting a follow-up audit learns that previously funded recommendations have not been implemented due to recent budget restrictions. Which of the following should the auditor do NEXT?

    • Report to the audit committee that the recommendations are still open.
    • Report the matter to the chief financial officer (CFO) and recommend funding be reinstated.
    • Close the audit recommendations in the tracking register.
    • Start an audit of the project funding allocation process.
  18. Which of the following is the PRIMARY benefit of using a capability maturity model?

    • It provides detailed change management strategies for performance improvement.
    • It helps the organization develop a roadmap toward its desired level of maturity in each area.
    • It provides a way to compare against similar organizations’ maturity levels.
    • It helps the organization estimate how long it will take to reach the highest level of maturity in each area.
  19. What is the MOST critical finding when reviewing an organization’s information security management?

    • No periodic assessments to identify threats and vulnerabilities
    • No dedicated security officer
    • No official charter for the information security management system
    • No employee awareness training and education program
  20. Of the following, who should approve a release to a critical application that would make the application inaccessible for 24 hours?

    • Business process owner
    • Chief information security officer (CISO)
    • Data custodian
    • Project manager