Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 46

  1. Which of the following should be the MOST important consideration when prioritizing the funding for competing IT projects?

    • Criteria used to determine the benefits of projects
    • Skills and capabilities within the project management team
    • Quality and accuracy of the IT project inventory
    • Senior management preferences
  2. Which of the following activities should occur after a business impact analysis (BIA)?

    • Identify threats to the IT environment
    • Identify critical applications
    • Analyze recovery options
    • Review the computing and user environment
  3. The MOST important function of a business continuity plan is to:

    • ensure that the critical business functions can be recovered.
    • provide procedures for evaluating tests of the business continuity plan.
    • provide a schedule of events that has to occur if there is a disaster.
    • ensure that all business functions are restored.
  4. Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization’s goals?

    • Balanced scorecard
    • Enterprise architecture (EA)
    • Key performance indicators (KPIs)
    • Enterprise dashboard
  5. During an internal audit review of an HR recruitment system implementation, the IS auditor notes a number of defects were unresolved at the time the system went live. Which of the following is the auditor’s MOST important task prior to formulating an audit opinion?

    • Identify the root cause of the defects to confirm severity.
    • Review the user acceptance test results.
    • Verify risk acceptance by the project steering committee.
    • Confirm the timeline for migration of the defects.
  6. A company has implemented an IT segregation of duties policy. In a role-based environment, which of the following roles may be assigned to an application developer?

    • IT operator
    • Database administration
    • System administration
    • Emergency support
  7. The BEST way to evaluate the effectiveness of a newly developed application is to:

    • perform a post-implementation review.
    • analyze load-testing results.
    • review acceptance-testing results.
    • perform a pre-implementation review.
  8. What is the BEST indicator of successful implementation of an organization’s information security policy?

    • Reduced number of successful phishing incidents
    • Reduced number of help desk calls
    • Reduced number of noncompliance penalties incurred
    • Reduced number of false-positive security events
  9. An organization is in the process of deciding whether to allow a bring your own device (BYOD) program. If approved, which of the following should be the FIRST control required before implementation?

    • Device baseline configurations
    • Device registration
    • An acceptable use policy
    • An awareness program
  10. A chief information officer (CIO) has asked an IS auditor to implement several security controls for an organization’s IT processes and systems. The auditor should:

    • perform the assignment and future audits with due professional care.
    • obtain approval from executive management for the implementation.
    • refuse due to independence issues.
    • communicate the conflict of interest to audit management.
  11. An IS auditor reviewing the acquisition of new equipment would consider which of the following to be a significant weakness?

    • Staff involved in the evaluation were aware of the vendors being evaluated.
    • Independent consultants prepared the request for proposal (RFP) documents.
    • Evaluation criteria were finalized after the initial assessment of responses.
    • The closing date for responses was extended after a request from potential vendors.
  12. A start-up company acquiring servers for its order-taking system is unable to predict the volume of transactions. Which of the following is MOST important for the company to consider?

    • Scalability
    • Configuration
    • Optimization
    • Compatibility
  13. A security company and service provider have merged, and the CEO has requested one comprehensive set of security policies be developed for the newly formed company. The IS auditor’s BEST recommendation would be to:

    • conduct a policy gap assessment.
    • adopt an industry standard security policy.
    • implement the service provider’s policies.
    • implement the security company’s policies.
  14. An audit committee is reviewing an annual IT risk assessment. Which of the following is the BEST justification for the audits selected?

    • Likelihood of an IT process failure
    • Key IT general process controls
    • Applications impacted
    • Underlying business risks
  15. When developing a risk-based IS audit plan, the PRIMARY focus should be on functions:

    • considered important by IT management.
    • with the most ineffective controls.
    • with the greatest number of threats.
    • considered critical to business operations.
  16. Which of the following is the GREATEST risk associated with in-house program development and customization?

    • The lack of a test environment
    • The lack of a quality assurance function
    • The lack of secure coding expertise
    • The lack of documentation for programs developed
  17. Which of the following access control situations represents the MOST serious control weakness?

    • Computer operators have access to system level flowcharts.
    • Programmers have access to development hardware.
    • End users have access to program development tools.
    • System developers have access to production data.
  18. Which of the following could an IS auditor recommend to improve the estimated resources required in system development?

    • Business areas involvement
    • Prototyping
    • Function point analysis
    • CASE tools
  19. Which of the following would be a result of utilizing a top-down maturity model process?

    • A means of benchmarking the effectiveness of similar processes with peers
    • Identification of older, more established processes to ensure timely review
    • Identification of processes with the most improvement opportunities
    • A means of comparing the effectiveness of other processes within the enterprise
  20. Which of the following is the BEST source of information when assessing the amount of time a project will take?

    • Gantt chart
    • Workforce estimate
    • Critical path analysis
    • Scheduling budget