Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 51

  1. At which stage of the software development life cycle should an organization identify privacy considerations?

    • Design
    • Testing
    • Development
    • Requirements
  2. An IS auditor determines that a business impact analysis (BIA) was not conducted during the development of a business continuity plan (BCP). What is the MOST significant risk that could result from this situation?

    • Responsibilities are not properly defined.
    • Recovery time objectives (RTOs) are not correctly determined.
    • Key performance indicators (KPIs) are not aligned.
    • Critical business applications are not covered.
  3. Which of the following is MOST important with regard to an application development acceptance test?

    • The quality assurance (QA) team is in charge of the testing process.
    • User management approves the test design before the test is started.
    • The programming team is involved in the testing process.
    • All data files are tested for valid information before conversion.
  4. A risk analysis is MOST useful when applied during which phase of the system development process?

    • Pre-implementation
    • Testing
    • Design
    • Feasibility
  5. Which of the following would provide the MOST useful input to IS audit management when developing an action plan for improving internal audit’s performance?

    • Feedback from departments that have participated in IS audits
    • Industry benchmarking analysis
    • An external quality assessment review
    • Results from an improvement initiative overseen by executive management 
  6. An organization has outsourced the development of a core application. However, the organization plans to bring the support and future maintenance of the application back in-house. Which of the following findings should be the IS auditor’s GREATEST concern?

    • A training plan for business users has not been developed.
    • The cost of outsourcing is lower than in-house development.
    • The vendor development team is located overseas.
    • The data model is not clearly documented.
  7. Which of the following is the MOST important consideration when developing an incident response program?

    • Senior management support 
    • Technical skills of response staff
    • Number of dedicated response staff
    • Incident response procedures
  8. Which of the following stakeholders should be PRIMARILY responsible for developing, implementing, and monitoring metrics for security activities?

    • Chief technology officer
    • Security incident response team
    • Chief information security officer 
    • IT steering committee
  9. Incorporating the results of a maturity model assessment is MOST useful in the development of:

    • balanced scorecards.
    • strategic implementation plans.
    • key performance indicators (KPIs). 
    • key risk indicators (KRIs).
  10. Which of the following testing approaches provides the GREATEST assurance that only approved systems development releases have been implemented in the production environment?

    • Test whether a sample of approved developments have releases in production migration logs.
    • Test whether a sample of developments in the systems development register have documented approvals.
    • Test whether a sample of releases in production migration logs have corresponding approvals. 
    • Test whether a sample of releases followed the organization’s segregation of duties access.
  11. When developing a business continuity plan (BCP), which of the following steps should be completed FIRST?

    • Ensure that offsite backups can be efficiently restored.
    • Identify alternatives to critical applications.
    • Review the business continuity insurance policy.
    • Carry out a risk assessment.
  12. Which of the following is the BEST recommendation for the establishment of an information security policy?

    • The policy should be developed by IS management.
    • The development and approval should be overseen by business area management. 
    • The policy and guidelines should be developed by the human resources department.
    • The policy should be developed by the security administrator.
  13. Which of the following is the BEST development methodology to help manage project requirements in a rapidly changing environment?

    • Object-oriented system development
    • Waterfall development process
    • Iterative development process 
    • Prototyping
  14. An IS auditor performing an application development review attends development team meetings. The IS auditor’s independence will be compromised if the IS auditor:

    • designs and executes the user’s acceptance test plan.
    • re-performs test procedures used by the development team. 
    • reviews the result of systems tests that were performed by the development team.
    • assists in developing an integrated test facility (ITF) on the system.
  15. An IS auditor would be concerned if the quality assurance (QA) function were found to be performing which of the following roles?

    • Reviewing the code to ensure proper documentation and development practices were followed 
    • Submitting corrected code for issues identified through the testing process
    • Evaluating whether the testing assumptions and developed code are aligned to the design criteria
    • Ensuring the development methods and standards are adhered to throughout the process
  16. A new application will require multiple interfaces. Which of the following testing methods can be used to detect interface errors early in the development life cycle?

    • Acceptance
    • Top down
    • Sociability
    • Bottom up
  17. An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?

    • Testing
    • Development
    • Integration
    • Staging
  18. An advantage of object-oriented system development is that it:

    • partitions systems into a client/server architecture.
    • decreases the need for system documentation.
    • is easier to code than procedural languages.
    • is suited to data with complex relationships.
  19. Which of the following is the BEST indication that a newly developed information system is ready for migration into production?

    • Items in the work breakdown structure are completed.
    • Audit has signed off.
    • User acceptance testing is successfully completed. 
    • Technical requirements are met.
  20. An IS auditor finds that the cost of developing an application is now projected to significantly exceed the budget. Which of the following is the GREATEST risk to communicate to senior management?

    • Increased staff turnover
    • Project abandonment 
    • Noncompliance with project methodology
    • Inability to achieve expected benefits