Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 55

  1. During the procurement process, which of the following would be the BEST indication that prospective vendors will meet the organization’s needs?

    • An account transition manager has been identified.
    • Expected service levels are defined.
    • The vendor’s subcontractors have been identified.
    • The service catalog is documented.
  2. When conducting a requirements analysis for a project the BEST approach would be to:

    • conduct a control self-assessment.
    • consult key stakeholders.
    • test operational deliverables.
    • prototype the requirements.
  3. What is the BEST population to select from when testing that programs are migrated to production with proper approval?

    • List of changes provided by application programming managers
    • List of production programs
    • Completed change request forms
    • Change advisory board meeting minutes
  4. Which of the following is the BEST guidance from an IS auditor to an organization planning an initiative to improve the effectiveness of its IT processes?

    • IT staff should be surveyed to identify current IT process weaknesses and suggest improvements.
    • The organization should use a capability maturity model to identify current maturity levels for each IT process.
    • IT management should include process improvements in staff performance
    • The organization should refer to prior audit reports to identify the specific IT processes to be improved.
  5. An organization implements a data loss prevention tool as a control to mitigate the risk of sensitive data leaving the organization via electronic mail. Which of the following would provide the BEST indication of adequate control design?

    • Management has formally approved the control design.
    • Management presents evidence that data loss incidents have decreased.
    • Security administrators can demonstrate the functions of the tool.
    • Rules enforced by the tool were based on the classification of the data.
  6. Which of the following should be the PRIMARY consideration when developing an IT strategy?

    • IT key performance indicators based on business objectives
    • Alignment with overall business objectives
    • Alignment with the IT investment portfolio
    • Short and long-term plans for the enterprise IT architecture
  7. An IS auditor is involved in the user testing phase of a development project. The developers wish to use a copy of a peak volume transaction file from the production process to show that the development can cope with the required volume. What is the auditor’s PRIMARY concern?

    • Sensitive production data may be read by unauthorized persons.
    • The error-handling and credibility checks may not be fully proven.
    • Users may not wish for production data to be made available for testing.
    • All functionality of the new process may not be tested.
  8. A post-implementation review of a system implementation has identified that the defined objectives were changed several times without the approval of the project board. What should the IS auditor do NEXT?

    • Notify the project sponsor and request that the project be reopened.
    • Ask management to obtain retrospective approvals.
    • Notify the project management office and raise a finding.
    • Determine whether the revised objectives are appropriate.
  9. An organization has implemented data storage hardware. Which of the following should an IS auditor review to assess if IT is maximizing storage and network utilization?

    • Capacity management plans
    • Downtime statistics
    • The quality management systems
    • Routine and non-routine job schedules
  10. Which of the following is MOST likely to be included in a post-implementation review?

    • Results of live processing
    • Current sets of test data
    • Test results
    • Development methodology
  11. At what point in software development should the user acceptance test plan be prepared?

    • Implementation planning
    • Requirements definition
    • Transfer into production
    • Feasibility study
  12. At a project steering committee meeting, it is stated that adding controls to business processes undergoing re-engineering is an unnecessary cost. The IS auditor’s BEST response is that the actual control overhead for a business process is:

    • usually considerable, but the benefits of good controls always exceed the cost.
    • the responsibility of the project manager, and the cost should have been included in the budget.
    • usually difficult to ascertain but is justifiable, because controls are essential to doing business.
    • usually less than the potential cost of failure caused by lack of controls.
  13. In a decentralized organization, the selection and purchase of IS products is acceptable as long as which of the following conditions exists?

    • The same operating system is used throughout the organization.
    • Various offices are independent and exchange data on an occasional basis.
    • Acquired items are consistent with the organization’s short- and long-term IS strategy plans.
    • Managers undertake a full cost-benefit analysis before deciding what to purchase.
  14. An IS auditor has been asked to audit the proposed acquisition of new computer hardware. The auditor’s PRIMARY concern is that:

    • the implementation plan meets user requirements.
    • a clear business case has been established.
    • the new hardware meets established security standards.
    • a full, visible audit trail will be included.
  15. An effective implementation of security roles and responsibilities is BEST evidenced across an enterprise when:

    • operational activities are aligned with policies.
    • policies are signed off by users.
    • policies are rolled out and disseminated.
    • reviews and updates of policies are regularly performed.
  16. When evaluating the recent implementation of an intrusion detection system (IDS), an IS auditor should be MOST concerned with inappropriate:

    • encryption.
    • training.
    • tuning.
    • patching.
  17. A technology service organization has recently acquired a new subsidiary. What should be the IS auditor’s NEXT course of action when considering the impact on the development of the IT audit plan?

    • Review the revised business impact analysis (BIA).
    • Proceed with the current audit plan.
    • Perform a risk assessment.
    • Include the new systems in the audit plan.
  18. During a software acquisition review, an IS auditor should recommend that there be a software escrow agreement when:

    • the estimated life for the product is less than 3 years.
    • the deliverables do not include the source code.
    • the product is new in the market.
    • there is no service level agreement (SLA).
  19. Which of the following procedures should be implemented prior to disposing of surplus computer equipment to employees?

    • Use operating system commands to delete all files from the hard drive.
    • Have the employee receiving the machine sign a nondisclosure agreement.
    • Use application delete commands to remove files.
    • Overwrite the hard drive with random data.
  20. Which of the following controls should be implemented to BEST minimize system downtime for maintenance?

    • Nightly full backups
    • Virtualization
    • Warm site
    • Clustering