Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 57

  1. Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?

    • Results of live processing
    • Test results
    • Purchasing guidelines and policies
    • Implementation methodology
  2. An organization’s only IS auditor is asked to design controls for a new system and is also scheduled to audit the system after implementation. Which of the following is the BEST action for the auditor?

    • Decline to undertake the design role because of the conflict of interest.
    • Respond positively to the request because there is no conflict of interest.
    • Request external audit to perform an independent review of the advice to be provided.
    • Inform the audit committee of the conflict of interest.
  3. Which of the following is the BEST indicator that executive management monitors the implementation of the IT strategy?

    • IT topics are regular items on the executive committee agenda
    • IS audit is required to audit large IT investments
    • Executive management subscribes to IT industry publications
    • Executive management receives reports on IT resource usage
  4. Following the last external review, the audit client implemented an advanced data storage solution. Which of the following is MOST important in the audit scope?

    • Reviewing the implemented storage options and architectures for critical applications
    • Reviewing procedures to ensure administrators are managing data storage appropriately
    • Determining whether management has adequate off-site storage of operational procedures and manuals
    • Ensuring management has completed a cost-benefit analysis and documented results
  5. During a pre-implementation system review, an IS auditor notes that several identified defects will not be fixed prior to go-live. Which of the following is the auditor’s BEST course of action?

    • Determine which developer’s code is responsible for each defect.
    • Recommend the system does not go live.
    • Recommend staff augmentation after implementation.
    • Evaluate the workarounds in place.
  6. Which of the following is the MOST effective control to mitigate against the risk of inappropriate activity by employees?

    • Network segmentation
    • User activity monitoring
    • Access recertification
    • Two-factor authentication
  7. Coding standards provide which of the following?

    • Access control tables
    • Field naming conventions
    • Data flow diagrams
    • Program documentation
  8. A white box testing method is applicable with which of the following testing processes?

    • User acceptance testing
    • Sociability testing
    • Parallel testing
    • Integration testing
  9. Which of the following may be adversely affected when thin client architecture is introduced?

    • Multi-tenancy
    • Portability
    • Availability
    • Concurrency
  10. The MOST appropriate control to ensure that all orders transmitted from remote locations to the production department are received accurately would be to:

    • have data transmitted back to the local site for comparison.
    • verify that parity checking is still active.
    • send and reconcile transaction counts and totals.
    • track and account for the numerical sequence of sales orders.
  11. An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

    • inform audit management of the earlier involvement.
    • modify the scope of the audit.
    • refuse the assignment to avoid conflict of interest.
    • use the knowledge of the application to carry out the audit.
  12. Which of the following is the GREATEST risk associated with end-user computing used in financial statement reporting?

    • Inability of IT to support the application
    • Loss of operational efficiency
    • Loss of data integrity
    • Inability to implement segregation of duties
  13. An organization has decided to implement a third-party system in its existing IT environment. Which of the following is MOST important for the IS auditor to confirm?

    • The organization has created a clone of the third party’s IT infrastructure to host the IT system.
    • The organization has analyzed the IT infrastructure to determine the feasibility of hosting the IT system.
    • The organization has maintained a clone of the existing infrastructure as backup.
    • The organization has purchased a newly released IT infrastructure environment relevant to the IT system.
  14. Which of the following would be an appropriate role of internal audit in helping to establish an organization’s privacy program?

    • Analyzing risks posed by new regulations
    • Defining roles within the organization related to privacy
    • Developing procedures to monitor the use of personal data
    • Designing controls to protect personal data
  15. Which of the following provides the MOST assurance over the completeness and accuracy of loan application processing with respect to the implementation of a new system?

    • Loading balance and transaction data to the new system
    • Comparing code between old and new systems
    • Reviewing quality assurance (QA) procedures
    • Running historical transactions through the new system
  16. Which of the following MUST be completed before selecting and deploying a biometric system that uses facial recognition software?

    • Image interference review
    • Vulnerability assessment
    • Privacy impact analysis
    • False acceptance testing



  17. An IS auditor is reviewing the implementation of an international quality management standard. Which of the following provides the BEST evidence that quality management objectives have been achieved?

    • Reduction in risk profile
    • Quality assurance (QA) documentation
    • Measurable processes
    • Enhanced compliance with laws and regulations
  18. Which of the following should be done FIRST when planning a penetration test?

    • Determine reporting requirements for vulnerabilities.
    • Define the testing scope.
    • Obtain management consent for the testing.
    • Execute nondisclosure agreements (NDAs).
  19. Which of the following is the MOST likely to ensure that an organization’s systems development meets its business objectives?

    • A focus on strategic projects
    • Segregation of systems development and testing
    • Business owner involvement
    • A project plan with clearly identified requirements
  20. An incorrect version of source code was amended by a development team. This MOST likely indicates a weakness in:

    • project management.
    • quality assurance (QA).
    • change management.
    • incident management.