Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 59

  1. An organization has recently incorporated robotic process automation. Which of the following would be of GREATEST concern to an IS auditor?

    • Controls have not been tested
    • A governance structure has not been implemented
    • A risk assessment has not been conducted
    • The adoption rate for the new technology has been low
  2. Two organizations will share ownership of a new enterprise resource management (ERM) system. To help ensure the successful implementation of the system, it is MOST important to define:

    • access to data
    • the governance model
    • custody of assets
    • appropriate procedures
  3. An IS auditor discovers that, due to resource constraints, a database administrator (DBA) is responsible for both developing changes and executing them in the production environment. Which of the following should the auditor do FIRST?

    • Identify whether any compensating controls exist
    • Report a potential segregation of duties (SoD) violation
    • Determine whether another database administrator could make the changes
    • Ensure a change management process is followed prior to implementation
  4. An organization plans to receive an automated data feed into its enterprise data warehouse from a third-party service provider. Which of the following would be the BEST way to prevent accepting bad data?

    • Appoint data quality champions across the organization
    • Obtain error codes indicating failed data feeds
    • Purchase data cleansing tools from a reputable vendor
    • Implement business rules to reject invalid data
  5. Which of the following is the MOST important control to implement when senior managers use smartphones to access sensitive company information?

    • Mandatory virtual private network (VPN) connectivity
    • Centralized device administration
    • Strong passwords
    • Anti-malware on the devices
  6. When implementing a new risk assessment methodology, which of the following is the MOST important requirement?

    • The methodology must be approved by the chief executive officer.
    • Risk assessments must be reviewed annually.
    • Risk assessments must be conducted by certified staff.
    • The methodology used must be consistent across the organization.
  7. Which of the following is the MOST likely reason an organization would use Platform as a Service (PaaS)?

    • To operate third-party hosted applications
    • To install and manage operating systems
    • To establish a network and security architecture
    • To develop and integrate its applications
  8. Which of the following is the BEST approach to reduce unnecessary duplication of compliance activities?

    • Integrating of assurance efforts
    • Automation of controls
    • Standardization of compliance requirements
    • Documentation of control procedures
  9. A risk analysis for a new system is being performed. For which of the following is business knowledge MORE important than IT knowledge?

    • Vulnerability analysis
    • Cost-benefit analysis
    • Impact analysis
    • Balanced scorecard
  10. Which of the following is the MOST important security consideration when using Infrastructure as a Service (IaaS)?

    • User access management
    • Compliance with internal standards
    • Segmentation among guests
    • Backup and recovery strategy
  11. Which of the following sites would be MOST appropriate in the case of a very short recovery time objective (RTO)?

    • Mobile
    • Redundant
    • Shared
    • Warm
  12. Which of the following would provide the STRONGEST indication that senior management commitment to information security is lacking within an organization?

    • Inconsistent enforcement of information security policies
    • A reduction in information security investment
    • A high level of information security risk acceptance
    • The information security manager reports to the chief risk officer
  13. Which of the following is the GREATEST risk associated with the lack of an effective data privacy program?

    • Failure to prevent fraudulent transactions
    • Inability to manage access to private or sensitive data
    • Inability to obtain customer confidence
    • Failure to comply with data-related regulations
  14. Which of the following would BEST provide an information security manager with sufficient assurance that a service provider complies with the organization’s information security requirements?

    • A live demonstration of the third-party supplier’s security capabilities
    • Third-party security control self-assessment results
    • An independent review report indicating compliance with industry standards
    • The ability to audit the third-party supplier’s IT systems and processes
  15. A design company has multiple name and address files for its customers in several of its independent systems. Which of the following is the BEST control to ensure that the customer name and address agree across all files?

    • Use of hash totals on customer records
    • Periodic review of each master file by management
    • Matching of records and review of exception reports
    • Use of authorized master file change forms
  16. An employee who denies accusations of sending inappropriate images to other employees has been discharged. For evidential purposes, the mail database for the discharged employee’s computer should be:

    • deleted as it could subject the organization to further legal liability
    • impounded by physically removing the disk drive
    • backed up to the server, where its access can be tightly restricted
    • copied to write-once, read-many media using the computer’s OS tools
  17. Which of the following is MOST important for an organization to complete when planning a new marketing platform that targets advertising based on customer behavior?

    • Data privacy impact assessment
    • Data quality assessment
    • Cross-border data transfer assessment
    • Security vulnerability assessment
  18. A company converted its payroll system from an external service to an internal package. Payroll processing in April was run in parallel. To validate the completeness of data after the conversion, which of the following comparisons from the old to the new system would be MOST effective?

    • Turnaround time for payroll processing
    • Employee counts and year-to-date payroll totals
    • Master file employee data to payroll journals
    • Cut-off dates and overwrites for a sample of employees
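Questions 15 and 18 both turn on the same audit technique: reconcile two data sets with control totals (record counts and year-to-date amounts) and then match records one by one so that every disagreement lands on an exception report. The following is an added example written for this page, not code from the question set or from ISACA; the records, field names and the `reconcile` function are constructed for illustration.

```python
"""Conversion completeness check: control totals plus an exception report.

Added example; the two record sets are constructed sample data and the
field names (employee_id, name, address, ytd_gross) are assumptions.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PayrollRecord:
    employee_id: str
    name: str
    address: str
    ytd_gross: Decimal


def control_totals(records):
    """Completeness check: employee count and sum of year-to-date gross pay."""
    return len(records), sum((r.ytd_gross for r in records), Decimal("0"))


def _normalize(text):
    # Case and redundant whitespace are presentation differences, not data
    # differences, so they are ignored when matching names and addresses.
    return " ".join(text.split()).casefold()


def exception_report(old, new):
    """Match records by employee_id and report every discrepancy.

    Returns a list of (employee_id, field, old_value, new_value); a record
    missing on either side is reported with field == "record".
    """
    old_by_id = {r.employee_id: r for r in old}
    new_by_id = {r.employee_id: r for r in new}
    exceptions = []
    for eid in sorted(old_by_id.keys() | new_by_id.keys()):
        o, n = old_by_id.get(eid), new_by_id.get(eid)
        if o is None or n is None:
            exceptions.append((eid, "record",
                               "present" if o else "missing",
                               "present" if n else "missing"))
            continue
        for field in ("name", "address"):
            if _normalize(getattr(o, field)) != _normalize(getattr(n, field)):
                exceptions.append((eid, field, getattr(o, field), getattr(n, field)))
        if o.ytd_gross != n.ytd_gross:
            exceptions.append((eid, "ytd_gross", str(o.ytd_gross), str(n.ytd_gross)))
    return exceptions


# Constructed sample data: the external service's records and the new package's.
OLD_SYSTEM = [
    PayrollRecord("E001", "Ada Lovelace", "1 Analytical Way", Decimal("12000.00")),
    PayrollRecord("E002", "Alan Turing", "2 Bletchley Rd", Decimal("15000.00")),
    PayrollRecord("E003", "Grace Hopper", "3 Compiler St", Decimal("9000.00")),
]
NEW_SYSTEM = [
    # Case and spacing differ only; this should not be an exception.
    PayrollRecord("E001", "ADA LOVELACE", "1  Analytical Way", Decimal("12000.00")),
    # Address changed during conversion; this should be an exception.
    PayrollRecord("E002", "Alan Turing", "2 Bletchley Road", Decimal("15000.00")),
    # E003 was dropped by the conversion, so counts and totals will disagree.
]


def reconcile(old=OLD_SYSTEM, new=NEW_SYSTEM):
    """Run the control-total comparison and the record match together."""
    old_count, old_total = control_totals(old)
    new_count, new_total = control_totals(new)
    return {
        "counts_agree": old_count == new_count,
        "totals_agree": old_total == new_total,
        "exceptions": exception_report(old, new),
    }


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(key, value)
```

The control totals answer the completeness question quickly (one employee and 9,000.00 of year-to-date pay are missing), while the exception report is what lets the auditor trace each difference back to a specific record and field.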
  19. Which of the following is the client organization’s responsibility in a Software as a Service (SaaS) environment?

    • Detecting unauthorized access
    • Ensuring that users are properly authorized
    • Ensuring the data is available when needed
    • Preventing insertion of malicious code
  20. One advantage of monetary unit sampling is the fact that:

    • results are stated in terms of the frequency of items in error
    • it can easily be applied manually when computer resources are not available
    • it increases the likelihood of selecting material items from the population
    • large-value population items are segregated and audited separately
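Monetary unit sampling treats every currency unit in the population as a sampling unit, so an item's chance of selection is proportional to its recorded amount, and any item at least as large as the sampling interval is certain to be selected. The following is an added example for this page, not code from the question set or from ISACA; the population, the sample size and the random start are constructed values.

```python
"""Monetary unit sampling (MUS) selection with a fixed sampling interval.

Added example; the population below is constructed and the interval and
random start are chosen for illustration.
"""
from fractions import Fraction


def mus_select(population, sample_size, random_start):
    """Select items with probability proportional to their monetary amount.

    population: list of (item_id, amount) with non-negative integer amounts.
    sample_size: number of sampling points (monetary units) to draw.
    random_start: position of the first sampling point, in [0, interval).
    Returns (interval, selected) where selected lists (item_id, amount, hits)
    for every item containing at least one sampling point; hits is the number
    of points that fell inside the item's cumulative range.
    """
    total = sum(amount for _, amount in population)
    interval = Fraction(total, sample_size)
    start = Fraction(random_start)
    if not (0 <= start < interval):
        raise ValueError("random start must lie in [0, interval)")
    points = [start + k * interval for k in range(sample_size)]
    selected = []
    cumulative = Fraction(0)
    for item_id, amount in population:
        lower, upper = cumulative, cumulative + amount
        # Count the fixed-interval sampling points landing in this item's
        # slice of the cumulative total. A zero-amount item can never be hit.
        hits = sum(1 for p in points if lower <= p < upper)
        if hits:
            selected.append((item_id, amount, hits))
        cumulative = upper
    return interval, selected


def selection_probability(amount, interval):
    """Probability that an item of the given amount is selected at all."""
    return min(Fraction(1), Fraction(amount) / Fraction(interval))


def always_selected(population, interval):
    """Items at least as large as the interval; these are certain selections."""
    return [item_id for item_id, amount in population if amount >= interval]


# Constructed population of five recorded balances, total 5000.
POPULATION = [
    ("INV-1", 50),
    ("INV-2", 120),
    ("INV-3", 4000),
    ("INV-4", 30),
    ("INV-5", 800),
]


if __name__ == "__main__":
    interval, selected = mus_select(POPULATION, sample_size=5, random_start=600)
    print("interval:", interval)
    for item_id, amount in POPULATION:
        print(item_id, amount, "P(select) =", selection_probability(amount, interval))
    print("selected:", selected)
    print("certain selections:", always_selected(POPULATION, interval))
```

With a sample size of 5 the interval is 1000, so INV-3 (4000) is hit four times and is selected with certainty, INV-5 (800) has an 80 percent chance, and the three small balances together carry only a 20 percent chance of contributing any sample item. That skew toward large recorded amounts is the property the question asks about; the cost is that small items, and understatements generally, are rarely examined.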