Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 81

  1. In a 24/7 processing environment, a database contains several privileged application accounts with passwords set to “never expire”. Which of the following recommendations would BEST address the risk with minimal disruption to the business?

    • Modify the access management policy to make allowances for application accounts
    • Introduce database access monitoring into the environment
    • Modify applications to no longer require direct access to the database
    • Schedule downtime to implement password changes
  2. Which of the following is MOST important when duties in a small organization cannot be appropriately segregated?

    • Exception reporting
    • Variance reporting
    • Independent reviews
    • Audit trail
  3. An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor’s BEST recommendation?

    • Upgrade hardware to newer technology
    • Build a virtual environment
    • Hire temporary contract workers for the IT function
    • Increase the capacity of existing systems
  4. Which of the following metrics would be MOST useful to an IS auditor when assessing the resilience of an application programming interface (API)?

    • Number of developers adopting the API for their applications
    • Number of patches released within a time interval for the API
    • Number of API calls expected versus actually received within a time interval
    • Number of defects logged during development compared to other APIs
  5. Which of the following is the BEST use of a balanced scorecard when evaluating IT performance?

    • Monitoring alignment of IT with the rest of the organization
    • Determining compliance with relevant regulatory requirements
    • Monitoring alignment of the IT project portfolio to budget
    • Evaluating implementation of the business strategy
  6. A checksum is classified as which type of control?

    • Corrective control
    • Detective control
    • Preventive control
    • Administrative control
  7. Which of the following is the GREATEST risk associated with vulnerability scanning tools used to identify security weaknesses?

    • False positives
    • False negatives
    • Use of open source tools
    • Outdated signatures for detection
  8. Which of the following controls is BEST implemented through system configuration?

    • Network user accounts for temporary workers expire after 90 days
    • Financial data in key reports is traced to source systems for completeness and accuracy
    • Application user access is reviewed every 180 days for appropriateness
    • Computer operations personnel initiate batch processing jobs daily
  9. An audit has identified that business units have purchased cloud-based applications without IT’s support. What is the GREATEST risk associated with this situation?

    • The application purchases did not follow procurement policy.
    • The applications may not reasonably protect data.
    • The applications could be modified without advance notice.
    • The applications are not included in business continuity plans (BCPs).
  10. Which of the following is MOST important for an IS auditor to review when evaluating the accuracy of a spreadsheet that contains several macros?

    • Formulas within macros
    • Encryption of the spreadsheet
    • Version history
    • Reconciliation of key calculations
  11. An algorithm in an email program analyzes traffic to quarantine emails identified as spam. The algorithm in the program is BEST characterized as which type of control?

    • Corrective
    • Detective
    • Directive
    • Preventive
  12. Due to system limitations, segregation of duties (SoD) cannot be enforced in an accounts payable system. Which of the following is the IS auditor’s BEST recommendation for a compensating control?

    • Require written authorization for all payment transactions
    • Reconcile payment transactions with invoices
    • Restrict payment authorization to senior staff members
    • Review payment transaction history
  13. An organization is migrating its human resources (HR) application to an Infrastructure as a Service (IaaS) model in a private cloud. Who is PRIMARILY responsible for the security configurations of the deployed application’s operating system?

    • The organization
    • The operating system vendor
    • The cloud provider
    • The cloud provider’s external auditor
  14. Which of the following is MOST important for an IS auditor to verify during a disaster recovery audit?

    • Roles and responsibilities are documented.
    • Regular backups are made and stored offsite.
    • The disaster recovery plan (DRP) is updated on a regular basis.
    • Tabletop disaster recovery tests are conducted.
  15. The use of control totals reduces the risk of:

    • incomplete processing.
    • improper backup.
    • posting to the wrong record.
    • improper authorization.
  16. For an organization which uses a VoIP telephony system exclusively, the GREATEST concern associated with leaving a connected telephone in an unmonitored public area is the possibility of:

    • connectivity issues when used with an analog local exchange carrier
    • unauthorized use leading to theft of services and financial loss
    • network compromise due to the introduction of malware
    • theft or destruction of an expensive piece of electronic equipment
  17. Which of the following provides nonrepudiation in an electronic communication session without confidentiality?

    • Message encryption
    • Log-on ID and password
    • Certification authority
    • Digital signature
  18. Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?

    • System performance may be impacted by the migration.
    • Records past their retention period may not be migrated to the new system.
    • Data from the source and target system may have different data formats.
    • Data from the source and target system may be intercepted.
  19. When responding to an ongoing denial of service (DoS) attack, an organization’s FIRST course of action should be to:

    • restore service
    • minimize impact
    • analyze the attack path
    • investigate damage
  20. Which of the following is the GREATEST risk when relying on reports generated by end-user computing?

    • Data may be inaccurate
    • Reports may not work efficiently
    • Reports may not be timely
    • Historical data may not be available