Last Updated on December 13, 2021 by Admin 3

CISA : Certified Information Systems Auditor : Part 99

  1. Well-written risk assessment guidelines for IS auditing should specify, at a minimum, which of the following elements? (Choose four.)

    • A maximum length for audit cycles.
    • The timing of risk assessments.
    • Documentation requirements.
    • Guidelines for handling special cases.
    • None of the choices.

    Explanation:
    Well-written risk assessment guidelines should specify a maximum length for audit cycles based on the risk scores, and the timing of risk assessments for each department or activity. Documentation requirements should exist to support scoring decisions. There should also be guidelines for overriding risk assessments in special cases, and the circumstances under which they can be overridden.

  2. The ability of the internal IS audit function to achieve desired objectives depends largely on:

    • the training of audit personnel
    • the background of audit personnel
    • the independence of audit personnel
    • the performance of audit personnel
    • None of the choices.
    Explanation: 
    The ability of the internal audit function to achieve desired objectives depends largely on the independence of audit personnel. Top management should ensure that the audit department does not participate in activities that may compromise its independence.
  3. In-house personnel performing IS audits should possess which of the following knowledge and/or skills? (Choose two.)

    • information systems knowledge commensurate with the scope of the IT environment in question
    • sufficient analytical skills to determine root cause of deficiencies in question
    • sufficient knowledge on secure system coding
    • sufficient knowledge on secure platform development
    • information systems knowledge commensurate outside of the scope of the IT environment in question
    Explanation:
    Personnel performing IT audits should have information systems knowledge commensurate with the scope of the institution’s IT environment. They should also possess sufficient analytical skills to determine the root cause of deficiencies.
  4. A comprehensive IS audit policy should include guidelines detailing what involvement the internal audit team should have:

    • in the development and coding of major OS applications.
    • in the acquisition and maintenance of major WEB applications.
    • in the human resource management cycle of the application development project.
    • in the development, acquisition, conversion, and testing of major applications.
    • None of the choices.
    Explanation: 
    The audit policy should include guidelines detailing what involvement internal audit will have in the development, acquisition, conversion, and testing of major applications. Such a policy must be approved by top management for it to be effective.
  5. For application acquisitions with significant impacts, participation of your IS audit team should be encouraged:

    • early in the due diligence stage.
    • at the testing stage.
    • at the final approval stage.
    • at the budget preparation stage.
    • None of the choices.
    Explanation: 
    For acquisitions with significant IT impacts, participation of IS audit is often necessary early in the due diligence stage as defined in the audit policy.
  6. Which of the following should be seen as one of the most significant factors considered when determining the frequency of IS audits within your organization?

    • The cost of risk analysis
    • The income generated by the business function
    • Resource allocation strategy
    • The nature and level of risk
    • None of the choices.
    Explanation:
    You use a risk assessment process to describe and analyze the potential audit risks inherent in a given line of business. You should update such a risk assessment at least annually to reflect changes. The level and nature of risk should be the most significant factors considered when determining the frequency of audits.
  7. Properly planned risk-based audit programs are often capable of offering which of the following benefits?

    • audit efficiency and effectiveness.
    • audit efficiency only.
    • audit effectiveness only.
    • audit transparency only.
    • audit transparency and effectiveness.
    • None of the choices.
    Explanation:
    Properly planned risk-based audit programs increase both audit efficiency and audit effectiveness. The sophistication and formality of such programs vary significantly depending on the target’s size and complexity.
  8. The sophistication and formality of IS audit programs may vary significantly depending on which of the following factors?

    • the target’s management hands-on involvement.
    • the target’s location.
    • the target’s size and complexity.
    • the target’s budget.
    • the target’s head count.
    • None of the choices.
    Explanation:
    The sophistication and formality of a risk-based audit program vary significantly depending on the target’s size and complexity. When properly planned, such programs increase audit efficiency and effectiveness.
  9. Which of the following is one of the most common ways that spyware is distributed?

    • as a trojan horse.
    • as a virus.
    • as an Adware.
    • as a device driver.
    • as a macro.
    • None of the choices.
    Explanation: 
    One of the most common ways that spyware is distributed is as a Trojan horse, bundled with a piece of desirable software that the user downloads off the Web or a peer-to-peer file-trading network. When the user installs the software, the spyware is installed alongside.
  10. Which of the following is not a good tactic to use against hackers?

    • Enticement
    • Entrapment
    Explanation:
    Enticement occurs after somebody has already gained unlawful access to a system and is then lured to a honeypot. Entrapment encourages the commission of unlawful access. The latter is not a good tactic to use, as it involves encouraging someone to commit a crime.
  11. Creating which of the following is how a hacker can ensure his ability to return to the hacked system at will?

    • rootsec
    • checksum
    • CRC
    • backdoors
    • None of the choices.
    Explanation:
    A backdoor refers to a generally undocumented means of getting into a system, mostly for programming and maintenance/troubleshooting needs. Most real-world programs have backdoors. Creating backdoors is how a hacker can ensure his ability to return to the hacked system at will.
  12. A trojan horse simply cannot operate autonomously.

    • true
    • false
    Explanation:
    In a common type of Trojan horse, legitimate software has been corrupted with malicious code that runs when the program is used. The key is that the user has to invoke the program in order to trigger the malicious code. In other words, a Trojan horse simply cannot operate autonomously. Note also that most, but not all, Trojan horse payloads are harmful; a few of them are harmless.
  13. Which of the following refers to the collection of policies and procedures for implementing controls capable of restricting access to computer software and data files?

    • Binary access control
    • System-level access control
    • Logical access control
    • Physical access control
    • Component access control
    • None of the choices.
    Explanation:
    Logical access control is the use of a collection of policies, procedures, and controls to restrict access to computer software and data files.
    Such a control system should provide reasonable assurance that an organization’s objectives are being achieved securely and reliably.
  14. Which of the following is the GREATEST concern when an organization allows personal devices to connect to its network?

    • It is difficult to enforce the security policy on personal devices
    • Help desk employees will require additional training to support devices.
    • IT infrastructure costs will increase.
    • It is difficult to maintain employee privacy.
  15. Which of the following BEST ensures that effective change management is in place in an IS environment?

    • User authorization procedures for application access are well established.
    • User-prepared detailed test criteria for acceptance testing of the software.
    • Adequate testing was carried out by the development team.
    • Access to production source and object programs is well controlled.
  16. An IS auditor plans to review all access attempts to a video-monitored and proximity card-controlled communications room. Which of the following would be MOST useful to the auditor?

    • System electronic log
    • Security incident log
    • Manual sign-in and sign-out log
    • Alarm system with CCTV
    Explanation:
    Reference: https://www.slideshare.net/desmond.devendran/chap5-2007-cisa-review-course
  17. Which of the following is the BEST way to mitigate the risk of unintentional modifications associated with complex calculations in end-user computing (EUC)?

    • Verify EUC results through manual calculations.
    • Operate copies of EUC programs out of a secure library.
    • Implement data integrity checks.
    • Utilize an independent party to review the source calculations.
  18. An IS auditor has been asked to audit a complex system with computerized and manual elements. Which of the following should be identified FIRST?

    • Manual controls
    • System risks
    • Programmed controls
    • Input validation
  19. The MOST appropriate person to chair the steering committee for an enterprise-wide system development should normally be the:

    • project manager
    • IS director
    • executive-level manager
    • business analyst
  20. Which of the following activities is MOST important to consider when conducting IS audit planning?

    • Results from previous audits are reviewed.
    • Audit scheduling is based on skill set of audit team.
    • Resources are allocated to areas of high risk.
    • The audit committee agrees on risk rankings.