CISA : Certified Information Systems Auditor : Part 03

  1. An IS auditor reviewing a new application for compliance with information privacy principles should be the MOST concerned with:

    • nonrepudiation
    • collection limitation
    • availability
    • awareness
  2. Which of the following is the PRIMARY reason for an IS auditor to issue an interim audit report?

    • To avoid issuing a final audit report
    • To enable the auditor to complete the engagement in a timely manner
    • To provide feedback to the auditee for timely remediation
    • To provide follow-up opportunity during the audit
  3. Which of the following conditions would be of MOST concern to an IS auditor assessing the risk of a successful brute force attack against encrypted data at rest?

    • Use of symmetric encryption
    • Use of asymmetric encryption
    • Random key generation
    • Short key length
  4. In which of the following SDLC phases would the IS auditor expect to find that controls have been incorporated into system specifications?

    • Development
    • Implementation
    • Design
    • Feasibility
  5. An IS auditor has been invited to join an IT project team responsible for building and deploying a new digital customer marketing platform. Which of the following is the BEST way for the auditor to support this project while maintaining independence?

    • Develop selection criteria for potential digital technology vendors.
    • Conduct an industry peer benchmarking exercise and advise on alternative solutions.
    • Conduct a risk assessment of the proposed initiative.
    • Design controls based on current regulatory requirements for digital technologies.
  6. An IS auditor observes a system performance monitoring tool that reports that a server critical to the organization averages high CPU utilization across a cluster of four virtual servers throughout the audit period. To determine if further investigation is required, an IS auditor should review:

    • the system process activity log
    • system baselines
    • the number of CPUs allocated to each virtual machine
    • organizational objectives
  7. An IS auditor has discovered that a cloud-based application was not included in an application inventory that was used to confirm the scope of an audit. The business process owner explained that the application will be audited by a third party in the next year. The auditor’s NEXT step should be to:

    • evaluate the impact of the cloud application on the audit scope
    • revise the audit scope to include the cloud-based application
    • review the audit report when performed by the third party
    • report the control deficiency to senior management
  8. Which of the following should MOST concern an IS auditor reviewing an intrusion detection system (IDS)?

    • Number of false negatives
    • Number of false positives
    • Legitimate traffic blocked by the system
    • Reliability of IDS logs
  9. Multiple invoices are usually received for individual purchase orders, since purchase orders require staggered delivery dates. Which of the following is the BEST audit technique to test for duplicate payments?

    • Run the data on the software programs used to process supplier payments.
    • Use generalized audit software on the invoice transaction file.
    • Run the data on the software programs used to process purchase orders.
    • Use generalized audit software on the purchase order transaction file.
  10. An IS auditor considering the risks associated with spooling sensitive reports for off-line printing will be the MOST concerned that:

    • data can easily be read by operators
    • data can more easily be amended by unauthorized persons
    • unauthorized copies of reports can be printed
    • output will be lost if the system should fail
  11. In a data center audit, an IS auditor finds that the humidity level is very low. The IS auditor would be MOST concerned because of an expected increase in:

    • employee discomfort
    • risk of fire
    • static electricity problems
    • backup tape failures
  12. Before concluding that internal controls can be relied upon, the IS auditor should:

    • discuss the internal control weaknesses with the auditee
    • document application controls
    • conduct tests of compliance
    • document the system of internal control
  13. The IS auditor has identified a potential fraud perpetrated by the network administrator. The IS auditor should:

    • issue a report to ensure a timely resolution
    • review the audit finding with the audit committee prior to any other discussions
    • perform more detailed tests prior to disclosing the audit results
    • share the potential audit finding with the security administrator
  14. Which of the following should an IS auditor review FIRST when planning a customer data privacy audit?

    • Legal and compliance requirements
    • Customer agreements
    • Organizational policies and procedures
    • Data classification
  15. Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise e-mail?

    • The private key certificate has not been updated.
    • The certificate revocation list has not been updated.
    • The certificate practice statement has not been published.
    • The PKI policy has not been updated within the last year.
  16. Which of the following should be established FIRST when initiating a control self-assessment program in a small organization?

    • Control baselines
    • Client questionnaires
    • External consultants
    • Facilitated workshops
  17. What is an IS auditor’s BEST course of action if informed by a business unit’s representatives that they are too busy to cooperate with a scheduled audit?

    • Reschedule the audit for a time more convenient to the business unit.
    • Notify the chief audit executive who can negotiate with the head of the business unit.
    • Begin the audit regardless and insist on cooperation from the business unit.
    • Notify the audit committee immediately and request they direct the audit begin on schedule.
  18. An IS auditor has completed an audit of an organization’s accounts payable system. Which of the following should be rated as the HIGHEST risk in the audit report and requires immediate remediation?

    • Lack of segregation of duty controls for reconciliation of payment transactions
    • Lack of segregation of duty controls for removal of vendor records
    • Lack of segregation of duty controls for updating the vendor master file
    • Lack of segregation of duty controls for reversing payment transactions
  19. An IS auditor is planning on utilizing attribute sampling to determine the error rate for health care claims processed. Which of the following factors will cause the sample size to decrease?

    • Population size increase
    • Expected error rate increase
    • Acceptable risk level decrease
    • Tolerable error rate increase
  20. Which of the following is the PRIMARY benefit of using an integrated audit approach?

    • Higher acceptance of the findings from the audited business areas
    • The avoidance of duplicated work and redundant recommendations
    • Enhanced allocation of resources and reduced audit costs
    • A holistic perspective of overall risk and a better understanding of controls