CISA : Certified Information Systems Auditor : Part 08

  1. Which of the following would be the MOST efficient audit approach, given that a compliance-based approach was adopted in the previous year?

    • Validate all applications using test data.
    • Interview systems personnel to evaluate all automated controls.
    • Evaluate the controls surrounding changes to programs.
    • Perform a review of significant transactions posted within the system.
  2. An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?

    • There is no privacy information in the data.
    • The data analysis tools have been recently updated.
    • The data can be obtained in a timely manner.
    • The data is taken directly from the system.
  3. Which of the following should the IS auditor use to BEST determine whether a project has met its business objectives?

    • Earned-value analysis
    • Completed project plan
    • Issues log with resolutions
    • Benefits realization document
  4. An IS auditor is observing transaction processing and notes that a high-priority update job ran out of sequence. What is the MOST significant risk from this observation?

    • Previous jobs may have failed.
    • The job may not have run to completion.
    • Daily schedules may not be accurate.
    • The job completes with invalid data.
  5. During an audit of the organization’s data privacy policy, the IS auditor identified that only some IT application databases have encryption in place. What should be the auditor’s FIRST action?

    • Assess the resources required to implement encryption to unencrypted databases.
    • Review the most recent database penetration testing results.
    • Determine whether compensating controls are in place.
    • Review a comprehensive list of databases with the information they contain.
  6. Which of the following should be of GREATEST concern to an IS auditor reviewing actions taken during a forensic investigation?

    • The investigation report does not indicate a conclusion.
    • An image copy of the attacked system was not taken.
    • The proper authorities were not notified.
    • The handling procedures of the attacked system are not documented.
  7. An IS auditor evaluating a three-tier client/server architecture observes an issue with graphical user interface (GUI) tasks. Which layer should the auditor recommend the client address?

    • Presentation layer
    • Application layer
    • Storage layer
    • Transport layer
  8. An IS auditor is assigned to review the development of a specific application. Which of the following would be the MOST significant step following the feasibility study?

    • Attend project progress meetings to monitor timely implementation of the application.
    • Assist users in the design of proper acceptance-testing procedures.
    • Follow up with project sponsor for project’s budgets and actual costs.
    • Review functional design to determine that appropriate controls are planned.
  9. An IS audit report highlighting inadequate network internal controls is challenged because no serious incident has ever occurred. Which of the following actions performed during the audit would have BEST supported the findings?

    • Compliance testing
    • Threat risk assessment
    • Penetration testing
    • Vulnerability assessment
  10. An IS auditor is performing a post-implementation review of a system deployed two years ago. Which of the following findings should be of MOST concern to the auditor?

    • Maintenance costs were not included in the project lifecycle costs.
    • Benefits as stated in the business case have not been realized.
    • Workarounds due to remaining defects had to be used longer than anticipated.
    • The system has undergone several change requests to further extend functionality.
  11. Which of the following should an IS auditor recommend as MOST critical to an effective performance improvement process for IT services?

    • Progress on performance goals is regularly reported to the board.
    • The performance goals are aligned with a commonly accepted framework.
    • Root cause analysis of service issues is used to develop performance goals.
    • Management accepts accountability for achieving performance goals.
  12. In reviewing the IT strategic plan, the IS auditor should consider whether it identifies the:

    • major IT initiatives.
    • links to operational tactical plans.
    • allocation of IT staff.
    • project management methodologies used.
  13. During a review of system access, an IS auditor notes that an employee who has recently changed roles within the organization still has previous access rights. The auditor’s NEXT step should be to:

    • determine the reason why access rights have not been revoked.
    • recommend a control to automatically update access rights.
    • direct management to revoke current access rights.
    • determine if access rights are in violation of software licenses.
  14. When engaging services from external auditors, which of the following should be established FIRST?

    • Termination conditions agreements
    • Nondisclosure agreements
    • Service level agreements
    • Operational level agreements
  15. An IS auditor reviewing an incident management process identifies client information was lost due to ransomware attacks. Which of the following would MOST effectively minimize the impact of future occurrences?

    • Change access to client data to read-only.
    • Improve the ransomware awareness program.
    • Back up client data more frequently.
    • Monitor all client data changes.
  16. Which of the following is the PRIMARY benefit of implementing configuration management for IT?

    • It helps audit in verifying IT conformance to business requirements.
    • It establishes the dependency of application systems with various IT assets.
    • It provides visibility to the overall function and technical attributes of IT assets.
    • It helps automate change and release management processes in IT.
  17. The independence of an IS auditor auditing an application is maintained if the auditor’s role is limited to:

    • creating system specifications.
    • defining user requirements.
    • recommending system enhancements.
    • designing access control rules.
  18. Which of the following is the PRIMARY reason for an IS auditor to use computer-assisted audit techniques (CAATs)?

    • To efficiently test an entire population
    • To perform direct testing of production data
    • To conduct automated sampling for testing
    • To enable quicker access to information
  19. An IS auditor is planning to audit an organization’s infrastructure for access, patching, and change management. Which of the following is the BEST way to prioritize the systems?

    • Complexity of the environment
    • Criticality of the system
    • System hierarchy within the infrastructure
    • System retirement plan
  20. Which of the following would be the GREATEST concern to an IS auditor reviewing an IT outsourcing arrangement?

    • Several IT personnel perform the same functions as the vendor.
    • The contract does not include a renewal option.
    • Development of KPIs that will be used was assigned to the vendor.
    • Some penalties were waived during contract negotiations.