CISA : Certified Information Systems Auditor : Part 11
-
An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization’s data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. After the data quality team identifies the system data at fault, which of the following should internal audit recommend as the NEXT step in the process?
- Create business rules that validate data quality.
- Develop an improvement plan.
- Identify the root cause of data quality problems.
- Identify the source data owners.
-
To select a sample for testing, which must include the 80 largest client balances and a random sample of the rest, the IS auditor should recommend:
- sorting the file with a utility.
- use of generalized audit software.
- applying attribute sampling using software.
- development of an integrated test facility (ITF).
-
A database administrator (DBA) extracts a user listing for an auditor as testing evidence. Which of the following will provide the GREATEST assurance that the user listing is reliable?
- Requesting a query that returns the count of the users.
- Requesting a copy of the query that generated the user listing
- Obtaining sign-off from the DBA to attest that the list is complete
- Witnessing the DBA running the query in-person
-
During an audit, it is discovered that several suppliers with standing orders have been deleted from the supplier master file. Which of the following controls would have BEST prevented such an occurrence?
- Logical relationship check
- Existence check
- Table look-ups
- Referential integrity
-
An IS auditor discovered that a firewall has more services than needed. The IS auditor’s FIRST recommendation should be to:
- ensure logging is turned on.
- deploy a network penetration team.
- review configurations.
- eliminate services except for HTTPS.
-
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor’s NEXT course of action?
- Determine the value of the firewall.
- Report the security posture of the organization.
- Report the mitigating controls.
- Determine the risk of not replacing the firewall.
-
Which of the following would be MOST important for an IS auditor to review during an audit of an automated continuous monitoring process being used by the finance department?
- Resiliency of the monitoring service
- Dual control and approvals embedded in processes
- Management sign-off of test documentation
- Configuration of the monitoring tool
-
Which of the following should be of GREATEST concern to an IS auditor reviewing the controls for a continuous software release process?
- Release documentation is not updated to reflect successful deployment.
- Test libraries have not been reviewed in over six months.
- Developers are able to approve their own releases.
- Testing documentation is not attached to production releases.
-
While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor’s BEST course of action would be to:
- determine whether the alternative controls sufficiently mitigate the risk and record the results.
- reject the alternative controls and re-prioritize the original issue as high risk.
- postpone follow-up activities and escalate the alternative controls to senior audit management.
- schedule another audit due to the implementation of alternative controls.
-
Which of the following communication modes should be of GREATEST concern to an IS auditor evaluating end-user networking?
- System-to-system
- Peer-to-peer
- Host-to-host
- Client-to-server
-
An IS auditor is reviewing an organization’s sales and purchasing system due to ongoing data quality issues. An analysis of which of the following would provide the MOST useful information to determine the revenue loss?
- Correlation between the number of issues and average downtime
- Cost of implementing data validation controls within the system
- Comparison of the cost of data acquisition and loss in sales revenue
- Correlation between data errors and loss in value of transactions
-
During a review of an insurance company’s claims system, the IS auditor learns that claims for specific medical procedures are acceptable only from females. This is an example of a:
- key verification.
- completeness check.
- reasonableness check.
- logical relationship check.
-
Which of the following should be of concern to an IS auditor performing a software audit on virtual machines?
- Software licensing does not support virtual machines.
- Software has been installed on virtual machines by privileged users.
- Multiple users can access critical applications.
- Applications have not been approved by the CFO.
-
An IS auditor is evaluating the log management system for an organization with devices and systems in multiple geographic locations. Which of the following is MOST important for the auditor to verify?
- Log files are encrypted and digitally signed.
- Log files of the servers are synchronized.
- Log files are reviewed in multiple locations.
- Log files are concurrently updated.
-
An IS auditor reviews change control tickets and finds an emergency change request where an IT manager approved the change, modified the code on the production platform, and resolved the ticket. Which of the following should be the auditor’s GREATEST concern?
- There was no follow-up approval from the business.
- The change was made less than an hour after the request.
- There was no testing prior to making the change in production.
- The IT manager performed the change and resolved the ticket.
-
During a help desk review, an IS auditor determines the call abandonment rate exceeds agreed-upon service levels. What conclusion can be drawn from this finding?
- There are insufficient telephone lines available to the help desk.
- There is insufficient staff to handle the help desk call volume.
- Help desk staff are unable to resolve a sufficient number of problems on the first call.
- Users are finding solutions from alternative sources.
-
An IS auditor begins an assignment and identifies audit components for which the auditor is not qualified to assess. Which of the following is the BEST course of action?
- Notify audit management for a decision on how to proceed.
- Complete the audit and give full disclosure in the final audit report.
- Complete the work assignment to the best of the auditor’s ability.
- Exclude the related tests from the audit plan and continue the assignment.
-
When reviewing backup policies, an IS auditor MUST verify that backup intervals of critical systems do not exceed which of the following?
- Recovery point objective (RPO)
- Recovery time objective (RTO)
- Service level objective (SLO)
- Maximum acceptable outage (MAO)
-
Which of the following projects would be MOST important to review in an audit of an organization’s financial statements?
- Resource optimization of the enterprise resource planning (ERP) system
- Security enhancements to the customer relationship database
- Automation of operational risk management processes
- Outsourcing of the payroll system to an external service provider
-
An internal IS auditor recommends that incoming accounts payable payment files be encrypted. Which type of control is the auditor recommending?
- Corrective
- Detective
- Preventive
- Directive
Subscribe
0 Comments
Newest