CISA : Certified Information Systems Auditor : Part 13

  1. During an audit of a data center, an IS auditor’s BEST way to gain an understanding of physical security controls is to:

    • review the data center’s physical security procedures.
    • contact the alarm vendor and identify where alarms are installed in the data center.
    • take a tour of the facility and identify physical security controls.
    • obtain the engineering plans for the building and identify points of entry.
  2. An IS auditor finds that an organization’s data loss prevention (DLP) system is configured to use vendor default settings to identify violations. The auditor’s MAIN concern should be that:

    • violations may not be categorized according to the organization’s risk profile.
    • violation reports may not be retained according to the organization’s risk profile.
    • violation reports may not be reviewed in a timely manner.
    • a significant number of false positive violations may be reported.
  3. Which of the following IS audit recommendations would BEST help to ensure appropriate mitigation will occur on control weaknesses identified during an audit?

    • Assign actions to responsible personnel and follow up.
    • Report on progress to the audit committee.
    • Perform a cost-benefit analysis on remediation strategy.
    • Implement software to input the action points from the IS audit.
  4. During a database audit, an IS auditor noted frequent problems due to the growing size of the order tables. Which of the following is the BEST recommendation in this situation?

    • Develop an archiving approach.
    • Periodically delete completed orders.
    • Build more table indices.
    • Migrate to a different database management system.
  5. Which of the following procedures should an IS auditor complete FIRST when evaluating the adequacy of IT key performance indicators (KPIs)?

    • Independently calculate the accuracy of the KPIs.
    • Review KPIs that indicate poor IT performance.
    • Validate the KPI thresholds.
    • Determine whether the KPIs support IT objectives.
  6. During an audit of an organization’s financial statements, an IS auditor finds that the IT general controls are deficient. What should the IS auditor recommend?

    • Increase the compliance testing of the application controls.
    • Place greater reliance on the application controls.
    • Increase the substantive testing of the financial balances.
    • Place greater reliance on the framework of control.
  7. An internal review reveals an out-of-support human resources system. Which of the following is MOST important to determine when evaluating the associated risk?

    • Frequency of outages associated with the out-of-support system
    • The number of people accessing the out-of-support system
    • Exposure of the out-of-support system outside of the network
    • Timeline to replace the out-of-support system
  8. Which of the following is MOST important for an IS auditor to consider when determining an appropriate sample size in situations where selecting the entire population is not feasible?

    • Tolerable error
    • Accessibility of the data
    • Data integrity
    • Responsiveness of the auditee
  9. IT service engineers at a large organization are unable to effectively prioritize system-generated alerts from hundreds of applications running across multiple servers and databases. As a result, many alerts are often ignored, leading to major problems including downtime. Which of the following is the BEST IS audit recommendation to address this situation?

    • Prioritize alerts from legacy applications that may require remote support from external vendors.
    • Implement a threshold management system that prioritizes alerts over a certain age.
    • Develop a classification scheme that prioritizes alerts according to potential business impact.
    • Group alerts from related systems and immediately escalate to the application owner.
  10. An IS auditor finds that a mortgage origination team receives customer mortgage applications via a shared repository. Which of the following test procedures is the BEST way to assess whether there are adequate privacy controls over this process?

    • Validate whether the encryption is compliant with the organization’s requirements.
    • Validate that data is entered accurately and timely.
    • Validate whether documents are deleted according to data retention procedures.
    • Validate whether complex passwords are required.
  11. An IS auditor observes an organization is performing data backup and restoration testing on an ad hoc basis without a defined process. What is the MOST likely result of a data disruption event?

    • Increased loss impact
    • Decreased data confidentiality
    • Increased likelihood of future risk events
    • Decreased data integrity
  12. While reviewing the project plan for a new system prior to go-live, an IS auditor notes that the project team has not documented a fallback plan. Which of the following would be the BEST go-live approach in this situation?

    • Parallel processing
    • Immediate cutover
    • Real-time replication
    • Load balancing
  13. Which of the following is MOST important for an IS auditor to determine when evaluating a database for privacy-related risks?

    • Whether copies of production data are masked
    • Whether the integrity of the data dictionary is maintained
    • Whether data import and export procedures are approved
    • Whether all database tables are normalized
  14. Which of the following is MOST important for an IS auditor to consider when evaluating a Software as a Service (SaaS) arrangement?

    • Total cost of ownership
    • Frequency of software updates
    • Physical security
    • Software availability
  15. Which of the following should be of GREATEST concern to an IS auditor when evaluating a new system’s production readiness?

    • A system defect was found during user acceptance testing.
    • Functional design documentation is not complete.
    • Functional requirements have not been met.
    • Projected benefits have not been realized.
  16. Which of the following findings should be of GREATEST concern for an IS auditor when auditing the effectiveness of a phishing simulation test administered for staff members?

    • Staff members were not notified about the test beforehand.
    • Test results were not communicated to staff members.
    • Staff members who failed the test did not receive follow-up education.
    • Security awareness training was not provided prior to the test.
  17. During a review of an organization’s network threat response process, the IS auditor noticed that the majority of alerts were closed without resolution. Management responded that those alerts were unworkable due to lack of actionable intelligence, and therefore the support team is allowed to close them. What is the BEST way for the auditor to address this situation?

    • Further review closed unactioned alerts to identify mishandling of threats.
    • Omit the finding from the report as this practice is in compliance with the current policy.
    • Recommend that management enhance the policy and improve threat awareness training.
    • Reopen unactioned alerts and report to the audit committee.
  18. An IS auditor would MOST likely recommend that IT management use a balanced scorecard to:

    • ensure that IT staff meet performance requirements.
    • train and educate IT staff.
    • indicate whether the organization meets quality standards.
    • assess IT functions and processes.
  19. Which of the following should an IS auditor recommend to reduce the likelihood of potential intruders using social engineering?

    • Perform simulated attacks.
    • Prohibit the use of social networking platforms.
    • Implement an intrusion detection system (IDS).
    • Deploy a security awareness program.
  20. An IS auditor notes that the anticipated benefits from an ongoing infrastructure project have changed due to recent organizational restructuring. Which of the following is the IS auditor’s BEST recommendation?

    • Review and reapprove the business case.
    • Revise business goals and objectives.
    • Conduct a new feasibility study.
    • Review and update the business impact analysis (BIA).