CISA : Certified Information Systems Auditor : Part 24
-
An IS auditor’s independence with respect to the audit of an application system is MOST likely to be impaired if the auditor:
- performed a development review of the application.
- designed an embedded audit module for the application.
- knows that the application contains the auditor’s personal transactions.
- reports to an individual responsible for the application.
-
Which of the following provides the MOST useful information to an IS auditor reviewing the relationships between critical business processes and IT systems?
- IT portfolio management
- IT service management
- Enterprise architecture (EA)
- Configuration management database (CMDB)
-
Which of the following is the BEST justification for deferring remediation testing until the next audit?
- Auditee management has accepted all observations reported by the auditor.
- The audit environment has changed significantly.
- The auditor who conducted the audit and agreed with the timeline has left the organization.
- Management’s planned actions are sufficient given the relative importance of the observations.
-
When performing a post-implementation review, the adequacy of the data conversion effort would BEST be evaluated by performing a thorough review of the:
- functional conversion rules.
- conversion user acceptance testing (UAT) results.
- go-live conversion results.
- detailed conversion approach templates.
-
Which of the following is a PRIMARY role of an IS auditor in a control self-assessment (CSA) workshop?
- Reporting results of the workshop and recommendations to management
- Gathering background information prior to the СSA workshop
- Analyzing gaps between control design and control framework
- Assisting participants in evaluating risks and relevant controls
-
An IS auditor is planning an audit of an organization’s accounts payable processes. Which of the following controls is MOST important to assess in the audit?
- Management review and approval of purchase orders
- Management review and approval of authorization tiers
- Segregation of duties between issuing purchase orders and making payments
- Segregation of duties between receiving invoices and setting authorization limits
-
Which of the following should be of GREATEST concern to an IS auditor conducting a security review of a point-of-sale (POS) system?
- Management of POS systems is outsourced to a vendor based in another country.
- POS systems are not integrated with accounting applications for data transfer.
- Credit card verification value (CVV) information is stored on local POS systems.
- An optical scanner is not used to read bar codes for generating sales invoices.
-
External experts were used on a recent IT audit engagement. While assessing the external experts’ work, the internal audit team found some gaps in the evidence that may have impacted their conclusions. What is the internal audit team’s BEST course of action?
- Engage another expert to conduct the same testing.
- Recommend the external experts conduct additional testing.
- Report a scope limitation in their conclusions.
- Escalate to senior management.
-
Which of the following is the BEST ensures the quality and integrity of test procedures used in audit analytics?
- Developing and communicating test procedure best practices to audit teams
- Decentralizing procedures and implementing periodic peer review
- Developing and implementing an audit data repository
- Centralizing procedures and implementing change control
-
After delivering an audit report, the audit manager discovers that evidence was overlooked during the audit. This evidence indicates that a procedural control may have failed and could contradict a conclusion of the audit. Which of the following risks is MOST affected by this oversight?
- Inherent
- Financial
- Audit
- Operational
-
Which of the following should be the FIRST step when planning an IS audit of a third-party service provider that monitors network activities?
- Evaluate the organization’s third-party monitoring process
- Determine if the organization has a secure connection to the provider
- Review the roles and responsibilities of the third-party provider
- Review the third party’s monitoring logs and incident handling
-
An IS auditor is evaluating an organization’s IT strategy and plans. Which of the following would be of GREATEST concern?
- There is inadequate documentation of IT strategic planning
- IT is not engaged in business strategic planning
- There is not a defined IT security policy
- The business strategy meeting minutes are not disturbing
-
An IS auditor is reviewing an industrial control system (ICS) that uses older unsupported technology in the scope of an upcoming audit. What should the auditor consider the MOST significant concern?
- Technical specifications are not documented.
- Disaster recovery plans (DRPs) are not in place.
- Attack vectors are evolving for industrial control systems.
- There is a greater risk of system exploitation.
-
Which of the following is an IS auditor’s BEST recommendation to help an organization increase the efficiency of computing resources?
- Hardware upgrades
- Virtualization
- Real-time backups
- Overclocking the central processing unit (CPU)
-
An IS audit manager was temporarily tasked with supervising a project manager assigned to the organization’s payroll application upgrade. Upon returning to the audit department, the audit manager has been asked to perform an audit to validate the implementation of the payroll application. The audit manager is the only one in the audit department with IT project management experience. What is the BEST course of action?
- Transfer the assignment to a different audit manager despite lack of IT project management experience
- Have a senior IS auditor manage the project with the IS audit manager performing final review
- Outsource the audit to independent and qualified resources
- Manage the audit since there is no one else with the appropriate experience
-
Internal audit is conducting an audit of customer transaction risk. Which of the following would be the BEST reason to use data analytics?
- Transactional data is contained in multiple discrete systems that have varying levels of reliability
- Anomalies and risk trends in the data set have yet to be defined
- The audit is being performed to comply with regulations requiring periodic random sample testing
- The audit focus is on a small number of predefined high-risk transactions
-
When reviewing a data classification scheme, it is MOST important for an IS auditor to determine if:
- each information asset is assigned to a different classification.
- senior IT managers are identified as information owners.
- the security criteria are clearly documented for each classification.
- the information owner is required to approve access to the asset.
-
An IS auditor is examining a front-end subledger and a main ledger. Which of the following would be the GREATEST concern if there are flaws in the mapping of accounts between two systems?
- Unauthorized alteration of account attributes
- Inaccuracy of financial reporting
- Inability to support new business transactions
- Double-posting of a single journal entry
-
Which of the following is the PRIMARY purpose of conducting follow-up audits for material observations?
- To validate the correctness of reported findings
- To assess the risk of the audit environment
- To assess evidence for management reporting
- To validate remediation efforts
-
What is the MAIN purpose of an organization’s internal IS audit function?
- Provide assurance to management about the effectiveness of the organization’s risk management and internal controls.
- Identify and initiate necessary changes in the control environment to help ensure sustainable improvement.
- Review the organization’s policies and procedures against industry best practice and standards.
- Independently attest the organization’s compliance with applicable legal and regulatory requirements.