CISA : Certified Information Systems Auditor : Part 39

CISA : Part 1 - 40
CISA : Part 41 - 80

During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor’s BEST course of action?
- Plan to test these controls in another audit.
- Escalate the deficiency to audit management.
- Add testing of third-party access controls to the scope of the audit.
- Determine whether the risk has been identified in the planning documents.
Which of the following is the BEST method for converting a file into a format suitable for data analysis in a forensic investigation?
- Extraction
- Normalization
- Data acquisition
- Imaging
Which of the following is MOST important to include in forensic data collection and preservation procedures?
- Maintaining chain of custody
- Preserving data integrity
- Determining tools to be used
- Assuring the physical security of devices
An organization that has suffered a cyber attack is performing a forensic analysis of the affected users’ computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?
- The chain of custody has not been documented.
- The legal department has not been engaged.
- An imagining process was used to obtain a copy of the data from each computer.
- Audit was only involved during extraction of the information.
Which of the following is the PRIMARY role of an IS auditor with regard to data privacy?
- Ensuring compliance with data privacy laws
- Communicating data privacy requirements to the organization
- Drafting the organization’s data privacy policy
- Verifying that privacy practices match privacy statements
Which of the following controls will BEST ensure that the board of directors receives sufficient information about IT?
- The CIO reports on performance and corrective actions in a timely manner.
- Regular meetings occur between the board, the CIO, and a technology committee.
- The CIO regularly sends IT trend reports to the board.
- Board members are knowledgeable about IT, and the CIO is consulted on IT issues.
For mission-critical applications with a low recovery time objective (RTO), which of the following is the BEST backup strategy?
- Frequent back-ups to tape
- Mirroring
- Use of virtual tape libraries
- Archiving to conventional disk
The MOST effective way to determine if IT is meeting business requirements is to establish:
- industry benchmarks.
- organizational goals.
- a capability model.
- key performance indicators (KPIs).
Which of the following roles combined with the role of a database administrator (DBA) will create a segregation of duties conflict?
- Quality assurance
- Systems analyst
- Application end user
- Security administrator
When testing segregation of duties, which of the following audit techniques provides the MOST reliable evidence?
- Observing daily operations for the area in scope
- Evaluating the department structure via the organizational chart
- Reviewing departmental procedure handbooks
- Interviewing managers and end users
Which of the following should be reviewed as part of a data integrity test?
- Completeness
- Confidentiality
- Data backup
- Redundancy
Which of the following would BEST provide executive management with current information on IT-related costs and IT performance indicators?
- IT dashboard
- Risk register
- IT service-management plan
- Continuous audit reports
Which of the following will MOST effectively help to manage the challenges associated with end user-developed application systems?
- Developing classifications based on risk
- Introducing redundant support capacity
- Prohibiting creation of executable files
- Applying control practices used by IT
Which of the following is the BEST compensating control for a lack of proper segregation of duties in an IT department?
- Authorization forms
- Audit trail reviews
- System activity logging
- Control self-assessment (CSA)
The BEST way to evaluate a shared control environment is to obtain an assurance report and review which of the following?
- Control self-assessment (CSA)
- Service level agreement (SLA)
- Master service agreement
- Complementary user entity controls
Which of the following is the PRIMARY advantage of the IT portfolio management approach over the balanced scorecard approach when managing IT investments?
- The influence of qualitative factors on investment decisions.
- Agility in adjusting investment decisions.
- Incorporation of organizational strategy in investment decisions.
- Use of the organization’s risk appetite in investment decisions.
Which of the following is the PRIMARY benefit of including IT management and staff when conducting control self-assessments (CSAs) within an organization?
- It helps to identify risk to the business.
- It improves the efficiency of business and IT operational processes.
- It increases buy-in for more stringent controls.
- It reduces the workload of external and internal auditors.
In the IT department where segregation of duties is not feasible due to a limited number of resources, a team member is performing the functions of computer operator and reviewer of application logs. Which of the following would be the IS auditor’s BEST recommendation?
- Develop procedures to verify that the application logs are not modified.
- Prevent the operator from performing application development activities.
- Assign an independent second reviewer to verify the application logs.
- Restrict the computer operator’s access to the production environment.
An IT balanced scorecard is MOST useful in determining the effectiveness of which of the following?
- Key IT controls
- Change management processes
- IT department’s financial position
- Governance of enterprise IT
To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?
- Review of major financial applications followed by a review of IT governance processes
- Review of application controls followed by a test of key business process controls
- Review of the general IS controls followed by a review of the application controls
- Detailed examination of financial transactions followed by review of the general ledger

CISA : Part 1 - 40
CISA : Part 41 - 80

CISA : Certified Information Systems Auditor : All Parts
CISA Part 01	CISA Part 11	CISA Part 21	CISA Part 31
CISA Part 02	CISA Part 12	CISA Part 22	CISA Part 32
CISA Part 03	CISA Part 13	CISA Part 23	CISA Part 33
CISA Part 04	CISA Part 14	CISA Part 24	CISA Part 34
CISA Part 05	CISA Part 15	CISA Part 25	CISA Part 35
CISA Part 06	CISA Part 16	CISA Part 26	CISA Part 36
CISA Part 07	CISA Part 17	CISA Part 27	CISA Part 37
CISA Part 08	CISA Part 18	CISA Part 28	CISA Part 38
CISA Part 09	CISA Part 19	CISA Part 29	CISA Part 39
CISA Part 10	CISA Part 20	CISA Part 30	CISA Part 40

CISA : Certified Information Systems Auditor : All Parts
CISA Part 41	CISA Part 51	CISA Part 61	CISA Part 71
CISA Part 42	CISA Part 52	CISA Part 62	CISA Part 72
CISA Part 43	CISA Part 53	CISA Part 63	CISA Part 73
CISA Part 44	CISA Part 54	CISA Part 64	CISA Part 74
CISA Part 45	CISA Part 55	CISA Part 65	CISA Part 75
CISA Part 46	CISA Part 56	CISA Part 66	CISA Part 76
CISA Part 47	CISA Part 57	CISA Part 67	CISA Part 77
CISA Part 48	CISA Part 58	CISA Part 68	CISA Part 78
CISA Part 49	CISA Part 59	CISA Part 69	CISA Part 79
CISA Part 50	CISA Part 60	CISA Part 70	CISA Part 80

CISA : Certified Information Systems Auditor : All Parts
CISA Part 01	CISA Part 11	CISA Part 21	CISA Part 31
CISA Part 02	CISA Part 12	CISA Part 22	CISA Part 32
CISA Part 03	CISA Part 13	CISA Part 23	CISA Part 33
CISA Part 04	CISA Part 14	CISA Part 24	CISA Part 34
CISA Part 05	CISA Part 15	CISA Part 25	CISA Part 35
CISA Part 06	CISA Part 16	CISA Part 26	CISA Part 36
CISA Part 07	CISA Part 17	CISA Part 27	CISA Part 37
CISA Part 08	CISA Part 18	CISA Part 28	CISA Part 38
CISA Part 09	CISA Part 19	CISA Part 29	CISA Part 39
CISA Part 10	CISA Part 20	CISA Part 30	CISA Part 40

CISA : Certified Information Systems Auditor : All Parts
CISA Part 41	CISA Part 51	CISA Part 61	CISA Part 71
CISA Part 42	CISA Part 52	CISA Part 62	CISA Part 72
CISA Part 43	CISA Part 53	CISA Part 63	CISA Part 73
CISA Part 44	CISA Part 54	CISA Part 64	CISA Part 74
CISA Part 45	CISA Part 55	CISA Part 65	CISA Part 75
CISA Part 46	CISA Part 56	CISA Part 66	CISA Part 76
CISA Part 47	CISA Part 57	CISA Part 67	CISA Part 77
CISA Part 48	CISA Part 58	CISA Part 68	CISA Part 78
CISA Part 49	CISA Part 59	CISA Part 69	CISA Part 79
CISA Part 50	CISA Part 60	CISA Part 70	CISA Part 80

CISA : Certified Information Systems Auditor : Part 39

During an audit of identity and access management, an IS auditor finds that the engagement audit plan does not include the testing of controls that regulate access by third parties. Which of the following would be the auditor’s BEST course of action?

Which of the following is the BEST method for converting a file into a format suitable for data analysis in a forensic investigation?

Which of the following is MOST important to include in forensic data collection and preservation procedures?

An organization that has suffered a cyber attack is performing a forensic analysis of the affected users’ computers. Which of the following should be of GREATEST concern for the IS auditor reviewing this process?

Which of the following is the PRIMARY role of an IS auditor with regard to data privacy?

Which of the following controls will BEST ensure that the board of directors receives sufficient information about IT?

For mission-critical applications with a low recovery time objective (RTO), which of the following is the BEST backup strategy?

The MOST effective way to determine if IT is meeting business requirements is to establish:

Which of the following roles combined with the role of a database administrator (DBA) will create a segregation of duties conflict?

When testing segregation of duties, which of the following audit techniques provides the MOST reliable evidence?

Which of the following should be reviewed as part of a data integrity test?

Which of the following would BEST provide executive management with current information on IT-related costs and IT performance indicators?

Which of the following will MOST effectively help to manage the challenges associated with end user-developed application systems?

Which of the following is the BEST compensating control for a lack of proper segregation of duties in an IT department?

The BEST way to evaluate a shared control environment is to obtain an assurance report and review which of the following?

Which of the following is the PRIMARY advantage of the IT portfolio management approach over the balanced scorecard approach when managing IT investments?

Which of the following is the PRIMARY benefit of including IT management and staff when conducting control self-assessments (CSAs) within an organization?

In the IT department where segregation of duties is not feasible due to a limited number of resources, a team member is performing the functions of computer operator and reviewer of application logs. Which of the following would be the IS auditor’s BEST recommendation?

An IT balanced scorecard is MOST useful in determining the effectiveness of which of the following?

To help determine whether a controls-reliant approach to auditing financial systems in a company should be used, which sequence of IS audit work is MOST appropriate?