CISA : Certified Information Systems Auditor : Part 53

  1. When an organization outsources a payroll system to a cloud service provider, the IS auditor’s PRIMARY concern should be the:

    • service level agreement (SLA) is not reviewed annually.
    • lack of independent assurance from a third party. 
    • service provider’s data center is on the ground floor.
    • service provider’s platform is not compatible with legacy systems.
  2. The IS security group is planning to implement single sign-on. What is the IS auditor’s PRIMARY concern?

    • Integrated access rules will increase users’ access privileges.
    • Managing user IDs/passwords will require increased efforts.
    • Integrated access rules will restrict users’ access privileges.
    • Compromise of a user ID/password will yield more privileges.
  3. Which of the following would BEST help in classifying an organization’s data?

    • Data retention requirements
    • Impact of data loss or disclosure 
    • Analysis of existing data handling procedures
    • Industry best practices for data classification
  4. Which of the following should be of GREATEST concern to an organization’s board when reviewing the internal audit department’s quality assurance and improvement program?

    • The program does not include periodic external assessments.
    • Program metrics have not been updated in over two years.
    • The program has not been approved by senior management.
    • The program does not incorporate recommendations from prior audits.
  5. Which of the following should be a PRIMARY control objective when designing controls for system interfaces?

    • Ensure peer-to-peer data transfers are minimized.
    • Ensure all data transferred through system interfaces is encrypted. 
    • Ensure managed file transfer (MFT) systems have restart capability for interruptions.
    • Ensure data on the sending system is identical to the data on the receiving system.
  6. Audit software designed to detect invalid data, extreme values, or linear correlations between data elements can be classified as which type of data analytics tool?

    • Descriptive
    • Diagnostic 
    • Predictive
    • Prescriptive
  7. Which of the following factors constitutes a strength in regard to the use of a disaster recovery planning reciprocal agreement?

    • Changes to the hardware or software environment by one company could make the agreement ineffective or obsolete.
    • Reciprocal agreements may not be formally established in a contract.
    • The two companies might share a need for a specialized piece of equipment. 
    • A disaster could occur that would affect both companies.
  8. Which of the following is the MOST important consideration when establishing vulnerability scanning on critical IT infrastructure?

    • The scanning will not degrade system performance.
    • The scanning will be followed by penetration testing.
    • The scanning will be cost-effective.
    • The scanning will be performed during non-peak hours.
  9. Which of the following is MOST important for an organization to review before sharing data with an external business partner via an application programming interface (API)?

    • The business partner’s web application log files
    • The business partner’s help desk incident tickets
    • The business partner’s security practices 
    • The business partner’s data center access logs
  10. An organization recently decided to send the backup of its customer relationship management (CRM) system to its cloud provider for recovery. Which of the following should be of GREATEST concern to an IS auditor reviewing this process?

    • Backups are sent and stored in unencrypted format.
    • Validation of backup data has not been performed. 
    • The cloud provider is located in a different country.
    • Testing of restore data has not been performed.
  11. An IS auditor previously worked in an organization’s IT department and was involved with the design of the business continuity plan (BCP). The IS auditor has now been asked to review this same BCP. The auditor should FIRST:

    • document the conflict in the audit report.
    • decline the audit assignment.
    • communicate the conflict of interest to the audit manager prior to starting the assignment.
    • communicate the conflict of interest to the audit committee prior to starting the assignment.
  12. A request for proposal (RFP) for the acquisition of computer hardware should include:

    • the requirement that the supplier allow a right of audit.
    • maximum cost restriction. 
    • support and maintenance requirements. 
    • detailed specification of the current hardware infrastructure.
  13. Which of the following would BEST enable an organization to address the security risks associated with a recently implemented bring your own device (BYOD) strategy?

    • Mobile device upgrade program
    • Mobile device tracking program
    • Mobile device awareness program 
    • Mobile device testing program
  14. An IT strategic plan that BEST leverages IT in achieving organizational goals will include:

    • a risk-based ranking of projects.
    • a comparison of future needs against current capabilities. 
    • IT budgets linked to the organization’s budget.
    • enterprise architecture impacts.
  15. A disaster recovery plan (DRP) should include steps for:

    • assessing and quantifying risk. 
    • negotiating contracts with disaster planning consultants.
    • obtaining replacement supplies.
    • identifying application control requirements.
  16. In a RACI model, which of the following roles must be assigned to only one individual?

    • Responsible
    • Informed
    • Consulted
    • Accountable
  17. A manufacturing company is implementing application software for its sales and distribution system. Which of the following is the MOST important reason for the company to choose a centralized online database?

    • Enhanced data redundancy
    • Elimination of multiple points of failure
    • Elimination of the need for data normalization
    • Enhanced integrity controls
  18. An organization has replaced all of the storage devices at its primary data center with new, higher capacity units. The replaced devices have been installed at the disaster recovery site to replace older units. An IS auditor’s PRIMARY concern would be whether:

    • the procurement was in accordance with corporate policies and procedures.
    • the relocation plan has been communicated to all concerned parties.
    • a hardware maintenance contract is in place for both old and new storage devices.
    • the recovery site devices can handle the storage requirements.
  19. Which of the following BEST describes a common risk in implementing a new application software package?

    • Parameter settings are incorrect.
    • Transaction volume is excessive.
    • Sensitivity of transactions is high.
    • The application lacks audit trails.
  20. An organization is replacing a mission-critical system. Which of the following is the BEST implementation strategy to mitigate and reduce the risk of system failure?

    • Stage
    • Phase
    • Parallel
    • Big-bang