CISA : Certified Information Systems Auditor : Part 79

  1. In the risk assessment process, which of the following should be identified FIRST?

    • Threats
    • Vulnerabilities
    • Assets
    • Impact
  2. Which of the following is the MOST important consideration when sampling is required to validate management’s remediation of audit findings?

    • Whether management approves the sampling methodology to be used
    • Whether the sampling techniques align with industry standards
    • Whether audit team members performing the sampling are adequately trained on the chosen sampling techniques
    • Whether an adequate amount of time has passed to produce a representative population for testing
  3. Which of the following is the BEST evidence of senior management review of IT performance?

    • Key IT performance indicators
    • IT tactical plans
    • Executive committee meeting minutes
    • Balanced scorecard
  4. A senior IS auditor suspects that a PC may have been used to perpetrate a fraud in a finance department. The auditor should FIRST report this suspicion to:

    • audit management
    • the audit committee
    • the police
    • auditee line management
  5. An IS auditor follows up on a recent security incident and finds the incident response was not adequate. Which of the following findings should be considered MOST critical?

    • The attack could not be traced back to the originating person.
    • The security weakness facilitating the attack was not identified.
    • Appropriate response documentation was not maintained.
    • The attack was not automatically blocked by the intrusion detection system (IDS).
  6. Which of the following would provide the MOST useful information for evaluating whether network availability is meeting the performance objectives set by management?

    • Capability maturity model
    • Balanced scorecard
    • IT value analysis
    • Gap analysis
  7. Of the following, who is BEST suited to establish an organization’s risk tolerance?

    • Senior leadership
    • Chief audit executive (CAE)
    • Information system owner
    • Information security officer
  8. Which of the following is MOST essential to quality management?

    • Adherence to a globally recognized quality standard
    • Application of statistical process control methods
    • Commitment on the part of executive management
    • Teamwork by all representatives of the quality group
  9. Which of the following roles is BEST suited to determine information classification?

    • Data custodian
    • Data owner
    • Privacy officer
    • Information security manager
  10. Which of the following control techniques BEST ensures the integrity of system interface transmissions?

    • Reasonableness check
    • Validity check
    • Completeness check
    • Parity check

    Explanation:

    Reference:
    https://www.infosectrain.com/blog/cisa-domain-3-information-systems-acquisition-development-and-implementation-part-7/

  11. To address issues related to privileged users identified in an IS audit, management implemented a security information and event management (SIEM) system. Which type of control is in place?

    • Directive
    • Corrective
    • Detective
    • Preventive
    Explanation:
    Reference:
    https://www.isaca.org/resources/isaca-journal/issues/2015/volume-5/cybersecurity-detective-controlsmonitoring-to-identify-and-respond-to-threats
  12. Which type of control is in place when an organization requires new employees to complete training on applicable privacy and data protection regulations?

    • Directive control
    • Detective control
    • Corrective control
    • Preventive control
    Explanation:
    Reference:
    https://www.isaca.org/resources/isaca-journal/issues/2020/volume-2/aligning-coso-and-privacy-frameworks-to-manage-privacy-in-a-post-gdpr-world
  13. Which of the following is the MOST important process to ensure planned IT system changes are completed in an efficient manner?

    • Configuration management
    • Demand management
    • Release management
    • Incident management
  14. Which of the following will BEST help to ensure that an in-house application in the production environment is current?

    • Version control procedures
    • Quality assurance (QA)
    • Production access control
    • Change management
  15. During a review of IT service desk practices, an IS auditor notes that help desk personnel are spending more time fulfilling user requests for password resets than resolving critical incidents. Which of the following recommendations to IT management would BEST address this situation?

    • Calculate the age of incident tickets and alert senior IT personnel when they exceed service level agreements (SLAs).
    • Provide annual password management training to end users to reduce the number of instances requiring password resets.
    • Incentivize service desk personnel to close incidents within agreed service levels.
    • Implement a self-service solution and redirect users to access frequently requested services.
  16. Which of the following is the MAIN benefit of using data analytics when testing the effectiveness of controls?

    • The full population can be tested.
    • Analytics can be applied to any type of control.
    • The demand for IS auditors is reduced over time.
    • Analytics remove the need to focus on areas of higher risk.
    Explanation:
    Reference:
    https://www.isaca.org/resources/isaca-journal/issues/2017/volume-2/how-analytics-will-transform-internal-audit
  17. When measuring the effectiveness of a security awareness program, the MOST helpful key performance indicator (KPI) is the number of:

    • employees who have signed the information security policy.
    • employees passing a phishing exercise.
    • security incidents detected by tools.
    • employees attending security awareness training.
  18. Which of the following technologies has the SMALLEST maximum range for data transmission between devices?

    • Near-field communication (NFC)
    • Wi-Fi
    • Bluetooth
    • Long-term evolution (LTE)
  19. During the post-implementation review of an application that was implemented six months ago, which of the following would be MOST helpful in determining whether the application meets business requirements?

    • Project closure report and lessons-learned documents from the project management office (PMO)
    • User acceptance testing (UAT) results and sign-off from users on meeting business requirements
    • Difference between approved budget and actual project expenditures determined post implementation
    • Comparison between expected benefits from the business case and actual benefits after implementation
  20. Which of the following provides the BEST evidence of the effectiveness of an organization’s audit quality management procedures?

    • Number of audits completed within the annual audit plan
    • Quality of auditor performance reviews
    • Quality of independent review scores
    • Number of resources dedicated to quality control procedures