CISA Exam-Test 23

1. The PRIMARY objective of conducting a postimplementation review for a business process automation project is to:
A. ensure that the project meets the intended business requirements.
B. confirm compliance with regulatory requirements.
C. evaluate the adequacy of controls.
D. confirm compliance with technological standards.
Answer: A. Ensuring that the project meets the intended business requirements is the primary objective of a postimplementation review.

2. Responsibility and reporting lines cannot always be established when auditing automated systems because:
A. duties change frequently in the rapid development of technology.
B. ownership is difficult to establish where resources are shared.
C. diversified control makes ownership irrelevant.
D. staff traditionally change jobs with greater frequency.
Answer: B. The actual data and/or application owner may be hard to establish because of the complex nature of both data and application systems, and because many systems support more than one business department.

3. Which of the following should be of MOST concern to an IS auditor during the review of a quality management system?
A. Indicators are not fully represented in the quality management system.
B. There are no records to document actions for minor business processes.
C. The quality management system includes training records for IT personnel.
D. Important quality checklists are maintained outside the quality management system.
Answer: D. Quality checklists are key documents of the system; kept outside it they escape its document control and review, so the system cannot evidence that the checks were actually performed.

4. What is essential for the IS auditor to obtain a clear understanding of network management?
A. Security administrator access to systems
B. Systems logs of all hosts providing application services
C. A graphical map of the network topology
D. Administrator access to systems
Answer: C. A graphical map of the network topology gives the auditor the overall picture needed to understand how the network is managed; administrator-level access to systems is neither necessary nor appropriate for the auditor.

5. Which of the following procedures would MOST effectively detect the loading of illegal software packages onto a network?
A. The use of current antivirus software
B. Periodic checking of hard drives
C. Policies that result in instant dismissal if violated
D. The use of diskless workstations
Answer: B. The periodic checking of hard drives would be the most effective method of identifying illegal software packages loaded onto the network. Antivirus software detects malware, not unlicensed but otherwise legitimate software, and dismissal policies and diskless workstations are deterrent or preventive controls rather than detective ones.

6. Once an organization has finished the business process reengineering (BPR) of all its critical operations, an IS auditor would MOST likely focus on a review of:
A. post-BPR process flowcharts.
B. BPR project plans.
C. continuous improvement and monitoring plans.
D. pre-BPR process flowcharts.
Answer: A. An IS auditor's task is to identify and ensure that key controls have been incorporated into the reengineered process, which is documented in the post-BPR flowcharts.

7. Which of the following best characterizes "worms"?
A. Malicious programs that can run independently and can propagate without the aid of a carrier program such as email
B. Programming code errors that cause a program to repeatedly dump data
C. Malicious programs that masquerade as common applications such as screensavers or macro-enabled Word documents
D. Malicious programs that require the aid of a carrier program such as email
Answer: A. A worm is self-contained and self-propagating; option C describes a Trojan horse and option D a virus.

8. An IS auditor is reviewing database log settings and notices that only INSERT and DELETE operations are being monitored in the database. What is the MOST significant risk?
A. Newly added records may not be logged.
B. Changes to existing records may not be logged.
C. Purged records may not be logged.
D. Metadata may not be logged.
Answer: B. UPDATE operations are not logged, so an unauthorized change to an existing record (for example, altering an amount or an approval flag) would leave no trail.

9. An organization has outsourced its help desk function. Which of the following indicators would be the BEST to include in the service level agreement (SLA)?
A. Overall number of users supported
B. Number of incidents reported to the help desk
C. Number of agents answering the phones
D. Percentage of incidents solved in the first call
Answer: D. Because the question is about service level (performance) indicators, the percentage of incidents solved on the first call is a good way to measure the effectiveness of the supporting organization.
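The gap in question 8 is easy to reproduce. The following is an added example, not part of the original test: it builds a small SQLite schema (constructed for illustration, not taken from any real system) with audit triggers that cover only INSERT and DELETE, tampers with an existing row, and shows that the UPDATE leaves no audit record until an UPDATE trigger is added.

```python
"""Audit-trigger gap from question 8: triggers that log only INSERT and
DELETE leave UPDATEs invisible. Added example; the schema and data are
constructed for illustration and are not taken from any real system."""
import sqlite3

SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance REAL);
CREATE TABLE audit_log (
    seq INTEGER PRIMARY KEY AUTOINCREMENT,
    op TEXT NOT NULL,
    row_id INTEGER,
    old_balance REAL,
    new_balance REAL
);
-- The configuration the auditor found: INSERT and DELETE are logged...
CREATE TRIGGER log_insert AFTER INSERT ON accounts BEGIN
    INSERT INTO audit_log(op, row_id, old_balance, new_balance)
    VALUES ('INSERT', NEW.id, NULL, NEW.balance);
END;
CREATE TRIGGER log_delete AFTER DELETE ON accounts BEGIN
    INSERT INTO audit_log(op, row_id, old_balance, new_balance)
    VALUES ('DELETE', OLD.id, OLD.balance, NULL);
END;
"""

# ...and the trigger that closes the gap: record both old and new values.
UPDATE_TRIGGER = """
CREATE TRIGGER log_update AFTER UPDATE ON accounts BEGIN
    INSERT INTO audit_log(op, row_id, old_balance, new_balance)
    VALUES ('UPDATE', NEW.id, OLD.balance, NEW.balance);
END;
"""


def run_scenario(log_updates: bool) -> list[tuple]:
    """Insert an account, tamper with its balance, delete it, and return
    the audit trail that resulted, oldest entry first."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if log_updates:
        conn.executescript(UPDATE_TRIGGER)
    conn.execute("INSERT INTO accounts VALUES (1, 'alice', 100.0)")
    # The interesting event: an existing record is altered in place.
    conn.execute("UPDATE accounts SET balance = 1000000.0 WHERE id = 1")
    conn.execute("DELETE FROM accounts WHERE id = 1")
    rows = conn.execute(
        "SELECT op, row_id, old_balance, new_balance "
        "FROM audit_log ORDER BY seq"
    ).fetchall()
    conn.close()
    return rows


def logged_ops(log_updates: bool) -> list[str]:
    """Just the sequence of operations the audit log captured."""
    return [row[0] for row in run_scenario(log_updates)]


if __name__ == "__main__":
    print("INSERT/DELETE only :", run_scenario(False))
    print("with UPDATE trigger:", run_scenario(True))
```

With only the first two triggers, the trail reads INSERT then DELETE; the only hint that anything happened in between is that the DELETE entry's old balance no longer matches the INSERT entry's new balance, which tells a reviewer nothing about when the change was made or by whom. With the UPDATE trigger in place the modification appears as its own entry with both values.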
10. A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines (ATMs). Which of the following would be the BEST contingency plan for the communications processor?
A. Alternate processor at another network node
B. Reciprocal agreement with another organization
C. Installation of duplex communication links
D. Alternate processor in the same location
Answer: A. The unavailability of the central communications processor would disrupt all access to the banking network. This could be caused by an equipment, power or communications failure. Having a duplicate processor in another location that could be used for alternate processing is the best solution.

11. An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important item to review?
A. References from other clients for the service provider
B. The draft service level agreement (SLA) with the service provider
C. Background checks of the service provider's employees
D. The physical security of the service provider site
Answer: B. When contracting with a service provider, it is good practice to enter into an SLA with the provider. An SLA is a commitment that the provider will deliver the services according to the contract. The IS auditor will want to ensure that performance and security requirements are clearly stated in the SLA.

12. Which audit approach is MOST helpful in optimizing the use of IS audit resources?
A. Risk-based auditing
B. Outsourced auditing
C. Continuous auditing
D. Agile auditing
Answer: A. Risk-based auditing directs limited audit resources to the areas of greatest risk.

13. An IS auditor should ensure that review of online electronic funds transfer (EFT) reconciliation procedures includes:
A. tracing.
B. corrections.
C. vouching.
D. authorizations.
Answer: A. Tracing is a transaction reconciliation effort that involves following the transaction from the original source to its final destination. In EFT transactions, tracing may start from the customer-printed copy of the receipt, proceed through the system audit trails and logs, and finally check the master file records for daily transactions.

14. Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?
A. Configure each authentication server as belonging to a cluster of authentication servers.
B. Configure a single server as a primary authentication server and a second server as a secondary authentication server.
C. Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.
D. Configure each authentication server and ensure that the disks of each server form part of a duplex.
Answer: A. A cluster spreads the authentication load across its members. A primary/secondary pair provides failover but not load distribution, and the RAID and duplex options address disk redundancy rather than server performance.

15. An IS auditor is to assess the suitability of a service level agreement (SLA) between the organization and the supplier of outsourced services. To which of the following observations should the IS auditor pay the MOST attention? The SLA does not contain a:
A. late payment clause between the customer and the supplier.
B. dispute resolution procedure between the contracting parties.
C. transition clause from the old supplier to a new supplier in the case of expiration or termination.
D. contractual commitment for service improvement.
Answer: C. The delivery of IT services for a specific customer always implies a close linkage between the client and the supplier of the service. If there are no contract terms to specify how the transition to a new supplier may be performed, there is the risk that the old supplier may simply "pull the plug" if the contract expires or is terminated, or may not make data available to the outsourcing organization or the new supplier. This would be the greatest risk to the organization.

16. What benefit does using capacity-monitoring software to monitor usage patterns and trends provide to management?
A. The software can dynamically readjust network traffic capabilities based upon current usage.
B. The software produces nice reports that really impress management.
C. It allows users to properly allocate resources and ensure continuous efficiency of operations.
D. It allows management to properly allocate resources and ensure continuous efficiency of operations.
Answer: D. Usage patterns and trends let management plan and allocate capacity before constraints affect operations; the software reports, it does not reconfigure the network, and allocation decisions belong to management rather than users.

17. Which of the following BEST reduces the ability of one device to capture the packets that are meant for another device?
A. Switches
B. Firewalls
C. Routers
D. Hubs
Answer: A. A switch forwards a frame only to the port on which it has learned the destination MAC address, so a device on another port does not normally see traffic addressed to others. A hub repeats every frame to every port, which is why any host on a hub can capture its neighbours' traffic. The protection is not absolute: a switch still floods frames for broadcast or unknown destinations, and MAC flooding or ARP spoofing can defeat it, so switching reduces, rather than eliminates, the capture risk.

18. Management considered two projections for its disaster recovery plan (DRP): plan A with two months to fully recover and plan B with eight months to fully recover. The recovery point objectives are the same in both plans. It is reasonable to expect that plan B projected higher:
A. resumption costs.
B. recovery costs.
C. downtime costs.
D. walk-through costs.
Answer: C. Because management considered a longer time window for recovery in plan B, the downtime costs included in that plan are likely to be higher.

19. Which of the following is often used as a detection and deterrent control against Internet attacks?
A. VPN
B. CCTV
C. Honeypots
D. VLAN
Answer: C. A honeypot is a decoy system that attracts attackers, detecting their activity while diverting them from production systems.

20. Which of the following BEST helps an IS auditor assess and measure the value of a newly implemented system?
A. System certification
B. Postimplementation review
C. Review of business requirements
D. System accreditation
Answer: B. One key objective of a postimplementation review is to evaluate the projected cost-benefits or the return on investment (ROI) measurements.

21. An IS auditor evaluating the resilience of a high-availability network should be MOST concerned if:
A. the network servers are clustered in one site.
B. the setup is geographically dispersed.
C. diverse routing is implemented for the network.
D. a hot site is ready for activation.
Answer: A. A clustered setup in one location makes the entire network vulnerable to natural disasters or other disruptive events.

22. An advantage of using unshielded twisted-pair (UTP) cable for data communication over other copper-based cables is that UTP cable:
A. provides protection against wiretapping.
B. can be used in long-distance networks.
C. is simple to install.
D. reduces crosstalk between pairs.
Answer: D. The twisting of the pairs in UTP cable reduces the likelihood of crosstalk between them.

23. An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?
A. A clause regarding supplier limitation of liability
B. A clause providing a "right to audit" the service provider
C. A clause defining penalty payments for poor performance
D. Predefined service level report templates
Answer: B. The absence of a "right to audit" clause, or of some other form of attestation that the supplier complies with a recognized standard, would potentially prevent the IS auditor from investigating any aspect of supplier performance going forward, including control deficiencies, poor performance and adherence to legal requirements. This would be a major concern for the IS auditor because it would be difficult for the organization to assess whether the appropriate controls had been put in place.

24. There are several methods of providing telecommunication continuity. The method of routing traffic through split cable or duplicate cable facilities is called:
A. long-haul network diversity.
B. last-mile circuit protection.
C. diverse routing.
D. alternative routing.
Answer: C. Diverse routing routes traffic through split-cable facilities or duplicate-cable facilities. This can be accomplished with different and/or duplicate cable sheaths. If different cable sheaths are used, the cable may be in the same conduit and, therefore, subject to the same interruptions as the cable it is backing up. The communication service subscriber can duplicate the facilities by having alternate routes, although the entrance to and from the customer premises may be in the same conduit. The subscriber can obtain diverse routing and alternate routing from the local carrier, including dual-entrance facilities. This type of access is time consuming and costly.

25. What are often the primary safeguards for systems software and data?
A. Administrative access controls
B. Physical access controls
C. Logical access controls
D. Detective access controls
Answer: C. Logical access controls (identification, authentication and authorization enforced by the system) are the primary means of protecting systems software and data from unauthorized access.

26. Which of the following reports should an IS auditor use to check compliance with a service level agreement's (SLA) requirement for uptime?
A. System logs
B. Availability reports
C. Utilization reports
D. Hardware error reports
Answer: B. IS inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for use by users or other processes.

27. The BEST way to validate whether a malicious act has actually occurred in an application is to review:
A. segregation of duties.
B. activity logs.
C. change management logs.
Answer: B. Activity logs record what was actually done in the application and by whom, which is the evidence needed to confirm a malicious act; segregation of duties is a preventive control and change management logs cover changes to the application rather than its use.

28. When reviewing the configuration of network devices, an IS auditor should FIRST identify:
A. whether components of the network are missing.
B. whether subcomponents of the network are being used appropriately.
C. the importance of the network devices in the topology.
D. the good practices for the type of network devices deployed.
Answer: C. The first step is to understand the importance and role of the network device within the organization's network topology.

29. When reviewing an organization's approved software product list, which of the following is the MOST important thing to verify?
A. Due to licensing issues, the list does not contain open source software.
B. The latest version of software is listed for each product.
C. The risk associated with the use of the products is periodically assessed.
D. After-hours support is offered.
Answer: C. Because the business conditions surrounding vendors may change, it is important for an organization to conduct periodic risk assessments of the vendor software list. This may best be incorporated into the IT risk management process.

30. When two or more systems are integrated, the IS auditor must review input/output controls in the:
A. systems sending output to other systems.
B. interfaces between the two systems.
C. systems sending and receiving data.
D. systems receiving the output of other systems.
Answer: C. Both of the systems must be reviewed for input/output controls because the output of one system is the input of the other.
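Question 26 asks which report evidences SLA uptime. The following added example, not part of the original test, shows how such an availability figure is derived from a monitoring log: it parses constructed UP/DOWN state-change lines (the timestamps are invented), sums the downtime inside the reporting period, and compares the result against the SLA target and the downtime budget that target allows. The 99.9% target is an assumed SLA value, and the code assumes the service was UP before the first logged event.

```python
"""Availability report for an SLA uptime check (question 26). Added
example; the log lines are constructed and the SLA target is assumed."""
from datetime import datetime, timedelta

# Constructed monitoring log: one line per state change, ISO 8601 timestamps.
LOG = """\
2024-03-01T00:00:00 UP
2024-03-04T02:15:00 DOWN
2024-03-04T02:40:00 UP
2024-03-18T23:50:00 DOWN
2024-03-19T00:05:00 UP
"""


def parse_log(text: str) -> list[tuple[datetime, str]]:
    """Return (timestamp, state) events in chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, state = line.split()
        if state not in ("UP", "DOWN"):
            raise ValueError(f"unexpected state {state!r}")
        events.append((datetime.fromisoformat(ts), state))
    return sorted(events)


def downtime(events, period_start: datetime, period_end: datetime) -> timedelta:
    """Sum the time spent DOWN within [period_start, period_end).
    Events outside the period are clamped to its edges so that an outage
    straddling the boundary is counted only for the part inside it."""
    total = timedelta()
    state = "UP"  # assumption: service was UP before the first event
    cursor = period_start
    for ts, new_state in events:
        ts = max(min(ts, period_end), period_start)
        if state == "DOWN":
            total += ts - cursor
        cursor = ts
        state = new_state
    if state == "DOWN":  # outage still open at the end of the period
        total += period_end - cursor
    return total


def sla_report(text: str, start_iso: str, end_iso: str, target_pct: float) -> dict:
    """Build the figures an auditor would expect on an availability report."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    period = end - start
    down = downtime(parse_log(text), start, end)
    pct = 100.0 * (1 - down / period)
    # Downtime budget: how much outage the SLA target permits over the period.
    budget = period * (1 - target_pct / 100.0)
    return {
        "downtime_minutes": down.total_seconds() / 60,
        "budget_minutes": round(budget.total_seconds() / 60, 2),
        "availability_pct": round(pct, 4),
        "met": pct >= target_pct,
    }


if __name__ == "__main__":
    print(sla_report(LOG, "2024-03-01T00:00:00", "2024-04-01T00:00:00", 99.9))
```

Over March 2024 the two outages total 40 minutes against a 44.64-minute budget at 99.9%, so the SLA is met; the same log fails a 99.95% target. The clamping in downtime() matters in practice: an outage that began in the previous month must not be charged to this month's report, and an outage still open at month end must be charged up to the period boundary.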
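Questions 13 and 30 both come down to the same practical check: when one system's output becomes another's input, the auditor wants control totals over the batch and the ability to trace individual transactions across the interface. The following added example, not part of the original test, reconciles a constructed sending-side batch against a constructed receiving-side load using a record count, an amount total and a hash total, then traces each transaction ID to classify it as matched, altered, missing or unexpected. The record layout (txn_id, account, amount in cents) is an assumption for illustration, not any real interface format.

```python
"""Interface controls between integrated systems (question 30) with the
per-transaction tracing step from question 13. Added example; both batches
are constructed and the record layout is an assumption."""
import hashlib

# Constructed: what the sending system reports it transmitted...
SENT = [
    ("T1001", "ACC-01", 12500),
    ("T1002", "ACC-02", 7300),
    ("T1003", "ACC-03", 99900),
    ("T1004", "ACC-01", 500),
]
# ...and what the receiving system actually loaded: T1003 lost a digit in
# transit and T1004 never arrived.
RECEIVED = [
    ("T1001", "ACC-01", 12500),
    ("T1002", "ACC-02", 7300),
    ("T1003", "ACC-03", 9990),
]


def control_totals(records) -> dict:
    """Batch-level controls a sending system would place in its trailer.
    The hash total covers every field of every record, order-independent."""
    h = hashlib.sha256()
    for txn_id, account, amount in sorted(records):
        h.update(f"{txn_id}|{account}|{amount}\n".encode())
    return {
        "record_count": len(records),
        "amount_total": sum(r[2] for r in records),
        "hash_total": h.hexdigest(),
    }


def reconcile(sent, received) -> dict:
    """Compare control totals, then trace each transaction across the
    interface so that a total mismatch can be attributed to specific records."""
    sent_ct, recv_ct = control_totals(sent), control_totals(received)
    totals_mismatch = {
        k: (sent_ct[k], recv_ct[k]) for k in sent_ct if sent_ct[k] != recv_ct[k]
    }
    sent_by_id = {r[0]: r for r in sent}
    recv_by_id = {r[0]: r for r in received}
    missing = sorted(set(sent_by_id) - set(recv_by_id))
    unexpected = sorted(set(recv_by_id) - set(sent_by_id))
    altered = [
        (tid, sent_by_id[tid], recv_by_id[tid])
        for tid in sorted(set(sent_by_id) & set(recv_by_id))
        if sent_by_id[tid] != recv_by_id[tid]
    ]
    return {
        "totals_mismatch": totals_mismatch,
        "missing": missing,
        "unexpected": unexpected,
        "altered": altered,
        "clean": not (totals_mismatch or missing or unexpected or altered),
    }


if __name__ == "__main__":
    result = reconcile(SENT, RECEIVED)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The record count and amount total would catch the two defects in this batch on their own, but a count and a sum can also cancel out (one record dropped, another inflated by the same amount), which is why the hash total over all fields is included; the trace then turns "the totals differ" into "T1003 was altered and T1004 is missing", which is the finding an auditor can act on.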