CISA Exam-Test 2 0% 822 Sorry your time is over CISA Exam-Test 2 1 / 30 1. Which of the following should the IS auditor do FIRST to ensure data transfer integrity for Internet of Things (IoT) devices? Verify access control lists to the database where collected data is stored. Determine how devices are connected to the local network Ensure that message queue telemetry transport (MQTT) is used. Confirm that acceptable limits of data bandwidth are defined for each device. 2 / 30 2. The practice of periodic secure code reviews is which type of control? Detective Preventive Compensating Corrective 3 / 30 3. An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine: that the control is operating as designed. that the control is operating efficiently. the reasonableness of financial reporting controls. the integrity of data controls. Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are relying on are effective. An effective control is one that meets management expectations and objectives. 4 / 30 4. The extent to which data will be collected during an IS audit should be determined based on the: auditee's ability to find relevant evidence. availability of critical and required information. auditor's familiarity with the circumstances. purpose and scope of the audit being done. The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope or just a high-level review would most likely require less data collection than an audit with a wider purpose and scope. 5 / 30 5. An IS auditor reviews an organizational chart PRIMARILY for: understanding the responsibilities and authority of individuals. investigating various communication channels. an understanding of the complexity of the organizational structure. investigating the network connected to different employees. An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions. 6 / 30 6. A vendor service level agreement (SLA) requires backups to be physically secured. An IS audit of the backup system revealed a number of the backup media Recommend identification of the data stored on the missing media. Notify executive management. Recommend a review of the vendor's contract. 7 / 30 7. Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system'' Records past their retention period may not be migrated to the new system Data from the source and target system may be intercepted Data from the source and target system may have different data formats System performance may be impacted by the migration 8 / 30 8. An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed and the backup restarts cannot be confirmed. What should the IS auditor do? Seek an explanation from IS management. Review the classifications of data held on the server. Expand the sample of logs reviewed. Issue an audit finding. IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure. 9 / 30 9. An IS auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should be to: assure that the integrity of the evidence is maintained. ensure that the independence of an IS auditor is maintained. assess all relevant evidence for the transaction. maintain impartiality while evaluating the transaction. The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law. 10 / 30 10. Which of the following should be an IS auditor's GREATEST concern when reviewing an outsourcing arrangement with a third-party cloud service provider to host personally identifiable The organization's servers are not compatible with the third party's infrastructure Fees are charged based on the volume of data stored by the host. The data is not adequately segregated on the host platform The outsourcing contract does not contain a right-to-audit clause. 11 / 30 11. An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when: generalized audit software is unavailable. the probability of error must be objectively quantified. the auditor wants to avoid sampling risk. the tolerable error rate cannot be determined. Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient). 12 / 30 12. The scheduling of audit follow-ups should be based PRIMARILY on: auditee and auditor time commitments control and detection processes costs and audit efforts involved the risk and exposure involved. 13 / 30 13. Data flow diagrams are used by IS auditors to: identify key controls. graphically summarize data paths and storage. highlight high-level data definitions. portray step-by-step details of data generation. Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data. 14 / 30 14. While planning an IS audit, an assessment of risk should be made to provide: definite assurance that material items will be covered during the audit work. reasonable assurance that all items will be covered by the audit. reasonable assurance that the audit will cover material items. sufficient assurance that all items will be covered during the audit work. ISACA IS Audit and Assurance Guideline (Risk Assessment in Planning) states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. It should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit 15 / 30 15. An IS auditor performing a review of application controls would evaluate the: business processes served by the application. application's optimization. efficiency of the application in meeting the business processes. impact of any exposures discovered. An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses. 16 / 30 16. When planning an application audit, it is MOST important to evaluate risk factors by interviewing: IT management. application owners process owners application users 17 / 30 17. The PRIMARY purpose of an IT forensic audit is: the systematic collection and analysis of evidence after a system irregularity. to preserve evidence of criminal activity. to participate in investigations related to corporate fraud. to assess the correctness of an organization's financial statements. The systematic collection and analysis of evidence best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings. 18 / 30 18. The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to: understand the business process. identify control weakness. develop the risk assessment. comply with auditing standards. Understanding the business process is the first step an IS auditor needs to perform. 19 / 30 19. An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the: IS audit resources to be deployed. most valuable information assets. control objectives and activities. auditee personnel to be interviewed. Once the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit. 20 / 30 20. During a review of operations, it is noted that during a batch update, an error was detected and the database initiated a roll-back. An IT operator stopped the roll-back and re-initiated the update. What should the operator have done PRIOR to re-initiating the update? Allowed the roll-back to complete Determined the cause of the error Scheduled the roll-back for a later time Obtained approval before re-initiating the update 21 / 30 21. During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next? Recommend that program migration be stopped until the change process is documented. Recommend redesigning the change management process. Document the finding and present it to management. Gain more assurance on the findings through root cause analysis. A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management. 22 / 30 22. Which of the following is an advantage of an integrated test facility (ITF)? It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction. It validates application systems and ensures the correct operation of the system. The need to prepare test data is eliminated. Periodic testing does not require separate test processes. An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data. 23 / 30 23. An IS auditor evaluating logical access controls should FIRST: evaluate the security environment in relation to written policies and practices. test controls over the access paths to determine if they are functional. obtain an understanding of the security risk to information processing. document the controls applied to the potential access paths to the system. When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk. 24 / 30 24. Which of the following is MOST important for an IS auditor to evaluate when determining the effectiveness of an information security program? Percentage of reported security incidents Percentage of users aware of the objectives of the security program Percentage of policy exceptions that were approved with justification Percentage of desired control objectives achieved 25 / 30 25. During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to: specify appropriate tests. address audit objectives. minimize audit resources. collect sufficient evidence. SACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in choices B, C and D are all undertaken to address audit objectives and, thus, are secondary to choice A. 26 / 30 26. Which of the following should be of GREATEST concern to an IS auditor testing interface controls for an associated bank wire transfer process? Customer-provided information does not appear to be accurate Data is not independently verified by a third party. Data in the bank's wire transfer system does not reconcile with transferred data. The wire transfer was not completed with the most recent secure protocol. 27 / 30 27. Which audit technique provides the BEST evidence of the segregation of duties in an IT department? Review of the organization chart Observation and interviews Testing of user access rights Discussion with management Based on the observations and interviews, the IT auditor can evaluate the segregation of duties. By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IT staff, the auditor can get an overview of the tasks performed. 28 / 30 28. In planning an IS audit, the MOST critical step is the identification of the: areas of significant risk. skill sets of the audit staff. test steps in the audit. time allotted for the audit. When designing a risk-based audit plan, it is important to identify the areas of highest risk to determine the areas to be audited. 29 / 30 29. When selecting audit procedures, an IS auditor should use professional judgment to ensure that: sufficient evidence will be collected. significant deficiencies will be corrected within a reasonable period. all material weaknesses will be identified. audit costs will be kept at a minimum level. Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the IS auditor's past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide information on how to meet the standards when performing IS audit work. 30 / 30 30. Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit? To establish adequate staffing requirements to complete the IS audit To provide reasonable assurance that all material items will be addressed To determine the skills required to perform the IS audit To develop the audit program and procedures to perform the IS audit A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is important as well. Your score is LinkedIn Facebook Twitter Exit Canvas Bags in Dubai | Canvas Bags in UAE | Canvas Bags in Sharjah
