CISA Exam-Test 3

1. Which of the following would normally be the MOST reliable evidence for an IS auditor?

- Trend data obtained from World Wide Web (Internet) sources
- Assurance from line management that an application is working as designed
- Ratio analysis developed by the IS auditor from reports supplied by line management
- A confirmation letter received from a third party verifying an account balance

Evidence obtained from independent third parties is almost always considered to be more reliable than assurance provided by local management.

2. Which of the following forms of evidence would an IS auditor consider the MOST reliable?

- An oral statement from the auditee
- An internally generated computer accounting report
- The results of a test performed by an external IS auditor
- A confirmation letter received from an outside source

An independent test performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party because the letter is the result of an analysis of the process and may not be based on authoritative audit techniques. An audit should consist of a combination of inspection, observation and inquiry by an IS auditor as determined by risk. This provides a standard methodology and "reasonable" assurance that the controls and test results are accurate.

3. An organization seeks to control costs related to storage media throughout the information life cycle while still meeting business and regulatory requirements. Which of the following is the BEST way to achieve this objective?

- Utilize solid state memory.
- Stream backups to the cloud.
- Perform periodic tape backups.
- Implement a data retention policy.

4. During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should:

- conduct compliance testing on available data.
- identify and evaluate existing practices.
- create the procedures document based on the practices.
- issue an opinion of the current state and end the audit.

One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management with recommendations to document the current controls or enforce the documented procedures.

5. While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?

- Observe the response mechanism.
- Clear the virus from the network.
- Ensure deletion of the virus.
- Inform appropriate personnel immediately.

The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response.

6. An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:

- variable sampling.
- compliance testing.
- stop-or-go sampling.
- substantive testing.

Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

7. The BEST method of confirming the accuracy of a system tax calculation is by:

- recreating program logic using generalized audit software to calculate monthly totals.
- automatic flowcharting and analysis of the source code of the calculation programs.
- preparing simulated transactions for processing and comparing the results to predetermined results.
- review and analysis of the source code of the calculation programs.

Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation.

8. An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?

- Attribute
- Judgment
- Stop-or-go
- Variable

Attribute sampling is used to test compliance of transactions to controls, in this instance the existence of appropriate approval.

9. An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?

- The business continuity plan (BCP) was not updated.
- Users have not been trained on the new system.
- Users are not required to sign updated acceptable
- Mobile devices are not encrypted.

10. An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:

- place greater reliance on previous audits.
- suspend the audit.
- conclude that the controls are inadequate.
- expand the scope to include substantive testing.

If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.

11. What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:

- introduce audit hooks into the company's financial systems to support continuous auditing.
- be customizable and support inclusion of custom programming to aid in investigative analysis.
- interface with various types of enterprise resource planning (ERP) software and databases.
- accurately capture data from the organization's systems without causing excessive performance problems.

While all of the choices above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool will work effectively on the systems of the organization being audited.

12. An auditor is creating an audit program in which the objective is to establish the adequacy of personal data privacy controls in a payroll process. Which of the following would be MOST important to include?

- Segregation of duties controls
- User access provisioning
- Audit logging of administrative user activity
- Approval of data changes

13. An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?

- Reliability
- Relevance
- Adequacy
- Usefulness

Because the data are directly collected by the IS auditor, the audit findings can be reported with an emphasis on the reliability of the records that are produced and maintained in the system. The reliability of the source of information used provides reassurance on the findings generated.

14. An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:

- implement a strong password schema for users.
- recommend corrective actions to be taken by the security administrator.
- reclassify the data to a lower level of confidentiality.
- require the business owner to conduct regular access reviews.

15. Which of the following should be the GREATEST concern to an IS auditor evaluating an organization's policies?

- Policies do not provide adequate protection to the organization.
- Policies are not reviewed and updated frequently.
- Policies are not formally acknowledged and signed by employees.
- Policies are not formally approved by the management.

16. During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed as management has decided to accept the risk. Which of the following is the IS auditor's BEST course of action?

- Evaluate senior management's acceptance of the risk.
- Update the audit program based on management's acceptance of risk.
- Require the auditee to address the recommendations in full.
- Adjust the annual risk assessment accordingly.

17. Audit management has just completed the annual audit plan for the upcoming year, which consists entirely of high-risk processes. However, it is determined that there are insufficient resources to execute the plan. What should be done NEXT?

- Present the annual plan to the audit committee and ask for more resources.
- Remove audits from the annual plan to better match the number of resources available.
- Review the audit plan and defer some audits to the subsequent year.
- Reduce the scope of the audit to better match the number of resources available.

18. Which of the following IS functions can be performed by the same group or individual while still providing the proper segregation of duties?

- Database administration and computer operations
- Security administration and application programming
- Computer operations and application programming
- Application programming and systems analysis

19. When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling would not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?

- Create additional sample data to test additional changes.
- Perform a walk-through of the change management process.
- Develop an alternate testing procedure.
- Report the finding to management.

If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.

20. An IS auditor is evaluating the access controls at a multinational company with a shared network infrastructure. Which of the following is MOST important?

- Common security policies
- Logging of network information at user level
- Remote network administration
- Simplicity of end-to-end communication paths

21. When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?

- Classification allows an IS auditor to determine which controls are missing.
- Corrective controls are regarded as compensating.
- The point at which controls are exercised as data flow through the system.
- Only preventive and detective controls are relevant.

An IS auditor should focus on when controls are exercised as data flow through a computer system.

22. Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:

- substantive testing.
- compliance testing.
- judgment sampling.
- qualitative analysis.

Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base document. In this case, comparison is made between accounts payable data and the vendor invoices.

23. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:

- identify and evaluate the existing controls.
- identify information assets and the underlying systems.
- disclose the threats and impacts to management.
- ensure the risk assessment is aligned to management's risk assessment process.

It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

24. During a vendor management database audit, an IS auditor identifies multiple instances of duplicate vendor records. In order to prevent recurrence of the same issue, which of the following would be the IS auditor's BEST recommendation to management?

- Request senior management approval of all new vendor details.
- Build a segregation of duties control into the vendor creation process.
- Run system reports of full vendor listings periodically to identify duplication.
- Perform system verification checks for unique data values on key fields.

25. When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with:

- analysis.
- preservation.
- disclosure.
- evaluation.

Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the admissibility of the evidence in legal proceedings.

26. The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?

- Embedded audit module
- Integrated test facility
- Generalized audit software
- Generate sample test data

Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.

27. A substantive test to verify that tape library inventory records are accurate is:

- checking whether receipts and issues of tapes are accurately recorded.
- determining whether bar code readers are installed.
- conducting a physical count of the tape inventory.
- determining whether the movement of tapes is authorized.

A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy or validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.

28. An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?

- Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
- Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.
- Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
- Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.

If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.

29. Which of the following sampling methods is MOST useful when testing for compliance?

- Difference estimation sampling
- Variable sampling
- Attribute sampling
- Stratified mean per unit sampling

Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain pre-defined dollar amount for proper approvals.

30. An IS auditor finds a small number of user access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:

- conduct a security risk assessment.
- recommend that the owner of the identity management (IDM) system fix the workflow issues.
- perform an additional analysis.
- report the problem to the audit committee.

The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and what factors caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, by a problem with the workflow of the automated system or a combination of the two.