CISA Exam-Test 1

1. Which of the following is the FIRST step performed prior to creating a risk ranking for the annual internal IS audit plan?
- Identify the critical controls.
- Prioritize the identified risk.
- Determine the testing approach.
- Define the audit universe.

In a risk-based audit approach, the IS auditor identifies risk to the organization based on the nature of the business. In order to plan an annual audit cycle, the types of risk must be ranked. To rank the types of risk, the auditor must first define the audit universe by considering the IT strategic plan, organizational structure and authorization matrix.

2. After the release of an application system, an IS auditor wants to verify that the system is providing value to the organization. The auditor's BEST course of action would be to:
- perform a gap analysis against the benefits defined in the business case.
- review the results of compliance testing.
- quantify improvements in client satisfaction.
- confirm that risk has declined since the application system release.

3. Which of the following situations could impair the independence of an IS auditor? The IS auditor:
- implemented specific functionality during the development of an application.
- designed an embedded audit module for auditing an application.
- participated as a member of an application project team and did not have operational responsibilities.
- provided consulting advice concerning application good practices.

Independence may be impaired if an IS auditor is, or has been, actively involved in the development, acquisition and implementation of the application system.

4. An organization transmits a large amount of data from one internal system to another. The IS auditor is reviewing the quality of the data at the originating point. Which of the following should the auditor verify FIRST?
- The data transformation is accurate.
- The data has been encrypted.
- The data extraction process is completed.
- The source data is accurate.

5. For a retail business with a large volume of transactions, which of the following audit techniques is the MOST appropriate for addressing emerging risk?
- Quarterly risk assessments
- Continuous auditing
- Sampling of transaction logs
- Use of computer-assisted audit techniques (CAATs)

The implementation of continuous auditing enables a real-time feed of information to management through automated reporting processes so that management may implement corrective actions more quickly.

6. An organization's IS audit charter should specify the:
- role of the IS audit function.
- objectives and scope of IS audit engagements.
- detailed training plan for the IS audit staff.
- plans for IS audit engagements.

An IS audit charter establishes the role of the information systems audit function. The charter should describe the overall authority, scope and responsibilities of the audit function. It should be approved by the highest level of management and, if available, by the audit committee.

7. An IS auditor discovers a recurring software control process issue that severely impacts the efficiency of a critical business process. Which of the following is the BEST recommendation?
- Replace the malfunctioning system.
- Determine the compensating controls.
- Identify other impacted processes.
- Determine the root cause of the issue.

8. Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor's BEST course of action would be to determine if:
- the patches were updated.
- the network traffic was being monitored.
- the logs were monitored.
- the domain controller was classified for high availability.

9. Which of the following is the MOST critical step when planning an IS audit?
- Perform a risk assessment.
- Obtain executive management's approval of the audit plan.
- Review IS security policies and procedures.
- Review findings from prior audits.

Of all the steps listed, performing a risk assessment is the most critical. Risk assessment is required by ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.2: "IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when planning individual engagements." In addition to the standards requirement, if a risk assessment is not performed, then high-risk areas of the auditee's systems or operations may not be identified for evaluation.

10. When developing a risk-based audit strategy, an IS auditor should conduct a risk assessment to ensure that:
- a gap analysis is appropriate.
- audit risk is considered.
- vulnerabilities and threats are identified.
- controls needed to mitigate risk are in place.

In order to develop a risk-based audit strategy, it is critical that the risk and vulnerabilities be understood. This will determine the areas to be audited and the extent of coverage.

11. To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
- develop the audit plan on the basis of a detailed risk assessment.
- train the IS audit staff on current technology used in the company.
- monitor progress of audits and initiate cost control measures.
- schedule the audits and monitor the time spent on each audit.

Monitoring the time and audit programs, as well as adequate training, will improve the IS audit staff's productivity (efficiency and performance), but what delivers value to the organization is ensuring that the resources and efforts being dedicated to audit are focused on higher-risk areas.

12. An IS auditor finds that corporate mobile devices used by employees have varying levels of password settings. Which of the following would be the BEST recommendation?
- Update the acceptable use policy for mobile devices.
- Notify employees to set passwords to a specified length.
- Apply a security policy to the mobile devices.
- Encrypt data between the corporate gateway and devices.

13. Which of the following should be of GREATEST concern to an IS auditor conducting an audit of an organization's backup processes?
- A written backup policy is not available.
- Backup failures are not resolved in a timely manner.
- The service levels are not achieved.
- The restoration process is slow due to connectivity issues.

14. A PRIMARY benefit derived for an organization employing control self-assessment (CSA) techniques is that it:
- allows IS auditors to independently assess risk.
- allows management to relinquish responsibility for control.
- can identify high-risk areas that might need a detailed review later.
- can be used as a replacement for traditional audits.

CSA is predicated on the review of high-risk areas that either need immediate attention or may require a more thorough review at a later date.

15. The PRIMARY advantage of a continuous audit approach is that it:
- simplifies the extraction and correlation of data from multiple and complex systems.
- does not require an IS auditor to collect evidence on system reliability while processing is taking place.
- places the responsibility for enforcement and monitoring of controls on the security department instead of audit.
- allows the IS auditor to review and follow up on audit issues in a timely manner.

Continuous audit allows audit of, and response to, audit issues in a timely manner because audit findings are gathered in near real time.

16. The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?
- Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.
- Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
- Sharing the scripts is required because IT must have the ability to review all programs and software that run on IS systems regardless of audit independence.
- Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.

Information systems audit can still review all aspects of the systems. They may not be able to review the effectiveness of the scripts themselves, but they can still audit the systems.

17. An IS auditor discovers that devices connected to the network have not been included in a network diagram that had been used to develop the scope of the audit. The chief information officer (CIO) explains that the diagram is being updated and awaiting final approval. The IS auditor should FIRST:
- note a control deficiency because the network diagram has not been approved.
- expand the scope of the IS audit to include the devices that are not on the network diagram.
- plan follow-up audits of the undocumented devices.
- evaluate the impact of the undocumented devices on the audit scope.

In a risk-based approach to an IS audit, the scope is determined by the impact the devices will have on the audit. If the undocumented devices do not impact the audit scope, then they may be excluded from the current audit engagement. The information provided on a network diagram can vary depending on what is being illustrated, for example the network layer, cross connections, etc.

18. An IS auditor is evaluating management's risk assessment of information systems. The IS auditor should FIRST review:
- the effectiveness of the controls.
- the mechanism for monitoring the risk.
- the threats/vulnerabilities affecting the assets.
- the controls in place.

One of the key factors to be considered while assessing the information systems risk is the value of the systems (the assets) and the threats and vulnerabilities affecting the assets. The risk related to the use of information assets should be evaluated in isolation from the installed controls.

19. An IS auditor is reviewing a software application that is built on the principles of service-oriented architecture (SOA). What is the INITIAL step?
- Reviewing the service level agreements (SLAs) established for all system providers.
- Auditing the core service and its dependencies on other systems.
- Understanding services and their allocation to business processes by reviewing the service repository documentation.
- Sampling the use of service security standards as represented by the Security Assertion Markup Language (SAML).

A service-oriented architecture (SOA) relies on the principles of a distributed environment in which services encapsulate business logic as a black box and might be deliberately combined to depict real-world business processes. Before reviewing services in detail, it is essential for the IS auditor to comprehend the mapping of business processes to services.

20. The MOST appropriate action for an IS auditor to take when shared user accounts are discovered is to:
- document the finding and explain the risk of using shared IDs.
- inform the audit committee of the potential issue.
- request that the IDs be removed from the system.
- review audit logs for the IDs in question.

An IS auditor's role is to detect and document findings and control deficiencies. Part of the audit report is to explain the reasoning behind the findings. The use of shared IDs is not recommended because it does not allow for accountability of transactions. An IS auditor would defer to management to decide how to respond to the findings presented.

21. An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?
- Restricting the use of devices for personal purposes during working hours
- Partitioning the work environment from personal space on devices
- Installing security software on the devices
- Preventing users from adding applications

22. The decisions and actions of an IS auditor are MOST likely to affect which of the following types of risk?
- Inherent
- Business
- Detection
- Control

Detection risk is directly affected by the IS auditor's selection of audit procedures and techniques. Detection risk is the risk that a review will not detect or notice a material issue.

23. An IS auditor is developing an audit plan for an environment that includes new systems. The company's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
- Determine the highest-risk systems and plan accordingly.
- Audit systems not included in last year's scope.
- Audit the new systems as requested by management.
- Audit both the systems not in last year's scope and the new systems.

The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1202 (Risk Assessment in Planning), statement 1202.1: "The IS audit and assurance function shall use an appropriate risk assessment approach and supporting methodology to develop the overall IS audit plan and determine priorities for the effective allocation of IS audit resources."

24. An IS auditor reviewing the system development life cycle (SDLC) finds there is no requirement for business cases. Which of the following should be of GREATEST concern to the organization?
- Vendor selection criteria are not sufficiently evaluated.
- Business impacts of projects are not adequately analyzed.
- Business resources have not been optimally assigned.
- Project costs exceed established budgets.

25. Which of the following responsibilities would MOST likely compromise the independence of an IS auditor when reviewing the risk management process?
- Performing due diligence of the risk management processes
- Participating in the design of the risk management framework
- Advising on different implementation techniques
- Facilitating risk awareness training

Participating in the design of the risk management framework involves designing controls, which will compromise the independence of the IS auditor to audit the risk management process.

26. The BEST method an organization can employ to align its business continuity plan (BCP) and disaster recovery plan (DRP) with core business needs is to:
- update the business impact analysis (BIA) for significant business changes.
- outsource the maintenance of the BCP and disaster recovery plan to a third party.
- execute periodic walk-throughs of the plans.
- include BCP and disaster recovery plan responsibilities as a part of new employee training.

27. Which of the following is the BEST factor for determining the required extent of data collection during the planning phase of an IS compliance audit?
- Findings and issues noted from the prior year
- Auditor's familiarity with the organization
- Purpose, objective and scope of the audit
- Complexity of the organization's operation

The extent to which data will be collected during an IS audit is related directly to the purpose, objective and scope of the audit. An audit with a narrow purpose and limited objective and scope is most likely to result in less data collection than an audit with a wider purpose and scope. Statistical analysis may also determine the extent of data collection, such as sample size or means of data collection.

28. An IS auditor analyzing the audit log of a database management system (DBMS) finds that some transactions were partially executed as a result of an error and have not been rolled back. Which of the following transaction processing features has been violated?
- Consistency
- Atomicity
- Durability
- Isolation

29. An audit charter should:
- be dynamic and change to coincide with the changing nature of technology and the audit profession.
- clearly state audit objectives for, and the delegation of, authority to the maintenance and review of internal controls.
- document the audit procedures designed to achieve the planned audit objectives.
- outline the overall authority, scope and responsibilities of the audit function.

An audit charter should state management's objectives for, and delegation of authority to, information systems auditors.

30. An internal IS audit function is planning a general IS audit. Which of the following activities takes place during the FIRST step of the planning phase?
- Development of an audit program
- Review of the audit charter
- Identification of key information owners
- Development of a risk assessment

A risk assessment should be performed to determine how internal audit resources should be allocated in order to ensure that all material items will be addressed.