CISA Exam-Test 2

1. The practice of periodic secure code reviews is which type of control?
- Corrective
- Preventive
- Compensating
- Detective

2. During the planning stage of an IS audit, the PRIMARY goal of an IS auditor is to:
- specify appropriate tests.
- minimize audit resources.
- collect sufficient evidence.
- address audit objectives.
ISACA IS Audit and Assurance Standards require that an IS auditor plan the audit work to address the audit objectives. The activities described in choices B, C and D are all undertaken to address audit objectives and, thus, are secondary to choice A.

3. An IS auditor evaluating logical access controls should FIRST:
- document the controls applied to the potential access paths to the system.
- evaluate the security environment in relation to written policies and practices.
- test controls over the access paths to determine if they are functional.
- obtain an understanding of the security risk to information processing.
When evaluating logical access controls, an IS auditor should first obtain an understanding of the security risk facing information processing by reviewing relevant documentation, by inquiries, and by conducting a risk assessment. This is necessary so that the IS auditor can ensure the controls are adequate to address risk.

4. When selecting audit procedures, an IS auditor should use professional judgment to ensure that:
- significant deficiencies will be corrected within a reasonable period.
- sufficient evidence will be collected.
- audit costs will be kept at a minimum level.
- all material weaknesses will be identified.
Procedures are processes an IS auditor may follow in an audit engagement. In determining the appropriateness of any specific procedure, an IS auditor should use professional judgment appropriate to the specific circumstances. Professional judgment involves a subjective and often qualitative evaluation of conditions arising in the course of an audit. Judgment addresses a grey area where binary (yes/no) decisions are not appropriate and the IS auditor's past experience plays a key role in making a judgment. The IS auditor should use judgment in assessing the sufficiency of evidence to be collected. ISACA's guidelines provide information on how to meet the standards when performing IS audit work.

5. Which of the following is the GREATEST security risk associated with data migration from a legacy human resources (HR) system to a cloud-based system?
- System performance may be impacted by the migration
- Records past their retention period may not be migrated to the new system
- Data from the source and target system may have different data formats
- Data from the source and target system may be intercepted

6. Which of the following is MOST important for an IS auditor to evaluate when determining the effectiveness of an information security program?
- Percentage of policy exceptions that were approved with justification
- Percentage of reported security incidents
- Percentage of users aware of the objectives of the security program
- Percentage of desired control objectives achieved

7. An IS auditor reviews an organizational chart PRIMARILY for:
- understanding the responsibilities and authority of individuals.
- an understanding of the complexity of the organizational structure.
- investigating the network connected to different employees.
- investigating various communication channels.
An organizational chart provides information about the responsibilities and authority of individuals in the organization. This helps an IS auditor to know if there is a proper segregation of functions.

8. Which of the following BEST describes the purpose of performing a risk assessment in the planning phase of an IS audit?
- To provide reasonable assurance that all material items will be addressed
- To establish adequate staffing requirements to complete the IS audit
- To develop the audit program and procedures to perform the IS audit
- To determine the skills required to perform the IS audit
A risk assessment helps focus the audit procedures on the highest risk areas included in the scope of the audit. The concept of reasonable assurance is important as well.

9. An IS auditor has identified a business process to be audited. The IS auditor should NEXT identify the:
- auditee personnel to be interviewed.
- IS audit resources to be deployed.
- most valuable information assets.
- control objectives and activities.
Once the business process is identified, the IS auditor should first identify the control objectives and activities associated with the business process that should be validated in the audit.

10. In planning an IS audit, the MOST critical step is the identification of the:
- test steps in the audit.
- areas of significant risk.
- time allotted for the audit.
- skill sets of the audit staff.
When designing a risk-based audit plan, it is important to identify the areas of highest risk to determine the areas to be audited.

11. Which of the following is an advantage of an integrated test facility (ITF)?
- Periodic testing does not require separate test processes.
- The need to prepare test data is eliminated.
- It validates application systems and ensures the correct operation of the system.
- It uses actual master files or dummies and the IS auditor does not have to review the source of the transaction.
An ITF creates a fictitious entity in the database to process test transactions simultaneously with live input. Its advantage is that periodic testing does not require separate test processes. Careful planning is necessary, and test data must be isolated from production data.

12. An IS auditor should use statistical sampling and not judgmental (nonstatistical) sampling, when:
- the tolerable error rate cannot be determined.
- generalized audit software is unavailable.
- the probability of error must be objectively quantified.
- the auditor wants to avoid sampling risk.
Given an expected error rate and confidence level, statistical sampling is an objective method of sampling, which helps an IS auditor determine the sample size and quantify the probability of error (confidence coefficient).

13. An IS auditor has been asked by management to review a potentially fraudulent transaction. The PRIMARY focus of an IS auditor while evaluating the transaction should be to:
- assess all relevant evidence for the transaction.
- ensure that the independence of an IS auditor is maintained.
- assure that the integrity of the evidence is maintained.
- maintain impartiality while evaluating the transaction.
The IS auditor has been requested to perform an investigation to capture evidence which may be used for legal purposes, and therefore, maintaining the integrity of the evidence should be the foremost goal. Improperly handled computer evidence is subject to being ruled inadmissible in a court of law.

14. Which of the following should the IS auditor do FIRST to ensure data transfer integrity for Internet of Things (IoT) devices?
- Confirm that acceptable limits of data bandwidth are defined for each device.
- Verify access control lists to the database where collected data is stored.
- Ensure that message queue telemetry transport (MQTT) is used.
- Determine how devices are connected to the local network.

15. The PRIMARY purpose of an IT forensic audit is:
- to participate in investigations related to corporate fraud.
- to assess the correctness of an organization's financial statements.
- the systematic collection and analysis of evidence after a system irregularity.
- to preserve evidence of criminal activity.
The systematic collection and analysis of evidence best describes a forensic audit. The evidence collected could then be analyzed and used in judicial proceedings.

16. An IS auditor performing a review of application controls would evaluate the:
- business processes served by the application.
- impact of any exposures discovered.
- application's optimization.
- efficiency of the application in meeting the business processes.
An application control review involves the evaluation of the application's automated controls and an assessment of any exposures resulting from the control weaknesses.

17. Data flow diagrams are used by IS auditors to:
- highlight high-level data definitions.
- portray step-by-step details of data generation.
- identify key controls.
- graphically summarize data paths and storage.
Data flow diagrams are used as aids to graph or chart data flow and storage. They trace data from their origination to destination, highlighting the paths and storage of data.

18. The PRIMARY reason an IS auditor performs a functional walk-through during the preliminary phase of an audit assignment is to:
- identify control weakness.
- understand the business process.
- comply with auditing standards.
- develop the risk assessment.
Understanding the business process is the first step an IS auditor needs to perform.

19. Which of the following should be of GREATEST concern to an IS auditor testing interface controls for an associated bank wire transfer process?
- The wire transfer was not completed with the most recent secure protocol.
- Data in the bank's wire transfer system does not reconcile with transferred data.
- Data is not independently verified by a third party.
- Customer-provided information does not appear to be accurate.

20. An IS auditor is conducting a compliance test to determine whether controls support management policies and procedures. The test will assist the IS auditor to determine:
- that the control is operating as designed.
- the integrity of data controls.
- the reasonableness of financial reporting controls.
- that the control is operating efficiently.
Compliance tests can be used to test the existence and effectiveness of a defined process. Understanding the objective of a compliance test is important. IS auditors want reasonable assurance that the controls they are relying on are effective. An effective control is one that meets management expectations and objectives.

21. While planning an IS audit, an assessment of risk should be made to provide:
- definite assurance that material items will be covered during the audit work.
- sufficient assurance that all items will be covered during the audit work.
- reasonable assurance that the audit will cover material items.
- reasonable assurance that all items will be covered by the audit.
ISACA IS Audit and Assurance Guideline (Risk Assessment in Planning) states that the applied risk assessment approach should help with the prioritization and scheduling process of the IS audit and assurance work. It should support the selection process of areas and items of audit interest and the decision process to design and conduct particular IS audit

22. During a review of operations, it is noted that during a batch update, an error was detected and the database initiated a roll-back. An IT operator stopped the roll-back and re-initiated the update. What should the operator have done PRIOR to re-initiating the update?
- Scheduled the roll-back for a later time
- Determined the cause of the error
- Allowed the roll-back to complete
- Obtained approval before re-initiating the update

23. Which audit technique provides the BEST evidence of the segregation of duties in an IT department?
- Testing of user access rights
- Observation and interviews
- Review of the organization chart
- Discussion with management
Based on the observations and interviews, the IT auditor can evaluate the segregation of duties. By observing the IS staff performing their tasks, an IS auditor can identify whether they are performing any incompatible operations, and by interviewing the IT staff, the auditor can get an overview of the tasks performed.

24. During a change control audit of a production system, an IS auditor finds that the change management process is not formally documented and that some migration procedures failed. What should the IS auditor do next?
- Recommend redesigning the change management process.
- Recommend that program migration be stopped until the change process is documented.
- Gain more assurance on the findings through root cause analysis.
- Document the finding and present it to management.
A change management process is critical to IT production systems. Before recommending that the organization take any other action (e.g., stopping migrations, redesigning the change management process), the IS auditor should gain assurance that the incidents reported are related to deficiencies in the change management process and not caused by some process other than change management.

25. When planning an application audit, it is MOST important to evaluate risk factors by interviewing:
- IT management.
- application owners.
- application users.
- process owners.

26. The scheduling of audit follow-ups should be based PRIMARILY on:
- auditee and auditor time commitments.
- the risk and exposure involved.
- costs and audit efforts involved.
- control and detection processes.

27. The extent to which data will be collected during an IS audit should be determined based on the:
- availability of critical and required information.
- auditor's familiarity with the circumstances.
- purpose and scope of the audit being done.
- auditee's ability to find relevant evidence.
The extent to which data will be collected during an IS audit should be related directly to the scope and purpose of the audit. An IS audit with a narrow purpose and scope or just a high-level review would most likely require less data collection than an audit with a wider purpose and scope.

28. Which of the following should be an IS auditor's GREATEST concern when reviewing an outsourcing arrangement with a third-party cloud service provider to host personally identifiable
- The organization's servers are not compatible with the third party's infrastructure.
- The data is not adequately segregated on the host platform.
- Fees are charged based on the volume of data stored by the host.
- The outsourcing contract does not contain a right-to-audit clause.

29. An IS auditor reviews one day of logs for a remotely managed server and finds one case where logging failed and the backup restarts cannot be confirmed. What should the IS auditor do?
- Review the classifications of data held on the server.
- Issue an audit finding.
- Seek an explanation from IS management.
- Expand the sample of logs reviewed.
IS Audit and Assurance Standards require that an IS auditor gather sufficient and appropriate audit evidence. The IS auditor has found a potential problem and now needs to determine whether this is an isolated incident or a systematic control failure.

30. A vendor service level agreement (SLA) requires backups to be physically secured. An IS audit of the backup system revealed a number of the backup media
- Recommend identification of the data stored on the missing media.
- Notify executive management.
- Recommend a review of the vendor's contract.