CISA Exam-Test 3

1. Which of the following forms of evidence would an IS auditor consider the MOST reliable?
   The results of a test performed by an external IS auditor
   A confirmation letter received from an outside source
   An oral statement from the auditee
   An internally generated computer accounting report
   An independent test performed by an IS auditor should always be considered a more reliable source of evidence than a confirmation letter from a third party, because the letter is the result of an analysis of the process and may not be based on authoritative audit techniques. An audit should consist of a combination of inspection, observation and inquiry by an IS auditor as determined by risk. This provides a standard methodology and "reasonable" assurance that the controls and test results are accurate.

2. An organization seeks to control costs related to storage media throughout the information life cycle while still meeting business and regulatory requirements. Which of the following is the BEST way to achieve this objective?
   Utilize solid state memory.
   Implement a data retention policy.
   Perform periodic tape backups.
   Stream backups to the cloud.

3. An IS auditor wants to determine the number of purchase orders not appropriately approved. Which of the following sampling techniques should an IS auditor use to draw such conclusions?
   Variable
   Judgment
   Stop-or-go
   Attribute
   Attribute sampling is used to test compliance of transactions to controls; in this instance, the existence of appropriate approval.

4. What is the PRIMARY requirement that a data mining and auditing software tool should meet? The software tool should:
   introduce audit hooks into the company's financial systems to support continuous auditing.
   accurately capture data from the organization's systems without causing excessive performance problems.
   be customizable and support inclusion of custom programming to aid in investigative analysis.
   interface with various types of enterprise resource planning (ERP) software and databases.
   While all of the choices above are desirable in a software tool evaluated for auditing and data mining purposes, the most critical requirement is that the tool will work effectively on the systems of the organization being audited.

5. Which of the following IS functions can be performed by the same group or individual while still providing the proper segregation of duties?
   Security administration and application programming
   Database administration and computer operations
   Application programming and systems analysis
   Computer operations and application programming

6. An organization recently implemented a cloud document storage solution and removed the ability for end users to save data to their local workstation hard drives. Which of the following findings should be the IS auditor's GREATEST concern?
   Users have not been trained on the new system.
   Mobile devices are not encrypted.
   The business continuity plan (BCP) was not updated.
   Users are not required to sign updated acceptable

7. While conducting an audit, an IS auditor detects the presence of a virus. What should be the IS auditor's next step?
   Inform appropriate personnel immediately.
   Ensure deletion of the virus.
   Clear the virus from the network.
   Observe the response mechanism.
   The first thing an IS auditor should do after detecting the virus is to alert the organization to its presence, then wait for their response.

8. When testing program change requests for a remote system, an IS auditor finds that the number of changes available for sampling would not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
   Perform a walk-through of the change management process.
   Report the finding to management.
   Create additional sample data to test additional changes.
   Develop an alternate testing procedure.
   If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.

9. During a vendor management database audit, an IS auditor identifies multiple instances of duplicate vendor records. In order to prevent recurrence of the same issue, which of the following would be the IS auditor's BEST recommendation to management?
   Request senior management approval of all new vendor details.
   Build a segregation of duties control into the vendor creation process.
   Perform system verification checks for unique data values on key fields.
   Run system reports of full vendor listings periodically to identify duplication.

10. An IS auditor finds that one employee has unauthorized access to confidential data. The IS auditor's BEST recommendation should be to:
   recommend corrective actions to be taken by the security administrator.
   implement a strong password schema for users.
   require the business owner to conduct regular access reviews.
   reclassify the data to a lower level of confidentiality.

11. Which of the following would normally be the MOST reliable evidence for an IS auditor?
   Assurance from line management that an application is working as designed
   Ratio analysis developed by the IS auditor from reports supplied by line management
   A confirmation letter received from a third party verifying an account balance
   Trend data obtained from World Wide Web (Internet) sources
   Evidence obtained from independent third parties is almost always considered to be more reliable than assurance provided by local management.

12. Which of the following sampling methods is MOST useful when testing for compliance?
   Variable sampling
   Difference estimation sampling
   Attribute sampling
   Stratified mean per unit sampling
   Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain pre-defined dollar amount for proper approvals.

13. During a follow-up audit, an IS auditor finds that some critical recommendations have not been addressed as management has decided to accept the risk. Which of the following is the IS auditor's BEST course of action?
   Require the auditee to address the recommendations in full.
   Adjust the annual risk assessment accordingly.
   Update the audit program based on management's acceptance of risk.
   Evaluate senior management's acceptance of the risk.

14. When performing a computer forensic investigation, in regard to the evidence gathered, an IS auditor should be MOST concerned with:
   disclosure.
   evaluation.
   preservation.
   analysis.
   Preservation and documentation of evidence for review by law enforcement and judicial authorities are of primary concern when conducting an investigation. Failure to properly preserve the evidence could jeopardize the admissibility of the evidence in legal proceedings.

15. The BEST method of confirming the accuracy of a system tax calculation is by:
   recreating program logic using generalized audit software to calculate monthly totals.
   preparing simulated transactions for processing and comparing the results to predetermined results.
   automatic flowcharting and analysis of the source code of the calculation programs.
   review and analysis of the source code of the calculation programs.
   Preparing simulated transactions for processing and comparing the results to predetermined results is the best method for confirming the accuracy of a tax calculation.

16. An IS auditor uses computer-assisted audit techniques (CAATs) to collect and analyze data. Which of the following attributes of evidence is MOST affected by the use of CAATs?
   Relevance
   Reliability
   Adequacy
   Usefulness
   Because the data are directly collected by the IS auditor, the audit findings can be reported with an emphasis on the reliability of the records that are produced and maintained in the system. The reliability of the source of information used provides reassurance on the findings generated.

17. An IS auditor interviewing a payroll clerk finds that the answers do not support job descriptions and documented procedures. Under these circumstances, the IS auditor should:
   suspend the audit.
   place greater reliance on previous audits.
   expand the scope to include substantive testing.
   conclude that the controls are inadequate.
   If the answers provided to an IS auditor's questions are not confirmed by documented procedures or job descriptions, the IS auditor should expand the scope of testing the controls and include additional substantive tests.

18. Audit management has just completed the annual audit plan for the upcoming year, which consists entirely of high-risk processes. However, it is determined that there are insufficient resources to execute the plan. What should be done NEXT?
   Present the annual plan to the audit committee and ask for more resources.
   Review the audit plan and defer some audits to the subsequent year.
   Reduce the scope of the audit to better match the number of resources available.
   Remove audits from the annual plan to better match the number of resources available.

19. An IS auditor finds a small number of user access requests that had not been authorized by managers through the normal predefined workflow steps and escalation rules. The IS auditor should:
   report the problem to the audit committee.
   conduct a security risk assessment.
   perform an additional analysis.
   recommend that the owner of the identity management (IDM) system fix the workflow issues.
   The IS auditor needs to perform substantive testing and additional analysis to determine why the approval and workflow processes are not working as intended. Before making any recommendation, the IS auditor should gain a good understanding of the scope of the problem and what factors caused this incident. The IS auditor should identify whether the issue was caused by managers not following procedures, by a problem with the workflow of the automated system, or a combination of the two.

20. Comparing data from an accounts payable application with invoices received from vendors in the month of December is BEST described as:
   substantive testing.
   qualitative analysis.
   compliance testing.
   judgment sampling.
   Substantive testing involves obtaining audit evidence on the completeness, accuracy or existence of data at the individual transaction level. This can be achieved by comparing the data in the application to the base document. In this case, comparison is made between accounts payable data and the vendor invoices.

21. During a security audit of IT processes, an IS auditor found that documented security procedures did not exist. The IS auditor should:
   create the procedures document based on the practices.
   issue an opinion of the current state and end the audit.
   conduct compliance testing on available data.
   identify and evaluate existing practices.
   One of the main objectives of an audit is to identify potential risk; therefore, the most proactive approach would be to identify and evaluate the existing security practices being followed by the organization and submit the findings and risk to management with recommendations to document the current controls or enforce the documented procedures.

22. An auditor is creating an audit program in which the objective is to establish the adequacy of personal data privacy controls in a payroll process. Which of the following would be MOST important to include?
   Approval of data changes
   Audit logging of administrative user activity
   User access provisioning
   Segregation of duties controls

23. An IS auditor is reviewing access to an application to determine whether recently added accounts were appropriately authorized. This is an example of:
   variable sampling.
   compliance testing.
   stop-or-go sampling.
   substantive testing.
   Compliance testing determines whether controls are being applied in compliance with policy. This includes tests to determine whether new accounts were appropriately authorized.

24. Which of the following should be the GREATEST concern to an IS auditor evaluating an organization's policies?
   Policies are not formally acknowledged and signed by employees.
   Policies do not provide adequate protection to the organization.
   Policies are not reviewed and updated frequently.
   Policies are not formally approved by the management.

25. The vice president of human resources has requested an IS audit to identify payroll overpayments for the previous year. Which would be the BEST audit technique to use in this situation?
   Generalized audit software
   Generate sample test data
   Integrated test facility
   Embedded audit module
   Generalized audit software features include mathematical computations, stratification, statistical analysis, sequence checking, duplicate checking and recomputations. An IS auditor, using generalized audit software, could design appropriate tests to recompute the payroll, thereby determining whether there were overpayments and to whom they were made.

26. A substantive test to verify that tape library inventory records are accurate is:
   determining whether bar code readers are installed.
   conducting a physical count of the tape inventory.
   determining whether the movement of tapes is authorized.
   checking whether receipts and issues of tapes are accurately recorded.
   A substantive test includes gathering evidence to evaluate the integrity (i.e., the completeness, accuracy or validity) of individual transactions, data or other information. Conducting a physical count of the tape inventory is a substantive test.

27. When evaluating the collective effect of preventive, detective and corrective controls within a process, an IS auditor should be aware of which of the following?
   Corrective controls are regarded as compensating.
   Classification allows an IS auditor to determine which controls are missing.
   Only preventive and detective controls are relevant.
   The point at which controls are exercised as data flow through the system.
   An IS auditor should focus on when controls are exercised as data flow through a computer system.

28. In the course of performing a risk analysis, an IS auditor has identified threats and potential impacts. Next, the IS auditor should:
   identify information assets and the underlying systems.
   disclose the threats and impacts to management.
   identify and evaluate the existing controls.
   ensure the risk assessment is aligned to management's risk assessment process.
   It is important for an IS auditor to identify and evaluate the existence and effectiveness of existing and planned controls so that the risk level can be calculated after the potential threats and possible impacts are identified.

29. An IS auditor is reviewing security controls for a critical web-based system prior to implementation. The results of the penetration test are inconclusive, and the results will not be finalized prior to implementation. Which of the following is the BEST option for the IS auditor?
   Request a delay of the implementation date until additional security testing can be completed and evidence of appropriate controls can be obtained.
   Publish a report based on the available information, highlighting the potential security weaknesses and the requirement for follow-up audit testing.
   Publish a report omitting the areas where the evidence obtained from testing was inconclusive.
   Inform management that audit work cannot be completed prior to implementation and recommend that the audit be postponed.
   If the IS auditor cannot gain sufficient assurance for a critical system within the agreed-on time frame, this fact should be highlighted in the audit report and follow-up testing should be scheduled for a later date. Management could then determine whether any of the potential weaknesses identified were significant enough to delay the go-live date for the system.

30. An IS auditor is evaluating the access controls at a multinational company with a shared network infrastructure. Which of the following is MOST important?
   Logging of network information at user level
   Remote network administration
   Common security policies
   Simplicity of end-to-end communication paths