CISA Final Assessment 1

An IS auditor learns a server administration team regularly applies workarounds to address repeated failures of critical data processing services. Which of the following would BEST enable the organization to resolve this issue?

Service level management
Incident management
Problem management
Change management

An IS auditor is informed that several spreadsheets are being used to generate key financial information. What should the auditor verify NEXT?

Whether adequate documentation and training is available for spreadsheet users
Whether the spreadsheets meet the minimum IT general controls requirements
Whether there is a complete inventory of end-user computing (EUC) spreadsheet
Whether the spreadsheets are being formally reviewed by the chief financial officer (CFO)

An IS auditor is reviewing a contract for the outsourcing of IT facilities. If missing, which of the following should present the GREATEST concern to the auditor?

Access control requirements
Hardware configurations
Help desk availability
Perimeter network security diagram

An IS auditor is reviewing a data conversion project. Which of the following is the auditor’s BEST recommendation prior to go-live?

Automate the test scripts.
Conduct a mock conversion test.
Review test procedures and scenarios.
Establish a configuration baseline.

An IS auditor should ensure that an application’s audit trail:

has adequate security.
is accessible online.
does not impact operational efficiency.
logs all database records.

Which of the following would provide the BEST evidence of an IT strategy committee’s effectiveness?

The minutes from the IT strategy committee meetings
The IT strategy committee charter
Synchronization of IT activities with corporate objectives
Business unit satisfaction survey results

An IS auditor is reviewing the business requirements for the deployment of a new website. Which of the following cryptographic systems would provide the BEST evidence of secure communications on the Internet?

Transport Layer Security (TLS)
Wi-Fi Protected Access 2 (WPA2)
IP Security (IPSEC)
Secure Shell (SSH)

An IS auditor is performing a follow-up audit for findings identified in an organization’s user provisioning process. Which of the following is the MOST appropriate population to sample from when testing for remediation?

All users provisioned after management resolved the audit issue
All users who have followed user provisioning processes provided by management
All users provisioned after the final audit report was issued
All users provisioned after the finding was originally identified

Which of the following is the BEST method to prevent wire transfer fraud by bank employees?

Two-factor authentication control
System-enforced dual control
Independent reconciliation
Re-keying of wire dollar amounts

Which of the following would be MOST useful to an organization planning to adopt a public cloud computing model?

Service level agreement (SLA) performance metrics
Management attestation report
Independent control assessment
Audit report prepared by the service provider

Which of the following is the MOST effective control to mitigate unintentional misuse of authorized access?

Regular monitoring of user access logs
Security awareness training
Annual sign-off of acceptable use policy
Formalized disciplinary action

In order to be useful, a key performance indicator (KPI) MUST:

be approved by management.
be changed frequently to reflect organizational strategy.
have a target value.
be measurable in percentages

Which of the following should be of GREATEST concern to an IS auditor reviewing an organization’s IT process performance reports over the last quarter?

Metrics are not aligned with industry benchmarks.
Metrics were defined without stakeholder review.
Key performance indicators (KPIs) were met in only one month.
Performance reporting includes too many technical terms.

Which of the following is MOST important to have in place to build consensus among key stakeholders on the cost-effectiveness of IT?

IT project governance and management
Standardized enterprise architecture (EA)
IT performance monitoring and reporting
A uniform IT chargeback process

Which of the following is the PRIMARY benefit of continuous auditing?

It facilitates the use of robotic automation processes.
It allows reduced sample sizes for testing.
It enables timely detection of anomalies.
It deters fraudulent transactions.

Which of the following are BEST suited for continuous auditing?

Low-value transactions
Irregular transactions
Real-time transactions
Manual transactions

Which of the following is the BEST method to maintain an audit trail of changes made to the source code of a program?

Standardize file naming conventions.
Utilize automated version control.
Embed details within source code.
Document details on a change register.

Which of the following is MOST likely to be detected by an IS auditor applying data analytic techniques?

Issues resulting from an unsecured application automatically uploading transactions to the general ledger
Unauthorized salary or benefit changes to the payroll system generated by authorized users
Potentially fraudulent invoice payments originating within the accounts payable department
Completion of inappropriate cross-border transmission of personally identifiable information (PII)

An IS auditor is planning an audit of an organization’s accounts payable processes. Which of the following controls is MOST important to assess in the audit?

Segregation of duties between issuing purchase orders and making payments
Management review and approval of purchase orders
Management review and approval of authorization tiers
Segregation of duties between receiving invoices and setting authorization limits

An IS auditor discovers that due to resource constraints, a database administrator (DBA) is responsible for developing and executing changes into the production environment. Which of the following should the auditor do FIRST?

Ensure a change management process is followed prior to implementation.
Identify whether any compensating controls exist.
Determine whether another database administrator (DBA) could make the changes.
Report a potential segregation of duties (SoD) violation.

An IS auditor is reviewing logical access controls for an organization’s financial business application. Which of the following findings should be of GREATEST concern to the auditor?

Management does not review application user activity logs.
Password length is set to eight characters.
User accounts are shared between users.
Users are not required to change their passwords on a regular basis.

An IS auditor has discovered that unauthorized customer management software was installed on a workstation. The auditor determines the software has been uploading customer data to an external party. Which of the following is the IS auditor’s BEST course of action?

Review other workstations to determine the extent of the incident.
Determine the number of customer records that were uploaded.
Notify the incident response team.
Present the issue at the next audit progress meeting.

An IS auditor is reviewing an organization’s information asset management process. Which of the following would be of GREATEST concern to the auditor?

Process ownership has not been established.
Identification of asset value is not included in the process.
The process does not require specifying the physical locations of assets.
The process does not include asset review.

An IS auditor is conducting a post-implementation review of an enterprise resource planning (ERP) system. End users indicated concerns with the accuracy of critical automatic calculations made by the system. The auditor’s FIRST course of action should be to:

verify completeness of user acceptance testing (UAT).
verify results to determine validity of user concerns.
review initial business requirements.
review recent changes to the system.

An IS auditor performing an audit of backup procedures observes that backup tapes are picked up weekly and stored offsite at a third-party hosting facility. Which of the following recommendations would be the BEST way to protect the integrity of the data on the backup tapes?

Ensure that data is encrypted before leaving the facility
Confirm that data transfers are logged and recorded.
Confirm that data is transported in locked tamper-evident containers.
Ensure that the transport company obtains signatures for all shipments.

An IS auditor has been asked to perform an assurance review of an organization’s mobile computing security. To ensure the organization is able to centrally manage mobile devices to protect against data disclosure, it is MOST important for the auditor to determine whether:

lost devices can be located remotely.
procedures for lost devices include remote wiping of data.
a mobile security awareness training program exists.
a security policy exists for mobile devices.

An IS auditor has been asked to perform a post-implementation assessment of a new corporate human resources (HR) system. Which of the following control areas would be MOST important to review for the protection of employee information?

Data retention practices
Authentication mechanisms
System architecture
Logging capabilities

An external IS auditor has been engaged to determine the organization’s cybersecurity posture. Which of the following is MOST useful for this purpose?

Capability maturity assessment
Compliance reports
Control self-assessment (CSA)
Industry benchmark report

An IS auditor observes that a business-critical application does not currently have any level of fault tolerance. Which of the following is the GREATEST concern with this situation?

Degradation of services
Decreased mean time between failures (MTBF)
Limited tolerance for damage
Single point of failure

An IS auditor is evaluating an organization’s IT strategy and plans. Which of the following would be of GREATEST concern?

IT is not engaged in business strategic planning.
The business strategy meeting minutes are not distributed.
There is inadequate documentation of IT strategic planning.
There is not a defined IT security policy.

An IS auditor reviewing the threat assessment for a data center would be MOST concerned if:

neighboring organizations' operations have been included.
the exercise was completed by local management.
all identified threats relate to external entities.
some of the identified threats are unlikely to occur.

An IS auditor observes that exceptions have been approved for an organization’s information security policy. Which of the following is MOST important for the auditor to confirm?

Exceptions do not change residual risk.
Exceptions are approved for predefined periods.
Exceptions require changes to the policy.
Exceptions are approved by the board of directors.

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor’s BEST recommendation?

Hire temporary contract workers for the IT function.
Build a virtual environment.
Increase the capacity of existing systems.
Upgrade hardware to newer technology.

A senior auditor is reviewing work papers prepared by a junior auditor indicating that a finding was removed after the auditee said they corrected the problem.
Which of the following is the senior auditor’s MOST appropriate course of action?

Ask the auditee to retest.
Have the finding reinstated.
Refer the issue to the audit director.
Approve the work papers as written.

An IS auditor finds that while an organization’s IT strategy is heavily focused on research and development, the majority of projects in the IT portfolio focus on operations and maintenance. Which of the following is the BEST recommendation?

Review priorities in the IT portfolio.
Change the IT strategy to focus on operational excellence.
Align the IT portfolio with the IT strategy.
Align the IT strategy with business objectives.

Which of the following documents should specify roles and responsibilities within an IT audit organization?

Organizational chart
Annual audit plan
Audit charter
Engagement letter

Which of the following presents the GREATEST challenge to the alignment of business and IT?

Lack of information security involvement in business strategy development
An IT steering committee chaired by the chief information officer (CIO)
Insufficient IT budget to execute new business projects
Lack of chief information officer (CIO) involvement in board meetings

Which of the following would be of MOST concern when determining if information assets are adequately safeguarded during transport and disposal?

Lack of recent awareness training
Lack of appropriate labeling
Lack of appropriate data classification
Lack of password protection

Which of the following provides the BEST evidence that a third-party service provider’s information security controls are effective?

Documentation of the service provider's security configuration controls
An audit report of the controls by the service provider's external auditor
An interview with the service provider's information security officer
A review of the service provider's policies and procedures

Which of the following is the BEST reason to implement a data retention policy?

To establish a recovery point objective (RPO) for disaster recovery procedures
To assign responsibility and owners hip for data protection outside IT
To limit the liability associated with storing and protecting information
To document business objectives for processing data within the organization

Capacity management enables organizations to:

establish the capacity of network communication links.
forecast technology trends.
identify the extent to which components need to be upgraded.
determine business transaction volumes.

Which of the following is the MOST effective way for an IS auditor to evaluate whether an organization is well positioned to defend against an advanced persistent threat (APT)?

Verify that the organization has adequate levels of cyber insurance.
Review the validity of external Internet Protocol (IP) addresses accessing the network.
Verify that the organization is using correlated data for security monitoring.
Assess the skill set with in the security function.

A credit card company has decided to outsource the printing of customer statements. It is MOST important for the company to verify whether:

the provider has alternate service locations.
the contract includes compensation for deficient service levels.
the provider adheres to the company's data retention policies.
the provider's information security controls are aligned with the company's.

An IS auditor is conducting a review of a data center. Which of the following observations could indicate an access control issue?

Security cameras deployed outside main entrance
Muddy footprints directly inside the emergency exit
Fencing around facility is two meters high
Antistatic mats deployed at the computer room entrance

An IS auditor notes that IT and the business have different opinions on the availability of their application servers. Which of the following should the IS auditor review FIRST in order to understand the problem?

The exact definition of the service levels and their measurement
The regular performance-reporting documentation
The alerting and measurement process on the application servers
The actual availability of the servers as part of a substantive test

Which type of migration process would BEST minimize the risk associated with a payroll application when converting from an old to a new system?

Phased
Direct
Parallel
Simulated

Which of the following is MOST important for an IS auditor to verify when reviewing the use of an outsourcer for disposal of storage media?

The contract includes issuance of a certificate of destruction by the vendor.
The vendor's process appropriately sanitizes the media before disposal.
The vendor has not experienced security incidents in the past
The disposal transportation vehicle is fully secure.

Which of the following is a detective control?

Verification of hash totals
Programmed edit checks for data entry
Use of pass cards to gain access to physical facilities
Backup procedures

Which of the following is the BEST way for an organization to mitigate the risk associated with third-party application performance?

Use analytics within the internal audit function.
Ensure the third party allocates adequate resources to meet requirements.
Conduct a capacity planning exercise.
Utilize performance monitoring tools to verify service level agreements (SLAs).

An organization conducted an exercise to test the security awareness level of users by sending an email offering a cash reward to those who click on a link embedded in the body of the email. Which of the following metrics BEST indicates the effectiveness of awareness training?

The number of users forwarding the email to their business unit managers
The number of users clicking on the link to learn more about the sender of the email
The number of users reporting receipt of the email to the information security team
The number of users deleting the email without reporting because it is a phishing email

A review of Internet security disclosed that users have individual user accounts with Internet service providers (ISPs) and use these accounts for downloading business data. The organization wants to ensure that only the corporate network is used. The organization should FIRST:

use a proxy server to filter out Internet sites that should not be accessed.
keep a manual log of Internet access.
include a statement in its security policy about Internet use.
monitor remote access activities.

Which of the following is MOST important to ensure when developing an effective security awareness program?

Phishing exercises are conducted post-training.
Training personnel are information security professionals.
Outcome metrics for the program are established.
Security threat scenarios are included in the program content.

An IS auditor has discovered that a cloud-based application was not included in an application inventory that was used to confirm the scope of an audit. The business process owner explained that the application will be audited by a third party in the next year. The auditor’s NEXT step should be to:

evaluate the impact of the cloud application on the audit scope.
revise the audit scope to include the cloud-based application.
review the audit report when performed by the third party.
report the control deficiency to senior management.

While executing follow-up activities, an IS auditor is concerned that management has implemented corrective actions that are different from those originally discussed and agreed with the audit function. In order to resolve the situation, the IS auditor’s BEST course of action would be to:

determine whether the alternative controls sufficiently mitigate the risk.
postpone follow-up activities and escalate the alternative controls to senior audit management.
re-prioritize the original issue as high risk and escalate to senior management.
schedule a follow-up audit in the next audit cycle.

Which of the following is the PRIMARY reason to follow a configuration management process to maintain applications?

To optimize system resources
To optimize asset management workflows
To ensure proper change control
To follow system hardening standards

What should an IS auditor do FIRST when management responses to an in-person internal control questionnaire indicate a key internal control is no longer effective?

Validate the overall effectiveness of the internal control.
Determine the resources required to make the control effective.
Verify the impact of the control no longer being effective
Ascertain the existence of other compensating controls.

Which of the following is the PRIMARY reason for an IS audit manager to review the work performed by a senior IS auditor prior to presentation of a report?

To ensure the conclusions are adequately supported
To ensure adequate sampling methods were used during fieldwork
To ensure the work is properly documented and filed
To ensure the work is conducted according to industry standards

Following the implementation of a data loss prevention (DLP) tool, administrators have been overwhelmed with a high number of false positives. Which of the following is the BEST way to address this issue?

Enable monitoring-only mode to permit further tuning of the solution.
Educate staff about the risks of sharing sensitive information outside the organization.
Amend policy rules to match approved and unapproved business information pathways.
Ensure the latest signature files are present and configure regular updates.

During an exit interview, senior management disagrees with some of the facts presented in the draft audit report and wants them removed from the report. Which of the following would be the auditor’s BEST course of action?

Revise the assessment based on senior management's objections
Gather evidence to analyze senior management's objections.
Escalate the issue to audit management.
Finalize the draft audit report without changes.

An organization was recently notified by its regulatory body of significant discrepancies in its reporting data. A preliminary investigation revealed that the discrepancies were caused by problems with the organization’s data quality. Management has directed the data quality team to enhance their program. The audit committee has asked internal audit to be advisors to the process. To ensure that management concerns are addressed, which data set should internal audit recommend be reviewed FIRST?

Data impacting business objectives
Data supporting financial statements
Data reported to the regulatory body
Data with customer personal information

Which of the following BEST minimizes performance degradation of servers used to authenticate users of an e-commerce website?

Configure each authentication server and ensure that the disks of each server form part of a duplex.
Configure each authentication server as belonging to a cluster of authentication servers.
Configure a single server as a primary authentication server and a second server as a secondary authentication server.
Configure each authentication server and ensure that each disk of its RAID is attached to the primary controller.

Audit frameworks can assist the IS audit function by:

outlining the specific steps needed to complete audits.
defining the authority and responsibility of the IS audit function.
providing details on how to execute the audit program.
providing direction and information regarding the performance of audits.

What is the BEST way to evaluate a control environment where the organization and a third party have shared responsibility?

Conduct a control self-assessment (CSA).
Review the service level agreement (SLA).
Perform an onsite evaluation.
Review complementary user entity controls.

Which of the following is the MAIN purpose of an information security management system?

To enhance the impact of reports used to monitor information security incidents
To reduce the frequency and impact of information security incidents
To identify and eliminate the root causes of information security incidents
To keep information security policies and procedures up-to-date

During the discussion of a draft audit report, IT management provided suitable evidence that a process has been implemented for a control that had been concluded by the IS auditor as ineffective. Which of the following is the auditor’s BEST action?

Explain to IT management that the new control will be evaluated during follow-up.
Add comments about the action taken by IT management in the report.
Change the conclusion based on evidence provided by IT management.
Re-perform the audit before changing the conclusion.

An organization allows its employees to use personal mobile devices for work. Which of the following would BEST maintain information security without compromising employee privacy?

Partitioning the work environment from personal space on devices
Preventing users from adding applications
Restricting the use of devices for personal purposes during working hours
Installing security software on the devices

An IS auditor who was instrumental in designing an application is called upon to review the application. The auditor should:

inform audit management of the earlier involvement.
modify the scope of the audit.
refuse the assignment to avoid conflict of interest.
use the knowledge of the application to carry out the audit.

Documentation of workaround processes to keep a business function operational during recovery of IT systems is a core part of a:

disaster recovery plan (DRP).
business continuity plan (BCP).
threat and risk assessment.
business impact analysis (BIA).

IS audit is asked to explain how local area network (LAN) servers can contribute to a rapid dissemination of viruses. The IS auditor’s BEST response is that:

the server's software is the prime target and is the first to be infected.
the server's operating system exchanges data with each station starting at every logon.
the server's file sharing function facilitates the distribution of files and applications.
users of a given server have similar usage of applications and files.

An organization has developed mature risk management practices that are followed across all departments. What is the MOST effective way for the audit team to leverage this risk management maturity?

Implementing risk responses on management's behalf
Providing assurances to management regarding risk
Facilitating audit risk identification and evaluation workshops
Integrating the risk register for audit planning purposes

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

To ensure that only authorized users can access the application
To ensure compatibility between different versions of the application
To ensure that only the latest approved version of the application is used
To ensure that older versions are available for reference

One benefit of return on investment (ROI) analysis in IT decision making is that it provides the:

cost of replacing equipment.
estimated cost of ownership.
basis for allocating financial resources.
basis for allocating indirect costs.

Which of the following is MOST important for an IS auditor to verify when evaluating an organization’s data conversion and infrastructure migration plan?

A migration steering committee has been formed.
A rollback plan is included.
A code check review is included.
Strategic goals have been considered.

Which of the following weaknesses would have the GREATEST impact on the effective operation of a perimeter firewall?

Ad hoc monitoring of firewall activity
Use of stateful firewalls with default configuration
Potential back doors to the firewall software
Misconfiguration of the firewall rules

Which of the following is MOST important to ensure that electronic evidence collected during a forensic investigation will be admissible in future legal proceedings?

Restricting evidence access to professionally certified forensic investigators
Engaging an independent third party to perform the forensic investigation
Performing investigative procedures on the original hard drives rather than images of the hard drives
Documenting evidence handling by personnel throughout the forensic investigation

The IS auditor has recommended that management test a new system before using it in production mode. The BEST approach for management in developing a test plan is to use processing parameters that are:

randomly selected by a test generator.
provided by the vendor of the application.
randomly selected by the user.
simulated by production entities and customers.

Which of the following is the GREATEST risk associated with storing customer data on a web server?

Data integrity
Data availability
Data redundancy
Data confidentiality

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Compliance with industry standards and best practice
Compliance with action plans resulting from recent audits
Compliance with local laws and regulations
Compliance with the organization's policies and procedures

Which of the following provides the BEST evidence that outsourced provider services are being properly managed?

The service level agreement (SLA) includes penalties for non-performance.
The vendor provides historical data to demonstrate its performance.
Internal performance standards align with corporate strategy
Adequate action is taken for noncompliance with the service level agreement (SLA).

Which of the following is a concern when an organization’s disaster recovery strategy utilizes a hot site?

Insufficient environmental controls
Significant distance from the primary data center
The lack of networking infrastructure
Conflicts due to reciprocal agreements with other organizations

What is the BEST method to determine if IT resource spending is aligned with planned project spending?

Return on investment (ROI) analysts
Critical path analysis
Earned value analysis (EVA)
Gantt chart

An IS auditor is reviewing the release management process for an in-house software development solution. In which environment is the software version MOST likely to be the same as production?

Development
Staging
Testing
Integration

Which of the following would BEST help to ensure that potential security issues are considered by the development team as part of incremental changes to agile- developed software?

Deploy changes in a controlled environment and observe for security defects.
Mandate that the change analyses are documented in a standard format.
Assign the security risk analysis to a specially trained member of the project management office.
Include a mandatory step to analyze the security impact when making changes.

The waterfall life cycle model of software development is BEST suited for which of the following situations?

The project will involve the use of new technology.
The project intends to apply an object-oriented design approach.
The project is subject to time pressures.
The project requirements are well understood.

Which of the following is the GREATEST impact as a result of the ongoing deterioration of a detective control?

Increased number of false negatives in security logs
Decreased effectiveness of root cause analysis
Decreased overall recovery time
Increased demand for storage space for logs

A proper audit trail of changes to server start-up procedures would include evidence of:

program execution.
operator overrides.
subsystem structure.
security control options.

An audit identified that a computer system is not assigning sequential purchase order numbers to order requests. The IS auditor is conducting an audit follow-up to determine if management has resolved this finding. Which of the following is the MOST reliable follow-up procedure?

Inquire with management if the system has been configured and tested to generate sequential order numbers.
Review the documentation of recent changes to implement sequential order numbering.
Inspect the system settings and transaction logs to determine if sequential order numbers are generated.
Examine a sample of system generated purchase orders obtained from management.

Which of the following is the BEST way to enforce the principle of least privilege on a server containing data with different security classifications?

Limiting access to the data files based on frequency of use
Using scripted access control lists to prevent unauthorized access to the server
Obtaining formal agreement by users to comply with the data classification policy
Applying access controls determined by the data owner

Which of the following is the BEST way to determine whether a test of a disaster recovery plan (DRP) was successful?

Analyze whether predetermined test objectives were met.
Perform testing at the backup data center.
Test offsite backup files.
Evaluate participation by key personnel.

If enabled within firewall rules, which of the following services would present the GREATEST risk?

File transfer protocol (FTP)
Simple object access protocol (SOAP)
Hypertext transfer protocol (HTTP)
Simple mail transfer protocol (SMTP)

Which of the following is the MOST effective way for an organization to protect against data loss?

Conduct periodic security awareness training.
Limit employee Internet access.
Review firewall logs for anomalies.
Implement data classification procedures.

Which of the following is the BEST control to minimize the risk of unauthorized access to lost company-owned mobile devices?

Device encryption
Device tracking software
Password/PIN protection
Periodic backup

In a RACI model, which of the following roles must be assigned to only one individual?

Responsible
Accountable
Informed
Consulted

An IS auditor has found that a vendor has gone out of business and the escrow has an older version of the source code. What is the auditor’s BEST recommendation for the organization?

Perform an analysis to determine the business risk.
Develop a maintenance plan to support the application using the existing code.
Bring the escrow version up to date.
Analyze a new application that meets the current requirements.

An IS auditor is reviewing the installation of a new server. The IS auditor’s PRIMARY objective is to ensure that:

security parameters are set in accordance with the manufacturer's standards.
security parameters are set in accordance with the organization's policies.
a detailed business case was formally approved prior to the purchase.
the procurement project invited tenders from at least three different suppliers.

An IS auditor finds a high-risk vulnerability in a public-facing web server used to process online customer payments. The IS auditor should FIRST:

notify the audit committee.
review security incident reports.
identify compensating controls.
document the exception in an audit report.

An IS auditor discovers that an IT organization serving several business units assigns equal priority to all initiatives, creating a risk of delays in securing project funding. Which of the following would be MOST helpful in matching demand for projects and services with available resources in a way that supports business objectives?

Risk assessment results
IT governance framework
Project management
Portfolio management

Which of the following is the MOST efficient way to identify segregation of duties violations in a new system?

Observe the performance of business processes.
Develop a process to identify authorization conflicts.
Review a report of security rights in the system.
Examine recent system access rights violations.

An internal audit team is deciding whether to use an audit management application hosted by a third party in a different country. What should be the MOST important consideration related to the uploading of payroll audit documentation in the hosted application?

Per-unit cost charged by the hosting services provider for storage
Privacy regulations affecting the organization
Financial regulations affecting the organization
Data center physical access controls where the application is hosted

Which of the following is the PRIMARY reason for an IS auditor to conduct post-implementation reviews?

To document lessons learned to improve future project delivery
To align project objectives with business needs
To determine whether project objectives in the business case have been achieved
To ensure key stakeholder sign-off has been obtained

Which of the following is the BEST metric to measure the alignment of IT and business strategy?

Frequency of business process capability maturity assessments
Percentage of enterprise risk assessments that include IT-related risk
Percentage of staff satisfied with their IT-related roles
Level of stakeholder satisfaction with the scope of planned IT projects

Which of the following is the MOST important activity in the data classification process?

Determining accountability of data owners
Labeling the data appropriately
Identifying risk associated with the data
Determining the adequacy of privacy controls

Which of the following is MOST appropriate to prevent unauthorized retrieval of confidential information stored in a business application system?

Implement segregation of duties.
Enforce an internal data access policy.
Enforce the use of digital signatures
Apply single sign-on for access control.

A project team has decided to switch to an agile approach to develop a replacement for an existing business application. Which of the following should an IS auditor do FIRST to ensure the effectiveness of the project audit?

Understand the specific agile methodology that will be followed.
Interview business process owners to compile a list of business requirements.
Compare the agile process with previous methodology.
Identify and assess existing agile process controls.

During an external review, an IS auditor observes an inconsistent approach in classifying system criticality within the organization. Which of the following should be recommended as the PRIMARY factor to determine system criticality?

Maximum allowable downtime (MAD)
Mean time to restore (MTTR)
Recovery point objective (RPO)
Key performance indicators (KPIs)

Which of the following is the MOST significant risk that IS auditors are required to consider for each engagement?

Irregularities and illegal acts
Noncompliance with organizational policies
Misalignment with business objectives
Process and resource inefficiencies

An externally facing system containing sensitive data is configured such that users have either read-only or administrator rights. Most users of the system have administrator access. Which of the following is the GREATEST risk associated with this situation?

Users can make unauthorized changes.
Users can export application logs.
Users can install open-licensed software.
Users can view sensitive data.

Which of the following is the GREATEST risk associated with utilizing spreadsheets for financial reporting in end-user computing (EUC)?

Lack of password protection
Lack of processing integrity
Increase in operational incidents
Increase in regulatory violations

The decision to accept an IT control risk related to data quality should be the responsibility of the:

IS audit manager.
chief information officer (CIO).
information security team.
business owner.

An organization’s audit charter PRIMARILY:

describes the auditor's authority to conduct audits.
formally records the annual and quarterly audit plans.
documents the audit process and reporting standards.
defines the auditors' code of conduct.

Following a security breach in which a hacker exploited a well-known vulnerability in the domain controller, an IS auditor has been asked to conduct a control assessment. The auditor’s BEST course of action would be to determine if:

the patches were updated.
the logs were monitored.
the domain controller was classified for high availability.
the network traffic was being monitored.

What is MOST important to verify during an external assessment of network vulnerability?

Regular review of the network security policy
Location of intrusion detection systems (IDS)
Update of security information event management (SIEM) rules
Completeness of network asset inventory

Which of the following environments is BEST used for copying data and transformation into a compatible data warehouse format?

Development
Testing
Replication
Staging

Which of the following is the BEST recommendation to include in an organization’s bring your own device (BYOD) policy to help prevent data leakage?

Specify employee responsibilities for reporting lost or stolen BYOD devices.
Require multi-factor authentication on BYOD devices.
Require employees to waive privacy rights related to data on BYOD devices.
Allow only registered BYOD devices to access the network.

Which type of testing BEST determines whether a new system meets business requirements and is ready to be placed into production?

Load testing
User acceptance testing (UAT)
Volume testing
Performance testing

During audit planning, the IS audit manager is considering whether to budget for audits of entities regarded by the business as having low risk. Which of the following is the BEST course of action in this situation?

Outsource low-risk audits to external audit service providers.
Challenge the risk rating and include the low-risk entities in the plan.
Conduct limited-scope audits of low-risk business entities.
Validate the low-risk entity ratings and apply professional judgment.

An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the
MOST significant risk?

Data center environmental controls not aligning with new configuration
System documentation not being updated to reflect changes in the environment
Vulnerability in the virtualization platform affecting multiple hosts
Inability of the network intrusion detection system (IDS) to monitor virtual server-to-server communications.

During an audit of an organization’s risk management practices, an IS auditor finds several documented IT risk acceptances have not been renewed in a timely manner after the assigned expiration date. When assessing the severity of this finding, which mitigating factor would MOST significantly minimize the associated impact?

There are documented compensating controls over the business processes.
The risk acceptances with issues reflect a small percentage of the total population.
The business environment has not significantly changed since the risk acceptances were approved.
The risk acceptances were previously reviewed and approved by appropriate senior management.

Which of the following is MOST important for an IS auditor to consider when performing the risk assessment prior to an audit engagement?

Industry standards and best practices
The amount of time since the previous audit
The results of the previous audit
The design of controls

An IS auditor is reviewing the deployment of a new automated system. Which of the following findings presents the MOST significant risk?

Users have not been trained on the new system.
The new system is not platform agnostic.
Data from the legacy system is not migrated correctly to the new system.
The new system has resulted in layoffs of key experienced personnel.

Which of the following is an executive management concern that could be addressed by the implementation of a security metrics dashboard?

Effectiveness of the security program
Total number of false positives
Total number of hours budgeted to security
Security incidents vs. industry benchmarks

Which of the following is the BEST way to mitigate the risk associated with unintentional modifications of complex calculations in end-user computing (EUC)?

Have an independent party review the source calculations
Verify EUC results through manual calculations.
Execute copies of EUC programs out of a secure library.
Implement complex password controls.

Which of the following must be in place before an IS auditor initiates audit follow-up activities?

A management response in the final report with a committed implementation date
A heat map with the gaps and recommendations displayed in terms of risk
Supporting evidence for the gaps and recommendations mentioned in the audit report
Available resources for the activities included in the action plan

Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

Perform an independent audit.
Implement compensating controls.
Hire temporary staff.
Rotate job duties periodically.

The due date of an audit project is approaching, and the audit manager has determined that only 60% of the audit has been completed. Which of the following should the audit manager do FIRST?

Extend the audit deadline.
Escalate to the audit committee.
Assign additional resources to supplement the audit.
Determine where delays have occurred.

During a security audit, an IS auditor is tasked with reviewing log entries obtained from an enterprise intrusion prevention system (IPS). Which type of risk would be associated with the potential for the auditor to miss a sequence of logged events that could indicate an error in the IPS configuration?

Detection risk
Control risk
Sampling risk
Inherent risk

Which of the following backup schemes is the BEST option when storage media is limited?

Real-time backup
Differential backup
Virtual backup
Full backup

Which of the following should be of GREATEST concern for an IS auditor reviewing an organization’s disaster recovery plan (DRP)?

The DRP has not been updated since an IT infrastructure upgrade
The DRP has not been distributed to end users.
The DRP has not been formally approved by senior management.
The DRP contains recovery procedures for critical servers only.

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Periodically reviewing log files
Configuring the router as a firewall
Installing biometrics-based authentication
Using smart cards with one-time passwords

According to the three lines of defense model for risk management, the second line of defense includes functions that:

own risks.
oversee risks.
define risk appetite.
provide independent assurance.

Which of the following should be an IS auditor’s PRIMARY focus when developing a risk-based IS audit program?

Business processes
Business plans
Portfolio management
IT strategic plans

Which of the following is the MOST appropriate and effective fire suppression method for an unstaffed computer room?

Water sprinkler
Fire extinguishers
Carbon dioxide (CO )
Dry pipe

Which of the following is MOST important for an IS auditor to examine when reviewing an organization’s privacy policy?

Whether there is explicit permission from regulators to collect personal data
The organization's legitimate purpose for collecting personal data
The encryption mechanism selected by the organization for protecting personal data
Whether sharing of personal information with third-party service providers is prohibited

An IS auditor reviewing security incident processes realizes incidents are resolved and closed, but root causes are not investigated. Which of the following should be the MAJOR concern with this situation?

Security incident policies are out of date.
Lessons learned have not been properly documented.
Vulnerabilities have not been properly addressed.
Abuses by employees have not been reported.

Which of the following provides the MOST assurance of the integrity of a firewall log?

The log is retained per policy.
Authorized access is required to view the log.
The log cannot be modified.
The log is reviewed on a monthly basis.

Which of the following is MOST important for an IS auditor to determine during the detailed design phase of a system development project?

Acceptance test criteria have been developed.
Data conversion procedures have been established.
The design has been approved by senior management.
Program coding standards have been followed.

Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

The firewalls' default settings
The physical location of the firewalls
The number of remote nodes
The organization's security policy

An IS auditor has discovered that a software system still in regular use is years out of date and no longer supported. The auditee has stated that it will take six months until the software is running on the current version. Which of the following is the BEST way to reduce the immediate risk associated with using an unsupported version of the software?

Verify all patches have been applied to the software system's outdated version.
Monitor network traffic attempting to reach the outdated software system.
Close all unused ports on the outdated software system.
Segregate the outdated software system from the main network.

The PRIMARY purpose of running a new system in parallel is to:

validate the operation of the new system against its predecessor.
determine which of the two systems is more efficient and effective.
resolve any errors in the program and file interfaces.
provide the basis for comprehensive unit and system testing.

During the planning phase of a data loss prevention (DLP) audit, management expresses a concern about mobile computing. Which of the following should the IS auditor identify as the associated risk?

Lack of governance and oversight for IT infrastructure and applications
Increased need for user awareness training
The use of the cloud negatively impacting IT availability
Increased vulnerability due to anytime, anywhere accessibility

An organization has recently acquired and implemented intelligent-agent software for granting loans to customers. During the post-implementation review, which of the following is the MOST important procedure for the IS auditor to perform?

Review signed approvals to ensure responsibilities for decisions of the system are well defined.
Review system documentation to ensure completeness.
Review system and error logs to verify transaction accuracy.
Review input and output control reports to verify the accuracy of the system decisions.

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. The auditor finds that several risks to project benefits have not been addressed. Who should be accountable for managing these risks?

Project manager
Information security officer
Project sponsor
Enterprise risk manager

In a post-implementation review of a recently purchased system, it is MOST important for the IS auditor to determine whether the:

vendor product offered a viable solution.
user requirements were met.
test scenarios reflected operating activities.
stakeholder expectations were identified.

Which of the following strategies BEST optimizes data storage without compromising data retention practices?

Allowing employees to store large emails on flash drives
Automatically deleting emails older than one year
Moving emails to a virtual email vault after 30 days
Limiting the size of file attachments being sent via email

Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?

Obtain evidence of the vendor's control self-assessment (CSA).
Periodically review the service level agreement (SLA) with the vendor.
Conduct periodic on-site assessments using agreed-upon criteria.
Conduct an unannounced vulnerability assessment of vendor's IT systems.

An IS auditor is reviewing the maturity of a large organization’s IT governance. Which of the following BEST demonstrates that IT governance has been effectively implemented?

The board reviews compliance with legal and regulatory requirements.
The board monitors adherence to the organization's information security policy.
The board reviews strategic IT key performance indicators (KPIs).
The board approves necessary resources for IT security reviews.

What should an IS auditor do FIRST upon discovering that a service provider did not notify its customers of a security breach?

Notify law enforcement of the finding.
Require the third party to notify customers.
Issue the audit report with a significant finding.
Notify audit management of the finding.

An IS auditor is reviewing an organization’s primary router access control list. Which of the following should result in a finding?

There are conflicting permit and deny rules for the IT group.
There is only one rule per group with access privileges.
Individual permissions are overriding group permissions.
The network security group can change network address translation (NAT).

Which of the following is the GREATEST risk of using a reciprocal site for disaster recovery?

Inability to utilize the site when required
Inability to test the recovery plans onsite
Mismatched organizational security policies
Equipment compatibility issues at the site

Which of the following BEST enables the timely identification of risk exposure?

Control self-assessment (CSA)
Internal audit review
Stress testing
External audit review

CISA Final Assessment 1

Quiz Summary

Information

Results

Results

Categories

1. Question

2. Question

3. Question

4. Question

5. Question

6. Question

7. Question

8. Question

9. Question

10. Question

11. Question

12. Question

13. Question

14. Question

15. Question

16. Question

17. Question

18. Question

19. Question

20. Question

21. Question

22. Question

23. Question

24. Question

25. Question

26. Question

27. Question

28. Question

29. Question

30. Question

31. Question

32. Question

33. Question

34. Question

35. Question

36. Question

37. Question

38. Question

39. Question

40. Question

41. Question

42. Question

43. Question

44. Question

45. Question

46. Question

47. Question

48. Question

49. Question

50. Question

51. Question

52. Question

53. Question

54. Question

55. Question

56. Question

57. Question

58. Question

59. Question

60. Question

61. Question

62. Question

63. Question

64. Question

65. Question

66. Question

67. Question

68. Question

69. Question

70. Question

71. Question

72. Question

73. Question