During an information systems (IS) audit of the disaster recovery plan of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations is the MOST critical for the IS auditor?

A test has not been made to ensure that local resources can maintain security and service standards when recovering from a disaster or incident.

The corporate business continuity plan (BCP) plan does not accurately document the systems that exist at remote offices.

Corporate security measures have not been incorporated into the test plan

A test has not been made to ensure that backups from the remote offices are usable

During an information systems (IS) risk assessment of a health care organization regarding protected health information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?

Staff have to type [PHI] in the subject field of email messages to be encrypted

The organization does not encrypt all of its outgoing email messages

An individual’s computer screen saver function is disabled.

Server configuration requires the user to change the password annually.

An information systems (IS) auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice:

reduces the risk of unauthorized access to the network

is not suitable for small networks

automatically provides an Internet Protocol (IP) address to anyone

increases the risk associated with Wireless Encryption Protocol

Which of the following is MOST indicative of the effectiveness of an information security awareness program?

Employees report more information regarding security incidents

All employees have signed the information security policy

Most employees have attended an awareness session

Information security responsibilities have been included in job descriptions

An information systems (IS) auditor performing a review of application controls evaluates the:

impact of any exposures discovered

efficiency of the application in meeting the business processes

business processes served by the application

Which of the following sampling methods is MOST useful when testing for compliance?

Stratified mean-per-unit sampling

The PRIMARY goal of a website certificate is:

authentication of the website that will be surfed.

authentication of the user who surfs through that site.

preventing surfing of the website by hackers.

the same purpose as that of a digital certificate.

An information systems (IS) auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor?

The IT department may not be working toward a common goal.

The IT department’s projects will not be adequately funded.

IT projects are not following the system development life cycle (SDLC) process.

IT projects are not consistently formally approved.

Which of the following is an advantage of prototyping?

Prototype systems can provide significant time and cost savings.

The finished system normally has strong internal controls.

Change control is often less complicated with prototype systems.

Prototyping ensures that functions or extras are not added to the intended system.

Which of the following provides the GREATEST assurance for database password encryption?

Advanced encryption standard (AES)

An information systems (IS) auditor reviewing the authentication controls of an enterprise should be MOST concerned if:

system administrators use shared login credentials

user accounts are not locked out after five failed attempts

passwords can be reused by employees within a defined time frame

password expiration is not automated

What is the PRIMARY reason for an information systems (IS) auditor to exercise due professional care?

To get reasonable assurance that IS controls are well-designed and effective

To eliminate inherent, control and detection risk associated with IS audit

To detect errors, misstatements or fraudulent transactions in IS and report them

To make sure that evidence collected during the IS audit is appropriate and sufficient

When developing a security architecture, which of the following steps should be executed FIRST?

Specifying an access control methodology

Defining roles and responsibilities

An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?

System development project team

The BEST method for assessing the effectiveness of a business continuity plan (BCP) is to review the:

plans and compare them to appropriate standards

emergency procedures and employee training

offsite storage and environmental controls

Which of the following does an information systems (IS) auditor consider to be MOST important when evaluating an organization’s IT strategy? That it:

supports the business objectives of the organization

was approved by line management

does not vary from the IT department’s preliminary budget

complies with procurement procedures

Which of the following should an information systems (IS) auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?

Select projects according to business benefits and risk

Define a balanced scorecard (BSC) for measuring performance

Consider user satisfaction in the key performance indicators (KPIs)

Modify the yearly process of defining the project portfolio

From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:

is aligned with the business strategy.

is forward thinking and innovative.

has the appropriate priority level assigned.

Which of the following distinguishes a business impact analysis (BIA) from a risk assessment?

Determination of acceptable downtime

Identification of vulnerabilities

Which of the following is an implementation risk within the process of decision support systems (DSSs)?

Inability to specify purpose and usage patterns

Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with the enterprise security policy?

Interview the firewall administrator.

Review the device’s log file for recent attacks.

During an assessment of software development practices, an information systems (IS) auditor finds that open-source software components were used in an application designed for a client. What is the GREATEST concern that the auditor has about the use of open-source software?

The organization and client must comply with open-source software license terms

The client did not pay for the open-source software components

Open-source software has security vulnerabilities

Open-source software is unreliable for commercial use

Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The information systems (IS) auditor should:

include the finding in the final report because the IS auditor is responsible for an accurate report of all findings.

not include the finding in the final report because management resolved the item.

not include the finding in the final report because corrective action can be verified by the IS auditor during the audit.

include the finding in the closing meeting for discussion purposes only.

An information systems (IS) auditor is developing an audit plan for an environment that includes new systems. Enterprise management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

Determine the highest-risk systems and plan accordingly

Audit the new systems as requested by management

Audit systems not included in last year’s scope

Audit systems not in last year’s scope and the new systems

What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?

It replaces the internal audit function.

It reduces audit resource requirements.

Which of the following tasks should be performed FIRST when preparing a disaster recovery plan (DRP)?

Perform a business impact analysis (BIA)

Map software systems, hardware and network components

Appoint recovery teams with defined personnel, roles and hierarchy

Which of the following would be a MAJOR concern for an information systems (IS) auditor reviewing a business continuity plan (BCP)?

Test results are not adequately documented.

The plan is approved by the chief information officer.

The plan contact lists have not been updated.

The training schedule for recovery personnel is not included.

An information systems (IS) auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?

Computer-aided software engineering tools

When testing program change requests for a remote system, an information systems (IS) auditor finds that the number of changes available for sampling does not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?

Develop an alternate testing procedure

Report the finding to management

Perform a walkthrough of the change management process

Create additional sample data to test additional changes

Which of the following BEST provides assurance of the integrity of new staff?

Qualifications listed on a resume

An information systems (IS) auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms is the GREATEST risk to the customer organization?

The third-party provider reserves the right to access data to perform certain operations.

Data ownership is retained by the customer organization.

Bulk data withdrawal mechanisms are undefined.

The customer organization is responsible for backup, archiving and restoration.

An information systems (IS) auditor is assigned to review an organization’s information security policy. Which of the following issues represents the HIGHEST potential risk?

The policy is approved by the security administrator.

The policy has not been updated in more than one year.

The policy includes no revision history.

The organization does not have an information security policy committee.

The information systems (IS) auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data belonging to different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation and is the only user with administrative rights to the system. What should the IS auditor’s initial determination be?

The SAN administrator presents a potential risk.

There is no significant potential risk.

Soft zoning presents a potential risk.

Disabling unused ports presents a potential risk.

Which of the following is MOST critical for the successful implementation and maintenance of a security policy?

Assimilation of the framework and intent of a written security policy by all appropriate parties

Management support and approval for the implementation and maintenance of a security policy

Enforcement of security rules by providing punitive actions for any violation of security rules

Stringent implementation, monitoring and enforcing of rules by the security officer through access control software

CISA Practice Exam

Authored by John Lee

Professional Development

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

75 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to a production server?

Manually copy files to accomplish replication

Review changes in the software version control system.

Ensure that developers do not have access to the backup server

Review the access control log of the backup server

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

While performing an audit of an accounting application’s internal data integrity controls, an information systems (IS) auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:

continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions.

complete the audit and not report the control deficiency because it is not part of the audit scope.

continue to test the accounting application controls and include the deficiency in the final report.

cease all audit activity until the control deficiency is resolved

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

When reviewing a hardware maintenance program, an information systems (IS) auditor should assess whether:

the schedule of all unplanned maintenance is maintained

it is in line with historical trends

it has been approved by the IS steering committee

the program is validated against vendor specifications

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

When reviewing the desktop software compliance of an organization, the information systems (IS) auditor should be MOST concerned if the installed software:

is installed, but not documented in the IT department records

is being used by users not properly trained in its use

is not listed in the approved software standards document

has a license that will expire in the next 15 days

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

When an employee is terminated from service, the MOST important action is to:

hand over all of the employee’s files to another designated employee

complete a backup of the employee’s work

notify other employees of the termination

disable the employee’s logical access

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

While evaluating software development practices in an organization, an information systems (IS) auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:

effectiveness of the QA function because it should interact between project management and user management.

efficiency of the QA function because it should interact with the project implementation team.

effectiveness of the project manager because the project manager should interact with the QA function

efficiency of the project manager because the QA function needs to communicate with the project implementation team.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

Change control for business application systems being developed using prototyping can be complicated by the:

iterative nature of prototyping

rapid pace of modifications in requirements and design

emphasis on reports and screens

lack of integrated tools

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

70 questions

Computer & Technology Basics Course for Absolute Beginners

Quiz

•

Professional Development

72 questions

Super Quiz

Quiz

•

Professional Development

70 questions

Kuis HSSE Knowledge

Quiz

•

Professional Development

75 questions

Employability Skills - 1st Year 518-593

Quiz

•

Professional Development

73 questions

System Architect - ALL

Quiz

•

Professional Development

73 questions

EAL NETK3 001 H&S Practice

Quiz

•

Professional Development

80 questions

SSRA 2020 - RA

Quiz

•

Professional Development

80 questions

Scrum Final Test / Certification Simu

Quiz

•

Professional Development

Popular Resources on Wayground

10 questions

5.P.1.3 Distance/Time Graphs

Quiz

•

5th Grade

10 questions

Fire Drill

Quiz

•

2nd - 5th Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

22 questions

School Wide Vocab Group 1 Master

Quiz

•

6th - 8th Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

20 questions

Inferences

Quiz

•

4th Grade

12 questions

What makes Nebraska's government unique?

Quiz

•

4th - 5th Grade

Discover more resources for Professional Development

16 questions

Parallel, Perpendicular, and Intersecting Lines

Quiz

•

KG - Professional Dev...

20 questions

NCAA Logo Quiz

Quiz

•

Professional Development

20 questions

Easter trivia

Quiz

•

12th Grade - Professi...