Practice Exam 1 Flashcards

1
Q
  1. Which of the following is the MOST important consideration when defining recovery point objectives (RPOs)?
    A. Minimum operating requirements
    B. Acceptable data loss
    C. Mean time between failures
    D. Acceptable time for recovery
A

B. Recovery point objectives (RPOs) are the level of data loss/reworking an organization is willing to accept.

2
Q
  1. An information systems (IS) auditor reviewing a cloud computing environment that is managed by a third party should be MOST concerned when:

A. The enterprise is not permitted to assess the controls in the participating vendor’s site.
B. The service level agreement (SLA) does not address the responsibility of the vendor in the case of a security breach.
C. Laws and regulations are different in the countries of the enterprise and the vendor.
D. The enterprise is using an older version of a browser and is vulnerable to certain types of security risk.

A

B. Administration of cloud computing occurs over the Internet and involves more than one participating entity. It is the responsibility of each of the partners in the cloud computing environment to take care of security issues in their own environments. When there is a security breach, the party responsible for the breach should be identified and made accountable. This is not possible if the service level agreement (SLA) does not address the responsibilities of the partners during a security breach.

3
Q
  1. Which of the following preventive controls BEST helps secure a web application?
    A. Password masking
    B. Developer training
    C. Use of encryption
    D. Vulnerability testing
A

B. Of the given choices, teaching developers to write secure code is the best way to secure a web application.

4
Q
  1. The information systems (IS) auditor is reviewing the implementation of a storage area network (SAN). The SAN administrator indicates that logging and monitoring is active, hard zoning is used to isolate data belonging to different business units and all unused SAN ports are disabled. The administrator implemented the system, performed and documented security testing during implementation and is the only user with administrative rights to the system. What should the IS auditor’s initial determination be?
    A. There is no significant potential risk.
    B. Soft zoning presents a potential risk.
    C. Disabling unused ports presents a potential risk.
    D. The SAN administrator presents a potential risk.
A

D. The potential risk in this scenario is posed by the SAN administrator. One concern is having a single point of failure. Because only one administrator has the knowledge and access required to administer the system, the enterprise is susceptible to risk. For example, if the SAN administrator decided to quit unexpectedly or was otherwise unavailable, the enterprise may not be able to adequately administer the SAN. In addition, having a single administrator for a large, complex system, such as a SAN, also presents a separation of duties risk. The enterprise currently relies entirely on the SAN administrator to implement, maintain and validate all security controls; this means that the SAN administrator can modify or remove those controls without detection.

5
Q
  1. Which of the following processes should an information systems (IS) auditor recommend to assist in the recording of baselines for software releases?
    A. User acceptance testing (UAT)
    B. Backup and recovery
    C. Incident management
    D. Configuration management
A

D. The configuration management process may include automated tools that provide an automated recording of software release baselines. If the new release fails, the baseline will provide a point to which to return.

6
Q
  1. Corrective action has been taken by an auditee immediately after the identification of a reportable finding. The information systems (IS) auditor should:
    A. include the finding in the final report because the IS auditor is responsible for an accurate report of all findings.
    B. not include the finding in the final report because management resolved the item.
    C. not include the finding in the final report because corrective action can be verified by the IS auditor during the audit.
    D. include the finding in the closing meeting for discussion purposes only.
A

A. Including the finding in the final report is a generally accepted audit practice. If an action is taken after the audit started and before it ended, the audit report should identify the finding and describe the corrective action taken. An audit report should reflect the situation as it existed at the start of the audit. All corrective actions taken by the auditee should be reported in writing.

7
Q
  1. If inadequate, which of the following is the MOST likely contributor to a denial-of-service (DoS) attack?
    A. Router configuration and rules
    B. Design of the internal network
    C. Updates to the router system software
    D. Audit testing and review techniques
A

A. Improper router configuration and rules can lead to denial-of-service (DoS) attacks.

8
Q
  1. An information systems (IS) auditor discovers several IT-based projects were implemented and not approved by the steering committee. What is the GREATEST concern for the IS auditor?

A. The IT department’s projects will not be adequately funded.
B. IT projects are not following the system development life cycle (SDLC) process.
C. IT projects are not consistently formally approved.
D. The IT department may not be working toward a common goal.

A

D. The steering committee provides direction and control over projects to ensure that the enterprise is making appropriate investments. Without approval, the project may or may not be working toward the enterprise goals.

9
Q
  1. The PRIMARY objective of performing a postincident review is that it presents an opportunity to:
    A. improve the internal control process.
    B. harden the network to industry good practices.
    C. highlight the importance of incident response management to management.
    D. improve employee awareness of the incident response process.
A

A. A postincident review examines the cause of and the response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables the information security manager to continuously improve the security program. Improving the incident response plan based on the incident review is an internal (corrective) control.

10
Q
  1. Which of the following does a lack of adequate controls represent?

A. An impact
B. A vulnerability
C. An asset
D. A threat

A

B. The lack of adequate controls represents a vulnerability, exposing sensitive information and data to the risk of malicious damage, attack or unauthorized access by hackers, employee error, environmental threat, or equipment failure. This can result in a loss of sensitive information, financial loss, legal penalties or other losses.

11
Q
  1. Which of the following would be a MAJOR concern for an information systems (IS) auditor reviewing a business continuity plan (BCP)?
    A. The plan is approved by the chief information officer.
    B. The plan contact lists have not been updated.
    C. Test results are not adequately documented.
    D. The training schedule for recovery personnel is not included.
A

C. The effectiveness of a BCP can best be determined through tests. If results of tests are not documented, then there is no basis for feedback, updates, etc.

12
Q
  1. Which of the following types of testing determines whether a new or modified system can operate in its target environment without adversely impacting other existing systems?
    A. Parallel testing
    B. Pilot testing
    C. Interface/integration testing
    D. Sociability testing
A

D. The purpose of sociability testing is to confirm that a new or modified system can operate in its target environment without adversely impacting existing systems. This should cover the platform that will perform primary application processing and interfaces with other systems, and changes to the desktop in a client-server or web development.

13
Q
  1. An information systems (IS) auditor performing a review of a major software development project finds that it is on schedule and under budget even though the software developers have worked considerable amounts of unplanned overtime. The IS auditor should:
    A. conclude that the project is progressing as planned because dates are being met.
    B. question the project manager further to identify whether overtime costs are being tracked accurately.
    C. conclude that the programmers are intentionally working slowly to earn extra overtime pay.
    D. investigate further to determine whether the project plan may not be accurate.
A

D. Although the dates on which key projects are completed are important, there may be issues with the project plan if an extraordinary amount of unplanned overtime is required to meet those dates. In most cases, the project plan is based on a certain number of hours, and requiring programmers to work considerable overtime is not a good practice. Although overtime costs may be an indicator that something is wrong with the plan, in many organizations, the programming staff may be salaried, so overtime costs may not be directly recorded.

14
Q
  1. Which of the following distinguishes a business impact analysis (BIA) from a risk assessment?

A. Inventory of critical assets
B. Identification of vulnerabilities
C. Listing of threats
D. Determination of acceptable downtime

A

D. A determination of acceptable downtime is made only in a BIA.

15
Q
  1. From an IT governance perspective, what is the PRIMARY responsibility of the board of directors? To ensure that the IT strategy:
    A. is cost-effective.
    B. is forward thinking and innovative.
    C. is aligned with the business strategy.
    D. has the appropriate priority level assigned.
A

C. The board of directors is responsible for ensuring that the IT strategy is aligned with the business strategy.

16
Q
  1. Which of the following is the BEST audit procedure to determine if a firewall is configured in compliance with the enterprise security policy?

A. Review the parameter settings.
B. Interview the firewall administrator.
C. Review the actual procedures.
D. Review the device’s log file for recent attacks.

A

A. A review of the parameter settings provides a good basis for comparison of the actual configuration to the security policy and provides audit evidence documentation.
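
As an added example (not from the ISACA source, and not any vendor's export format), the kind of parameter review the answer describes, carried out on a constructed rule export. The CSV-style export format (seq,action,src,dst,proto,port,log), both rulesets, and the policy items encoded in the checker (no any-to-any permits, no cleartext management protocols such as telnet or FTP reachable from an untrusted source, an explicit and logged final deny-all) are assumptions made for the example.

```python
"""Review exported firewall rule parameters against security policy.

Added example, not from the ISACA flashcard source and not any vendor's
export format. The CSV-style export (seq,action,src,dst,proto,port,log),
both rulesets and the policy items below are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    seq: int
    action: str   # "permit" or "deny"
    src: str      # "any" or a CIDR
    dst: str      # "any" or a CIDR/host
    proto: str    # "tcp", "udp" or "any"
    port: str     # destination port or "any"
    log: bool


# Assumed policy: cleartext management protocols must not be reachable
# from untrusted ("any") sources; no any-to-any permits; the last rule is
# an explicit, logged deny-all.
CLEARTEXT_MGMT_PORTS = {"21": "ftp", "23": "telnet"}

# Constructed export with the weak settings an auditor should catch.
WEAK_EXPORT = """\
10,permit,any,10.0.0.0/8,tcp,23,no
20,permit,192.168.1.0/24,10.0.5.10,tcp,443,no
30,permit,any,any,any,any,no
40,deny,any,any,any,any,no
"""

# Constructed export of the same rulebase after correction.
HARDENED_EXPORT = """\
10,permit,192.168.1.0/24,10.0.5.10,tcp,443,no
20,permit,10.0.9.0/24,10.0.0.0/8,tcp,22,yes
30,deny,any,any,any,any,yes
"""


def parse_export(text: str) -> List[Rule]:
    """Parse the constructed export format into Rule records, in sequence order."""
    rules = []
    for line in text.strip().splitlines():
        seq, action, src, dst, proto, port, log = [f.strip() for f in line.split(",")]
        rules.append(Rule(int(seq), action.lower(), src, dst, proto.lower(), port, log.lower() == "yes"))
    return sorted(rules, key=lambda r: r.seq)


def is_any_to_any(r: Rule) -> bool:
    return r.src == "any" and r.dst == "any" and r.proto == "any" and r.port == "any"


def audit_rules(rules: List[Rule]) -> List[str]:
    """Return one finding per policy deviation; an empty list means the
    parameters match the policy."""
    findings: List[str] = []
    shadowed_by: Optional[int] = None
    for r in rules:
        if shadowed_by is not None:
            # Rules after an any-to-any permit never match: the deny-all is dead.
            findings.append(f"rule {r.seq}: unreachable, shadowed by any-to-any permit rule {shadowed_by}")
            continue
        if r.action == "permit" and is_any_to_any(r):
            findings.append(f"rule {r.seq}: any-to-any permit")
            shadowed_by = r.seq
        if r.action == "permit" and r.src == "any" and r.port in CLEARTEXT_MGMT_PORTS:
            findings.append(f"rule {r.seq}: {CLEARTEXT_MGMT_PORTS[r.port]} permitted from an untrusted source")
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or not is_any_to_any(last):
        findings.append("no explicit final deny-all rule")
    elif not last.log:
        findings.append(f"rule {last.seq}: final deny-all is not logged")
    return findings


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, audit_rules(parse_export(export)) or ["compliant"])
```

The review works from the exported parameters rather than from the administrator's description, which is the audit evidence point of the answer: the weak export yields four findings (telnet open from anywhere, an any-to-any permit, a deny-all rule that permit makes unreachable, and a deny-all that is not logged), while the hardened export yields none.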

17
Q
  1. An information systems (IS) auditor of a health care organization is reviewing contractual terms and conditions of a third-party cloud provider being considered to host patient health information. Which of the following contractual terms is the GREATEST risk to the customer organization?

A. Data ownership is retained by the customer organization.
B. The third-party provider reserves the right to access data to perform certain operations.
C. Bulk data withdrawal mechanisms are undefined.
D. The customer organization is responsible for backup, archiving and restoration.

A

B. Organizations must review the regulatory environment in which the cloud provider operates because it may have requirements or restrictions of its own. Some service providers reserve the right to access customer information (third-party access) to perform certain transactions and provide certain services. In the case of protected health information, regulations may restrict certain access. Organizations must then determine whether the cloud provider provides appropriate controls to ensure data security.

18
Q
  1. Which of the following is of GREATEST concern to an information systems (IS) auditor when performing an audit of a client relationship management system migration project?
    A. The technical migration is planned for a Friday preceding a long weekend, and the time window is too short for completing all tasks.
    B. Employees pilot testing the system are concerned that the data representation in the new system is completely different from the old system.
    C. A single implementation is planned, immediately decommissioning the legacy system.
    D. Five weeks prior to the target date, there are still numerous defects in the printing functionality of the new system’s software.
A

C. Major system migrations should include a phase of parallel operation or a phased cutover to reduce implementation risk. Decommissioning or disposing of the old hardware would complicate any fallback strategy if the new system does not operate correctly.

19
Q
  1. Which of the following types of transmission media provide the BEST security against unauthorized access?
    A. Copper wire
    B. Shielded twisted pair
    C. Fiber-optic cables
    D. Coaxial cables
A

C. Fiber-optic cables have proven to be more secure and more difficult to tap than the other media.

20
Q
  1. Enterprise governance of IT frameworks has been developed MAINLY to help an organization’s leaders:
    A. use resources responsibly and manage information systems risk.
    B. realize benefits and manage the performance of practices and processes.
    C. deliver value to stakeholders and preserve the value created.
    D. establish accountability and manage information security risk.
A

C. Enterprise governance of IT frameworks help an organization’s leaders to deliver value to stakeholders by using resources responsibly, realizing value delivered, establishing roles and responsibilities, preserving value through information risk management, and maintaining the required levels of performance.

21
Q
  1. An organization is implementing an enterprise resource planning (ERP) application. Of the following, who is PRIMARILY responsible for overseeing the project to ensure that it is progressing in accordance with the project plan and that it will deliver the expected results?
    A. Project sponsor
    B. System development project team
    C. Project steering committee
    D. User project team
A

C. A project steering committee that provides an overall direction for the enterprise resource planning (ERP) implementation project is responsible for reviewing the project’s progress to ensure that it will deliver the expected results.

22
Q
  1. An information systems (IS) auditor is assigned to review an organization’s information security policy. Which of the following issues represents the HIGHEST potential risk?
    A. The policy has not been updated in more than one year.
    B. The policy includes no revision history.
    C. The policy is approved by the security administrator.
    D. The organization does not have an information security policy committee.
A

C. The information security policy should have an owner who has management responsibility for the development, review, approval and evaluation of the security policy. The position of security administrator is typically a staff-level position (not management), and therefore does not have the authority to approve the policy. In addition, an individual in a more independent position should also review the policy. Without proper management approval, enforcing the policy may be problematic, leading to compliance or security issues.

23
Q
  1. Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
    A. Assimilation of the framework and intent of a written security policy by all appropriate parties
    B. Management support and approval for the implementation and maintenance of a security policy
    C. Enforcement of security rules by providing punitive actions for any violation of security rules
    D. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
A

A. Assimilation of the framework and intent of a written security policy by all levels of management and users of the system are critical to the successful implementation and maintenance of the security policy. If a policy is not assimilated into daily actions, it will not be effective.

24
Q
  1. Which of the following is the MOST important skill that an information systems (IS) auditor should develop to understand the constraints of conducting an audit?

A. Managing audit staff
B. Allocating resources
C. Project management
D. Attention to detail

A

C. Audits often involve resource management, deliverables, scheduling and deadlines that are similar to project management good practices.

25
Q
  1. Which of the following processes will be MOST effective in reducing the risk that unauthorized software on a backup server is distributed to the production server?
    A. Manually copy files to accomplish replication.
    B. Review changes in the software version control system.
    C. Ensure that developers do not have access to the backup server.
    D. Review the access control log of the backup server.
A

B. It is common practice for software changes to be tracked and controlled using version control software. An information systems (IS) auditor should review reports or logs from this system to identify the software that is promoted to production. Promoting only the approved versions recorded in the version control system prevents the transfer of development or earlier versions to production.

26
Q
  1. The final decision to include a material finding in an audit report should be made by the:
    A. audit committee.
    B. auditee’s manager.
    C. information systems (IS) auditor.
    D. chief executive officer.
A

C. The IS auditor should make the final decision about what to include or exclude from the audit report.

27
Q
  1. Which of the following tasks should be performed FIRST when preparing a disaster recovery plan (DRP)?
    A. Develop a recovery strategy.
    B. Perform a business impact analysis (BIA).
    C. Map software systems, hardware and network components.
    D. Appoint recovery teams with defined personnel, roles and hierarchy.
A

B. The first step in any disaster recovery plan (DRP) is to perform a BIA.

28
Q
  1. Which of the following should an information systems (IS) auditor recommend to BEST enforce alignment of an IT project portfolio with strategic organizational priorities?

A. Define a balanced scorecard (BSC) for measuring performance.
B. Consider user satisfaction in the key performance indicators (KPIs).
C. Select projects according to business benefits and risk.
D. Modify the yearly process of defining the project portfolio.

A

C. Prioritization of projects on the basis of their expected benefit(s) to business, and the related risk, is the best measure for achieving alignment of the project portfolio to an organization’s strategic priorities.

29
Q
  1. Which of the following is an implementation risk within the process of decision support systems (DSSs)?
    A. Management control
    B. Semi-structured dimensions
    C. Inability to specify purpose and usage patterns
    D. Changes in decision processes
A

C. The inability to specify purpose and usage patterns is a risk that developers need to anticipate while implementing a DSS.

30
Q
  1. An information systems (IS) auditor wants to analyze audit trails on critical servers to discover potential anomalies in user or system behavior. Which of the following is the MOST suitable for performing that task?

A. Computer-aided software engineering tools
B. Embedded data collection tools
C. Trend/variance detection tools
D. Heuristic scanning tools

A

C. Trend/variance detection tools look for anomalies in user or system behavior by comparing current activity with an established baseline, such as transaction volumes that depart from a user's historical pattern or invoice numbers that do not follow the expected sequence.
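
As an added example (not from the ISACA source), the core of a trend/variance check run over a constructed audit trail. The log format (YYYY-MM-DD user action), the users, the action name EXPORT_REPORT and the alerting threshold of three standard deviations are assumptions made for the example; each user's baseline is that user's own activity on every other observed day, so a single spike does not inflate the baseline it is judged against.

```python
"""Trend/variance detection over an audit trail.

Added example, not from the ISACA flashcard source. The audit trail is
constructed in a hypothetical 'YYYY-MM-DD user action' format. A user's
daily count of a sensitive action is compared with that user's own
baseline (all other observed days); counts more than Z_LIMIT standard
deviations above the baseline are reported."""
import statistics
from collections import defaultdict
from typing import Dict, List

Z_LIMIT = 3.0          # assumed alerting threshold in standard deviations
MIN_BASELINE_DAYS = 3  # need at least this many other days to judge a day


def build_constructed_trail() -> str:
    """Constructed sample: alice is steady then spikes on day 7, bob is
    constant, carol uses the action for the first time on day 5."""
    per_day = {"alice": [2, 2, 3, 2, 2, 3, 14],
               "bob": [1, 1, 1, 1, 1, 1, 1],
               "carol": [0, 0, 0, 0, 1, 0, 0]}
    lines = []
    for user, counts in per_day.items():
        for day, n in enumerate(counts, start=1):
            lines += [f"2024-03-{day:02d} {user} EXPORT_REPORT"] * n
    return "\n".join(sorted(lines))


def daily_counts(trail: str, action: str = "EXPORT_REPORT") -> Dict[str, Dict[str, int]]:
    """user -> date -> number of `action` events recorded on that date."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in trail.splitlines():
        if not line.strip():
            continue
        date, user, act = line.split()
        if act == action:
            counts[user][date] += 1
    return counts


def detect_variances(trail: str, z_limit: float = Z_LIMIT) -> List[dict]:
    """Report (user, date) pairs whose count departs from the user's leave-one-out baseline."""
    counts = daily_counts(trail)
    dates = sorted({d for per_user in counts.values() for d in per_user})
    findings = []
    for user, per_user in counts.items():
        for date in dates:
            x = per_user.get(date, 0)
            others = [per_user.get(d, 0) for d in dates if d != date]  # baseline excludes the day under test
            if len(others) < MIN_BASELINE_DAYS:
                continue
            mean = statistics.mean(others)
            sd = statistics.stdev(others)
            if sd == 0:
                # Flat baseline (e.g. never used before): any increase is a variance,
                # but no z-score is defined, so report it without one.
                flagged, z = x > mean, None
            else:
                z = (x - mean) / sd
                flagged = z > z_limit
            if flagged:
                findings.append({"user": user, "date": date, "count": x,
                                 "baseline_mean": mean, "z": z})
    return findings


if __name__ == "__main__":
    for finding in detect_variances(build_constructed_trail()):
        print(finding)
```

On the constructed data the check reports alice on 2024-03-07 (14 exports against a baseline of about 2.3) and carol on 2024-03-05 (first ever use of the action, flat zero baseline), and stays silent on bob's constant activity. The zero-variance branch matters in practice: the first use of a privileged function is exactly the event a reviewer wants to see, and a naive z-score would divide by zero there.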

31
Q
  1. When testing program change requests for a remote system, an information systems (IS) auditor finds that the number of changes available for sampling does not provide a reasonable level of assurance. What is the MOST appropriate action for the IS auditor to take?
    A. Develop an alternate testing procedure.
    B. Report the finding to management.
    C. Perform a walkthrough of the change management process.
    D. Create additional sample data to test additional changes.
A

A. If a sample-size objective cannot be met with the given data, the information systems (IS) auditor cannot provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.

32
Q
  1. On which of the following factors should an information systems (IS) auditor PRIMARILY focus when determining the appropriate level of protection for an information asset?
    A. Results of a risk assessment
    B. Relative value to the business
    C. Results of a vulnerability assessment
    D. Cost of security controls
A

A. The appropriate level of protection for an asset is determined based on the risk associated with the asset. The results of the risk assessment are, therefore, the primary information that the information systems (IS) auditor should review.

33
Q
  1. The cost of ongoing operations when a disaster recovery plan (DRP) is in place, compared to not having a DRP, will MOST likely:
    A. increase.
    B. decrease.
    C. remain the same.
    D. be unpredictable.
A

A. Because of the additional cost of testing, maintaining and implementing disaster recovery plan (DRP) measures, the cost of normal operations will increase after a DRP is implemented (i.e., the cost of operations during a nondisaster period is higher with a DRP in place than it was without one).

34
Q
  1. Which one of the following can be used to provide automated assurance that proper data files are being used during processing?

A. File header record
B. Version usage
C. Parity checking
D. File security controls

A

A. A file header record provides assurance that proper data files are being used, and it allows for automatic checking.

35
Q
  1. When reviewing system parameters, an information systems (IS) auditor's concern should be that:
    A. they are set to meet both security and performance requirements.
    B. changes are recorded in an audit trail and periodically reviewed.
    C. changes are authorized and supported by appropriate documents.
    D. access to parameters in the system is restricted.
A

A. The primary concern is to find the balance between security and performance. Recording changes in an audit trail and periodically reviewing them is a detective control; however, if the parameters themselves are not set according to business rules, monitoring changes to them is not an effective control.

36
Q
  1. Which of the following does an information systems (IS) auditor consider to be MOST important when evaluating an organization’s IT strategy? That it:

A. was approved by line management.
B. does not vary from the IT department’s preliminary budget.
C. complies with procurement procedures.
D. supports the business objectives of the organization.

A

D. Strategic planning sets corporate or department objectives into motion. Both long-term and short-term strategic plans should be consistent with the organization’s broader plans and its business objectives for attaining these goals.

37
Q
  1. During an assessment of software development practices, an information systems (IS) auditor finds that open-source software components were used in an application designed for a client. What is the GREATEST concern that the auditor has about the use of open-source software?

A. The client did not pay for the open-source software components.
B. The organization and client must comply with open-source software license terms.
C. Open-source software has security vulnerabilities.
D. Open-source software is unreliable for commercial use.

A

B. There are many types of open-source software licenses and each has different terms and conditions. Some open-source software licensing allows use of the open-source software component freely but requires that the completed software product must also allow the same rights. This is known as viral licensing, and if the development organization is not careful, its products can violate licensing terms by selling the product for profit. The information systems (IS) auditor should be most concerned with open-source software licensing compliance to avoid unintended intellectual property risk or legal consequences.

38
Q
  1. Which of the following reports should an information systems (IS) auditor use to check compliance with a service level agreement’s requirement for uptime?
    A. Utilization reports
    B. Hardware error reports
    C. System logs
    D. Availability reports
A

D. Information systems (IS) inactivity, such as downtime, is addressed by availability reports. These reports provide the time periods during which the computer was available for utilization by users or other processes.

39
Q
  1. The BEST overall quantitative measure of the performance of biometric control devices is:

A. false-rejection rate (FRR).
B. false-acceptance rate (FAR).
C. equal error rate (EER).
D. estimated-error rate.

A

C. The equal error rate (EER) is the error rate at the threshold setting where the false-rejection rate (FRR) and the false-acceptance rate (FAR) are equal; it is expressed as a percentage. Tightening the matching threshold lowers FAR but raises FRR, so neither rate on its own describes the device. A lower EER means the device is more accurate overall, which makes it the best single quantitative measure of a biometric control device.
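
As an added example (not from the ISACA source), how the EER is derived from a matcher's scores. The genuine and impostor match scores below are constructed for the example and a real evaluation would use thousands of trials; the threshold sweep and crossover search are the general method.

```python
"""Equal error rate (EER) of a biometric matcher from match scores.

Added example, not from the ISACA flashcard source. The genuine and
impostor score samples are constructed; a real evaluation uses thousands
of trials, but the threshold sweep below is the general method."""
from typing import List, Tuple

# Constructed match scores on a 0..1 scale; higher means a closer match.
# A verification device accepts a sample when its score >= the threshold.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.81, 0.79, 0.75, 0.70, 0.66, 0.60, 0.52]
IMPOSTOR_SCORES = [0.65, 0.58, 0.55, 0.50, 0.45, 0.42, 0.38, 0.30, 0.25, 0.20]


def far(threshold: float, impostors: List[float]) -> float:
    """False-acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostors if s >= threshold) / len(impostors)


def frr(threshold: float, genuines: List[float]) -> float:
    """False-rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuines if s < threshold) / len(genuines)


def error_curve(genuines: List[float], impostors: List[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold, lowest first.
    Raising the threshold lowers FAR and raises FRR; the EER is where they cross."""
    thresholds = sorted(set(genuines) | set(impostors))
    return [(t, far(t, impostors), frr(t, genuines)) for t in thresholds]


def equal_error_rate(genuines: List[float], impostors: List[float]) -> Tuple[float, float]:
    """Return (EER, threshold): the error rate at the threshold where FAR and
    FRR are equal (or closest, on a finite sample). The EER is a single rate,
    not a count of how often the two rates coincide."""
    t, a, r = min(error_curve(genuines, impostors), key=lambda row: abs(row[1] - row[2]))
    return (a + r) / 2, t


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}  FAR {a:.2f}  FRR {r:.2f}")
    eer, t = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {eer:.2%} at threshold {t:.2f}")
```

On the constructed scores the curves cross at a threshold of 0.60, where FAR and FRR are both 10%, so the EER is 10%. Two devices are compared by their EERs regardless of the thresholds at which each reaches it, which is why the EER, rather than FAR or FRR alone, is the overall measure.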

40
Q
  1. A legacy payroll application was migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?
    A. Information systems (IS) auditor
    B. Database administrator (DBA)
    C. Project manager
    D. Data owner
A

D. During the data conversion stage of a project, the data owner is primarily responsible for reviewing and signing off that the data are migrated completely and accurately and are valid.

41
Q
  1. Which of the following provides the GREATEST assurance for database password encryption?

A. Secure hash algorithm-256
B. Advanced encryption standard (AES)
C. Secure Shell (SSH)
D. Triple DES (3DES)

A

B. Advanced encryption standard (AES) is a current, NIST-approved symmetric cipher and is the strongest choice among the options for encrypting stored passwords. Secure hash algorithm-256 (SHA-256) is a hash function, not an encryption algorithm; Secure Shell (SSH) is a transport protocol that protects data in transit rather than data at rest; and Triple DES (3DES) has been deprecated by NIST. Note that passwords used to authenticate users are normally stored as salted, iterated hashes rather than reversibly encrypted; AES is appropriate where the secret must be recovered, such as a database account credential used by an application.
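
As an added example (not from the ISACA source), the distinction the answer depends on, using only the Python standard library: a bare SHA-256 digest of a user password is fast and unsalted, so equal passwords produce equal digests and precomputed tables apply, while a salted, iterated PBKDF2-HMAC-SHA256 record is what an auditor should expect to find for authentication passwords. The record layout and the iteration count (taken from current OWASP guidance) are assumptions for the example; reversible AES encryption of a service credential is a different case that this example does not cover.

```python
"""Password storage: unsalted SHA-256 versus salted, iterated PBKDF2.

Added example using only the standard library; not from the ISACA
flashcard source. The record format and iteration count are assumptions."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Iteration count assumed from current OWASP guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def weak_digest(password: str) -> str:
    """Bare SHA-256: fast and unsalted, so equal passwords give equal digests
    and precomputed tables apply. A hash, not encryption, and not acceptable
    for authentication secrets."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                   salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.
    A fresh random salt per password means equal passwords give different records."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    alg, iterations, salt_b64, dk_b64 = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = store_password("Winter2024!")
    print("weak  :", weak_digest("Winter2024!"))
    print("record:", record)
    print("verify:", verify_password("Winter2024!", record), verify_password("wrong", record))
```

Storing the iteration count in the record lets the parameter be raised later without invalidating existing records, and the constant-time comparison avoids leaking how many leading bytes of a guess were correct. When reviewing a database, an auditor should expect records of this shape (or a bcrypt/scrypt/Argon2 equivalent) for user passwords and reserve reversible encryption for credentials the application itself must present to another system.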

42
Q
  1. Which of the following must exist to ensure the viability of a duplicate information processing facility (IPF)?
    A. The site is near the primary site to ensure quick and efficient recovery.
    B. The site contains the most advanced hardware available.
    C. The workload of the primary site is monitored to ensure adequate backup is available.
    D. The hardware is tested when it is installed to ensure it is working properly.
A

C. Resource availability must be assured. The workload of the primary site must be monitored to ensure that availability at the alternate site for emergency backup use is sufficient.

43
Q
  1. Which of the following would be the BEST overall control for an Internet business looking for confidentiality, reliability and integrity of data?
    A. Transport Layer Security (TLS)
    B. Intrusion detection system (IDS)
    C. Public key infrastructure
    D. Virtual private network (VPN)
A

A. Transport Layer Security (TLS) is used for many ecommerce applications to set up a secure channel for communications that provides confidentiality through a combination of public key and symmetric key encryption and integrity through a hash-based message authentication code (HMAC) or an authenticated encryption mode.

44
Q
  1. While performing an audit of an accounting application’s internal data integrity controls, an information systems (IS) auditor identifies a major control deficiency in the change management software supporting the accounting application. The MOST appropriate action for the IS auditor to take is to:

A. continue to test the accounting application controls and inform the IT manager about the control deficiency and recommend possible solutions.
B. complete the audit and not report the control deficiency because it is not part of the audit scope.
C. continue to test the accounting application controls and include the deficiency in the final report.
D. cease all audit activity until the control deficiency is resolved.

A

C. It is the responsibility of the IS auditor to report on findings that can have a material impact on the effectiveness of controls, whether or not they are within the scope of the audit.

45
Q
  1. Which of the following groups would create the MOST concern to an information systems (IS) auditor if the group has full access to the production database?

A. Application developers
B. System administrators
C. Business users
D. Information security team

A

A. Application developers having access to the production environment bear the highest risk. Because they are focused on delivering changes, they tend to bypass quality assurance controls and install deficient changes into the production environment; direct production access also lets a developer alter application code or data without the separation of duties that change management is meant to enforce.

46
Q
  1. An organization has contracted with a vendor for a turnkey solution for its electronic toll collection system (ETCS). The vendor has provided its proprietary application software as part of the solution. The contract should require that:
    A. a backup server is available to run ETCS operations with up-to-date data.
    B. a backup server is loaded with all relevant software and data.
    C. the systems staff of the organization is trained to handle any event.
    D. source code of the ETCS application is placed in escrow.
A

D. Whenever proprietary application software is purchased, the contract should provide for a source code escrow agreement. This agreement ensures that the purchasing organization can modify the software if the vendor ceases to be in business.

47
Q
  1. An information systems (IS) auditor is developing an audit plan for an environment that includes new systems. Enterprise management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
    A. Audit the new systems as requested by management.
    B. Audit systems not included in last year’s scope.
    C. Determine the highest-risk systems and plan accordingly.
    D. Audit systems not in last year’s scope and the new systems.
A

C. The best action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. ISACA IS Audit and Assurance Standard 1201 (Risk Assessment in Planning), statement 1201.1: “The IT audit and assurance function shall use an appropriate risk assessment approach (i.e., data-driven with both quantitative and qualitative factors) and supporting methodology to develop the overall IT audit plan and to determine priorities for the effective allocation of IT audit resources.”

48
Q
  1. An enterprise has established a guest network for visitor access. Which of the following should be of GREATEST concern to an information systems (IS) auditor?
    A. A login screen is not displayed for guest users.
    B. The guest network is not segregated from the production network.
    C. Guest users who are logged in are not isolated from each other.
    D. A single-factor authentication technique is used to grant access.
A

B. The implication of this is that guests have access to the enterprise network. Allowing untrusted users to connect to the enterprise network can introduce malware and potentially allow these individuals inappropriate access to systems and information.

49
Q
  1. The BEST method for assessing the effectiveness of a business continuity plan (BCP) is to review the:

A. plans and compare them to appropriate standards.
B. results from previous tests.
C. emergency procedures and employee training.
D. offsite storage and environmental controls.

A

B. Previous test results provide evidence of the effectiveness of the BCP.

50
Q
  1. An information systems (IS) auditor reviewing the authentication controls of an enterprise should be MOST concerned if:
    A. user accounts are not locked out after five failed attempts.
    B. passwords can be reused by employees within a defined time frame.
    C. system administrators use shared login credentials.
    D. password expiration is not automated.
A

C. The use of shared login credentials makes accountability impossible. This is especially a risk with privileged accounts.

51
Q
  1. Which of the following is an advantage of prototyping?
    A. The finished system normally has strong internal controls.
    B. Prototype systems can provide significant time and cost savings.
    C. Change control is often less complicated with prototype systems.
    D. Prototyping ensures that functions or extras are not added to the intended system.
A

B. Prototype systems can provide significant time and cost savings through better user interaction and the ability to rapidly adapt to changing requirements; however, they also have several disadvantages, including loss of overall security focus, project oversight and implementation of a prototype that is not yet ready for production.

52
Q
  1. When reviewing a hardware maintenance program, an information systems (IS) auditor should assess whether:
    A. the schedule of all unplanned maintenance is maintained.
    B. it is in line with historical trends.
    C. it has been approved by the IS steering committee.
    D. the program is validated against vendor specifications.
A

D. Although maintenance requirements vary based on complexity and performance workloads, a hardware maintenance schedule should be validated against the vendor-provided specifications.

53
Q
  1. Which of the following sampling methods is MOST useful when testing for compliance?

A. Attribute sampling
B. Variable sampling
C. Stratified mean-per-unit sampling
D. Difference estimation sampling

A

A. Attribute sampling is the primary sampling method used for compliance testing. Attribute sampling is a sampling model that is used to estimate the rate of occurrence of a specific quality (attribute) in a population and is used in compliance testing to confirm whether the quality exists. For example, an attribute sample may check all transactions over a certain predefined dollar amount for proper approvals.

54
Q
  1. When reviewing the desktop software compliance of an organization, the information systems (IS) auditor should be MOST concerned if the installed software:
    A. is installed, but not documented in the IT department records.
    B. is being used by users not properly trained in its use.
    C. is not listed in the approved software standards document.
    D. has a license that will expire in the next 15 days.
A

C. Installing software not allowed by policy is a serious violation and can put the organization at security, legal and financial risk. Any software that is allowed should be part of a standard software list. This is the first thing to review because this would also indicate compliance with policies.

55
Q
  1. To address an organization’s disaster recovery requirements, backup intervals should not exceed the:
    A. service level objective.
    B. recovery time objective (RTO).
    C. recovery point objective (RPO).
    D. maximum acceptable outage (MAO).
A

D. The maximum acceptable outage (MAO) is the maximum amount of system downtime that is tolerable. It can be used as a synonym for maximum tolerable period of disruption or maximum allowable downtime. However, the RTO denotes an objective/target, while the MAO constitutes a vital necessity for an organization’s survival.

56
Q
  1. What is the PRIMARY reason for an information systems (IS) auditor to exercise due professional care?
    A. To get reasonable assurance that IS controls are well-designed and effective
    B. To eliminate inherent, control and detection risk associated with IS audit
    C. To detect errors, misstatements or fraudulent transactions in IS and report them
    D. To make sure that evidence collected during the IS audit is appropriate and sufficient
A

A. Exercising due professional care helps the information systems (IS) auditor to get reasonable, but not absolute, assurance that audit risk is reduced and that the evidence collected about the design and effectiveness of IS controls is appropriate and sufficient.

57
Q
  1. An organization sells books and music online on its secure website. Transactions are transferred to the accounting and delivery systems every hour to be processed. Which of the following controls BEST ensures that sales processed on the secure website are transferred to both systems?

A. Transaction totals are recorded daily in the sales systems. Daily sales system totals are aggregated and totaled.
B. Transactions are automatically numerically sequenced. Sequences are checked and gaps in continuity are accounted for.
C. Processing systems check for duplicated transaction numbers. If a transaction number is duplicated (already present), it is rejected.
D. System time is synchronized hourly using a centralized time server. All transactions have a date/time stamp.

A

B. Automatic numerical sequencing is the only option that accounts for completeness of transactions because any missing transactions are identified by a gap.

58
Q
  1. When an employee is terminated from service, the MOST important action is to:
    A. hand over all of the employee’s files to another designated employee.
    B. complete a backup of the employee’s work.
    C. notify other employees of the termination.
    D. disable the employee’s logical access.
A

D. There is a probability that a terminated employee may misuse access rights; therefore, disabling the terminated employee’s logical access is the most important and immediate action to take.

59
Q
  1. While evaluating software development practices in an organization, an information systems (IS) auditor notes that the quality assurance (QA) function reports to project management. The MOST important concern for an IS auditor is the:
    A. effectiveness of the QA function because it should interact between project management and user management.
    B. efficiency of the QA function because it should interact with the project implementation team.
    C. effectiveness of the project manager because the project manager should interact with the QA function.
    D. efficiency of the project manager because the QA function needs to communicate with the project implementation team.
A

A. To be effective, the quality assurance (QA) function should be independent of project management. If it is not, project management may put pressure on the QA function to approve an inadequate product.

60
Q
  1. What BEST describes the risk that information collected may contain a material error that may go undetected during information systems (IS) auditing?
    A. Inherent risk
    B. Audit risk
    C. Control risk
    D. Detection risk
A

B. Audit risk is the probability that information or financial reports may contain material errors and that the auditor may not detect an error that has occurred.

61
Q
  1. An offsite information processing facility (IPF) with electrical wiring, air conditioning and flooring, but no computer or communications equipment, is a:

A. cold site.
B. warm site.
C. dial-up site.
D. duplicate processing facility.

A

A. A cold site is ready to receive equipment but does not offer any components at the site in advance of the need.

62
Q
  1. The Transport Layer Security (TLS) protocol ensures the confidentiality of data and messages by using:
    A. symmetric encryption.
    B. message authentication codes.
    C. hash functions.
    D. digital signature certificates.
A

A. Transport Layer Security (TLS) uses a symmetric key for data and message encryption and an asymmetric key for establishing the session.

63
Q
  1. Change control for business application systems being developed using prototyping can be complicated by the:

A. iterative nature of prototyping.
B. rapid pace of modifications in requirements and design.
C. emphasis on reports and screens.
D. lack of integrated tools.

A

B. Changes in requirements and design happen so quickly that they are seldom documented or approved.

64
Q
  1. During an information systems (IS) audit of the disaster recovery plan of a global enterprise, the auditor observes that some remote offices have very limited local IT resources. Which of the following observations is the MOST critical for the IS auditor?
    A. A test has not been made to ensure that local resources can maintain security and service standards when recovering from a disaster or incident.
    B. The corporate business continuity plan (BCP) plan does not accurately document the systems that exist at remote offices.
    C. Corporate security measures have not been incorporated into the test plan.
    D. A test has not been made to ensure that backups from the remote offices are usable.
A

A. Regardless of the capability of local IT resources, the most critical risk is the lack of testing that would identify quality issues in the recovery process.

65
Q
  1. When reviewing an enterprise’s logical access security to its remote systems, which of the following would be of GREATEST concern to an information systems (IS) auditor?
    A. Passwords are shared.
    B. Unencrypted passwords are used.
    C. Redundant logon IDs exist.
    D. Third-party users possess administrator access.
A

B. When evaluating the technical aspects of logical security, unencrypted passwords represent the greatest risk because it is assumed that remote access is over an untrusted network where passwords can be discovered.

66
Q
  1. Which of the following BEST provides assurance of the integrity of new staff?
    A. Background screening
    B. References
    C. Bonding
    D. Qualifications listed on a resume
A

A. A background screening is the primary method for assuring the integrity of a prospective staff member. This may include criminal history checks, driver’s license abstracts, financial status checks, verification of education, etc.

67
Q
  1. A database administrator (DBA) who needs to make emergency changes to a database after normal working hours should log in:

A. with their named account to make the changes.
B. with the shared DBA account to make the changes.
C. to the server administrative account to make the changes.
D. to the user’s account to make the changes.

A

A. Logging in using the named user account before using the database administrator (DBA) account provides accountability by noting the person making the changes.

68
Q
  1. During an information systems (IS) risk assessment of a health care organization regarding protected health information (PHI), an IS auditor interviews IS management. Which of the following findings from the interviews would be of MOST concern to the IS auditor?
    A. The organization does not encrypt all of its outgoing email messages.
    B. Staff have to type “[PHI]” in the subject field of email messages to be encrypted.
    C. An individual’s computer screen saver function is disabled.
    D. Server configuration requires the user to change the password annually.
A

B. There will always be human-error risk that staff members forget to type certain words in the subject field. The organization should have automated encryption set up for outgoing email for employees working with protected health information (PHI) to protect sensitive information.

69
Q
  1. When developing a security architecture, which of the following steps should be executed FIRST?

A. Developing security procedures
B. Defining a security policy
C. Specifying an access control methodology
D. Defining roles and responsibilities

A

B. Defining a security policy for information and related technology is the first step toward building a security architecture. A security policy communicates a coherent security standard to users, management and technical staff. Security policies often set the stage in terms of the tools and procedures that are needed for an organization.

70
Q
  1. What is the MAJOR benefit of conducting a control self-assessment (CSA) over a traditional audit?
    A. It detects risk sooner.
    B. It replaces the internal audit function.
    C. It reduces the audit workload.
    D. It reduces audit resource requirements.
A

A. Control self-assessments (CSAs) require employees to assess the control stature of their own function. CSA helps to increase the understanding of business risk and internal controls. Because they are conducted more frequently than audits, CSA helps to identify risk in a timelier manner.

71
Q
  1. An information systems (IS) auditor reviewing wireless network security determines that the Dynamic Host Configuration Protocol is disabled at all wireless access points. This practice:

A. reduces the risk of unauthorized access to the network.
B. is not suitable for small networks.
C. automatically provides an Internet Protocol (IP) address to anyone.
D. increases the risk associated with Wireless Encryption Protocol.

A

A. Dynamic Host Configuration Protocol (DHCP) automatically assigns Internet Protocol (IP) addresses to anyone connecting to the network. With DHCP disabled, static IP addresses must be used, and this requires either administrator support or a higher level of technical skill to attach to the network and gain Internet access.

72
Q
  1. Value delivery from IT to the business is MOST effectively achieved by:
    A. aligning the IT strategy with the enterprise strategy.
    B. embedding accountability in the enterprise.
    C. providing a positive return on investment.
    D. establishing an enterprisewide risk management process.
A

A. IT’s value delivery to the business is driven by aligning IT with the enterprise’s strategy.

73
Q
  1. Which of the following is MOST indicative of the effectiveness of an information security awareness program?

A. Employees report more information regarding security incidents.
B. All employees have signed the information security policy.
C. Most employees have attended an awareness session.
D. Information security responsibilities have been included in job descriptions.

A

A. Although the promotion of security awareness is a preventive control, it can also be a detective measure because it encourages people to identify and report possible security violations. The reporting of incidents implies that employees are acting because of the awareness program.

74
Q
  1. An information systems (IS) auditor performing a review of application controls evaluates the:
    A. efficiency of the application in meeting the business processes.
    B. impact of any exposures discovered.
    C. business processes served by the application.
    D. application optimization.
A

B. An application control review involves the evaluation of the application automated controls and an assessment of any exposures resulting from the control weaknesses.

75
Q
  1. The PRIMARY goal of a website certificate is:

A. authentication of the website that will be surfed.
B. authentication of the user who surfs through that site.
C. preventing surfing of the website by hackers.
D. the same purpose as that of a digital certificate.

A

A. Authenticating the site to be surfed is the primary goal of a web certificate.