CISA Certified Information Systems Auditor Exam V31.65

Questions and Answers

PDF Questions PDF Answers

During a disaster recovery audit, an IS auditor finds that a business impact analysis (BIA) has not been performed. The auditor should FIRST:

Conduct additional compliance testing.

Issue an intermediate report to management.

Evaluate the impact on current disaster recovery capability. (correct)

Perform a business impact analysis (BIA).

An organization's security policy mandates that all new employees must receive appropriate security awareness training. Which of the following metrics would BEST assure compliance with this policy?

Number of new hires who have violated enterprise security policies.

Percentage of new hires that have completed the training. (correct)

Number of reported incidents by new hires.

Percentage of new hires who report incidents.

Which of the following is the BEST data integrity check?

Preparing and running test data

Tracing data back to the point of origin (correct)

Performing a sequence check

Counting the transactions processed per day

An IS auditor is reviewing an organization's information asset management process. Which of the following would be of GREATEST concern to the auditor?

Process ownership has not been established.

An IS auditor will be testing accounts payable controls by performing data analytics on the entire population of transactions. Which of the following is MOST important for the auditor to confirm when sourcing the population data?

The data is taken directly from the system.

Which of the following is the BEST recommendation to prevent fraudulent electronic funds transfers by accounts payable employees?

Dual control

When determining whether a project in the design phase will meet organizational objectives, what is BEST to compare against the business case?

Requirements analysis

During a new system implementation, an IS auditor has been assigned to review risk management at each milestone. Who should be accountable for managing these risks?

Project manager

Management has requested a post-implementation review of a newly implemented purchasing package to determine to what extent business requirements are being met. Which of the following is MOST likely to be assessed?

Results of line processing

During the design phase of a software development project, the PRIMARY responsibility of an IS auditor is to evaluate the:

Controls incorporated into the system specifications.

Which of the following is MOST important to include in forensic data collection and preservation procedures?

Preserving data integrity

A system development project is experiencing delays due to ongoing staff shortages. Which of the following strategies would provide the GREATEST assurance of system quality at implementation?

Deliver only the core functionality on the initial target date.

Malicious program code was found in an application and corrected prior to release into production. After the release, the same issue was reported. Which of the following is the IS auditor's BEST recommendation?

Ensure programmers cannot access code after the completion of program edits.

An IS auditor has found that an organization is unable to add new servers on demand in a cost-efficient manner. Which of the following is the auditor's BEST recommendation?

Build a virtual environment.

Prior to a follow-up engagement, an IS auditor learns that management has decided to accept a level of residual risk related to an audit finding without remediation. What should be the IS auditor's NEXT course of action?

Report the issue to IS audit management.

A system administrator recently informed the IS auditor about the occurrence of several unsuccessful intrusion attempts from outside the organization. Which of the following is MOST effective in detecting such an intrusion?

Periodically reviewing log files

What should be the PRIMARY basis for selecting which IS audits to perform in the coming year?

Organizational risk assessment

Which of the following is the MOST important reason to implement version control for an end-user computing (EUC) application?

To ensure that only the latest approved version of the application is used

Which of the following would BEST determine whether a post-implementation review (PIR) performed by the project management office (PMO) was effective?

Project outcomes have been realized.

Which of the following documents would be MOST useful in detecting a weakness in segregation of duties?

Process flowchart

The IS auditor's independence would be most likely impaired if they implemented a specific control during the development of an application system. What option does this relate to?

Implemented a control

Which of the following tests would provide the BEST assurance that a health care organization is handling patient data appropriately?

Compliance with local laws and regulations

Which audit approach is MOST helpful in optimizing the use of IS audit resources?

Risk-based auditing

Coding standards provide which of the following?

Field naming conventions

Which of the following would be the BEST way to prevent accepting bad data from a third-party service provider?

Implement business rules to reject invalid data

When auditing the security architecture of an online application, an IS auditor should FIRST review the:

Location of the firewall within the network

What is the BEST control to address SQL injection vulnerabilities?

Input validation

Which of the following is the BEST way to address segregation of duties issues in an organization with budget constraints?

Implement compensating controls

Which of the following should be done FIRST when planning a penetration test?

Obtain management consent for the testing

An IS auditor suspects an organization's computer may have been used to commit a crime. What should the auditor's BEST course of action be?

Contact the incident response team to conduct an investigation

Which of the following is the MOST effective way to maintain network integrity when using mobile devices?

Implement network access control

The decision to accept an IT control risk related to data quality should be the responsibility of the:

Business owner

Which of the following is MOST useful for determining whether the goals of IT are aligned with the organization's goals?

Balanced scorecard

An IS auditor finds that a key Internet-facing system is vulnerable to attack and that patches are not available. What should the auditor recommend be done FIRST?

Evaluate the associated risk

Which of the following is the BEST way to mitigate the impact of ransomware attacks?

Backing up data frequently

An IS auditor is evaluating an organization's IT strategy and plans. Which of the following would be of GREATEST concern?

IT is not engaged in business strategic planning

During the implementation of an upgraded enterprise resource planning (ERP) system, which of the following is the MOST important consideration for a go-live decision?

Business case

IS management has recently disabled certain referential integrity controls in the database management system (DBMS) software. Which of the following controls will MOST effectively compensate for the lack of referential integrity?

Periodic table link checks

An organization has outsourced its data processing function to a service provider. Which of the following would BEST determine whether the service provider continues to meet the organization's objectives?

Review of performance against service level agreements (SLAs)

Secure code reviews as part of a continuous deployment program are which type of control?

Preventive

Which of the following is the BEST method to safeguard data on an organization's laptop computers?

Full disk encryption

Which of the following is the BEST compensating control when segregation of duties is lacking in a small IS department?

Transaction log review

An IS audit reveals that an organization is not proactively addressing known vulnerabilities. Which of the following should the IS auditor recommend the organization do FIRST?

Assess the security risks to the business

The PRIMARY advantage of object-oriented technology is enhanced:

Efficiency due to the re-use of elements of logic

Study Notes

CISA Exam Overview

• Certified Information Systems Auditor (CISA) is governed by ISACA.
• The process focuses on evaluating an organization's IT governance, risk management, and compliance.

Business Impact Analysis (BIA)

• BIA identifies potential effects of disruptions on critical business functions.
• Evaluating current disaster recovery capability is crucial if a BIA has not been performed.

Security Awareness Training Compliance

• The percentage of new hires completing training is the best metric for compliance with training policies.
• Other metrics, while informative, do not directly measure training effectiveness.

Data Integrity Checks

• The most effective data integrity check is tracing data back to its origin, ensuring accuracy and consistency.
• Other checks like counting transactions or sequence checks are less direct and do not fully verify data integrity.

Information Asset Management

• Lack of process ownership is a major concern in information asset management, indicating accountability issues.
• Specifying asset locations, conducting reviews, and identifying asset value are important but secondary to ownership.

Accounts Payable Controls

• Data must be sourced directly from the system to ensure authenticity and accuracy when performing data analytics.
• Other factors, like timeliness or privacy, are less critical than data authenticity.

Prevention of Fraudulent Transactions

• Implementing dual control for significant transactions helps prevent fraud by requiring independent authorization.
• Other methods like vendor reviews or independent reconciliation are less effective at preventing fraud.

Project Design Phase Responsibilities

• Comparing requirements analysis against the business case is essential to ensure alignment with organizational objectives.
• This analysis evaluates whether project specifications meet the defined business needs.

Risk Management Accountability

• The project manager is responsible for managing risks to project benefits and ensuring project success.
• Other roles, like enterprise risk managers or sponsors, have different focuses and are not directly responsible for project-specific risks.

Post-Implementation Review

• Evaluating results of line processing is critical in assessing if business requirements are met by new systems after implementation.

Controls in Software Development

• An IS auditor's primary responsibility during the design phase is to assess controls within system specifications to ensure compliance with standards.

Forensic Data Collection and Preservation

• Preserving data integrity is crucial in forensic procedures, ensuring data remains accurate and reliable as evidence.
• While physical security and chain of custody are important, they do not directly ensure data integrity.

Handling Project Delays

• Delivering only core functionality on the target date assures quality and meets user needs, minimizing scope creep.
• Quick fixes like overtime or new tools may compromise quality if rushed.

Addressing Recurring Code Issues

• Ensuring programmers cannot access code post-editing prevents unauthorized changes and protects application integrity.
• Compiling code on dedicated servers or independent reviews are less direct solutions to correcting issues.### Code Access Control
• Restricting access to code post-editing ensures only authorized and tested code is deployed, preventing tampering and recurring issues.
• Best practices for controlling access are essential to maintain code integrity and security.

Virtual Environment Implementation

• To efficiently add new servers on demand, building a virtual environment is recommended.
• Virtualization minimizes hardware needs, maintenance, and power consumption, addressing cost-efficiency concerns.

IS Auditor's Response to Risk Acceptance

• If management accepts residual risk from an audit finding, the IS auditor should report this to IS audit management for proper handling.
• Directly reporting to the board or executive management is premature without consulting audit management first.

Intrusion Detection

• Periodically reviewing log files is the most effective method to detect intrusion attempts.
• Preventive controls like firewalls and biometrics do not inherently detect intrusions; they are focused on prevention.

Audit Selection Basis

• An organizational risk assessment should be the primary basis for selecting which IS audits to perform annually.
• Other factors like management requests and previous audit findings are secondary and should refine the audit plan.

Version Control Importance

• Ensuring only the latest approved version of an application is used mitigates risks of errors and unauthorized modifications.
• Version control also facilitates tracking of changes and reverting to earlier versions when necessary.

Effectiveness of Post-Implementation Review (PIR)

• The primary indicator of a PIR's effectiveness is whether project outcomes, such as improved efficiency or revenue, have been realized.
• Other measures, like management approval and lessons learned, do not reflect the effectiveness in achieving project goals.

Segregation of Duties Detection

• A process flowchart is crucial in identifying weaknesses in segregation of duties by illustrating roles and actions within processes.
• Other diagram types, such as system flowcharts or data flow diagrams, do not effectively highlight role conflicts.

IPsec Architecture Communication

• In IPsec architecture, application delivery servers communicate through Transport Layer Security (TLS) for data encryption and authentication.
• IPsec functions at the network layer, while TLS secures transport layer communications.

Reducing Data Leakage Risks

• Providing education and guidelines on social networking use is the most effective way to reduce data leakage risks.
• Employees must understand the benefits and risks associated with social media to navigate potential data leaks successfully.

Social Engineering Attacks

• Revealing sensitive information over the phone due to manipulation exemplifies a social engineering attack.
• Techniques like phishing and pretexting exploit human trust, making them effective strategies for attackers.

Production Access Control

• In small IT companies, removing developers' write access to production is crucial to prevent unauthorized changes and maintain system integrity.
• Continuous monitoring and user access reviews do not address the fundamental issue of production access.

Disaster Recovery Agreements

• The allocation of resources during an emergency is the primary concern in auditing reciprocal disaster recovery agreements.
• Clear definitions of roles, responsibilities, and requirements are essential for effective recovery.

Intrusion Detection System Placement

• Positioning an intrusion detection system (IDS) between the firewall and the Internet enhances security by providing an additional detection layer for attacks.
• This setup catches malicious traffic that may bypass the firewall.

Prioritizing Audit Reviews

• When transaction processing times increase significantly post-release, reviewing stress testing results should be the auditor's first action.
• This examination helps identify performance issues related to recent changes or upgrades.### Stress Testing
• Evaluates system performance under extreme conditions (high volume, load, concurrency).
• Identifies bottlenecks, limitations, and errors in transaction processing systems after major releases.
• Helps explain increased transaction processing times.

Information Security Policies

• Should primarily be based on a risk management process.
• Aligns policies with an organization’s risk appetite and business objectives.
• Frameworks, past incidents, and best practices are supportive but not foundational for the policies.

Top-Down Maturity Model

• Focuses on assessing and improving the maturity level of processes.
• Identifies processes with the most improvement opportunities as a key outcome.

Network Vulnerability Assessment

• Completeness of network asset inventory is crucial for identifying weaknesses and risks.
• An accurate inventory informs on critical assets, attack vectors, and security gaps.

Audit Noncompliance

• Upon observing noncompliance with operational procedures, determining the reasons for noncompliance is the next step.

Malware Risk Mitigation in Instant Messaging

• Allowing only corporate IM solutions effectively mitigates malware risks.
• Corporate solutions enforce security standards, making them more secure than unauthorized applications.

System Criticality Determination

• Maximum Allowable Downtime (MAD) is the primary factor determining system criticality.
• MAD reflects the business impact and recovery priorities for system operations.

Parallel Processing Advantages

• Provides assurance that a new system meets performance requirements while running alongside the old system.
• Minimizes risks of failure and data loss during implementation.

Black Box Penetration Testing Planning

• Determining the environment and penetration test scope is crucial.
• Clear definitions prevent unintended damage and ensure compliance with standards.

Network Monitoring Control Evaluation

• Review of network topology diagrams is vital for design and configuration assessment of security controls.
• Diagrams highlight connections and security measures protecting the network.

IT Framework Implementation

• Involving appropriate business representation is key to successful framework implementation.
• Business input helps align the framework with operational realities.

Log Management and Intrusion Detection

• Fine-tuning the IDS is recommended to reduce false positive alerts in log management systems.
• Adjusting sensitivity improves accuracy without simply increasing monitoring efforts.

Disaster Recovery Plan Test Evaluation

• Analyzing whether predetermined test objectives were met determines the success of a disaster recovery plan test.
• Objectives should address recovery time, critical functions, and procedures.

Audit Trail for Server Start-Up Procedures

• Audit trails should include evidence of operator overrides during server start-up.
• Operator actions can signify unauthorized changes affecting system security and performance.

Follow-Up Activities in Audits

• Evaluating if alternative controls effectively mitigate risks is critical when management's actions differ from initial discussions.
• Alternatives may still meet the original intentions of the controls.

Business Continuity Plan (BCP)

• Documentation of workaround processes is essential to keep business functions operational during IT recovery.
• Workarounds minimize disruption impacts, ensuring continuity for customers and stakeholders.

Description

Practice questions for the CISA exam, covering topics such as disaster recovery and business impact analysis. Prepare for your ISACA certification with these quiz questions.