Certified Information Systems Auditor (CISA) Cert Guide 109 Questions with Verified Answers
Which of the following best describes a baseline document?
a. A PCI industry standard requiring a 15-minute session timeout
b. Installation step recommendations from the vendor for an Active Directory server
c. A network topography diagram of the Active Directory forest
d. Security configuration settings for an Active Directory server - CORRECT ANSWER D. A baseline is correct because it is a platform-specific rule related to the security configuration for an Active Directory server. Answers A, B, and C are not platform specific.
Which of the following best describes integrated auditing?
a. Integrated auditing places internal control in the hands of management and reduces the time between the audit and the time of reporting.
b. Integrated auditing combines the operational audit function, the financial audit function, and the IS audit function.
c. Integrated auditing combines the operational audit function and the IS audit function.
d. Integrated auditing combines the financial audit function and the IS audit function - CORRECT ANSWER B. Integrated auditing is a methodology that combines the operational audit function, the financial audit function, and the IS audit function. Therefore, Answers C and D are incorrect because they do not list all three types of functions to be integrated. Answer A is incorrect because it describes control self-assessment (CSA), which is used to verify the reliability of internal controls and places internal controls in the hands of management.
Which storage of evidence would best preserve the chain of custody of evidence obtained during an audit?
a. Locked department safe behind card access doors
b. Offsite location, such as home, out of reach by anyone at work
c. Archival at a third-party offsite facility
d. Locked cabinet on the department floor with only one key, in the possession of the auditor - CORRECT ANSWER D. The best choice would be a locked cabinet on the department floor with only one key, in the possession of the auditor. With only one key in the auditor's possession, there is clear accountability, and access is limited to one person. Answer A is incorrect because multiple individuals may still have access to the safe. Answer B is incorrect because it would call into question the security of the home and the ability to restrict access to family members. Answer C is incorrect because third-party access cannot be verified in a third-party site, given the way the facts were presented.
Which of the following best describes risk that can be caused by the failure of internal controls and can result in a material error?
a. Residual risk
b. Inherent risk
c. Detection risk
d. Control risk - CORRECT ANSWER D. A control risk is risk caused by failure of internal controls; it can result in a material error. Answer A is incorrect because residual risk is the amount of risk the organization is willing to accept. Answer B is incorrect because inherent risk is the risk that can occur because of the lack of compensating controls. Combined, inherent risks can create a material risk. Answer C is incorrect because detection risk is the risk that an auditor does not design tests in such a way as to detect a material risk.
Which of the following is not one of the best techniques for gathering evidence during an audit?
a. Attend board meetings
b. Examine and review actual procedures and processes
c. Verify employee security awareness training and knowledge
d. Examine reporting relationships to verify segregation of duties - CORRECT ANSWER A. Attending board meetings is not one of the best ways to gather evidence during an audit. The best ways to gather evidence include observing employee activity, examining and reviewing procedures and processes, verifying employee security awareness training and knowledge, and examining reporting relationships to verify segregation of duties.
Which of the following is not an advantage of control self-assessment (CSA)?
a. CSA helps provide early detection of risks.
b. CSA is an audit function replacement.
c. CSA reduces control costs.
d. CSA provides increased levels of assurance. - CORRECT ANSWER B. CSA is not an audit function replacement. Answers A, C, and D are all advantages of CSA.
If an auditor cannot obtain the material needed to complete an audit, what type of opinion should the auditor issue?
a. Unqualified opinion
b. Qualified opinion
c. Adverse opinion
d. Disclaimer - CORRECT ANSWER D. A disclaimer is used when an auditor cannot obtain appropriate evidence to base an opinion.
Which of the following is the best example of general control procedures?
a. Internal accounting controls used to safeguard financial records
b. Business continuity and disaster-recovery procedures that provide reasonable assurance that the organization is secure against disasters
c. Procedures that provide reasonable assurance for the control of access to data and programs
d. Procedures that provide reasonable assurance and have been developed to control and manage data-processing operations - CORRECT ANSWER A. Internal accounting controls used to safeguard financial records are an example of a general control procedure. Answers B, C, and D all describe information system control procedures.
Which of the following describes a significant level of risk that the organization is unwilling to accept?
a. Detection risk
b. Material risk
c. Business risk
d. Irregularities - CORRECT ANSWER B. The word material describes a significant level of risk that the organization is unwilling to accept. Answers A, C, and D do not define the term.
Which of the following is the most accurate description of a substantive test in which the data represents fake entities such as products, items, or departments?
a. Parallel tests
b. Integrated test facility
c. Embedded audit module
d. Test data - CORRECT ANSWER B. An integrated test facility is a type of substantive test that uses data represented by fake entities, such as products, items, or departments. Answer A is incorrect because a parallel test compares real results to those generated by the auditor to compare the control function. Answer C is incorrect because embedded audit modules identify and report specific transactions or other information, based on predetermined criteria. Answer D is incorrect because test data uses theoretical transactions to validate program logic and control mechanisms.
You need to review an organization's balance sheet for material transactions. Which of the following would be the best sampling technique?
a. Attribute sampling
b. Frequency estimating sampling
c. Stop-and-go sampling
d. Variable sampling - CORRECT ANSWER D. Variable sampling would be the best sampling technique to review an organization's balance sheet for material transactions. It is also known as dollar estimation. Answer A is incorrect because attribute sampling is used to determine the rate of occurrence. Answer B is incorrect because frequency sampling is another name for attribute sampling; both terms describe the same sampling technique. Answer C is incorrect because stop-and-go sampling is used when an auditor believes that only a few errors will be found in a population.
Which of the following best describes types of questions that might be on the CISA exam related to how to implement specific risk types discussed in this chapter?
a. Task statements
b. Operational audits
c. Knowledge statements
d. Integrated audits - CORRECT ANSWER A. Task statements describe how to apply knowledge statements. Answers B and D are types of audits, not domain question types. Answer C is incorrect because knowledge statement questions cover the facts you are expected to know.
Which of the following is not a benefit of CSA?
a. Provides early detection of risks
b. Reduces potential audit costs
c. Increases employee awareness of internal controls
d. Can be used to avoid a regulator audit - CORRECT ANSWER D. Regulatory audits are not impacted by a CSA program. Answers A, B, and C are all potential benefits of CSA.
Which of the following should have priority on the planning and scoping of an IS audit?
a. Company standards
b. Organization's master plan
c. Regulatory requirements
d. Industry best practices - CORRECT ANSWER C. Regulatory requirements are not optional and must be given priority due to the impact on the organization. Answers A, B, and D are important, but unlike regulatory mandates, they are under the control of the organization in terms of timing and scope of implementation.
Which of the following is a control document that describes a software improvement process characterized by five levels, where each level describes a higher level of maturity?
a. ISO 17799
b. CMM
c. COSO
d. COBIT - CORRECT ANSWER B. The capability maturity model (CMM) specifies five levels of control for software maturity. Answer A is incorrect because ISO 17799 is a comprehensive set of controls designed to gauge best practices in information security. Answer C is incorrect because COSO was designed to help prevent and detect fraud in financial reports. Answer D is incorrect because COBIT was designed to aid in the development of good IT processes and policies.
Which of the following roles is a role whose duties should not be fulfilled by a network administrator?
a. Quality assurance
b. Systems administrator
c. Application programmer
d. Systems analyst - CORRECT ANSWER C. A network administrator should not have programming responsibilities. Answers A, B, and D are all duties that an administrator can hold, and a network administrator might have end-user responsibilities, aid in the system administration, and help in the early phases of design.
You are auditing a credit card payment system. The best assurance that information is entered correctly is by using which of the following?
a. Audit trails
b. Separation of data entry and computer operator duties
c. Key verification
d. Supervisory review - CORRECT ANSWER C. Key verification would provide the highest level of confidence. Answer A is incorrect because audit trails would provide details of the entered activities but would not improve accuracy. Answer B is incorrect because separating job roles would be an additional control but would not add any accuracy to the information that was entered incorrectly. Answer D is incorrect because the supervisory review is a detective and compensating control but is not the best answer.
You are reviewing unfamiliar malware event records. Which of the following would be the best source of information to start your review about the file?
a. Trending charts based on the event records
b. Metadata information
c. Security access information
d. Executive summary on malware event - CORRECT ANSWER B. Any time you are inspecting unfamiliar records, you need to understand what type of data is stored. Metadata describes the type of data. Answers A and D are not the best answers because they primarily provide insights but only after you understand the type of data contained in the records. Answer C is incorrect because while it allows you to understand who can access the information, it does not help to understand the data.
Look at the following common policy characteristics. The attribute most closely associated with a bottom-up policy development is that it __________.
a. aligns policy with strategy
b. is a very slow process
c. does not address concerns of employees
d. involves risk assessment - CORRECT ANSWER D. Bottom-up policy development addresses the concerns of operational employees because it starts with their input and concerns and examines risk. Answers A, B, and C are incorrect because all these items are tied to top-down policy development. A top-down approach aligns with company policy, is a slow process, and might not fully address the concerns of employees.
Which of the following best describes a balanced scorecard?
a. Used for benchmarking a preferred level of service
b. Used to measure the effectiveness of IT services by customers and clients
c. Used to verify that the organization's strategy and IT services match
d. Used to measure the evaluation of help desk employees - CORRECT ANSWER C. A balanced scorecard is used to match the organization's information technology to the strategy of the organization. Answer A is incorrect because it is not used for benchmarking, Answer B is incorrect because it is not used to measure effectiveness, and Answer D is incorrect because it is not used to evaluate help desk employees.
Your organization is considering using a new ISP for time-sensitive transactions. From an audit perspective, what would be the most important item to review?
a. The service level agreement
b. The physical security of the ISP site
c. References from other clients of the ISP
d. Background checks of the ISP's employees - CORRECT ANSWER A. Any time an outsourcing provider will provide a time-sensitive process, such as ISP services, an SLA can be used to obtain a guarantee of the level of service the outsourcing partner is agreeing to provide. The SLA should specify the uptime, response time, and maximum outage time they are agreeing to. Answer B is incorrect because although physical security is important, it is not the most important in this case. Answers C and D are incorrect because neither would serve as an adequate measure for an independent evaluation of the ISP's service capability.
Separation of duties is one way to limit fraud and misuse. Consider the following explanation: "This control allows employees access to cash or valuables." Of the four separation of duties controls, which one most closely matches this?
a. Authorization
b. Custody
c. Record keeping
d. Reconciliation - CORRECT ANSWER B. Custody is related to access to cash, merchandise, or inventories. Answer A is incorrect because authorization describes verifying cash, approving purchases, and approving changes. Answer C is incorrect because record keeping deals with preparing receipts, maintaining records, and posting payments. Answer D is incorrect because reconciliation deals with comparing monetary amounts, counts, reports, and payroll summaries.
Which of the following combinations of two job roles can be combined to create the least amount of risk or opportunity for malicious acts?
a. Systems analyst and quality assurance
b. Computer operator and systems programmer
c. Security administrator and application programmer
d. Database administrator and systems analyst - CORRECT ANSWER D. Database administrator and systems analyst are two roles that ISACA believes can be combined. Answers A, B, and C are incorrect because none of these positions should be combined. An auditor should understand how the combination of certain roles increases risk. For example, a systems analyst should be discouraged from performing the duties of someone in a quality assurance role. If these roles are combined, quality assurance levels could be compromised if strong compensating controls are not being used.
You have been asked to perform a new audit assignment. Your first task is to review the organization's strategic plan. What is the first item that should be reviewed in the plan?
a. Documentation that details the existing infrastructure
b. Previous and planned budgets
c. Organizational charts
d. The business plan - CORRECT ANSWER D. Before auditors can begin any technical duties, they must understand the environment in which they are working. The best way to do that is to review the business plan, which details the goals of the organization. Only after the business plan has been reviewed should the other items listed be reviewed. Therefore, Answers A, B, and C are incorrect.
Which of the following should be the primary objective when using tape backup as a recovery strategy?
a. That the RPO is high
b. That the RPO is low
c. That the RTO is low
d. That fault tolerance is low - CORRECT ANSWER B. The recovery point objective (RPO) is the earliest point in time at which recovery can occur. If RPO is low, tape backup or another solution is acceptable. Answer A is incorrect because a high RPO would require mirroring or another type of timely recovery method. Answer C is incorrect because a low RTO would mean that little time is available for recovery. Answer D is incorrect because low fault tolerance indicates that little time is available for unavailable services.
When performing an audit, which of the following is the best reason to use a hot site?
a. It can be used for long-term processing.
b. It is not a subscription service.
c. There is no additional cost for using it or periodic testing.
d. It is ready for service. - CORRECT ANSWER D. Although hot sites are an expensive alternative, they are ready for service. Answer A is incorrect because a hot site cannot be used for long-term processing. Answer B is incorrect because a hot site is a subscription service. Answer C is incorrect because there are additional fees; the organization must pay a variety of fees for use, testing, and access.
Which of the following is the greatest advantage of JBOD?
a. In case of drive failure, only the data on the affected drive is lost.
b. It is superior to disk mirroring.
c. It offers greater performance gains than RAID.
d. It offers greater fault tolerance than RAID. - CORRECT ANSWER A. JBOD allows users to combine multiple drives into one large drive. JBOD's only advantage is that, in case of drive failure, only the data on the affected drive is lost. Answers B, C, and D are incorrect because JBOD is not superior to disk mirroring, is not faster than RAID, and offers no fault tolerance.
Which of the following processes is most critical in terms of revenue generation?
a. Discretionary
b. Supporting
c. Core
d. Critical - CORRECT ANSWER C. Critical processes that produce revenue are considered a core activity. Answer A is incorrect because discretionary processes are considered nonessential. Answer B is incorrect because supporting processes require only minimum BCP services. Answer D does not specify a process; critical is a term used to describe how important the service or process is.
As an auditor, how often would you say that a business continuity plan should be updated?
a. Every five years
b. Every year or as required
c. Every six months
d. Upon any change or modification - CORRECT ANSWER D. Business continuity planning is an ongoing process that should be revisited each time there is a change to the environment. Therefore, Answers A, B, and C are incorrect.
During an audit, you have been asked to review the disaster recovery and backup processes. When maintaining data backups at offsite locations, which of the following is the best way to control concern?
a. The storage site should be as secure as the primary site.
b. A suitable tape-rotation plan should be in use.
c. That backup media should be tested regularly.
d. That copies of current critical information should be kept offsite. - CORRECT ANSWER D. The most critical concern is keeping the copies of critical information current at an offsite location. Answers A, B, and C are important but are not the most important.
Which of the following is the most important purpose of BIA?
a. Identifying countermeasures
b. Prioritizing critical systems
c. Developing recovery strategies
d. Determining potential test strategies - CORRECT ANSWER B. BIA is an important part of the BCP process. The purpose of BIA is to document the impact of outages, identify critical systems, prioritize critical systems, analyze outage impact, and determine recovery times needed to keep critical systems running. Answers A, C, and D are incorrect because they do not specify steps performed during BIA.
Which of the following is not a valid BCP test type?
a. Paper test
b. Structured walk-through
c. Full operation test
d. Preparedness test - CORRECT ANSWER B. There is no BCP test known as a structured walk-through. Valid types are listed in Answers A, C, and D: paper test, full operation test, and preparedness test.
Which of the following is the practice of routing traffic through different cable facilities?
a. Alternate routing
b. Long-haul diversity
c. Diverse routing
d. Last-mile protection - CORRECT ANSWER C. Diverse routing is the practice of routing traffic through different cable facilities. Answer A is incorrect because alternate routing is the ability to use another transmission line if the regular line is busy or unavailable. Answer B is incorrect because long-haul diversity is the practice of having different long-distance communication carriers. Answer D is incorrect because last-mile protection provides a second local loop connection.
When classifying critical systems, which category matches the following description: "These functions are important and can be performed by a backup manual process but not for a long period of time?"
a. Vital
b. Sensitive
c. Critical
d. Demand driven - CORRECT ANSWER A. Vital meets the description of functions that are important and can be performed by a manual backup process but not for a long period of time. Answer B is incorrect because it describes tasks that are important but can be performed manually at a reasonable cost. Answer C is incorrect because critical refers to extremely important functions. Answer D is incorrect because demand driven does not describe a valid functional label.
As an IS auditor, at which step of the SDLC would you want to verify that final user acceptance is performed?
a. Design
b. Development
c. Implementation
d. Requirements - CORRECT ANSWER C. Implementation is the stage at which user acceptance is usually performed. Therefore, Answers A, B, and D are incorrect.
When planning to add time constraints to a project, which of the following should be examined most closely?
a. Budget
b. Critical path
c. Skills of the project team
d. Tasks that require the most time - CORRECT ANSWER B. The critical path is the sequence of activities that must be completed on time for the project to stay on schedule. Delays of any items on the critical path will slow the entire project. Answers A, C, and D are incorrect because, although the budget, team skills, and individual tasks are all items to consider, the critical path should be examined first because that will affect all other items.
During the implementation review of SDLC, which of the following best describes activities that should be performed?
a. Perform an ROI
b. Design the audit trail
c. Complete an entity relationship diagram
d. Perform acceptance testing - CORRECT ANSWER A. Following implementation, a cost-benefit analysis or ROI calculation should be performed. Answer B is incorrect because the audit trail should be designed during the design phase. Answer C is incorrect because an ERD should be performed during the requirements phase. Answer D is incorrect because final acceptance testing should be performed during the implementation phase.
Which of the following types of tests is used to verify that the proposed design will function in its intended environment?
a. Regression testing
b. Function testing
c. Pilot testing
d. Sociability testing - CORRECT ANSWER D. Sociability testing is performed to confirm that a new or modified system will work in its intended environment. Answer A is incorrect because regression testing verifies that changes have not introduced errors. Answer B is incorrect because function testing verifies that systems meet specifications. Answer C is incorrect because pilot testing is used for limited evaluations.
Which of the following development methods is known to not work well for large projects?
a. Spiral model
b. Rapid application development
c. Scrum
d. Extreme programming - CORRECT ANSWER D. Extreme programming does not work well for large project teams. Extreme programming requires that teams include business managers, programmers, and end users. These teams are responsible for developing usable applications in short periods of time. Answer A is incorrect because the spiral model is based on the concept that software development is evolutionary. The spiral model begins by creating a series of prototypes to develop a solution. As the project continues, it spirals out, becoming more detailed. Each step passes through planning, requirements, risks, and development phases. Answer B is incorrect because RAD requires well-trained development teams that use integrated power tools for modeling and prototyping. Answer C is incorrect because scrum uses short cycles referred to as sprints and is focused on object-oriented technology.
Programming languages that most closely map to database management are found at what generational level?
a. 2GL
b. 3GL
c. 4GL
d. 5GL - CORRECT ANSWER C. Fourth-generation languages (4GL) are most commonly used for databases. Examples of 4GLs include FOCUS, Natural, and dBase. Answer A is incorrect because 2GL is assembly language. Answer B is incorrect because 3GL includes languages such as FORTRAN, Pascal, and C. Answer D is incorrect because 5GLs are very high-level languages such as Prolog.
Which of the following does the PERT weighted average consider?
a. High cost, low cost, and best cost
b. Average cost plus 5%
c. Best time, worst time, and average time
d. Average time plus 5% - CORRECT ANSWER C. PERT is used to schedule, organize, and coordinate tasks. The PERT weighted average examines the shortest time, average time, and longest time a task is scheduled to be completed. Therefore, Answers A, B, and D are incorrect.
As an IS auditor, which changeover process would you recommend if the requirements were that all users get up to speed in advance so that a defined changeover can be set to a fixed date?
a. Pilot changeover
b. Direct changeover
c. Phased changeover
d. Parallel changeover - CORRECT ANSWER B. A direct changeover requires the establishment of a cut-off date so that all users must switch to the new system by then. Answer A is incorrect because a pilot scenario is used when an entire new system is used at one location. Answer C is incorrect because a phased changeover is gradual. Answer D is incorrect because a parallel changeover brings the new system online while the old is still in operation.
Entity relationship diagrams are built using two essential components. What are they?
a. Processes and attributes
b. Processes and decision blocks
c. Entities and relationships
d. Nouns and adverbs - CORRECT ANSWER C. Entity relationship diagrams are built using two essential components that include entities and relationships. Therefore, Answers A, B, and D are incorrect.
Which of the following development techniques uses short cycles, referred to as sprints, and is focused on object-oriented technology?
a. Spiral model
b. Rapid application development
c. Scrum
d. Extreme programming - CORRECT ANSWER C. Scrum uses short cycles referred to as sprints and is focused on object-oriented technology. Answer A is incorrect because the spiral model is based on the concept that software development is evolutionary. The spiral model involves creating a series of prototypes to develop a solution. As the project continues, it spirals out, becoming more detailed. Each step passes through planning, requirements, risks, and development phases. Answer B is incorrect because RAD requires well-trained development teams that use integrated power tools for modeling and prototyping. Answer D is incorrect because extreme programming requires that teams include business managers, programmers, and end users. These teams are responsible for developing usable applications in short periods of time.
Dropbox can best be described as which of the following types of cloud services?
a. Public
b. Private
c. Community
d. Hybrid - CORRECT ANSWER A. Dropbox is an example of a public cloud service. A private cloud model is based on the concept that the cloud is owned and operated by a private entity. A community cloud model can be used by several entities. A hybrid cloud model can be a combination of any of the other cloud models. Therefore, Answers B, C, and D are incorrect.
Which of the following is a growing alternative to encryption and can help ensure compliance with regulatory requirements in a cloud environment?
a. Random numbers
b. Tokenization
c. Cookies
d. User ID - CORRECT ANSWER B. Tokenization randomly generates a value for plain text and stores the corresponding value in a database. Answers A, C, and D are incorrect because random numbers, cookies, and user IDs are not used as a replacement for encryption.
VirtualBox is an example of which of the following?
a. Type 1 hypervisor
b. Type 2 hypervisor
c. Type 3 hypervisor
d. Type 4 hypervisor - CORRECT ANSWER B. Type 2 hypervisors are those that require an underlying OS. Examples of Type 2 systems include VirtualBox and VMware Workstation. Answers C and D are incorrect as there are no Type 3 or 4 hypervisors. Virtualization systems fall into two categories: Type 1 and Type 2. Answer A is incorrect because a Type 1 hypervisor resides directly on hardware.
Which of the following is the most common implementation of n-tier?
a. Workstation and server
b. LAMP stack
c. Workstation and cloud
d. Workstation, server, and database - CORRECT ANSWER D. The most common implementation of n-tier is the three-tier approach. A three-tier architecture is typically composed of a presentation tier, a domain logic tier, and a data storage tier, such as a workstation, server, and database. Answer A is incorrect because a workstation and a server are not the most common implementation of n-tier. Answer B is incorrect because the LAMP stack is Linux, Apache, MySQL, and PHP/Python/Perl. Answer C is incorrect because a workstation and cloud is not considered n-tier.
As an IS auditor, which of the following reports would you review to verify that an outsourcing or business partner has had its control objectives and activities examined by an independent accounting and auditing firm?
a. Privacy Shield
b. COBIT
c. ITIL
d. SAS 70 - CORRECT ANSWER D. An SAS 70 report verifies that the outsourcing or business partner has had its control objectives and activities examined by an independent accounting and auditing firm. Answer A is incorrect because Privacy Shield is used for EU protection of data. Answer B is incorrect because COBIT is a good-practice framework created by the international professional association ISACA for information technology (IT) management and IT governance. Answer C is incorrect because ITIL is a set of detailed practices for IT service management that seeks to align IT services with the needs of the business.
Of the following options, which process is not an application system testing methodology?
a. Snapshots
b. Entity integrity
c. Mapping
d. Base case system evaluation - CORRECT ANSWER B. Valid application testing methodologies include snapshots, mapping, tracing and tagging, using test data, and base case system evaluation. Answer B is an example of a data integrity control.
Which of the following is a continuous auditing technique that detects items that meet specific criteria?
a. Audit hooks
b. Snapshots
c. Integrated test facilities
d. Continuous and intermittent simulation - CORRECT ANSWER A. Audit hooks detect items that meet specific criteria. Answer B is incorrect because snapshots require an audit trail. Answer C is incorrect because integrated test facilities should not be used with test data. Answer D is incorrect because continuous and intermittent simulation requires examination of transactions that meet specified criteria.
A decision support system should be used appropriately. A DSS is designed to do which of the following?
a. Use structured models to solve complex problems
b. Support nontraditional support activities
c. Answer rigidly structured problems
d. Answer less structured problems - CORRECT ANSWER D. Decision support systems (DSSs) are software-based applications that help analyze data to answer less structured problems. A DSS typically uses knowledge databases, models, and analytical techniques to make decisions. Answer A is incorrect because a DSS does not use structured models to solve complex problems. Answer B is incorrect because a DSS is designed to support traditional decision-making activities. Answer C is incorrect because a DSS is designed to support unstructured problems.