CISA Practice Questions

A.  

De-scope business processes to be covered by CSAs from future audit plans.

B.  

Design testing procedures for management to assess process controls effectively.

C.  

Perform testing to validate the accuracy of management's self-assessment.

D.  

Advise management on the self-assessment process.

A.  

Indicating which data elements are necessary to make informed decisions

B.  

Allocating the resources necessary to purchase the appropriate software packages

C.  

Performing the business case analysis for the data analytics initiative

D.  

Designing the workflow necessary for the data analytics tool to evaluate the appropriate data

A.  

Retrain operations personnel.

B.  

Implement a closing checklist.

C.  

Update the operations manual.

D.  

Bring staff with financial experience into operations.

A.  

Enable automatic encryption, decryption, and electronic signing of data files.

B.  

Automate the transfer of data between systems as much as is feasible.

C.  

Have coders perform manual reconciliation of data between systems.D

D.  

Implement software to perform automatic reconciliations of data between systems.

A.  

To detect and respond to possible attacks

B.  

To ensure risks are effectively identified and mitigated

C.  

To ensure payments for flight bookings are processed

D.  

To ensure policies and procedures are followed

A.  

Internal auditors share the audit plan and control test plans with management prior to audit commencement.

B.  

Internal auditors design remediation plans to address control gaps identified by internal audit.

C.  

Internal auditors attend IT steering committee meetings.

D.  

Internal auditors recommend appropriate controls for systems in development.

A.  

The proximity badge did not work for the first two days of audit fieldwork.

B.  

There was no requirement for an escort during fieldwork.

C.  

There was no follow-up for unsuccessful attempted access violations.

D.  

The proximity badge incorrectly granted access to restricted areas.

A.  

Through the use of elliptical curve cryptography on transmitted messages

B.  

Through the use of a certificate issued by a certificate authority (CA)

C.  

Through the use of private keys to decrypt data received by a user

D.  

Through the use of enterprise key management systems

A.  

Require the auditee to address the recommendations in full.

B.  

Update the audit program based on management's acceptance of risk.

C.  

Evaluate senior management's acceptance of the risk.

D.  

Adjust the annual risk assessment accordingly.

A.  

Perform a cost-benefit analysis.

B.  

Document and inform the audit committee.

C.  

Report the finding to external regulators.

D.  

Notify senior management.

A.  

Review of monthly performance reports submitted by the vendor

B.  

Certifications maintained by the vendor

C.  

Regular independent assessment of the vendor

D.  

Substantive log file review of the vendor's system

A.  

It identifies legal obligations that may be incurred as a result of business service disruptions

B.  

It provides updates on the risk level of disasters that may occur

C.  

It delineates employee responsibilities that the organization must fulfill in a crisis

D.  

It helps prioritize the restoration of systems and applications

A.  

Financial regulations affecting the organization

B.  

Data center physical access controls whore the application is hosted

C.  

Privacy regulations affecting the organization

D.  

Per-unit cost charged by the hosting services provider for storage

A.  

Inspecting a sample of alerts generated from the central log repository

B.  

Comparing a list of all servers from the directory server against a list of all servers present in the central log repository

C.  

Inspecting a sample of alert settings configured in the central log repository

D.  

Comparing all servers included in the current central log repository with the listing used for the prior-year audit

A.  

Percentage of problems raised from incidents

B.  

Mean time to categorize tickets

C.  

Number 0t incidents reported

D.  

Number of reopened tickets

A.  

computer room closest to the uninterruptible power supply (UPS) module

B.  

computer room closest to the server computers

C.  

system administrators’ office

D.  

booth used by the building security personnel

A.  

The minutes from the IT strategy committee meetings

B.  

Synchronization of IT activities with corporate objectives

C.  

The IT strategy committee charier

D.  

Business unit satisfaction survey results

A.  

data classifications are automated.

B.  

a data dictionary is maintained.

C.  

data retention requirements are clearly defined.

D.  

data is correctly classified.

A.  

feasibility study

B.  

business case

C.  

request for proposal (RFP)

D.  

alignment with IT strategy

A.  

Directive

B.  

Detective

C.  

Preventive

D.  

Compensating

A.  

There is no requirement for desktops to be encrypted

B.  

Staff are allowed to work remotely

C.  

Security awareness training is not provided to staff

D.  

Security policies have not been updated in the past year

A.  

Data storage costs

B.  

Data classification

C.  

Vendor cloud certification

D.  

Service level agreements (SLAs)

A.  

results are stated m terms of the frequency of items in error

B.  

it can easily be applied manually when computer resources are not available

C.  

large-value population items are segregated and audited separately

D.  

it increases the likelihood of selecting material items from the population

A.  

Maintain an onboarding and annual security awareness program.

B.  

Ensure user workstations are running the most recent version of antivirus software.

C.  

Include security responsibilities in job descriptions and require signed acknowledgment.

D.  

Enforce strict email security gateway controls

A.  

Availability integrity

B.  

Data integrity

C.  

Entity integrity

D.  

Referential integrity

A.  

Report the variance immediately to the audit committee

B.  

Request an explanation of the variance from the auditee

C.  

Increase the sample size to 100% of the population

D.  

Exclude the transaction from the sample population

A.  

Management contracts with a third party for warm site services.

B.  

Management schedules an annual tabletop exercise.

C.  

Management documents and distributes a copy of the plan to all personnel.

D.  

Management reviews and updates the plan annually or as changes occur.

A.  

Function point analysis

B.  

Work breakdown structure

C.  

Critical path analysts

D.  

Software cost estimation

A.  

Prioritizing IT projects in accordance with business requirements

B.  

Reviewing periodic IT risk assessments

C.  

Validating and monitoring the skill sets of IT department staff

D.  

Establishing IT budgets for the business

A.  

Information security manager

B.  

Quality assurance (QA) manager

C.  

Business department executive

D.  

Business process owner

A.  

Whether system delays result in more frequent use of manual processing

B.  

Whether the system's performance poses a significant risk to the organization

C.  

Whether stakeholders are committed to assisting with the audit

D.  

Whether internal auditors have the required skills to perform the audit

A.  

EUC inventory

B.  

EUC availability controls

C.  

EUC access control matrix

D.  

EUC tests of operational effectiveness

A.  

Implement real-time activity monitoring for privileged roles

B.  

Include the right-to-audit in the vendor contract

C.  

Perform a review of privileged roles and responsibilities

D.  

Require the vendor to implement job rotation for privileged roles

A.  

Monitoring network traffic

B.  

Changing existing configurations for applications

C.  

Hardening network ports

D.  

Ensuring transmission protocols are functioning correctly

A.  

The system is hosted on an external third-party service provider’s server.

B.  

The system is hosted in a hybrid-cloud platform managed by a service provider.

C.  

The system is hosted within a demilitarized zone (DMZ) of a corporate network.

D.  

The system is hosted within an internal segment of a corporate network.

A.  

Detective

B.  

Compensating

C.  

Corrective

D.  

Directive

A.  

Performing periodic reviews of physical access to backup media

B.  

Performing periodic complete data restorations

C.  

Validating off ne backups using software utilities

D.  

Reviewing and updating data restoration policies annually

A.  

Control requirements

B.  

Rollback procedures

C.  

Functional requirements documentation

D.  

User acceptance lest (UAT) results

A.  

Consultation with security staff

B.  

Inclusion of mission and objectives

C.  

Compliance with relevant regulations

D.  

Alignment with an information security framework

A.  

Implement an intrusion detection system (IDS),

B.  

Update security policies and procedures.

C.  

Implement multi-factor authentication.

D.  

Utilize strong anti-malware controls on all computing devices.

A.  

Reference architecture

B.  

Infrastructure architecture

C.  

Information security architecture

D.  

Application architecture

A.  

discontinue maintenance of the disaster recovery plan (DRP>

B.  

coordinate disaster recovery administration with the outsourcing vendor

C.  

delegate evaluation of disaster recovery to a third party

D.  

delegate evaluation of disaster recovery to internal audit

A.  

Backlog consumption reports

B.  

Critical path analysis reports

C.  

Developer status reports

D.  

Change management logs

A.  

Input by data custodians

B.  

Security policy requirements

C.  

Risk assessment results

D.  

Current level of protection

A.  

A control self-assessment (CSA)

B.  

Results of control testing

C.  

Interviews with management

D.  

A control matrix

A.  

An audit report of the controls by the service provider's external auditor

B.  

Documentation of the service provider's security configuration controls

C.  

An interview with the service provider's information security officer

D.  

A review of the service provider's policies and procedures

A.  

payment processing.

B.  

payroll processing.

C.  

procurement.

D.  

product registration.

A.  

review qualifications of key members of the project team.

B.  

review the request for proposal (RFP) to ensure that it covers the scope of work.

C.  

review cost-benefit documentation for reasonableness.

D.  

ensure that vendor contracts are reviewed by legal counsel.

A.  

Configuration phase

B.  

User training phase

C.  

Quality assurance (QA) phase

D.  

Development phase

A.  

Enable automatic encryption decryption and electronic signing of data files

B.  

implement software to perform automatic reconciliations of data between systems

C.  

Have coders perform manual reconciliation of data between systems

D.  

Automate the transfer of data between systems as much as feasible