Free preview mode

Enjoy the free questions and consider upgrading to gain full access!

CISA

By isaca
Aug, 2025

Question 226

An organization is planning to re-purpose workstations that were used to handle confidential information. Which of the following would be the IS auditor's BEST recommendation to dispose of this information?

  • A: Overwrite the disks with random data.
  • B: Reformat the disks.
  • C: Erase the disks by degaussing.
  • D: Delete the disk partitions.

Question 227

Which of the following is the PRIMARY objective when encrypting a database?

  • A: Preserving the ability to query data
  • B: Protecting data from unauthorized changes
  • C: Preserving the ability to access data securely
  • D: Protecting data from unauthorized viewing

Question 228

Audit observations should be FIRST communicated with the auditee:

  • A: during fieldwork.
  • B: at the end of fieldwork.
  • C: within the audit report.
  • D: when drafting the report.

Question 229

Which of the following would be an IS auditor's GREATEST concern when reviewing the organization's business continuity plan (BCP)?

  • A: The recovery plan does not contain the process and application dependencies.
  • B: The duration of tabletop exercises is longer than the recovery point objective (RPO).
  • C: The recovery point objective (RPO) and recovery time objective (RTO) are not the same.
  • D: The duration of tabletop exercises is longer than the recovery time objective (RTO).

Question 230

Which of the following provides the BEST evidence that IT portfolio management is aligned with organizational strategies?

  • A: IT steering committee minutes that include approval for prioritization of IT projects
  • B: Project sponsor sign-off on all project documents from beginning to end
  • C: Project sponsor sign-off on IT project proposals and milestones
  • D: Finance committee minutes that include approval for the annual IT budget

Question 231

An IS auditor reviewing an IT organization should be MOST concerned if the IT steering committee:

  • A: does not meet regularly for oversight of IT investments and projects.
  • B: consults the board of directors on procedural and standard changes.
  • C: reviews IT-related policies and standards only once per year.
  • D: does not include business-level representation.

Question 232

A bank performed minor changes to the interest calculation computer program. Which of the following techniques would provide the STRONGEST evidence to determine whether the interest calculations are correct?

  • A: Review of the quality assurance (QA) test results
  • B: Manual verification of a sample of the results
  • C: Source code review
  • D: Parallel simulation using audit software

Question 233

External experts were used on a recent IT audit engagement. While assessing the external experts' work, the internal audit team found some gaps in the evidence that may have impacted their conclusions. What is the internal audit team's BEST course of action?

  • A: Engage another expert to conduct the same testing.
  • B: Report a scope limitation in their conclusions.
  • C: Recommend the external experts conduct additional testing.
  • D: Escalate to senior management.

Question 234

An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?

  • A: Completeness testing has not been performed on the log data.
  • B: Log feeds are uploaded via batch process.
  • C: The log data is not normalized.
  • D: Data encryption standards have not been considered.

Question 235

Concerned about a major data security breach, the chief executive officer (CEO) has asked for a detailed audit of the network security function. A recent reorganization has left the IS audit department with limited technical experience. The BEST course of action for the IS audit manager is to:

  • A: assign the most senior IS auditors to the network security audit.
  • B: accept the audit request but postpone the audit until network training can be obtained.
  • C: contract with an external organization to perform the audit.
  • D: give the audit high priority in next year's audit plan.

Question 236

Which of the following is MOST likely to increase if an organization increases its risk appetite?

  • A: Audit findings
  • B: Key controls
  • C: Opportunities
  • D: Security incidents

Question 237

The practice of periodic secure code reviews is which type of control?

  • A: Compensating
  • B: Detective
  • C: Preventive
  • D: Corrective

Question 238

An IS audit review identifies inconsistencies in privacy requirements across third-party service provider contracts. Which of the following is the BEST recommendation to address this situation?

  • A: Prioritize contract amendments for third-party providers.
  • B: Review privacy requirements when contracts come up for renewal.
  • C: Suspend contracts with third-party providers that handle sensitive data.
  • D: Require third-party providers to sign nondisclosure agreements (NDAs).

Question 239

What should an IS auditor recommend to management as the MOST important action before selecting a Software as a Service (SaaS) vendor?

  • A: Determine service level requirements.
  • B: Perform a business impact analysis (BIA).
  • C: Complete a risk assessment.
  • D: Conduct a vendor audit.

Question 240

An IS auditor discovers from patch logs that some in-scope systems are not compliant with the regular patching schedule. What should the auditor do NEXT?

  • A: Request a plan of action to be established as a follow-up item.
  • B: Interview IT management to clarify the current procedure.
  • C: Review the organization's patch management policy.
  • D: Report this finding to senior management.

Question 241

Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of change and release management controls for a new complex system developed by a small in-house IT team?

  • A: IT administrators have access to the production and development environment.
  • B: Some user acceptance testing (UAT) was completed by members of the IT team.
  • C: Post-implementation testing is not conducted for all system releases.
  • D: Access to change testing strategy and results is not restricted to staff outside the IT team.

Question 242

For effective IT governance, it is MOST important to have an independent reporting line for which of the following IT functions?

  • A: Risk management
  • B: Infrastructure
  • C: Operations
  • D: Security

Question 243

Which of the following is the PRIMARY role of key performance indicators (KPIs) in supporting business process effectiveness?

  • A: To analyze workflows in order to optimize business processes and eliminate tasks that do not provide value
  • B: To evaluate the cost-benefit of tools implemented to monitor control performance
  • C: To enable conclusions about the performance of the processes and target variances for follow-up analysis
  • D: To assess the functionality of a software deliverable based on business processes

Question 244

During an audit of payment services of a branch based in a foreign country, a large global bank's audit team identifies an opportunity to use data analytics techniques to identify abnormal payments. Which of the following is the team's MOST important course of action?

  • A: Request the data from the branch as the team audit charter covers the country where it is based.
  • B: Conduct a walkthrough of the analytical strategy with stakeholders of the audited branch to obtain their buy-in.
  • C: Consult the legal department to understand the procedure for requesting data from a different jurisdiction.
  • D: Agree on a data extraction and sharing strategy with the IT team of the audited branch.

Question 245

Which of the following is MOST important to include in a business case for an IT-enabled investment?

  • A: Business impact analysis (BIA)
  • B: Security requirements
  • C: Risk assessment
  • D: Cost-benefit analysis

Question 246

Which of the following should be the PRIMARY consideration when designing a backup strategy for an online reservation system that requires high availability?

  • A: Data classification
  • B: Scheduled maintenance
  • C: Recovery time objective (RTO)
  • D: Recovery point objective (RPO)

Question 247

During recent post-implementation reviews, an IS auditor has noted that several deployed applications are not being used by the business. The MOST likely cause would be the lack of:

  • A: change management.
  • B: IT portfolio management.
  • C: IT resource management.
  • D: system support documentation.

Question 248

Which of the following is the PRIMARY way in which data analytics tools increase audit quality and execution efficiencies?

  • A: Enabling the evaluation of data within IT systems to allow full population testing
  • B: Facilitating access to confidential client data for analysis
  • C: Providing a narrowed risk focus for more targeted testing procedures
  • D: Detecting certain types of fraud in order to predict future fraud scenarios

Question 249

Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?

  • A: Interview the application developer.
  • B: Obtain management attestation and sign-off.
  • C: Review system configuration parameters and output.
  • D: Review the application implementation documents.

Question 250

An IS auditor is evaluating an enterprise resource planning (ERP) migration from local systems to the cloud. Who should be responsible for the data classification in this project?

  • A: Information security officer
  • B: Data architect
  • C: Database administrator (DBA)
  • D: Information owner

Page 10 of 58 • Questions 226-250 of 1449