CISA Certified Information Systems Auditor Certification Practice Test

Batch control reconciliation is a _____________________ (fill in the blank) control for mitigating risk of inadequate segregation of duties.

Options are :

  • Preventative
  • Compensatory (Correct)
  • Detective
  • Corrective

Answer : Compensatory

What is essential for the IS auditor to obtain a clear understanding of network management?

Options are :

  • A graphical map of the network topology (Correct)
  • Security administrator access to systems
  • Systems logs of all hosts providing application services
  • Administrator access to systems

Answer : A graphical map of the network topology

Regarding digital signature implementation, which of the following answers is correct?

Options are :

  • A digital signature is created by the sender to prove message integrity by encrypting the message with the recipient's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's public key.
  • A digital signature is created by the sender to prove message integrity by encrypting the message with the sender's public key. Upon receiving the data, the recipient can decrypt the data using the recipient's private key.
  • A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it. (Correct)
  • A digital signature is created by the sender to prove message integrity by encrypting the message with the sender's private key. Upon receiving the data, the recipient can decrypt the data using the sender's public key.

Answer : A digital signature is created by the sender to prove message integrity by initially using a hashing algorithm to produce a hash value or message digest from the entire message contents. Upon receiving the data, the recipient can independently create it.

Which of the following would provide the highest degree of server access control?

Options are :

  • A fingerprint scanner facilitating biometric access control (Correct)
  • Host-based intrusion detection combined with CCTV
  • Network-based intrusion detection
  • A mantrap-monitored entryway to the server room

Answer : A fingerprint scanner facilitating biometric access control

What does PKI use to provide some of the strongest overall control over data confidentiality, reliability, and integrity for Internet transactions?

Options are :

  • A combination of public-key cryptography and digital certificates (Correct)
  • A combination of public-key cryptography and two-factor authentication
  • A combination of public-key cryptography and digital certificates and two-factor authentication
  • A combination of digital certificates and two-factor authentication

Answer : A combination of public-key cryptography and digital certificates

What should an IS auditor do if he or she observes that project-approval procedures do not exist?

Options are :

  • Assign project leaders
  • Create project-approval procedures for future project implementations
  • Recommend to management that formal approval procedures be adopted and documented (Correct)
  • Advise senior management to invest in project-management training for the staff

Answer : Recommend to management that formal approval procedures be adopted and documented

Why does the IS auditor often review the system logs?

Options are :

  • To get evidence of password sharing
  • To get evidence of password spoofing
  • To get evidence of data copy activities
  • To determine the existence of unauthorized access to data by a user or program (Correct)

Answer : To determine the existence of unauthorized access to data by a user or program

Which of the following is an effective method for controlling downloading of files via FTP? Choose the BEST answer.

Options are :

  • A first-generation packet-filtering firewall
  • An application-layer gateway, or proxy firewall (Correct)
  • An application-layer gateway, or proxy firewall, but not stateful inspection firewalls
  • A circuit-level gateway

Answer : An application-layer gateway, or proxy firewall

What is an effective countermeasure for the vulnerability of data entry operators potentially leaving their computers without logging off? Choose the BEST answer.

Options are :

  • Employee security awareness training
  • Close supervision
  • Administrator alerts
  • Screensaver passwords (Correct)

Answer : Screensaver passwords

What is the most common purpose of a virtual private network implementation?

Options are :

  • A virtual private network (VPN) helps to secure access within an enterprise when communicating over a dedicated T1 connection between network segments within the same facility.
  • A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a dedicated T1 connection.
  • A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet. (Correct)
  • A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over a wireless connection.

Answer : A virtual private network (VPN) helps to secure access between an enterprise and its partners when communicating over an otherwise unsecured channel such as the Internet.

Which of the following BEST characterizes a mantrap or deadman door, which is used as a deterrent control for the vulnerability of piggybacking?

Options are :

  • A one-way door that does not allow exit after entry
  • A monitored turnstile entry system
  • A monitored doorway entry system
  • A monitored double-doorway entry system (Correct)

Answer : A monitored double-doorway entry system

Who is accountable for maintaining appropriate security measures over information assets?

Options are :

  • Data and systems auditors
  • Data and systems custodians
  • Data and systems users
  • Data and systems owners (Correct)

Answer : Data and systems owners

Which of the following is MOST critical during the business impact assessment phase of business continuity planning?

Options are :

  • End-user involvement (Correct)
  • Security administration involvement
  • Senior management involvement
  • IS auditing involvement

Answer : End-user involvement

Key verification is one of the best controls for ensuring that:

Options are :

  • Database indexing is performed properly
  • Input is authorized
  • Only authorized cryptographic keys are used
  • Data is entered correctly (Correct)

Answer : Data is entered correctly

Which of the following is a guiding best practice for implementing logical access controls?

Options are :

  • Implementing the Biba Integrity Model
  • Implementing the Take-Grant access control model
  • Classifying data according to the subject's requirements
  • Access is granted on a least-privilege basis, per the organization's data owners (Correct)

Answer : Access is granted on a least-privilege basis, per the organization's data owners

The traditional role of an IS auditor in a control self-assessment (CSA) should be that of a(n):

Options are :

  • Facilitator (Correct)
  • Developer
  • Implementer
  • Sponsor

Answer : Facilitator

A transaction journal provides the information necessary for detecting unauthorized _____________ (fill in the blank) from a terminal.

Options are :

  • Input (Correct)
  • Deletion
  • Duplication
  • Access

Answer : Input

Which of the following typically focuses on making alternative processes and resources available for transaction processing?

Options are :

  • Disaster recovery for networks
  • Disaster recovery for systems (Correct)
  • Diverse processing
  • Cold-site facilities

Answer : Disaster recovery for systems

A check digit is an effective edit check to:

Options are :

  • Detect data-transcription errors
  • Detect data-transposition errors
  • Detect data-transposition, transcription, and substitution errors
  • Detect data-transposition and transcription errors (Correct)

Answer : Detect data-transposition and transcription errors

Run-to-run totals can verify data through which stage(s) of application processing?

Options are :

  • Final
  • Various (Correct)
  • Initial
  • Output

Answer : Various

An advantage of a continuous audit approach is that it can improve system security when used in time-sharing environments that process a large number of transactions. True or false?

Options are :

  • FALSE
  • TRUE (Correct)

Answer : TRUE

Which of the following is best suited for searching for address field duplications?

Options are :

  • Productivity audit software
  • Generalized audit software (Correct)
  • Text search forensic utility software
  • Manual review

Answer : Generalized audit software

Function Point Analysis (FPA) provides an estimate of the size of an information system based only on the number and complexity of a system's inputs and outputs. True or false?

Options are :

  • FALSE (Correct)
  • TRUE

Answer : FALSE

What is the recommended initial step for an IS auditor to implement continuous-monitoring systems?

Options are :

  • Perform compliance testing on internal controls
  • Establish a controls-monitoring steering committee
  • Identify high-risk areas within the organization (Correct)
  • Document existing internal controls

Answer : Identify high-risk areas within the organization

What type of risk is associated with authorized program exits (trap doors)? Choose the BEST answer.

Options are :

  • Inherent risk (Correct)
  • Business risk
  • Audit risk
  • Detective risk

Answer : Inherent risk

Of the three major types of off-site processing facilities, what type is often an acceptable solution for preparing for recovery of noncritical systems and data?

Options are :

  • Cold site (Correct)
  • Alternate site
  • Warm site
  • Hot site

Answer : Cold site

An integrated test facility is not considered a useful audit tool because it cannot compare processing output with independently calculated data. True or false?

Options are :

  • TRUE
  • FALSE (Correct)

Answer : FALSE

With the objective of mitigating the risk and impact of a major business interruption, a disaster recovery plan should endeavor to reduce the length of recovery time necessary, as well as costs associated with recovery. Although a DRP results in an increase of pre- and post-incident operational costs, the extra costs are more than offset by reduced recovery and business impact costs. True or false?

Options are :

  • TRUE (Correct)
  • FALSE

Answer : TRUE

If an IS auditor observes that an IS department fails to use formal documented methodologies, policies, and standards, what should the auditor do? Choose the BEST answer.

Options are :

  • The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should create formal documented policies to be implemented.
  • The auditor should at least document the informal standards and policies. Furthermore, the IS auditor should create formal documented policies to be implemented.
  • Lack of IT documentation is not usually material to the controls tested in an IT audit.
  • The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented. (Correct)

Answer : The auditor should at least document the informal standards and policies, and test for compliance. Furthermore, the IS auditor should recommend to management that formal documented policies be developed and implemented.

When participating in a systems-development project, an IS auditor should focus on system controls rather than ensuring that adequate and complete documentation exists for all projects. True or false?

Options are :

  • FALSE (Correct)
  • TRUE

Answer : FALSE

Which of the following would prevent accountability for an action performed, thus allowing no repudiation?

Options are :

  • Proper identification
  • Proper identification AND authentication (Correct)
  • Proper identification, authentication, AND authorization
  • Proper authentication

Answer : Proper identification AND authentication

_______________ (fill in the blank) is/are ultimately accountable for the functionality, reliability, and security within IT governance. Choose the BEST answer.

Options are :

  • Business unit managers
  • Data custodians
  • The board of directors and executive officers (Correct)
  • IT security administration

Answer : The board of directors and executive officers

To properly evaluate the collective effect of preventative, detective, or corrective controls within a process, an IS auditor should be aware of which of the following? Choose the BEST answer.

Options are :

  • The effect of segregation of duties on internal controls
  • The point at which controls are exercised as data flows through the system (Correct)
  • Organizational control policies
  • The business objectives of the organization

Answer : The point at which controls are exercised as data flows through the system

What often results in project scope creep when functional requirements are not defined as well as they could be?

Options are :

  • Insufficient strategic planning
  • Project delays
  • Inaccurate resource allocation
  • Inadequate software baselining (Correct)

Answer : Inadequate software baselining

What must an IS auditor understand before performing an application audit? Choose the BEST answer.

Options are :

  • Application risks must first be identified
  • The potential business impact of application risks
  • Relative business processes (Correct)
  • Relevant application risks

Answer : Relative business processes

What is the first step in a business process re-engineering project?

Options are :

  • Forming a BPR steering committee
  • Defining the scope of areas to be reviewed (Correct)
  • Identifying current business processes
  • Reviewing the organizational strategic plan

Answer : Defining the scope of areas to be reviewed
