Domain 1 Q&A

The document provides information about an information system auditing process, including 29 multiple choice questions about topics like audit planning, risk assessment, controls review, and evaluating security policies and procedures. For each question, the document identifies the single best answer and provides a brief explanation.

Uploaded by Abbas Nyoni

Domain 1: Information System Auditing Process

1. Which of the following outlines the overall authority to perform an IS audit?

A. The audit scope with goals and objectives
B. A request from management to perform an audit
C. The approved audit charter
D. The approved audit schedule
Answer: C. The approved audit charter

2. In performing a risk-based audit, which risk assessment is completed FIRST by an IS auditor?
A. Detection risk assessment
B. Control risk assessment
C. Inherent risk assessment
D. Fraud risk assessment
Answer: C. Inherent risk assessment

3. Which of the following would an IS auditor MOST likely focus on when developing a risk-based
audit program?
A. Business processes
B. Administrative controls
C. Environmental controls
D. Business strategies
Answer: A. Business processes

4. Which of the following types of audit risk assumes an absence of compensating controls in the
area being reviewed?
A. Control risk
B. Detection risk
C. Inherent risk
D. Sampling risk
Answer: C. Inherent risk

5. An IS auditor performing a review of an application’s controls finds a weakness in system
software that could materially impact the application. In this situation, an IS auditor should:
A. Disregard these control weaknesses because they are not part of the application controls.
B. Review the system software controls as it may be a part of the overall review.
C. Refer the matter to management and include it in the audit report.
D. Request that the auditee investigate the matter.
Answer: B. Review the system software controls as it may be a part of the overall review.

6. An IS auditor is evaluating the control framework in a large organization. Which of the following
is the BEST recommendation?
A. Implement an established framework.
B. Develop an internal framework.
C. Implement an established framework and internal controls.
D. Implement an established framework and customize it as needed.
Answer: D. Implement an established framework and customize it as needed.

7. The PRIMARY purpose of an IS audit is to:
A. Assist in the early detection of fraud.
B. Ensure compliance with policies and procedures.
C. Provide assurance that the organization’s information assets are safeguarded.
D. Ensure the integrity and reliability of information.
Answer: C. Provide assurance that the organization’s information assets are safeguarded.

8. Which of the following is the BEST way to ensure that audit findings are addressed in a timely
manner?
A. Include audit findings in a formal report.
B. Follow up with the auditee periodically.
C. Require the auditee to submit a corrective action plan.
D. Schedule a follow-up audit.
Answer: C. Require the auditee to submit a corrective action plan.

9. The PRIMARY reason for having an IS audit function is to:
A. Ensure compliance with regulatory requirements.
B. Provide assurance on the adequacy of internal controls.
C. Detect and prevent fraud.
D. Improve operational efficiency.
Answer: B. Provide assurance on the adequacy of internal controls.

10. Which of the following should be the PRIMARY basis for planning IS audit activities?
A. The results of risk assessments
B. The availability of audit staff
C. The findings from previous audits
D. The schedule of audits approved by senior management
Answer: A. The results of risk assessments

11. Which of the following is MOST critical when planning an IS audit?
A. Availability of resources
B. Complexity of the technology
C. Independence of the audit team
D. Alignment with organizational objectives
Answer: D. Alignment with organizational objectives

12. An IS auditor is reviewing the implementation of an enterprise resource planning (ERP) system.
Which of the following is the MOST critical control that should be evaluated?
A. User acceptance testing
B. Data conversion procedures
C. Access controls
D. System documentation
Answer: C. Access controls

13. Which of the following is the BEST indicator of the effectiveness of an information security
policy?
A. The number of security incidents
B. The extent of user compliance
C. The frequency of policy updates
D. The scope of policy coverage
Answer: B. The extent of user compliance

14. When conducting an IS audit, which of the following is the MOST important consideration when
reviewing the adequacy of backup procedures?
A. The frequency of backups
B. The type of backup media used
C. The location of backup storage
D. The ability to restore data
Answer: D. The ability to restore data

15. An IS auditor reviewing the adequacy of controls over internet-based financial transactions
should be MOST concerned if:
A. User access to the internet is unrestricted.
B. Transactions are not encrypted during transmission.
C. User activities are not monitored.
D. Data is not backed up regularly.
Answer: B. Transactions are not encrypted during transmission.

16. Which of the following is the MOST important consideration when planning an IS audit?
A. The scope of the audit
B. The availability of audit tools
C. The auditee’s schedule
D. The audit budget
Answer: A. The scope of the audit

17. An IS auditor is planning an audit of a new application system. Which of the following is the
MOST important consideration?
A. The availability of system documentation
B. The complexity of the system
C. The criticality of the system to the organization
D. The experience of the audit team
Answer: C. The criticality of the system to the organization

18. Which of the following should be the FIRST step in developing an IS audit plan?
A. Assessing the availability of audit resources
B. Identifying the auditable units
C. Performing a risk assessment
D. Reviewing the organization’s objectives
Answer: C. Performing a risk assessment

19. Which of the following is the MOST important factor in ensuring the effectiveness of an IS audit
function?
A. The independence of the audit team
B. The experience of the audit staff
C. The comprehensiveness of the audit plan
D. The support of senior management
Answer: D. The support of senior management

20. An IS auditor is evaluating the effectiveness of a business continuity plan (BCP). Which of the
following is the MOST important factor to consider?
A. The frequency of BCP testing
B. The involvement of senior management in the BCP process
C. The alignment of the BCP with organizational objectives
D. The comprehensiveness of the BCP documentation
Answer: C. The alignment of the BCP with organizational objectives

21. Which of the following is the MOST important consideration when evaluating the adequacy of an
organization’s information security policy?
A. The policy’s alignment with organizational objectives
B. The frequency of policy updates
C. The policy’s compliance with regulatory requirements
D. The extent of user awareness of the policy
Answer: A. The policy’s alignment with organizational objectives

22. An IS auditor is reviewing the implementation of a new application system. Which of the
following is the MOST important control to review?
A. User access controls
B. Data conversion procedures
C. System documentation
D. User training
Answer: A. User access controls

23. Which of the following is the MOST important consideration when planning an IS audit of a
third-party service provider?
A. The service provider’s reputation
B. The terms of the service level agreement (SLA)
C. The availability of audit evidence
D. The service provider’s compliance with regulations
Answer: C. The availability of audit evidence

24. An IS auditor is reviewing the controls over an organization’s data center. Which of the
following is the MOST important control to review?
A. Physical access controls
B. Environmental controls
C. Fire suppression systems
D. Data backup procedures
Answer: A. Physical access controls

25. Which of the following is the MOST important consideration when evaluating the effectiveness
of an organization’s incident response plan?
A. The frequency of incident response training
B. The involvement of senior management in the incident response process
C. The alignment of the incident response plan with organizational objectives
D. The comprehensiveness of the incident response documentation
Answer: C. The alignment of the incident response plan with organizational objectives

26. An IS auditor is reviewing the controls over an organization’s network infrastructure. Which of
the following is the MOST important control to review?
A. Network access controls
B. Network monitoring procedures
C. Network documentation
D. Network configuration management
Answer: A. Network access controls

27. Which of the following is the MOST important consideration when planning an IS audit of an
organization’s information security program?
A. The scope of the information security program
B. The availability of information security resources
C. The alignment of the information security program with organizational objectives
D. The experience of the information security staff
Answer: C. The alignment of the information security program with organizational objectives

28. An IS auditor is evaluating the controls over an organization’s change management process.
Which of the following is the MOST important control to review?
A. Change authorization procedures
B. Change testing procedures
C. Change documentation
D. Change implementation procedures
Answer: A. Change authorization procedures

29. Which of the following is the MOST important consideration when evaluating the effectiveness
of an organization’s data backup procedures?
A. The frequency of data backups
B. The type of backup media used
C. The location of backup storage
D. The ability to restore data
Answer: D. The ability to restore data

30. An IS auditor is reviewing the controls over an organization’s disaster recovery plan (DRP).
Which of the following is the MOST important control to review?
A. The comprehensiveness of the DRP documentation
B. The frequency of DRP testing
C. The alignment of the DRP with organizational objectives
D. The involvement of senior management in the DRP process
Answer: C. The alignment of the DRP with organizational objectives

31. Which of the following is the MOST important consideration when evaluating the effectiveness
of an organization’s information security policy?
A. The frequency of policy updates
B. The policy’s compliance with regulatory requirements
C. The extent of user awareness of the policy
D. The policy’s alignment with organizational objectives
Answer: D. The policy’s alignment with organizational objectives

32. An IS auditor is reviewing the controls over an organization’s IT asset management process.
Which of the following is the MOST important control to review?
A. Asset inventory procedures
B. Asset disposal procedures
C. Asset acquisition procedures
D. Asset tracking procedures
Answer: A. Asset inventory procedures

Domain 2: Governance and Management of IT

1. In order for management to effectively monitor the compliance of processes and applications,
which of the following would be the MOST ideal?
A. A central document repository
B. A knowledge management system
C. A dashboard
D. Benchmarking
Answer: C. A dashboard

2. Which of the following would be included in an IS strategic plan?
A. Specifications for planned hardware purchases
B. Analysis of future business objectives
C. Target dates for development projects
D. Annual budgetary targets for the IT department
Answer: B. Analysis of future business objectives

3. Which of the following BEST describes an IT department’s strategic planning process?
A. The IT department will have either short- or long-range plans depending on the organization’s
broader plans and objectives.
B. The IT department’s strategic plan must be time- and project-oriented but not so detailed as to
address and help determine priorities to meet business needs.
C. Long-range planning for the IT department should recognize organizational goals, technological
advances and regulatory requirements.
D. Short-range planning for the IT department does not need to be integrated into the short-range
plans of the organization since technological advances will drive the IT department plans much
quicker than organizational plans.
Answer: C. Long-range planning for the IT department should recognize organizational goals,
technological advances and regulatory requirements.

4. The MOST important responsibility of a data security officer in an organization is:
A. Recommending and monitoring data security policies.
B. Promoting security awareness within the organization.
C. Establishing procedures for IT security policies.
D. Administering physical and logical access controls.
Answer: A. Recommending and monitoring data security policies.

5. What is considered the MOST critical element for the successful implementation of an
information security program?
A. An effective enterprise risk management framework
B. Senior management commitment
C. An adequate budgeting process
D. Meticulous program planning
Answer: B. Senior management commitment

6. An IS auditor should ensure that IT governance performance measures:
A. Evaluate the activities of IT oversight committees.
B. Provide strategic IT drivers.
C. Adhere to regulatory reporting standards and definitions.
D. Evaluate the IT department.
Answer: A. Evaluate the activities of IT oversight committees.

7. Which of the following tasks may be performed by the same person in a well-controlled
information processing computer center?
A. Security administration and change management
B. Computer operations and system development
C. System development and change management
D. System development and system maintenance
Answer: D. System development and system maintenance

8. Which of the following is the MOST critical control over database administration (DBA)?
A. Ensuring database modifications are reviewed
B. Segregating DBA functions from application programming
C. Implementing change management procedures
D. Logging changes to the database
Answer: B. Segregating DBA functions from application programming
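
Worked example (added here; it is not part of the original question set): a segregation-of-duties check of the kind behind questions 7 and 8 above. It takes a list of users and the IT functions each one holds and flags any user who holds a pair the answer key treats as incompatible. The conflict pairs, user names and function names are constructed for illustration and are not from the document.

```python
# Added example (not from the source document): a segregation-of-duties
# check over user-to-function assignments. All users, functions and
# conflict pairs below are constructed for illustration.
from itertools import combinations

# Pairs of functions one person should not hold together. These follow the
# answer key above: operations vs. development, development vs. change
# management, security administration vs. change management, and DBA vs.
# application programming. Development + maintenance is deliberately absent,
# since the answer key allows that combination.
CONFLICTS = {
    frozenset({"computer_operations", "system_development"}),
    frozenset({"system_development", "change_management"}),
    frozenset({"security_administration", "change_management"}),
    frozenset({"database_administration", "application_programming"}),
}

# Constructed sample: user -> functions granted (as exported from an IAM
# system or a role matrix).
ASSIGNMENTS = {
    "alice": {"system_development", "system_maintenance"},            # allowed pair
    "bob":   {"computer_operations", "system_development"},           # conflict
    "carol": {"database_administration", "application_programming"},  # conflict
    "dave":  {"security_administration"},
}


def sod_violations(assignments, conflicts=CONFLICTS):
    """Return {user: [(function_a, function_b), ...]} for every user who
    holds at least one pair of functions listed in `conflicts`.
    Pairs are emitted in sorted order so results are stable."""
    findings = {}
    for user, functions in assignments.items():
        hits = [pair for pair in combinations(sorted(functions), 2)
                if frozenset(pair) in conflicts]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    for user, pairs in sod_violations(ASSIGNMENTS).items():
        for a, b in pairs:
            print(f"SoD violation: {user} holds both {a} and {b}")
```

Run as a script it prints one line per violation. Where a small team cannot avoid a conflict (a single DBA who also maintains application code, for instance), the auditor's follow-up is to look for a compensating control such as independent review of the database change log; this check only identifies the conflict, it does not evaluate compensating controls.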

9. An IS auditor should review the procedures for the backup and storage of the database logs to
ensure that the logs are:
A. Archived to a secure location.
B. Manually maintained.
C. Stored on tapes.
D. Tested periodically.
Answer: A. Archived to a secure location.

10. The IS audit process must be performed in accordance with the IS audit standards established by:
A. The organization being audited.
B. The IS auditor’s organization.
C. International auditing standards.
D. ISACA.
Answer: D. ISACA.

11. Which of the following is the MOST important objective of the exit conference with
management?
A. To explain the audit findings
B. To gain agreement on the audit findings
C. To review recommendations
D. To discuss the audit report
Answer: B. To gain agreement on the audit findings

12. Which of the following BEST describes an audit charter?
A. It provides a detailed plan for the IS audit engagement.
B. It specifies the overall authority, scope, and responsibilities of the audit function.
C. It sets the objectives and standards for the IS audit function.
D. It outlines the specific procedures for conducting an IS audit.
Answer: B. It specifies the overall authority, scope, and responsibilities of the audit function.

13. Which of the following should an IS auditor use to detect duplicate invoice records within an
invoice master file?
A. Generalized audit software
B. Test data
C. Integrated test facility
D. Embedded audit module
Answer: A. Generalized audit software
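
Worked example (added here, not from the original document): the duplicate-record test that generalized audit software runs over an invoice master file, written in Python against a CSV extract. It goes beyond exact duplicates by normalizing the invoice number so re-keyed variants (different case, separators, leading zeros) are caught as well, and it totals the amount exposed to double payment. The invoice rows, vendor IDs and column names are constructed for illustration.

```python
# Added example (not from the source document): duplicate-invoice detection
# of the kind generalized audit software performs. The CSV extract below is
# constructed for illustration.
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed invoice master file. Rows 2 and 5 are the same invoice keyed
# twice; rows 3 and 6 differ only in how the invoice number was typed.
INVOICE_MASTER = """\
invoice_id,vendor_id,invoice_no,invoice_date,amount
1,V100,INV-1001,2024-03-01,1250.00
2,V100,INV-1002,2024-03-02,980.50
3,V200,AB-77,2024-03-05,4300.00
4,V300,9981,2024-03-07,15.99
5,V100,INV-1002,2024-03-02,980.50
6,V200,ab 0077,2024-03-05,4300.00
"""

import re
_LEADING_ZEROS = re.compile(r"(?<!\d)0+(?=\d)")


def normalize_invoice_no(raw):
    """Canonical form for comparison: uppercase, separators removed, and
    leading zeros stripped from each digit run, so 'ab 0077' == 'AB-77'."""
    s = "".join(ch for ch in raw.upper() if ch.isalnum())
    return _LEADING_ZEROS.sub("", s)


def load_invoices(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_duplicates(rows):
    """Group rows sharing vendor, normalized invoice number, date and
    amount. Returns one list of invoice_id values per duplicate group,
    ordered by first occurrence."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["vendor_id"], normalize_invoice_no(r["invoice_no"]),
               r["invoice_date"], Decimal(r["amount"]))
        groups[key].append(r["invoice_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


def duplicate_exposure(rows):
    """Sum of the extra copies in every duplicate group: the amount that
    would be paid twice if each copy were settled."""
    by_id = {r["invoice_id"]: Decimal(r["amount"]) for r in rows}
    return sum((by_id[i] for group in find_duplicates(rows) for i in group[1:]),
               Decimal("0"))


if __name__ == "__main__":
    rows = load_invoices(INVOICE_MASTER)
    for group in find_duplicates(rows):
        print("duplicate group:", ", ".join(group))
    print("double-payment exposure:", duplicate_exposure(rows))
```

The matching key deliberately includes vendor, date and amount as well as the invoice number: a vendor legitimately reusing a number across years should not be flagged, while the same invoice re-entered with cosmetic differences should. Decimal rather than float is used for the amount so that two rows with the same stated value always compare equal.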

14. Which of the following is the MOST important consideration when planning an IS audit?
A. The scope of the audit
B. The availability of audit tools
C. The auditee’s schedule
D. The audit budget
Answer: A. The scope of the audit

15. An IS auditor is reviewing the implementation of an enterprise resource planning (ERP) system.
Which of the following is the MOST critical control that should be evaluated?
A. User acceptance testing
B. Data conversion procedures
C. Access controls
D. System documentation
Answer: C. Access controls

16. Which of the following BEST indicates the success of a security awareness training program?
A. Reduced number of security incidents
B. Increased number of reported incidents
C. Higher compliance rates
D. Positive feedback from participants
Answer: A. Reduced number of security incidents

17. Which of the following should be the FIRST step in developing an IS audit plan?
A. Assessing the availability of audit resources
B. Identifying the auditable units
C. Performing a risk assessment
D. Reviewing the organization’s objectives
Answer: C. Performing a risk assessment

18. Which of the following should be the PRIMARY basis for planning IS audit activities?
A. The results of risk assessments
B. The availability of audit staff
C. The findings from previous audits
D. The schedule of audits approved by senior management
Answer: A. The results of risk assessments

19. Which of the following BEST describes an IS auditor’s primary responsibility when performing
an audit?
A. Detecting fraud
B. Examining transactions
C. Reporting findings
D. Evaluating controls
Answer: D. Evaluating controls

20. An IS auditor is reviewing the controls over an organization’s data center. Which of the
following is the MOST important control to review?
A. Physical access controls
B. Environmental controls
C. Fire suppression systems
D. Data backup procedures
Answer: A. Physical access controls

21. Which of the following is the PRIMARY objective of an audit of IT governance?
A. To ensure compliance with policies and procedures
B. To assess the effectiveness of IT controls
C. To evaluate the alignment of IT with business objectives
D. To determine the adequacy of IT resources
Answer: C. To evaluate the alignment of IT with business objectives

22. Which of the following is the MOST important factor in ensuring the effectiveness of an IS audit
function?
A. The independence of the audit team
B. The experience of the audit staff
C. The comprehensiveness of the audit plan
D. The support of senior management
Answer: D. The support of senior management

23. Which of the following is the MOST important consideration when evaluating the adequacy of an
organization’s information security policy?
A. The policy’s alignment with organizational objectives
B. The frequency of policy updates
C. The policy’s compliance with regulatory requirements
D. The extent of user awareness of the policy
Answer: A. The policy’s alignment with organizational objectives

24. An IS auditor is reviewing the implementation of a new application system. Which of the
following is the MOST important control to review?
A. User access controls
B. Data conversion procedures
C. System documentation
D. User training
Answer: A. User access controls

25. Which of the following is the MOST important consideration when planning an IS audit of a
third-party service provider?
A. The service provider’s reputation
B. The terms of the service level agreement (SLA)
C. The availability of audit evidence
D. The service provider’s compliance with regulations
Answer: C. The availability of audit evidence

26. Which of the following is the MOST important consideration when evaluating the effectiveness
of an organization’s information security program?
A. The extent of user awareness
B. The alignment with organizational objectives
C. The frequency of security incidents
D. The comprehensiveness of the security policy
Answer: B. The alignment with organizational objectives

Domain 3: Information Systems Acquisition, Development and Implementation - Self-assessment Questions and Answers

1. To assist in testing an essential banking system being acquired, an organization has provided
the vendor with sensitive data from its existing production system. An IS auditor’s PRIMARY
concern is that the data should be:
A. sanitized.
B. complete.
C. representative.
D. current.
Answer: A. sanitized.

2. Which of the following is the PRIMARY purpose for conducting parallel testing?
A. To determine if the system operates in the production environment.
B. To determine if the new system performs adequately before replacing the old system.
C. To test the old and new systems simultaneously.
D. To ensure the new system meets user requirements.
Answer: B. To determine if the new system performs adequately before replacing the old
system.

3. The BEST method to ensure that the new system is compatible with the existing system is:
A. Data mapping.
B. Integration testing.
C. Pilot testing.
D. Parallel testing.
Answer: B. Integration testing.

4. Which of the following would be of GREATEST concern to an IS auditor reviewing the
implementation of a new system?
A. Lack of user training.
B. Lack of management support.
C. Lack of system documentation.
D. Lack of a project management plan.
Answer: D. Lack of a project management plan.

5. Which of the following is MOST important to ensure the success of a project?
A. Adequate funding.
B. User involvement.
C. Executive support.
D. Skilled team members.
Answer: C. Executive support.

6. During the implementation phase of an IS project, which of the following activities should be
the PRIMARY responsibility of the user department?
A. Developing test data.
B. Developing detailed system specifications.
C. Coding and documentation.
D. Approving user acceptance testing.
Answer: D. Approving user acceptance testing.

7. Which of the following represents the GREATEST risk when assessing the impact of
changes to the scope of an IT project?
A. Increased project costs.
B. Implementation delays.
C. Inadequate testing.
D. Reduced quality of deliverables.
Answer: D. Reduced quality of deliverables.

8. Which of the following tasks should an IS auditor perform FIRST when developing an audit
program for reviewing an application system?
A. Gain an understanding of the business process.
B. Identify relevant IT risks.
C. Evaluate existing controls.
D. Review previous audit reports.
Answer: A. Gain an understanding of the business process.

9. Which of the following is the PRIMARY objective of a post-implementation review?
A. To ensure that project objectives were achieved.
B. To ensure that system requirements were met.
C. To evaluate the effectiveness of the project management process.
D. To identify lessons learned for future projects.
Answer: A. To ensure that project objectives were achieved.

10. Which of the following BEST describes the role of an IS auditor during the implementation of a
new system?
A. To design and test application controls.
B. To act as a consultant to project management.
C. To develop and execute test plans.
D. To ensure that data conversion is accurate.
Answer: B. To act as a consultant to project management.

11. An IS auditor conducting a post-implementation review should ensure that:
A. The system operates as intended.
B. Project deliverables were completed on time.
C. All project costs were within the budget.
D. The project plan was followed correctly.
Answer: A. The system operates as intended.

12. Which of the following is the MOST critical factor to the success of a project?
A. Clearly defined objectives.
B. A large budget.
C. A detailed project plan.
D. Experienced project team members.
Answer: A. Clearly defined objectives.

13. Which of the following is the BEST method for managing scope changes in a project?
A. Using a formal change control process.
B. Conducting regular project status meetings.
C. Performing risk assessments.
D. Documenting all project changes.
Answer: A. Using a formal change control process.

14. Which of the following BEST ensures that a new application meets the requirements of the
business?
A. Conducting a user acceptance test.
B. Performing a system integration test.
C. Developing detailed functional specifications.
D. Using a prototyping approach.
Answer: A. Conducting a user acceptance test.

15. Which of the following BEST describes the role of an IS auditor during the feasibility study phase
of an application development project?
A. To review the feasibility study report.
B. To assist in the development of functional specifications.
C. To design test cases for the new system.
D. To participate in the selection of the project team.
Answer: A. To review the feasibility study report.

16. Which of the following is the BEST way to ensure that the implementation of a new system does
not disrupt the operations of other systems?
A. Conducting system integration testing.
B. Implementing the new system during off-peak hours.
C. Using a phased implementation approach.
D. Performing a post-implementation review.
Answer: A. Conducting system integration testing.

17. Which of the following is the PRIMARY purpose of conducting a post-implementation review?
A. To ensure that project objectives were achieved.
B. To identify lessons learned for future projects.
C. To evaluate the effectiveness of the project management process.
D. To ensure that system requirements were met.
Answer: A. To ensure that project objectives were achieved.

18. Which of the following is the MOST important reason for conducting a post-implementation
review?
A. To ensure that project objectives were achieved.
B. To evaluate the effectiveness of the project management process.
C. To ensure that system requirements were met.
D. To identify lessons learned for future projects.
Answer: A. To ensure that project objectives were achieved.

Domain 4: Information Systems Operations and Business Resilience

1. Which one of the following provides the BEST method for determining the level of
performance provided by similar information processing facility environments?
A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning
Answer: C. Benchmarking

2. For mission-critical systems with a low tolerance to interruption and a high cost of recovery,
the IS auditor, in principle, recommends the use of which of the following recovery options?
A. Mobile site
B. Warm site
C. Cold site
D. Hot site
Answer: D. Hot site

3. Which of the following is the MOST effective method for an IS auditor to use in testing the
program change management process?
A. Trace from system-generated information to the change management documentation
B. Examine change management documentation for evidence of accuracy
C. Trace from the change management documentation to a system-generated audit trail
D. Examine change management documentation for evidence of completeness
Answer: A. Trace from system-generated information to the change management
documentation
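
Worked example (added here; not part of the original document) showing why answer A is the more effective direction. It reconciles a system-generated audit trail of production changes against change tickets both ways: tracing from the system to the documentation surfaces changes with no ticket, an unapproved ticket, or implementation before approval; tracing from the documentation to the system only finds tickets that claim implementation without evidence and is blind to changes that were never ticketed. The log line format, host names, ticket IDs and file paths are constructed for illustration.

```python
# Added example (not from the source document): the two directions of a
# change-management trace. Audit-trail lines and tickets are constructed.
import re
from datetime import datetime

# Constructed system-generated audit trail: one line per production change,
# as a deployment tool or OS audit subsystem would record it.
AUDIT_TRAIL = """\
2024-04-02T09:15:03Z host=app01 user=deploy change=CHG-2041 object=/opt/app/lib/pay.jar action=replace
2024-04-03T22:47:10Z host=app01 user=jsmith change=- object=/opt/app/conf/limits.yml action=modify
2024-04-05T11:02:44Z host=db01 user=deploy change=CHG-2050 object=schema/v42.sql action=apply
2024-04-06T08:30:00Z host=app02 user=deploy change=CHG-2099 object=/opt/app/lib/core.jar action=replace
"""

# Constructed change tickets as exported from the change-management system.
TICKETS = {
    "CHG-2041": {"approved": True,  "approved_at": "2024-04-01T16:00:00Z", "status": "implemented"},
    "CHG-2050": {"approved": True,  "approved_at": "2024-04-05T12:00:00Z", "status": "implemented"},
    "CHG-2060": {"approved": True,  "approved_at": "2024-04-04T12:00:00Z", "status": "implemented"},
    "CHG-2099": {"approved": False, "approved_at": None,                   "status": "pending"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) change=(?P<change>\S+) "
    r"object=(?P<object>\S+) action=(?P<action>\S+)$")


def _ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_trail(text):
    return [LINE_RE.match(line).groupdict()
            for line in text.splitlines() if line.strip()]


def trace_system_to_docs(events, tickets):
    """Answer A: start from what the system says changed and look for the
    authorizing ticket. Returns {'<timestamp> <object>': reason} for every
    change that lacks valid, timely authorization."""
    exceptions = {}
    for e in events:
        key = f"{e['ts']} {e['object']}"
        t = tickets.get(e["change"])
        if e["change"] == "-" or t is None:
            exceptions[key] = "no change ticket referenced or ticket not found"
        elif not t["approved"]:
            exceptions[key] = "ticket not approved"
        elif _ts(t["approved_at"]) > _ts(e["ts"]):
            exceptions[key] = "change implemented before approval"
    return exceptions


def trace_docs_to_system(events, tickets):
    """Answer C, the reverse direction: tickets marked implemented with no
    corresponding system evidence. This cannot see unticketed changes."""
    seen = {e["change"] for e in events}
    return sorted(c for c, t in tickets.items()
                  if t["status"] == "implemented" and c not in seen)


if __name__ == "__main__":
    events = parse_trail(AUDIT_TRAIL)
    for line, reason in trace_system_to_docs(events, TICKETS).items():
        print(f"EXCEPTION {line}: {reason}")
    for chg in trace_docs_to_system(events, TICKETS):
        print(f"NO SYSTEM EVIDENCE for ticket {chg}")
```

On the constructed data the system-to-documentation trace raises three exceptions (an unticketed edit to limits.yml, a schema change applied before its ticket was approved, and a deployment against a pending ticket), while the reverse trace finds only the one ticket with no system evidence and says nothing about the unticketed edit. The completeness of the system-side evidence is itself a precondition: an auditor should first confirm the audit trail cannot be disabled or edited by the people whose changes it records.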

4. Which of the following would allow an enterprise to extend its intranet across the Internet to
its business partners?
A. Virtual private network
B. Client-server
C. Dial-up access
D. Network service provider
Answer: A. Virtual private network

5. The classification based on criticality of a software application as part of an IS business
continuity plan is determined by the:
A. Nature of the business and the value of the application to the business
B. Replacement cost of the application
C. Vendor support available for the application
D. Associated threats and vulnerabilities of the application
Answer: A. Nature of the business and the value of the application to the business

6. When conducting an audit of client-server database security, the IS auditor should be MOST
concerned about the availability of:
A. System utilities
B. Application program generators
C. Systems security documentation
D. Access to stored procedures
Answer: A. System utilities (they can read and change data directly, bypassing the application and database access controls; access to stored procedures is also a concern, but stored procedures execute under the database's own access controls)

7. When reviewing a network used for Internet communications, an IS auditor will FIRST
examine the:
A. Validity of password change occurrences
B. Architecture of the client-server application
C. Network architecture and design
D. Firewall protection and proxy servers
Answer: C. Network architecture and design

8. An IS auditor should be involved in:
A. Observing tests of the disaster recovery plan
B. Developing the disaster recovery plan
C. Maintaining the disaster recovery plan
D. Reviewing the disaster recovery requirements of supplier contracts
Answer: A. Observing tests of the disaster recovery plan

9. Data mirroring should be implemented as a recovery strategy when:
A. Recovery point objective (RPO) is low
B. Recovery point objective (RPO) is high
C. Recovery time objective (RTO) is high
D. Disaster tolerance is high
Answer: A. Recovery point objective (RPO) is low

10. Which of the following components of a business continuity plan is PRIMARILY the
responsibility of an organization’s IS department?
A. Developing the business continuity plan
B. Selecting and approving the recovery strategies used in the business continuity plan
C. Declaring a disaster
D. Restoring the IT systems and data after a disaster
Answer: D. Restoring the IT systems and data after a disaster

11. Which of the following is the BEST method to ensure that the new system is compatible with
the existing system?
A. Data mapping
B. Integration testing
C. Pilot testing
D. Parallel testing
Answer: B. Integration testing

12. Which of the following would be of GREATEST concern to an IS auditor reviewing the
implementation of a new system?
A. Lack of user training
B. Lack of management support
C. Lack of system documentation
D. Lack of a project management plan
Answer: D. Lack of a project management plan

13. Which of the following is MOST important to ensure the success of a project?
A. Adequate funding
B. User involvement
C. Executive support
D. Skilled team members
Answer: C. Executive support

14. During the implementation phase of an IS project, which of the following activities should be
the PRIMARY responsibility of the user department?
A. Developing test data
B. Developing detailed system specifications
C. Coding and documentation
D. Approving user acceptance testing
Answer: D. Approving user acceptance testing

15. Which of the following represents the GREATEST risk when assessing the impact of
changes to the scope of an IT project?
A. Increased project costs
B. Implementation delays
C. Inadequate testing
D. Reduced quality of deliverables
Answer: D. Reduced quality of deliverables

16. Which of the following tasks should an IS auditor perform FIRST when developing an audit
program for reviewing an application system?
A. Gain an understanding of the business process
B. Identify relevant IT risks
C. Evaluate existing controls
D. Review previous audit reports
Answer: A. Gain an understanding of the business process

17. Which of the following is the PRIMARY objective of a post-implementation review?
A. To ensure that project objectives were achieved
B. To ensure that system requirements were met
C. To evaluate the effectiveness of the project management process
D. To identify lessons learned for future projects
Answer: A. To ensure that project objectives were achieved

18. Which of the following BEST describes the role of an IS auditor during the implementation
of a new system?
A. To design and test application controls
B. To act as a consultant to project management
C. To develop and execute test plans
D. To ensure that data conversion is accurate
Answer: B. To act as a consultant to project management

19. An IS auditor conducting a post-implementation review should ensure that:
A. The system operates as intended
B. Project deliverables were completed on time
C. All project costs were within the budget
D. The project plan was followed correctly
Answer: A. The system operates as intended

20. Which of the following is the MOST critical factor to the success of a project?
A. Clearly defined objectives
B. A large budget
C. A detailed project plan
D. Experienced project team members
Answer: A. Clearly defined objectives

21. Which of the following is the BEST method for managing scope changes in a project?
A. Using a formal change control process
B. Conducting regular project status meetings
C. Performing risk assessments
D. Documenting all project changes
Answer: A. Using a formal change control process

22. Which of the following BEST ensures that a new application meets the requirements of the
business?
A. Conducting a user acceptance test
B. Performing a system integration test
C. Developing detailed functional specifications
D. Using a prototyping approach
Answer: A. Conducting a user acceptance test

23. Which of the following BEST describes the role of an IS auditor during the feasibility study
phase of an application development project?
A. To review the feasibility study report
B. To assist in the development of functional specifications
C. To design test cases for the new system
D. To participate in the selection of the project team
Answer: A. To review the feasibility study report

24. Which of the following is the BEST way to ensure that the implementation of a new system
does not disrupt the operations of other systems?
A. Conducting system integration testing
B. Implementing the new system during off-peak hours
C. Using a phased implementation approach
D. Performing a post-implementation review
Answer: A. Conducting system integration testing

25. Which of the following is the PRIMARY purpose of conducting a post-implementation
review?
A. To ensure that project objectives were achieved
B. To identify lessons learned for future projects
C. To evaluate the effectiveness of the project management process
D. To ensure that system requirements were met
Answer: A. To ensure that project objectives were achieved

26. Which of the following is the MOST important reason for conducting a post-implementation
review?
A. To ensure that project objectives were achieved
B. To evaluate the effectiveness of the project management process
C. To ensure that system requirements were met
D. To identify lessons learned for future projects
Answer: A. To ensure that project objectives were achieved

27. Which of the following is the MOST critical factor to the success of an IT project?
A. Clearly defined objectives
B. A detailed project plan
C. A large budget
D. Experienced project team members
Answer: A. Clearly defined objectives

28. Which of the following is the BEST way to ensure that changes to an application do not
introduce new risks?
A. Conducting a risk assessment
B. Performing a system integration test
C. Conducting a user acceptance test
D. Using a phased implementation approach
Answer: B. Performing a system integration test

Domain 5 of the CISA Review Manual


1. An IS auditor reviewing the configuration of a signature-based intrusion detection system would
be MOST concerned if which of the following is discovered?
A. Auto-update is turned off.
B. Scanning for application vulnerabilities is disabled.
C. Analysis of encrypted data packets is disabled.
D. The IDS is placed between the demilitarized zone and the firewall.
Answer: A. Auto-update is turned off.

2. Which of the following BEST provides access control to payroll data being processed on a local
server?
A. Logging access to personal information
B. Using separate passwords for sensitive transactions
C. Using software that restricts access rules to authorized staff
D. Restricting system access to business hours
Answer: C. Using software that restricts access rules to authorized staff.

3. An IS auditor has just completed a review of an organization that has a mainframe computer and
two database servers where all production data reside. Which of the following weaknesses would
be considered the MOST serious?
A. The security officer also serves as the database administrator.
B. Password controls are not administered over the two database servers.
C. There is no business continuity plan for the mainframe system’s noncritical applications.
D. Most local area networks do not back up file-server-fixed disks regularly.
Answer: B. Password controls are not administered over the two database servers.

4. An organization is proposing to install a single sign-on facility giving access to all systems. The
organization should be aware that:
A. Maximum unauthorized access would be possible if a password is disclosed.
B. User access rights would be restricted by the additional security parameters.
C. The security administrator’s workload would increase.
D. User access rights would be increased.
Answer: A. Maximum unauthorized access would be possible if a password is disclosed.

5. When reviewing an implementation of a Voice-over Internet Protocol system over a corporate
wide area network, an IS auditor should expect to find:
A. An integrated services digital network data link.
B. Traffic engineering.
C. Wired equivalent privacy encryption of data.
D. Analog phone terminals.
Answer: B. Traffic engineering.

6. An insurance company is using public cloud computing for one of its critical applications to
reduce costs. Which of the following would be of MOST concern to the IS auditor?
A. The inability to recover the service in a major technical failure scenario.
B. The data in the shared environment being accessed by other companies.
C. The service provider not including investigative support for incidents.
D. The long-term viability of the service if the provider goes out of business.
Answer: B. The data in the shared environment being accessed by other companies.

7. Which of the following BEST determines whether complete encryption and authentication
protocols for protecting information while being transmitted exist?
A. A digital signature with RSA has been implemented.
B. Work is being done in tunnel mode with the nested services of AH and ESP.
Answer: B. Work is being done in tunnel mode with the nested services of AH and ESP.

8. Which of the following concerns about the security of an electronic message would be addressed
by digital signatures?
A. Unauthorized reading
B. Theft
C. Unauthorized copying
D. Alteration
Answer: D. Alteration

9. Which of the following characterizes a distributed denial-of-service attack?
A. Central initiation of intermediary computers to direct simultaneous spurious message traffic at a
specified target site.
B. Local initiation of intermediary computers to direct simultaneous spurious message traffic at a
specified target site.
C. Central initiation of a primary computer to direct simultaneous spurious message traffic at multiple
target sites.
D. Local initiation of intermediary computers to direct staggered spurious message traffic at a
specified target site.
Answer: A. Central initiation of intermediary computers to direct simultaneous spurious message traffic at a specified target site.

10. Which of the following is the MOST effective preventive antivirus control?
A. Scanning email attachments on the mail server
B. Restoring systems from clean copies
C. Disabling universal serial bus ports
D. An online antivirus scan with up-to-date virus definitions
Answer: A. Scanning email attachments on the mail server

11. To ensure confidentiality, how should a storage device be disposed of?
A. By performing a low-level format of the storage device.
B. By deleting the files on the storage device.
C. By erasing the storage device using the "delete" command.
D. By physically destroying the storage device.
Answer: D. By physically destroying the storage device.

12. Which of the following is the BEST method to prevent a successful attack against a system with
known vulnerabilities?
A. Installing an intrusion detection system.
B. Applying the latest security patches.
C. Implementing proper firewall rules.
D. Using network segmentation.
Answer: B. Applying the latest security patches.

13. Which of the following techniques is the MOST effective for detecting vulnerabilities in a
network?
A. Penetration testing
B. Intrusion detection
C. Vulnerability scanning
D. Network traffic analysis
Answer: A. Penetration testing

14. Which of the following BEST describes the primary objective of implementing corporate
governance of IT?
A. Alignment of IT with business objectives
B. Compliance with regulatory requirements
C. Assurance of effective IT risk management
D. Achievement of cost efficiency in IT operations
Answer: A. Alignment of IT with business objectives

15. Which of the following would BEST help an IS auditor understand an organization's information
security program?
A. Reviewing the information security policy
B. Interviewing key information security personnel
C. Evaluating the results of a security risk assessment
D. Reviewing information security incident reports
Answer: A. Reviewing the information security policy

16. What is the PRIMARY purpose of a business impact analysis?
A. To assess the impact of an interruption on business operations
B. To identify critical business processes and recovery priorities
C. To determine the financial impact of a business interruption
D. To develop a business continuity plan
Answer: A. To assess the impact of an interruption on business operations

17. Which of the following is MOST effective in preventing brute force attacks on network devices?
A. Limiting login attempts
B. Using complex passwords
C. Encrypting network traffic
D. Implementing a strong firewall
Answer: A. Limiting login attempts

18. Which of the following is the BEST method for controlling access to systems containing
sensitive information?
A. Implementing role-based access controls
B. Using biometric authentication
C. Requiring two-factor authentication
D. Encrypting sensitive information
Answer: A. Implementing role-based access controls

19. Which of the following is MOST important when considering the security of an outsourced IT
function?
A. Reviewing the vendor's security policies and procedures
B. Ensuring the vendor has insurance coverage
C. Conducting regular security audits of the vendor
D. Including security requirements in the contract
Answer: D. Including security requirements in the contract

20. Which of the following would BEST ensure the confidentiality of data stored in the cloud?
A. Using data encryption
B. Implementing access controls
C. Regularly backing up data
D. Conducting security awareness training
Answer: A. Using data encryption

21. Which of the following is the PRIMARY purpose of an incident response plan?
A. To ensure business continuity during an incident
B. To minimize the impact of security incidents
C. To document security incidents and responses
D. To comply with regulatory requirements
Answer: B. To minimize the impact of security incidents

22. Which of the following is the MOST effective way to prevent unauthorized access to data on
mobile devices?
A. Encrypting the data
B. Using strong passwords
C. Implementing remote wipe capabilities
D. Requiring multi-factor authentication
Answer: A. Encrypting the data

23. Which of the following is the MOST effective control to prevent internal fraud?
A. Segregation of duties
B. Implementing an audit trail
C. Conducting background checks
D. Requiring mandatory vacations
Answer: A. Segregation of duties

24. Which of the following is the PRIMARY objective of access controls?
A. To ensure data confidentiality
B. To prevent unauthorized access
C. To track user activity
D. To ensure data integrity
Answer: B. To prevent unauthorized access

25. Which of the following is the MOST important consideration when developing an information
security policy?
A. Aligning with business objectives
B. Complying with legal requirements
C. Addressing all identified risks
D. Ensuring user awareness
Answer: A. Aligning with business objectives

26. Which of the following BEST describes the primary objective of an IT risk management
program?
A. To identify and mitigate IT risks
B. To comply with regulatory requirements
C. To improve IT governance
D. To enhance IT service delivery
Answer: A. To identify and mitigate IT risks

27. Which of the following is MOST effective in ensuring that unauthorized changes to production
systems are detected?
A. Implementing change management procedures
B. Conducting regular audits
C. Using a version control system
D. Monitoring system logs
Answer: D. Monitoring system logs

28. Which of the following is the BEST method to ensure that security patches are applied in a timely
manner?
A. Implementing an automated patch management system
B. Conducting regular vulnerability assessments
C. Establishing a patch management policy
D. Performing regular system audits
Answer: A. Implementing an automated patch management system

29. Which of the following BEST describes the purpose of a security awareness program?
A. To educate users about security policies and procedures
B. To ensure compliance with security policies
C. To reduce the number of security incidents
D. To improve the organization's security posture
Answer: A. To educate users about security policies and procedures

30. Which of the following is the MOST important factor when selecting a cloud service provider?
A. The provider's security controls
B. The provider's compliance with regulations
C. The provider's reputation
D. The provider's service level agreements
Answer: A. The provider's security controls

31. Which of the following is the PRIMARY purpose of a data classification scheme?
A. To determine the appropriate level of protection for data
B. To comply with legal and regulatory requirements
C. To ensure data integrity
D. To facilitate data recovery
Answer: A. To determine the appropriate level of protection for data

32. Which of the following is the BEST way to ensure that only authorized personnel have access to
sensitive information?
A. Implementing role-based access controls
B. Conducting regular access reviews
C. Using strong passwords
D. Encrypting sensitive information
Answer: A. Implementing role-based access controls

33. Which of the following is the MOST important factor in the success of an information security
program?
A. Management support
B. User awareness
C. Adequate funding
D. Effective policies and procedures
Answer: A. Management support

34. Which of the following is the MOST effective way to manage the risk of data leakage from
mobile devices?
A. Implementing a mobile device management solution
B. Using strong passwords
C. Encrypting the data
D. Conducting regular security awareness training
Answer: A. Implementing a mobile device management solution

35. Which of the following is the PRIMARY purpose of an incident response team?
A. To coordinate the organization's response to security incidents
B. To investigate security incidents
C. To document security incidents and responses
D. To prevent security incidents
Answer: A. To coordinate the organization's response to security incidents

36. Which of the following is the MOST important factor in the effectiveness of a security awareness
program?
A. Management support
B. User participation
C. Regular updates
D. Comprehensive content
Answer: A. Management support

37. Which of the following is the BEST method for ensuring that access to sensitive information is
restricted to authorized users?
A. Implementing role-based access controls
B. Using strong passwords
C. Conducting regular access reviews
D. Encrypting the information
Answer: A. Implementing role-based access controls

38. Which of the following is the PRIMARY objective of a security policy?
A. To define acceptable use of information systems
B. To establish guidelines for protecting information assets
C. To ensure compliance with legal and regulatory requirements
D. To provide a framework for managing security risks
Answer: D. To provide a framework for managing security risks

39. Which of the following is the MOST effective way to protect data at rest?
A. Encrypting the data
B. Implementing access controls
C. Using strong passwords
D. Conducting regular security audits
Answer: A. Encrypting the data

40. Which of the following is the BEST way to ensure that users comply with security policies?
A. Conducting regular security awareness training
B. Implementing technical controls
C. Performing regular audits
D. Enforcing disciplinary measures
Answer: A. Conducting regular security awareness training

41. Which of the following is the MOST important consideration when developing an incident
response plan?
A. Ensuring business continuity
B. Minimizing the impact of incidents
C. Complying with legal requirements
D. Documenting incidents and responses
Answer: B. Minimizing the impact of incidents
