Domain 3 - Systems and Infrastructure Life Cycle Management

CISA REVIEW – 2

1. An IS auditor has been asked to review proposals to implement a standardized IT infrastructure.
Which of the following findings would likely be featured in the auditor’s report? The proposals are
likely to:
A. Improve the cost-effectiveness of IT service delivery and operational support.
B. Increase the complexity of IT service delivery and support.
C. Reduce the level of investment in the IT infrastructure.
D. Reduce the need for testing of future application changes.
2. Which of the following would BEST help to prioritize project activities and determine the
timeline for a project?
A. A Gantt chart
B. Earned value analysis (EVA)
C. Program evaluation review technique (PERT)
D. Function point analysis (FPA)
3. An IS auditor reviewing a series of completed projects finds that the implemented functionality
often exceeded requirements and most of the projects ran significantly over budget. Which of
these areas of the organization’s project management process is the MOST likely cause of this
issue?
A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management
4. An IS auditor is reviewing the software development process for an organization. Which of the
following functions would be appropriate for the end users to perform?
A. Program output testing
B. System configuration
C. Program logic specification
D. Performance tuning
5. An IS auditor is reviewing system development for a healthcare organization with two
application environments—production and test. During an interview, the auditor notes that
production data are used in the test environment to test program changes. What is the MOST
significant potential risk from this situation?
A. The test environment may not have adequate controls to ensure data accuracy.
B. The test environment may produce inaccurate results due to use of production data.
C. Hardware in the test environment may not be identical to the production environment.
D. The test environment may not have adequate access controls implemented to ensure data
confidentiality.
6. The IS auditor is reviewing a recently completed conversion to a new enterprise resource
planning (ERP) system. As the final stage of the conversion process, the organization ran the
old and new systems in parallel for 30 days before allowing the new system to run on its own.
What is the MOST significant advantage to the organization by using this strategy?
A. Significant cost savings over other testing approaches
B. Assurance that new, faster hardware is compatible with the new system
C. Assurance that the new system meets functional requirements
D. Increased resiliency during the parallel processing time
7. What kind of software application testing is considered the final stage of testing and typically
includes users outside the development team?
A. Alpha testing
B. White box testing
C. Regression testing
D. Beta testing
8. During which phase of software application testing should an organization perform the testing
of architectural design?
A. Acceptance testing
B. System testing
C. Integration testing
D. Unit testing
9. Which of the following is the MOST efficient way to test the design effectiveness of a partially
automated change control process?
A. Test a sample population of changes
B. Perform an end-to-end walk-through of the process
C. Test one change that has been authorized
D. Use a computer-assisted audit test (CAAT)
10. An organization is replacing a payroll program that it developed in house, with the relevant
subsystem of a commercial enterprise resource planning (ERP) system. Which of the following
would represent the highest potential risk?
A. Undocumented approval of some project changes
B. Faulty migration of historical data from the old system to the new system
C. Incomplete testing of the standard functionality of the ERP subsystem
D. Duplication of existing payroll permissions on the new ERP subsystem
11. An IS auditor is evaluating a virtual machine-based (VM-based) architecture used for all
programming and testing environments. The production architecture is a three-tier physical
architecture. What is the MOST important IT control to test in order to ensure availability and
confidentiality of the web application in production?
A. Server configuration hardening
B. Allocated physical resources are available
C. System administrators are trained to use the VM architecture
D. The VM server is included in the disaster recovery plan (DRP)
12. During a post-implementation review, which of the following activities should be performed?
A. User acceptance testing (UAT)
B. Return on investment (ROI) analysis
C. Activation of audit trails
D. Updates of the future state of enterprise architecture (EA) diagrams
13. An IS auditor reports that the financial module of an enterprise resource planning (ERP)
application is very slow because the audit trails are activated on some sensitive tables. The
vendor has asked to disable audit trails on these transactional tables and restrict auditing only to
successful and unsuccessful logons to the system. What is the GREATEST threat if this
recommendation is implemented?
A. The integrity of the financial data could not be guaranteed
B. The integrity of the system logs could not be guaranteed
C. Access to sensitive data is not logged
D. Fraud could occur
14. An IS auditor should ensure that the review of online electronic funds transfer (EFT) reconciliation
procedures includes:
A. Vouching
B. Authorizations
C. Corrections
D. Tracing
15. Web application developers sometimes use hidden fields on web pages to save information
about a client session. This technique is used in some cases to store session variables that enable
persistence across web pages, such as maintaining the contents of a shopping cart on a retail
web site application. The MOST likely web-based attack due to this practice is:
A. Parameter tampering
B. Cross-site scripting
C. Cookie poisoning
D. Stealth commanding
16. After consulting with senior management, an organization’s IT department decided that all IT
hardware would be replaced three years from the procurement date. The MOST likely reason
for doing this is to:
A. Manage IT assets in a cost-effective manner
B. Keep pace with new cost-effective technologies
C. Ensure that existing capacity can meet all users’ needs
D. Ensure that IT hardware is covered by the manufacturer warranty.
