Certified Information Systems Auditor (CISA)

Multiple Choice Questions:

1. Who is accountable for ensuring relevant controls over IS resources?
a. The system administrator
b. Network administration
c. Resource owners
d. The database administrator

2. The primary consideration of an IS auditor when evaluating a fraudulent

transaction is_______________.
a. To remain unbiased while evaluating the evidence.
b. To ensure that the integrity of the evidence is maintained.
c. The independence of the IS auditor.
d. To determine the source of the evidence.

3. An IS auditor observes that an enterprise has outsourced software

development to a startup company or a third party. To ensure that the
enterprise’s investment in software is protected, which of the following
should be recommended by the IS auditor?
a. Due diligence should be performed on the software vendor.
b. A quarterly audit of the vendor facilities should be performed.
c. A high penalty clause should be included in the contract.
d. There should be a source code escrow agreement in place.

4. An IS auditor finds a small number of user access requests that

managers had not authorised through the normal predefined workflow
steps and escalation rules. The IS auditor should _________________.
a. Perform an additional analysis.
b. Recommend that the owner of the identity management (IDM)
system fix the workflow issues.
c. Report the problem to the audit committee.
d. Conduct a security risk assessment.
5. Responsibility of granting access to data with the help of security officer
resides with________________.
a. The data owners
b. The system developer
c. The library controller
d. The system administrator

6. An IS auditor is reviewing the physical security controls of a data center

and notices several areas for concern. Which of the following areas is
the most important?
a. The emergency power off button cover is missing.
b. Scheduled maintenance of the fire suppression system was not
performed.
c. There are no security cameras inside the data center.
d. The emergency exit door is blocked.

7. Which of the following choices best helps information owners to classify

data correctly?
a. Understanding of technical controls that protect data.
b. Use of an automated data leak prevention (DLP) tool.
c. Training on organisational policies and standards.
d. Understanding which people need to access the data.

8. A test that is conducted when a system is in the development phase

is_______________.
a. A sociability test
b. A functionality test
c. A load test
d. A unit test
9. An enterprise’s risk appetite is best established by_________________.
a. The steering committee
b. Security management
c. The audit committee
d. The chief legal officer

10. Which of the following is the best performance indicator for the
effectiveness of an incident management program?
a. Incident resolution meantime.
b. Incident alert meantime.
c. Number of incidents reported.
d. Average time between incidents.

11. Backups will most effectively minimise a disruptive incident's impact on

a business if they are__________________.
a. Taken according to recovery point objectives (RPOs).
b. Performed by automated backup software on a fixed schedule.
c. Scheduled according to the service delivery objectives.
d. Stored on write-once read-many media.

12. An IS audit reveals that an organisation is not proactively addressing

known vulnerabilities. Which of the following should the IS auditor
recommend the organisation does first?
a. Assess the security risks to the business.
b. Ensure the intrusion prevention system (IPS) is effective.
c. Verify the disaster recovery plan (DRP) has been tested.
d. Confirm the incident response team understands the issue.
13. An IS auditor has completed the fieldwork phase of a network security
review and is preparing the initial draft of the audit report. Which of the
following findings should be ranked as the highest risk?
a. Network penetration tests are not performed.
b. The network device inventory is incomplete.
c. The network firewall policy has not been approved by the
information security officer.
d. Network firewall rules have not been documented.

14. Which of the following is the primary advantage of parallel processing

for a new system implementation?
a. Significant cost savings over other system implementation
approaches.
b. More time for users to complete training for the new system.
c. Assurance that the new system meets functional requirements.
d. Assurance that the new system meets performance requirements.

15. During an internal audit of automated controls, an IS auditor identifies

that the integrity of data transfer between systems has not been tested
since its successful implementation two years ago. Which of the
following should the auditor do next?
a. Review previous system interface testing records.
b. Document the finding in the audit report.
c. Review relevant system changes.
d. Review IT testing policies and procedures.

16. The MAIN benefit of using an integrated test facility (ITF) as an online
auditing technique is that it enables________________.
a. The integration of financial and audit tests.
b. Auditors to test without impacting production data.
c. A cost-effective approach to application controls audit.
d. Auditors to investigate fraudulent transactions.
17.Which of the following should be the MOST important consideration
when conducting a review of IT portfolio management?
a. Adherence to best practices and industry-approved
methodologies.
b. Frequency of meetings where the business discusses the IT
portfolio.
c. Assignment of responsibility for each project to an IT team
member.
d. Controls to minimise risk and maximise value for the IT portfolio.

18.Which of the following would BEST facilitate the successful

implementation of an IT-related framework?
a. Establishing committees to support and oversee framework
activities.
b. Documenting IT-related policies and procedures.
c. Aligning the framework to industry best practices.
d. Involving appropriate business representation within the
framework.

19. What is the MAIN reason to use incremental backups?

a. To increase backup resiliency and redundancy.
b. To reduce costs associated with backups.
c. To improve key availability metrics.
d. To minimise the backup time and resources.

20. When auditing the security architecture of an online application, an IS

auditor should FIRST review the_________________.
a. Location of the firewall within the network.
b. Firewall standards.
c. Firmware version of the firewall.
d. Configuration of the firewall.
21. An organisation is planning an acquisition and has engaged an IS auditor
to evaluate the IT governance framework of the target company. Which
of the following would be MOST helpful in determining the effectiveness
of the framework?
a. Recent third-party IS audit reports.
b. Current and previous internal IS audit reports.
c. IT performance benchmarking reports with competitors.
d. Self-assessment reports of IT capability and maturity.

22. The IT Assurance Framework consists of all of the following except

_______________.
a. ISACA Code of Professional Ethics
b. IS audit and assurance standards
c. ISACA Audit Job Practice
d. IS audit and assurance guidelines

23. An audit project has been taking far too long, and management is
beginning to ask questions about its schedule and completion. This audit
may be lacking________________.
a. Effective project management
b. Cooperation from individual auditees
c. Enough skilled auditors
d. Clearly stated scope and objectives

24. Which of the following is true about the ISACA Audit Standards and
Audit Guidelines?
a. ISACA Audit Standards are mandatory.
b. ISACA Audit Standards are optional.
c. ISACA Audit Guidelines are mandatory.
d. ISACA Audit Standards are only mandatory for SOX audits.
25. For the purposes of audit planning, can an auditor rely upon the audit
client's risk assessment?
a. Yes, in all cases.
b. Yes, if the risk assessment was performed by a qualified external
entity.
c. No. The auditor must perform a risk assessment himself or herself.
d. No. The auditor does not require a risk assessment to develop an
audit plan.

26. An auditor is auditing the user account request and fulfilment process.
The event population consists of hundreds of transactions, so the
auditor cannot view them all. The auditor wants to view a random
selection of transactions, as well as some of the transactions for
privileged access requests. This type of sampling is known
as_____________.
a. Judgmental sampling
b. Random sampling
c. Stratified sampling
d. Statistical sampling

27. An auditor is developing an audit plan for an accounts payable function.

Rather than randomly selecting transactions to examine, the auditor
wants to select transactions from low, medium, and large payment
amounts. Which sample methodology is appropriate for this approach?
a. Judgmental sampling
b. Stratified sampling
c. Non-random sampling
d. Statistical sampling
28. What is the objective of the ISACA audit standard on organisational
independence?
a. The auditor's placement in the organisation should ensure the
auditor can act independently.
b. The auditor should not work in the same organisation as the
auditee.
c. To ensure that the auditor has the appearance of independence.
d. To ensure that the auditor has a separate operating budget.

29. Which of the following audit types is appropriate for a financial services
provider such as a payroll service?
a. SSAE18
b. SAS70
c. AUP
d. Sarbanes-Oxley

30. An auditor is auditing an organisation's personnel onboarding process

and is examining the background check process. The auditor is mainly
interested in whether background checks are performed for all
personnel and whether background check results lead to no-hire
decisions. Which of the following evidence-collection techniques will
support this audit objective?
a. Request the full contents of background checks along with
hire/no-hire decisions.
b. Request the background check ledger that includes the
candidates' names, results of background checks, and hire/no-hire
decisions.
c. Request the hire/no-hire decisions from the auditee.
d. Examine the background check process and note which
characteristics of each candidate are included.
31. According to ISACA Audit Standard 1202, which types of risks should be
considered when planning an audit?
a. Fraud risk
b. Business risk
c. Cybersecurity risk
d. Financial risk

32. Which of the following is the best example of a control self-assessment

of a user account provisioning process?
a. An examination of Active Directory to ensure that only domain
administrators can make user account permission changes.
b. Checks to see that only authorised personnel made user account
changes.
c. Confirmation that all user account changes were approved by the
appropriate personnel.
d. Reconciliation of all user account changes against approved
requests in the ticketing system.

33. What are the potential consequences if an IS auditor is a member of

ISACA and is CISA certified and violates the ISACA Code of Professional
Ethics?
a. Fines
b. Imprisonment
c. Termination of employment
d. Loss of ISACA certifications

34. Which of the following should be of greatest concern to an IS auditor

reviewing an organisation's business continuity plan (BCP)?
a. The BCP has not been tested since it was first issued.
b. The BCP is not version-controlled.
c. The BCP's contact information needs to be updated.
d. The BCP has not been approved by senior management.
35.Which of the following would be most useful when analysing computer
performance?
a. Tuning of system software to optimise resource usage.
b. Operations report of user dissatisfaction with response time.
c. Statistical metrics measuring capacity utilisation.
d. Report of off-peak utilisation and response time.

36. Which of the following is the greatest risk if two users have concurrent
access to the same database record?
a. Entity integrity
b. Availability integrity
c. Referential integrity
d. Data integrity

37. Which of the following is the most effective way for an organisation to
help ensure agreed-upon action plans from an IS audit will be
implemented?
a. Ensure ownership is assigned.
b. Test corrective actions upon completion.
c. Ensure sufficient audit resources are allocated.
d. Communicate audit results organisation-wide.

38. Which of the following issues associated with a data center's closed
circuit television (CCTV) surveillance cameras should be of MOST
concern to an IS auditor?
a. CCTV recordings are not regularly reviewed.
b. CCTV records are deleted after one year.
c. CCTV footage is not recorded 24 x 7.
d. CCTV cameras are not installed in break rooms.
39. An IS auditor has been asked to audit the proposed acquisition of new
computer hardware. The auditor's primary concern is
that_______________.
a. A clear business case has been established.
b. The new hardware meets established security standards.
c. A full, visible audit trail will be included.
d. The implementation plan meets user requirements.

40. To confirm the integrity of a hashed message, the receiver should

use________________.
a. The same hashing algorithm as the sender to create a binary
image of the file.
b. A different hashing algorithm from the senders to create a
numerical representation of the file.
c. A different hashing algorithm from the senders to create a binary
image of the file.
d. The same hashing algorithm as the senders to create a numerical
representation of the file.