Topic 6: Exam Pool (Jul-Aug)
The MAIN reason an organization's incident management procedures should include a post-incident review is to:
A. enable better reporting for executives and the audit committee
B. improve processes by learning from identified weaknesses
C. take appropriate action when procedures are not followed
D. ensure evidence is collected for possible post-event litigation
Answer: improve processes by learning from identified weaknesses
An organization uses a web server hosting critical applications. Which of the following would represent the HIGHEST risk regarding the availability and integrity of the web server?
A. Not applying program fixes on a regular basis
B. Placing the web server in the DMZ
C. Not disabling the server's external drives
D. Inadequate rotation of backups
Answer: Placing the web server in the DMZ
Stress testing should ideally be carried out under a:
A. production environment with test data.
B. test environment with test data.
C. production environment with production workloads.
D. test environment with production workloads.
Answer: production environment with test data
An IS auditor is mapping controls to risk for an accounts payable system. What is the BEST control to detect errors in the system?
A. Quality control review of new payments
B. Management approval of payments
C. Input validation
D. Alignment of the process to business objectives
Answer: Input validation
Which of the following is the BEST point in time to conduct a post-implementation review (PIR)?
A. After a full processing cycle
B. Immediately after deployment
C. To coincide with the annual PIR cycle
D. Six weeks after deployment
Answer: Six weeks after deployment
An organization's current end-user computing practices include the use of a spreadsheet for financial statements. Which of the following is the GREATEST concern?
A. Operational procedures have not been reviewed in the current fiscal year.
B. The spreadsheet is not maintained by IT.
C. The spreadsheet contains numerous macros.
D. Formulas are not protected against unintended changes.
Answer: Formulas are not protected against unintended changes.
While auditing an IT department's cloud service provider, the IS auditor found that privileged access monitoring is not being performed as required by the contract. The provider disagrees with this issue and notes that compensating controls are in place. The IS auditor's NEXT course of action should be to:
A. review privileged access logs.
B. define a remediation plan.
C. recommend revising the service level agreement (SLA).
D. test compensating controls as part of the audit.
Answer: test compensating controls as part of the audit
An IS auditor reviewing a new application for compliance with information privacy principles should be MOST concerned with:
A. collection limitation.
B. availability.
C. nonrepudiation.
D. awareness.
Answer: collection limitation.
What is an IS auditor's BEST course of action if informed by a business unit's representatives that they are too busy to cooperate with a scheduled audit?
A. Reschedule the audit for a time more convenient to the business unit.
B. Notify the chief audit executive, who can negotiate with the head of the business unit.
C. Begin the audit regardless and insist on cooperation from the business unit.
D. Notify the audit committee immediately and request that they direct the audit to begin on schedule.
Answer: Notify the chief audit executive, who can negotiate with the head of the business unit.
Which of the following is the BEST indication of control maturity in an organization's systems development and implementation processes?
A. Code changes are tested and deployed manually.
B. Code changes are tested and deployed through automation.
C. Code changes are deployed to a test server and then to production.
D. Code changes are documented and approved.
Answer: Code changes are tested and deployed through automation.
What should be an IS auditor's NEXT course of action when a review of an IT organizational structure reveals that IT staff members have duties in other departments?
A. Recommend that segregation of duties controls be implemented.
B. Report the issue to human resources (HR) management.
C. Determine whether any segregation of duties conflicts exist.
D. Immediately report a potential finding to the audit committee.
Answer: Determine whether any segregation of duties conflicts exist.
An IS auditor is performing a business continuity plan (BCP) audit and identifies that the plan has not been tested for five years; however, the plan was successfully activated during a recent extended power outage. Which of the following is the IS auditor's BEST course of action?
A. Determine if the annual BCP training program is in need of review.
B. Determine if a follow-up BCP audit is required to identify future gaps.
C. Determine if lessons learned from the activation were incorporated into the plan.
D. Determine if the business impact analysis (BIA) is still accurate.
Answer: Determine if lessons learned from the activation were incorporated into the plan