The MOST effective way to reduce sampling risk is to increase:
Answer : D
Which of the following is the PRIMARY purpose of a business impact analysis (BIA) in an organization's overall risk management strategy?
Answer : B
Which of the following is the BEST way for an IS auditor to assess the design of an automated application control?
Answer : C
Reviewing the application implementation documents is the best way for an IS auditor to assess the design of an automated application control. An automated application control is a control that is embedded in the application software and is executed by the system without human intervention. An automated application control is designed to ensure the accuracy, completeness, validity, and authorization of transactions and data processed by the application. Examples of automated application controls are input validation, edit checks, calculations, reconciliations, and exception reports.
The application implementation documents are the documents that describe the design specifications, logic, and functionality of the application and its controls. The application implementation documents may include:
Business requirements document - a document that defines the business objectives, needs, and expectations of the application.
Functional specifications document - a document that describes the features, functions, and interfaces of the application and its controls.
Technical specifications document - a document that details the technical architecture, design, and configuration of the application and its controls.
Test plan and test cases - a document that outlines the testing strategy, methodology, and scenarios for verifying the functionality and performance of the application and its controls.
User manual and training material - a document that provides instructions and guidance on how to use the application and its controls.
By reviewing the application implementation documents, an IS auditor can:
Gain an understanding of the purpose, scope, and nature of the application and its controls.
Evaluate whether the application and its controls are designed to meet the business requirements and objectives.
Identify any gaps, inconsistencies, or errors in the design of the application and its controls.
Compare the design of the application and its controls with the best practices and standards in the industry.
Determine whether the application and its controls are adequately tested and documented.
Interviewing the application developer is not the best way for an IS auditor to assess the design of an automated application control. An interview is a verbal communication technique that involves asking questions and listening to responses. An interview can be useful for obtaining general information or clarifying specific issues related to the application and its controls. However, an interview alone cannot provide sufficient evidence or documentation to support the auditor's assessment of the design of an automated application control. An interview may also be subject to bias, misunderstanding, or misinterpretation by either party.
Obtaining management attestation and sign-off is not the best way for an IS auditor to assess the design of an automated application control. Management attestation and sign-off is a formal process that involves obtaining written confirmation from management that they have reviewed and approved the design of the application and its controls. Management attestation and sign-off can indicate management's commitment and accountability for the quality and effectiveness of the application and its controls. However, management attestation and sign-off cannot substitute for an independent and objective evaluation by an IS auditor. Management attestation and sign-off may also be influenced by pressure, conflict of interest, or fraud.
Reviewing system configuration parameters and output is not the best way for an IS auditor to assess the design of an automated application control. System configuration parameters are settings that define how the system operates or interacts with other components. System output is data or information that is produced by the system as a result of processing transactions or performing functions. Reviewing system configuration parameters and output can help an IS auditor to verify whether the system is configured correctly and whether it produces accurate and reliable output. However, reviewing system configuration parameters and output cannot provide a comprehensive view of how the application and its controls are designed to achieve their objectives. Reviewing system configuration parameters and output may also require technical expertise or access rights that may not be available to an IS auditor.
During a follow-up audit, an IS auditor finds that senior management has implemented a different remediation action plan than what was previously agreed upon. Which of the following is the auditor's BEST course of action?
Answer : B
The IS auditor's best course of action is to evaluate the implemented control to ensure it mitigates the risk to an acceptable level. This is because the objective of a follow-up audit is to verify that corrective actions have been accomplished as scheduled and that they are effective in preventing or minimizing future recurrence [1]. If senior management has implemented a different remediation action plan than what was previously agreed upon, the IS auditor should assess whether the alternative control is adequate and appropriate for the situation. Requesting justification from management for not implementing the recommended control (option D) may be a secondary step, but it is not the best course of action. Reporting the deviation by the control owner in the audit report (option A) may be premature and unnecessary if the implemented control is satisfactory. Canceling the follow-up audit and rescheduling for the next audit period (option C) is not advisable, as it would delay the verification of the effectiveness of the implemented control and potentially expose the organization to further risks.
Reference
1: Follow-up Audits - Canadian Audit and Accountability Foundation
An IS auditor has been asked to review an event log aggregation system to ensure risk management practices have been applied. Which of the following should be of MOST concern to the auditor?
Answer : B
The IS auditor should be most concerned if completeness testing has not been performed on the log data, as this could indicate that some logs are missing, corrupted, or tampered with, and that the log aggregation system is not reliable or accurate [1][2]. Completeness testing is a process of verifying that all the logs generated by the source systems are successfully collected, transferred, and stored by the log aggregation system, and that there are no gaps or inconsistencies in the log data [3][4]. Completeness testing is essential for ensuring the integrity and validity of the log data, and for supporting the risk management practices of the organization.
Reference
1: Log Aggregation: How it Works, Methods, and Tools - Exabeam
2: Log Aggregation & Monitoring Relation in Cybersecurity
3: Log Aggregation: What It Is & How It Works | Datadog
4: Data Flow Testing - GeeksforGeeks
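The completeness test described in the explanation above can be made concrete. The following is an added example, not code from the page or from any of the referenced vendors. It assumes that each source system stamps its events with a per-source sequence number and can report the range it emitted in the test window (a constructed manifest), and that the aggregator's stored records can be exported as text lines of the form `<host> seq=<n> <message>`. The host names, sequence ranges, and log lines are all constructed sample data; the check reports, per source, the sequence numbers that never arrived (gaps), those stored more than once (duplicates), and sources that are absent from the aggregator altogether.

```python
"""Completeness testing for an event log aggregation system (added example).

Assumption: every source stamps events with a monotonically increasing
per-source sequence number, and the aggregator can list the sequence
numbers it actually stored. Completeness then means: for every source in
the manifest, the stored numbers cover the reported range with no gaps
and no duplicates, and no source is silently missing.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed manifest: (first, last) sequence number each source reports
# having emitted in the test window. Host names are hypothetical.
SOURCE_MANIFEST: Dict[str, Tuple[int, int]] = {
    "fw-edge-01": (1000, 1010),
    "app-srv-02": (1, 8),
    "db-prod-03": (500, 505),
}

# Constructed export of what the aggregator stored. Deliberate defects:
# fw-edge-01 lacks seq 1004 and 1007, app-srv-02 stored seq 3 twice, and
# db-prod-03 has no records at all.
AGGREGATED_LOGS = """\
fw-edge-01 seq=1000 ACCEPT tcp 10.0.0.5 -> 10.0.1.9:443
fw-edge-01 seq=1001 ACCEPT tcp 10.0.0.6 -> 10.0.1.9:443
fw-edge-01 seq=1002 DROP udp 10.0.0.7 -> 10.0.1.2:161
fw-edge-01 seq=1003 ACCEPT tcp 10.0.0.5 -> 10.0.1.9:443
fw-edge-01 seq=1005 DROP tcp 198.51.100.4 -> 10.0.1.9:22
fw-edge-01 seq=1006 ACCEPT tcp 10.0.0.8 -> 10.0.1.9:443
fw-edge-01 seq=1008 ACCEPT tcp 10.0.0.5 -> 10.0.1.9:443
fw-edge-01 seq=1009 DROP tcp 198.51.100.4 -> 10.0.1.9:22
fw-edge-01 seq=1010 ACCEPT tcp 10.0.0.9 -> 10.0.1.9:443
app-srv-02 seq=1 login ok user=alice
app-srv-02 seq=2 login ok user=bob
app-srv-02 seq=3 login failed user=carol
app-srv-02 seq=3 login failed user=carol
app-srv-02 seq=4 login ok user=carol
app-srv-02 seq=5 logout user=alice
app-srv-02 seq=6 logout user=bob
app-srv-02 seq=7 config change by=bob
app-srv-02 seq=8 logout user=carol
"""


@dataclass
class SourceResult:
    """Per-source outcome of the completeness test."""
    expected: int                      # records the source says it emitted
    stored: int                        # records found in the aggregator
    missing: List[int] = field(default_factory=list)    # gaps
    duplicates: List[int] = field(default_factory=list)  # stored >1 times

    @property
    def complete(self) -> bool:
        return self.stored > 0 and not self.missing and not self.duplicates


def parse_sequences(raw: str) -> Dict[str, List[int]]:
    """Extract per-host sequence numbers from '<host> seq=<n> <msg>' lines."""
    seqs: Dict[str, List[int]] = defaultdict(list)
    for line in raw.splitlines():
        if not line.strip():
            continue
        host, seq_token, _message = line.split(" ", 2)
        if not seq_token.startswith("seq="):
            raise ValueError(f"unexpected record format: {line!r}")
        seqs[host].append(int(seq_token[len("seq="):]))
    return seqs


def completeness_test(manifest: Dict[str, Tuple[int, int]],
                      stored: Dict[str, List[int]]) -> Dict[str, SourceResult]:
    """Compare what each source reports emitting with what was stored."""
    results: Dict[str, SourceResult] = {}
    for host, (first, last) in manifest.items():
        seen = stored.get(host, [])          # absent host -> empty list
        expected_set = set(range(first, last + 1))
        counts: Dict[int, int] = defaultdict(int)
        for n in seen:
            counts[n] += 1
        results[host] = SourceResult(
            expected=len(expected_set),
            stored=len(seen),
            missing=sorted(expected_set - set(seen)),
            duplicates=sorted(n for n, c in counts.items() if c > 1),
        )
    return results


def run_check(manifest=SOURCE_MANIFEST, raw=AGGREGATED_LOGS) -> Dict[str, SourceResult]:
    """Run the test over the constructed data and return per-source results."""
    return completeness_test(manifest, parse_sequences(raw))


if __name__ == "__main__":
    for host, r in run_check().items():
        status = "OK" if r.complete else "INCOMPLETE"
        print(f"{host}: {status} expected={r.expected} stored={r.stored} "
              f"missing={r.missing} duplicates={r.duplicates}")
```

A count-only comparison (expected 8, stored 9) would have passed app-srv-02 even though one record is missing and another is duplicated in spirit; checking the sequence set rather than the count is what exposes both conditions, and treating an absent host as "stored 0" rather than skipping it is what catches a source whose forwarding silently stopped.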
An IS auditor is reviewing an artificial intelligence (AI) and expert system application. The system has produced several critical errors with severe impact. Which of the following should the IS auditor do NEXT to understand the cause of the errors?
Answer : A
A telecommunications company has recently created a new fraud department with three employees and acquired a fraud detection system that uses artificial intelligence (AI) modules. Which of the following would be of GREATEST concern to an IS auditor reviewing the system?
Answer : B